OPNsense Forum

English Forums => General Discussion => Topic started by: fred78 on December 28, 2025, 04:21:45 AM

Title: NAT Forwarding
Post by: fred78 on December 28, 2025, 04:21:45 AM
Hoping for some help here.
Tried to follow many guides but can't get NAT port forwarding to work
(https://homenetworkguy.com/how-to/redirect-all-dns-requests-to-local-dns-resolver/)
- opnsense IP 192.168.1.1 on a mini pc.
- running Unbound on port 53.
- running on separate VM - AdGuard 192.168.1.254

I have a number of Google devices that have a hard-coded DNS and I want to redirect these to AdGuard.
They are all on the same subnet - 192.168.1.0/24
Once I follow the HNG guide and enable the rules, then the google DNS just times out.
How do I fix this?
Title: Re: NAT Forwarding
Post by: OPNenthu on December 28, 2025, 05:09:33 AM
When you created the NAT rule, which option did you use for 'Filter rule association'?

The default is to create an associated allow rule and you should see that it got added to the interface rules.  Make sure that rule has precedence over any blocking rules, especially any quick rules before it.
Title: Re: NAT Forwarding
Post by: fred78 on December 28, 2025, 06:15:28 AM
These are the only rules I have for the LAN interface.
I don't have any block rules that aren't auto-generated.

Protocol       Source    Port  Destination    Port      Gateway  Schedule  Description
IPv6 *         LAN net   *     *              *         *        *         Default allow LAN IPv6 to any rule
IPv4 TCP/UDP   LAN net   *     192.168.1.254  53 (DNS)  *        *         Redirect all DNS to AdGuard Home
IPv4 *         LAN net   *     *              *         *        *         Default allow LAN to any rule
Title: Re: NAT Forwarding
Post by: OPNenthu on December 28, 2025, 06:34:43 AM
Could you show the NAT rule as well?  I think this should be:

Interface: LAN
TCP/IP version: 4
Protocol: TCP/UDP
Source: LAN net
Source port range: any
Destination: any
Destination port range: 53 (DNS)
Redirect target IP: 192.168.1.254
Redirect target port: 53 (DNS)

This will redirect all plain DNS requests on LAN, not just from the google devices, to the AdGuard server and will break local resolution.  You'd have to make host overrides in AGH or forward back to Unbound for local zones without creating a loop.

If you need to you can create an Alias with the source IPs of just the google devices and use that in place of 'LAN net' for Source.

AdGuard Home is also available as a plugin in OPNsense, but requires that you enable the repo.  I'm assuming your AGH VM is able to receive requests and doesn't have a host firewall block (e.g. default deny on incoming with no exception for DNS).
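Added example (not from this thread or from OPNsense): a small model of the port-forward described above, used to show the two points OPNenthu makes: with Source = LAN net the rule catches every port-53 packet on LAN, including AdGuard's own forward of a local zone back to Unbound at 192.168.1.1 (the loop), while a Source alias holding only the Google devices leaves that traffic alone. The Google device addresses 192.168.1.50/.51 are constructed for the example; the other addresses come from the thread.

```python
import ipaddress
from dataclasses import dataclass

# Addresses from the thread
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
UNBOUND = ipaddress.ip_address("192.168.1.1")     # OPNsense, Unbound on port 53
ADGUARD = ipaddress.ip_address("192.168.1.254")   # AdGuard Home VM
# Constructed sample addresses for the Google devices with hard-coded DNS
GOOGLE_DEVICES = (ipaddress.ip_address("192.168.1.50"),
                  ipaddress.ip_address("192.168.1.51"))


@dataclass(frozen=True)
class RdrRule:
    """Model of an OPNsense port forward on LAN (pf 'rdr'): match the Source
    field and destination port, rewrite the destination to the redirect target."""
    sources: tuple              # ip_network / ip_address objects from the Source field
    dst_port: int
    redirect_ip: ipaddress.IPv4Address
    redirect_port: int

    def matches(self, src, dport):
        return dport == self.dst_port and any(
            src == s if isinstance(s, ipaddress.IPv4Address) else src in s
            for s in self.sources)

    def apply(self, src, dst, dport):
        """Return the (ip, port) a packet from src to dst:dport actually reaches."""
        if self.matches(src, dport):
            return (self.redirect_ip, self.redirect_port)
        return (dst, dport)


def lan_net_rule():
    """The rule as written in the thread: Source = LAN net, Destination = any."""
    return RdrRule((LAN_NET,), 53, ADGUARD, 53)


def alias_rule():
    """Same rule with Source = an alias holding only the Google devices."""
    return RdrRule(GOOGLE_DEVICES, 53, ADGUARD, 53)


def google_query_lands_on_adguard(rule):
    """Does a Google device's query to hard-coded 8.8.8.8 end up at AdGuard?"""
    return rule.apply(GOOGLE_DEVICES[0], ipaddress.ip_address("8.8.8.8"), 53) == (ADGUARD, 53)


def adguard_forward_loops(rule):
    """Does AdGuard forwarding a local zone to Unbound get bounced back to itself?"""
    return rule.apply(ADGUARD, UNBOUND, 53) == (ADGUARD, 53)


if __name__ == "__main__":
    for name, rule in (("Source=LAN net", lan_net_rule()), ("Source=alias", alias_rule())):
        print(f"{name}: google->8.8.8.8 redirected={google_query_lands_on_adguard(rule)}, "
              f"AGH->Unbound loops={adguard_forward_loops(rule)}")
```

The model only covers the NAT match; the associated filter rule and state tracking that OPNsense adds are not simulated.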