I have been searching for an answer as to why DNS requests to Unbound from a VLAN interface get blocked by the default deny/state violation rule, even though the source and destination IPs are on the same subnet.
I seem to have to create a specific firewall rule to allow devices on the subnet to talk to the DNS server on their own gateway IP?
Quote from: paf23 on January 08, 2026, 04:31:07 PM
> I seem to have to create a specific firewall rule to allow devices on the subnet to talk to the DNS server on their own gateway IP?
Yes. Apart from the LAN interface, which comes with a default "allow all" rule on a newly installed OPNsense, any additional interface (VLAN or physical) you create does not have any rules at all, which means nothing is allowed. You need to create rules for Internet access as well as for all local services the firewall provides.
Only rules for a selected few services like DHCP or IPv6 neighbour discovery are in the "automatic rules", because these are difficult and error-prone to get right.
Everything else: DNS, NTP, SMTP, ... needs explicit rules.
HTH,
Patrick
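To make the answer concrete, here is an added illustration (not from this thread and not OPNsense's own generated rules) written as a pf-style ruleset: the implicit default block on a fresh VLAN interface, followed by the explicit rules that a new interface needs for the firewall's own DNS/NTP and for Internet access. The interface name, subnet and RFC1918 table are assumed values.

```pf
# Assumed names: a VLAN interface vlan0.20 carrying 192.0.2.0/24 (constructed).
vlan_if  = "vlan0.20"
vlan_net = "192.0.2.0/24"
table <local_nets> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 192.0.2.0/24 }

# What a new VLAN interface effectively has: everything inbound is dropped
# and logged, including DNS to the interface's own address. This is the
# "default deny / state violation" entry seen in the live log.
block in log all

# Local services the firewall itself provides: pass from the VLAN subnet
# to the interface's own address only, not to every destination on port 53.
pass in quick on $vlan_if inet proto { tcp udp } from $vlan_net to ($vlan_if) port 53   # Unbound DNS
pass in quick on $vlan_if inet proto udp         from $vlan_net to ($vlan_if) port 123  # NTP

# Internet access: allow the VLAN out to anything that is not a local network,
# so the VLAN cannot reach other internal segments by accident.
pass in quick on $vlan_if inet from $vlan_net to ! <local_nets> keep state
```

In the OPNsense GUI the same three rules are entered on the VLAN interface tab with destination "This Firewall" (or the interface address) for the DNS/NTP rules and an inverted alias of local networks for the Internet rule.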
Thanks for the clarification Patrick.