Hi everyone,
I set up a dual WAN failover on my OPNsense machine (it actually runs in a Proxmox VM) by following the official guide here:
https://docs.opnsense.org/manual/how-tos/multiwan.html
It suggests adding an allow rule (step 5) for DNS traffic "to make sure traffic to and from the firewall on port 53 (DNS) is not going to be routed to the Gateway Group". However, I didn't add it and everything works fine nonetheless; no problem with internet traffic.
Could anyone please tell me why?
Thanks
The guide suggests doing policy-routing for all LAN traffic in step 4. This means any traffic would be sent out to the current upstream gateway (gateway group). Hence you would not be able to reach any internal destination, not even OPNsense itself.
The suggested rule in step 5 would allow DNS only to OPNsense before this.
If DNS resolution on your internal devices works anyway without it, you either didn't state the gateway in step 4 or your internal devices are not configured to use OPNsense for DNS resolution.
Quote from: viragomann on January 28, 2026, 02:18:13 PM
The guide suggests doing policy-routing for all LAN traffic in step 4. This means any traffic would be sent out to the current upstream gateway (gateway group). Hence you would not be able to reach any internal destination, not even OPNsense itself.
The suggested rule in step 5 would allow DNS only to OPNsense before this.
If DNS resolution on your internal devices works anyway without it, you either didn't state the gateway in step 4 or your internal devices are not configured to use OPNsense for DNS resolution.
For the time being, I can reach the OPNsense dashboard even without the rule, if I got exactly what you meant about this point.
As for DNS resolution I set up Unbound for DoT DNS. I also set up NAT rules for DNS redirection and even block DoH DNS queries from LAN clients.
Maybe I missed something here.
Thanks
Quote from: ricksense on January 28, 2026, 02:44:36 PM
For the time being, I can reach the OPNsense dashboard even without the rule
This might be allowed by the automatically generated "anti-lockout rule", which is not shown by default.
Quote from: ricksense on January 28, 2026, 02:44:36 PM
I also set up NAT rules for DNS redirection
Normally this also adds a rule for allowing the access.
Checking your whole rule set including "Automatically generated rules", "Floating rules" and "Group rules", if any, might give you a better insight into what's allowing the traffic.
You can also enable logging in each rule and check out the log after trying to access your firewall.
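To make the ordering point from this thread concrete, here is an added, simplified first-match model of the LAN rule set from steps 4 and 5 of the how-to, with the automatically generated rules mentioned above evaluated first; it is example code written for this thread, not OPNsense's or pf's own logic. The LAN address, the gateway group name, the port sets and the automatic allow rule associated with the NAT redirect are constructed assumptions.

```python
# Added example: simplified first-match model of an OPNsense LAN rule set.
# Not OPNsense or pf code; only rule order and the per-rule gateway matter here.
FIREWALL_IP = "192.168.1.1"     # constructed: OPNsense LAN address
GATEWAY_GROUP = "WAN_FAILOVER"  # constructed: gateway group name used in step 4

def rule(label, to_firewall=False, ports=None, gateway=None):
    """One pass rule. ports=None means any port; gateway=None means normal routing."""
    return {"label": label, "to_firewall": to_firewall, "ports": ports, "gateway": gateway}

# Step 4 policy-routes everything from LAN to the gateway group; step 5 must sit above it.
STEP4 = rule("Step 4: LAN net to any, gateway = group", gateway=GATEWAY_GROUP)
STEP5 = rule("Step 5: LAN net to firewall port 53, default gateway",
             to_firewall=True, ports={53})

# Rules OPNsense generates itself are evaluated before user rules (ports simplified).
AUTO_RULES = [
    rule("Anti-lockout (automatic)", to_firewall=True, ports={22, 80, 443}),
    rule("Allow rule associated with the DNS NAT redirect (automatic, assumed)",
         to_firewall=True, ports={53}),
]

def matches(r, dst_ip, dst_port):
    """Destination check only: source is always the LAN net in this model."""
    if r["to_firewall"] and dst_ip != FIREWALL_IP:
        return False
    return r["ports"] is None or dst_port in r["ports"]

def first_match(rules, dst_ip, dst_port):
    """The first matching rule, or None (implicit default deny)."""
    for r in rules:
        if matches(r, dst_ip, dst_port):
            return r
    return None

def next_hop(rules, dst_ip, dst_port):
    """'routing table' (delivered locally or via the system route), the gateway group, or 'blocked'."""
    r = first_match(rules, dst_ip, dst_port)
    if r is None:
        return "blocked"
    return r["gateway"] or "routing table"

if __name__ == "__main__":
    scenarios = {
        "guide (step 5 above step 4)": [STEP5, STEP4],
        "step 5 omitted, user rules only": [STEP4],
        "step 5 omitted, automatic rules present": AUTO_RULES + [STEP4],
    }
    for name, rules in scenarios.items():
        print(f"{name}: DNS to firewall -> {next_hop(rules, FIREWALL_IP, 53)}, "
              f"HTTPS to 203.0.113.10 -> {next_hop(rules, '203.0.113.10', 443)}")
```

Without the automatic rules, DNS to the firewall is handed to the gateway group, which is exactly what the step 5 rule prevents; with the automatic allow rule for the NAT redirect in front, it is delivered normally, which is why the setup in this thread can work without step 5.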