OPNsense Forum

English Forums => High availability => Topic started by: rudiratlos63 on February 04, 2026, 05:14:29 PM

Title: CARP and Unbound DNS response
Post by: rudiratlos63 on February 04, 2026, 05:14:29 PM
Hello,
I have a CARP-IP (10.8.99.1) on my INTernal interface and a physical IP (10.8.99.3).
My client gets the DNS server IP via KEA DHCP as the CARP-IP (10.8.99.1).
An nslookup to google.com from the client CLI gets the error that the info is expected from 10.8.99.1#53, but 10.8.99.3#3 responded.
The client drops the DNS info, because it's not from the CARP-IP.
How do I configure it so that Unbound uses the CARP-IP and not the physical IP of node1 in the HA config?
Title: Re: CARP and Unbound DNS response
Post by: Patrick M. Hausen on February 04, 2026, 09:06:53 PM
Create a NAT port forwarding rule on the INT interface:

Source: INT net
Destination: CARP-IP (create a manual alias if necessary)
Protocol: TCP & UDP
Destination port: 53
Redirect target: 127.0.0.1:53

If all your interfaces have a CARP address you can do this for all of them and bind Unbound to 127.0.0.1:53 only.
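Added example (not part of the thread, not the poster's or OPNsense's code): a small Python script reproducing the check that made the client discard the answer. A stub resolver sends a UDP query to one address:port and must receive the reply from exactly that address:port; if the firewall answers from its physical IP instead of the CARP-IP, the reply is rejected. The script queries a server, records who actually responded, and flags the mismatch. Because loopback offers only one usable address for a portable test, the built-in fake responder simulates the misconfiguration by answering from a second socket (a port mismatch stands in for the address mismatch). The server name "google.com" and all loopback ports are constructed test values.

```python
"""Reproduce the client-side check behind "expected from A#53, but B#53 responded":
a DNS reply must arrive from the same (ip, port) the query was sent to."""
import socket
import struct
import threading


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query packet: A record, recursion desired, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def reply_source_matches(expected, actual) -> bool:
    """True when the responder's (ip, port) equals the (ip, port) we queried.
    This is the comparison a stub resolver makes before accepting an answer."""
    return tuple(expected) == tuple(actual)


def query_and_check(server_ip: str, server_port: int, name: str, timeout: float = 2.0) -> dict:
    """Send one query and report where the reply actually came from."""
    expected = (server_ip, server_port)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), expected)
        data, actual = sock.recvfrom(4096)
    finally:
        sock.close()
    responded_from = (actual[0], actual[1])
    return {
        "expected": expected,
        "responded_from": responded_from,
        "matches": reply_source_matches(expected, responded_from),
        "reply_bytes": len(data),
    }


def start_fake_server(reply_from_other_socket: bool):
    """Loopback UDP responder used only to demonstrate the check offline.
    With reply_from_other_socket=True it answers from a second socket, mimicking
    Unbound replying from the physical IP rather than the CARP-IP the client used."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))
    listener.settimeout(5.0)
    port = listener.getsockname()[1]
    replier = listener
    if reply_from_other_socket:
        replier = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        replier.bind(("127.0.0.1", 0))

    def serve():
        try:
            data, client = listener.recvfrom(4096)
            # Minimal "answer": same transaction ID, QR bit set, question echoed back.
            replier.sendto(data[:2] + b"\x81\x80" + data[4:], client)
        except socket.timeout:
            pass
        finally:
            listener.close()
            if replier is not listener:
                replier.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, thread


def demo(misconfigured: bool) -> dict:
    """Run one query against the fake responder and return the check result."""
    port, thread = start_fake_server(misconfigured)
    result = query_and_check("127.0.0.1", port, "google.com")
    thread.join(timeout=5.0)
    return result


if __name__ == "__main__":
    print("misconfigured:", demo(True))   # matches == False, like the OP's nslookup
    print("correct:      ", demo(False))  # matches == True
```

Against a real firewall, `query_and_check("10.8.99.1", 53, "google.com")` shows the same thing as the poster's nslookup: `responded_from` reports the physical address, and `matches` is False until Unbound's replies are sourced from the CARP-IP (for example via the NAT redirect above).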
Title: Re: CARP and Unbound DNS response
Post by: rudiratlos63 on February 05, 2026, 03:55:05 PM
Hello Patrick,
This is not working, same result. Please see the attached screenshots. I've defined the NAT rule you suggested.
Title: Re: CARP and Unbound DNS response
Post by: Patrick M. Hausen on February 05, 2026, 04:14:18 PM
Then try to bind Unbound to 127.0.0.1 only, please.
Title: Re: CARP and Unbound DNS response
Post by: rudiratlos63 on February 05, 2026, 07:01:03 PM
Where should I do this?
I have AdGuard running on DNS port 53. Unbound runs on port 5354.