OPNsense Forum

English Forums => General Discussion => Topic started by: Wyrm on November 21, 2018, 06:33:18 pm

Title: Problem with DNS and hosts in network on wifi
Post by: Wyrm on November 21, 2018, 06:33:18 pm
I have a new install of OPNsense 18.7 from the latest image on a PC Engines APU.3C4 system board with a 60GB mSATA SSD.
The topology is:
Internet:
PROVIDER - cable - OPNSENSE WAN by PPPoE
LAN:
OPNSENSE LAN - Mikrotik switch RB2011 (10 ports); connected to this unit by cable are a WIFI CISCO (transparent AP only), a WIFI MIKROTIK HAP LITE (transparent AP only), and the rest of the network by cables.

OPNsense is set up in a basic configuration, with the provider's DNS set in General settings.

Cabled hosts - computers, printer, cameras and others - work without problems; I only sometimes have to refresh pages to get content, mainly https.
The BIG problem is with wireless clients connected to the wifi units (Cisco or Mikrotik): they do not have internet connectivity, and the problem is DNS. I can ping for example 8.8.8.8 but not www.google.com.

I have installed OPNsense several times and never had any problems, but maybe there is some problem with DNS in the current version???
What do I need to report or look at in the configuration?
I will need some help to solve this to have a working network.
For now I have to set everything up on the Mikrotik, but I need to have OPNsense working...

Thanks for any reply...

Title: Re: Problem with DNS and hosts in network on wifi
Post by: bartjsmit on November 21, 2018, 09:46:09 pm
Can OPNsense resolve DNS names correctly?

Interfaces -> Diagnostics -> DNS Lookup

Bart...
Title: Re: Problem with DNS and hosts in network on wifi
Post by: Wyrm on November 22, 2018, 11:24:28 am
I did not try this, but from my notebook there was a response only for the IP, not for the DNS host name. When I tested ping 8.8.8.8 it was OK, but ping www.google.com was a problem.
When I am back at the customer's office, I will try to reset to defaults, connect again and test everything...
Title: Re: Problem with DNS and hosts in network on wifi
Post by: Wyrm on November 27, 2018, 09:07:49 pm
I have found a solution - maybe. The main problem was solved by setting the ISP's DNS server in the DHCP settings.
It is very strange, because only users of APPLE devices had problems (iPhones, Macs and others...) - they simply did not accept that the DNS server is also an IP from the LAN.
There is a PPPoE connection at this site, which sends DNS to the WAN along with the public IP. I have also entered DNS 8.8.8.8 and 9.9.9.9 in General settings, so the system has four DNS IPs to use.
When I did a DNS lookup of www.google.com there was a latency of about 300ms from localhost and around 7ms from the other DNS servers.
So I set ON "Do not use the local DNS service as a nameserver for this system".
I also filled in the ISP DNS in the DHCP settings...

In another site, where I have opnsense this was not required even for apple devices.

Does anybody have a good explanation or tutorial on how to set DNS up correctly????
I did everything via the initial wizard settings, but I would like to know how to set it up directly as well....
Is it better to use the DNS Resolver or the Forwarder?

Thanks for answer...

Title: Re: Problem with DNS and hosts in network on wifi
Post by: bartjsmit on November 27, 2018, 09:41:16 pm
Better is a subjective concept  ;)

For security, it is best if a firewall accepts as few connections as possible - connections to the firewall itself, that is, not connections to hosts behind the firewall. Any service it provides is another attack surface.

A resolver gives you control over name resolution but consumes resources. A forwarder delegates the lookup to an external server. Both will cache lookups to improve performance. DNS is a popular target for snooping and man-in-the-middle attacks by anybody from governments to criminals. Your best defence is an encrypted connection to a trusted DNS service, but trust is hard to quantify.

My DNS servers are internal hosts, but that is more to do with the fact that they host authoritative zones.

Bart...
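As an added illustration of the two points above (keep the resolver's attack surface to the LAN only, and use an encrypted connection to an upstream you have decided to trust), here is an Unbound configuration fragment. It is an example written for this thread, not configuration from the original posts or from the OPNsense project; it assumes the OPNsense "DNS Resolver" is Unbound 1.7 or newer, that the LAN is 192.168.1.0/24 with the firewall at 192.168.1.1, and that the CA bundle lives at /etc/ssl/cert.pem (paths and addresses are assumptions to adjust).

```conf
# Added example: Unbound as a LAN-only resolver that forwards over DNS-over-TLS.
server:
    # Listen on the LAN address only; nothing is exposed on the WAN side.
    interface: 192.168.1.1
    port: 53

    # Accept queries from the LAN and refuse everyone else (attack surface).
    access-control: 192.168.1.0/24 allow
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::/0 refuse

    # Do not leak software identity/version to whoever can reach port 53.
    hide-identity: yes
    hide-version: yes

    # Resolver hardening: validate DNSSEC, drop out-of-bailiwick glue,
    # send only the minimum QNAME to upstreams.
    auto-trust-anchor-file: "/var/unbound/root.key"   # path is an assumption
    harden-glue: yes
    harden-dnssec-stripped: yes
    qname-minimisation: yes

    # Rebind protection: never accept private addresses from the outside
    # world unless a domain is explicitly declared as internal.
    private-address: 192.168.0.0/16
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12

    # Caching, as mentioned above; prefetch refreshes popular names before expiry.
    prefetch: yes
    cache-min-ttl: 0

    # CA bundle used to verify the upstream's TLS certificate (assumed path).
    tls-cert-bundle: "/etc/ssl/cert.pem"

# Forward everything to Quad9 over TLS on port 853. The name after '#' is the
# hostname Unbound verifies in the server certificate; a wrong or missing name
# would leave the connection encrypted but unauthenticated.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
```

With the forward-zone block removed, the same server section runs Unbound as a full recursive resolver instead of a forwarder; that is the whole difference between the two options the post describes, and it is why the choice is mostly about where you want the trust (and the lookup latency) to sit. To check which mode is actually answering clients, run `unbound-checkconf` on the file and then compare a lookup against 192.168.1.1 with one against the upstream directly, as the earlier post did with DNS Lookup.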
Title: Re: Problem with DNS and hosts in network on wifi
Post by: Wyrm on November 27, 2018, 10:22:40 pm
Thank you for reply.
So how could I have authoritative zones? If the customer has his own domain and there are nameservers of the hosting company... is it possible to use them?
Title: Re: Problem with DNS and hosts in network on wifi
Post by: bartjsmit on November 28, 2018, 01:42:56 pm
An authoritative zone is one that you buy (rent?) from a domain provider, or more commonly, one that holds a split-horizon DNS copy for your internal clients. https://en.wikipedia.org/wiki/Split-horizon_DNS

E.g. if you have a web server on your LAN, you want your clients to access it by the internal IP address. External users will need to use the public IP address, and NAT through the firewall to reach it. You can then have different security policy for internal and external clients, and even change the settings of the web service based on the source IP. If you only had external DNS, then internal clients would go out of the firewall on outbound NAT, and straight back in on the web service NAT. This is known as hairpinning: https://en.wikipedia.org/wiki/Hairpinning and is generally A Bad Thing for performance and security reasons.

In your case it is perfectly feasible to have an externally hosted zone with public DNS records and an internally hosted zone with the same private DNS records and possibly some more records for internal-only hosts.

Bart...
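The split-horizon arrangement described in the post above, as an added Unbound example (not configuration from the original thread or from the OPNsense project): the hosting company's public zone keeps the public address of www.example.com, while LAN clients are handed the private address so they never hairpin through the firewall's NAT. It assumes Unbound 1.6 or newer (for `view:`), the domain example.com, an internal web server at 192.168.1.10, and a LAN of 192.168.1.0/24; all of those are placeholders to replace.

```conf
# Added example: split-horizon DNS for example.com on the LAN resolver.
server:
    # Answers under example.com may legitimately contain private addresses,
    # so exempt the domain from rebind protection.
    private-domain: "example.com"

    # Clients from the LAN use the "lan" view; view-first below means names
    # not overridden in the view fall through to normal resolution, so the
    # public records of example.com still work for everything else.
    access-control-view: 192.168.1.0/24 lan

view:
    name: "lan"
    view-first: yes
    # 'transparent' answers from local-data where a record exists and
    # resolves the rest of the zone upstream (the hoster stays authoritative).
    local-zone: "example.com." transparent
    local-data: "www.example.com. 300 IN A 192.168.1.10"
    # Internal-only host that has no public record at all.
    local-data: "nas.example.com. 300 IN A 192.168.1.20"
    local-data-ptr: "192.168.1.10 www.example.com"
    local-data-ptr: "192.168.1.20 nas.example.com"
```

The external zone at the hoster is left untouched, which is exactly the "same public records externally, private copies plus extra internal-only names internally" layout the post describes. One caveat: DNSSEC validation will not apply to the locally overridden names (they are synthesised, not signed), so keep the list of overrides short and review it when the public zone changes.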