OPNsense Forum

English Forums => General Discussion => Topic started by: dudeman21 on January 09, 2020, 11:11:58 am

Title: Cannot get forced redirect of DNS to Pihole
Post by: dudeman21 on January 09, 2020, 11:11:58 am
I'm trying to have all DNS traffic on my LAN redirected to my pihole. I've looked at several guides and tutorials and I think I have it set up properly, but it doesn't seem to work.

My pihole is on 192.168.1.22

My Port Forward rule is (see screenshot):

Interface: LAN
Protocol: TCP/UDP
Source: invert -> 192.168.1.22
Source Port: DNS
Destination: invert -> LAN ADDRESS
Destination Port: DNS
Redirect Target: 192.168.1.22
Redirect Port: DNS
Nat Reflection: Disabled

https://imgur.com/UnEzcka

In the firewall rules LAN interface, I moved the rule that was created to the top (just under the automatic rules).

When I run 'nslookup test.com 192.168.1.22' I can see the lookup in the pihole logs. But when I run 'nslookup car.com 8.8.8.8', I don't see the lookup in the pihole logs, meaning that it was able to query 8.8.8.8 directly and bypass the pihole.

Is there anything that I'm missing?

Thanks.



Title: Re: Cannot get forced redirect of DNS to Pihole
Post by: lenny on January 09, 2020, 11:45:46 am
Why do you invert the address?

DHCP -> DNS -> IP Pihole
LAN Rule:
Pihole Ip -> any tcp/udp:53

That's all.
Title: Re: Cannot get forced redirect of DNS to Pihole
Post by: dudeman21 on January 10, 2020, 01:25:33 am
The pihole already works correctly in terms of being pushed to users via DHCP. I want to set up a rule to force some devices that have hard-coded DNS servers and don't respect the DHCP settings.

The idea being that the router will intercept any packets going on port 53 that are trying to leave the LAN network and port forward them to the pihole. Of course the pihole needs to be able to communicate with an external DNS, so the source IP is inverted so that traffic coming from the pihole is not affected.

My thinking is as follows:

All traffic on port 53 trying to leave the LAN network should be redirected to 192.168.1.22 (pihole) with the exception of traffic originating from the pihole itself, in which case it should be able to access an external DNS server (such as 8.8.8.8). I've experimented with the destination being !192.168.1.22 and also !LAN ADDRESS and neither works.

Here is a full screenshot of the port forward settings. After making this rule, I have moved the rule to the top of the LAN firewall rules (just under the automatic rules)

https://imgur.com/hiNioe4
Title: Re: Cannot get forced redirect of DNS to Pihole
Post by: lenny on January 10, 2020, 06:46:38 am
If you want to redirect it, a NAT is great ;)
You then forward all DNS traffic to your Pihole.

You have to build a rule that all DNS requests from your LAN are forwarded to your pihole IP.
Then that should work, I think.
Title: Re: Cannot get forced redirect of DNS to Pihole
Post by: dudeman21 on January 10, 2020, 10:44:54 pm
Quote
you have to build a rule that all DNS requests from your LAN are forwarded to your pihole IP.
then that should work, I think.

I thought that's what I had with the port forward rule; is there another rule I need to make? The port forward rule automatically creates a rule on the LAN interface which I have placed at the very top to get first priority. Any idea what else I need? Thanks.
Title: Re: Cannot get forced redirect of DNS to Pihole
Post by: Northguy on January 24, 2020, 12:29:19 pm
It will work if you put a NAT loopback on the outbound NAT. Need to come back later with screenshots (not in the opportunity right now). You could also google on hairpin nat to see if you can come up with the solution yourself.
Title: Re: Cannot get forced redirect of DNS to Pihole
Post by: meazz1 on January 25, 2020, 05:29:58 am
Quote
Why do you invert the address?

DHCP -> DNS -> IP Pihole
LAN Rule:
Pihole Ip -> any tcp/udp:53

That's all.

I'm facing a similar issue.
Where do I add the LAN rule? Can you please clarify?
Does it go into
Firewall --> Rules --> LAN --> Add --> ??
Title: Re: Cannot get forced redirect of DNS to Pihole
Post by: Northguy on January 25, 2020, 10:09:47 am
Quote
It will work if you put a NAT loopback on the outbound NAT. Need to come back later with screenshots (not in the opportunity right now). You could also google on hairpin nat to see if you can come up with the solution yourself.


Hi,

Create a port forward like this (NAT Port forward):
Interface: LAN
Protocol: TCP/UDP
Source: invert -> 192.168.1.22
Source Port: Any
Destination: invert -> LAN ADDRESS
Destination Port: DNS
Redirect Target: 192.168.1.22
Redirect Port: DNS
Nat Reflection: Disabled

Create an outbound NAT translation like this (NAT Outbound):
Interface: LAN
Protocol: any
Source: invert -> 192.168.1.22
Source Port: Any
Destination: 192.168.1.22
Destination Port: DNS
Translation/Target: interface address

This should do the trick. One drawback is that in pihole you will see all redirected traffic coming from OPNsense instead of your client.

When configuring a hard-coded DNS like 1.1.1.1 and using nslookup, it still shows that 1.1.1.1 is resolving the DNS, but actually you will find an entry in pihole.

Maybe it can be done in an easier way. Open to suggestions.
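Added illustration, not code from the thread or from OPNsense: a small model of how the two rules in the recipe above (the NAT port forward and the outbound NAT) act on a DNS query from a LAN client that ignores DHCP and uses a hard-coded resolver. It follows one query and its answer with and without the outbound NAT rule, which shows why the port forward alone is not enough when the Pi-hole and the client sit on the same LAN, and reproduces the drawback mentioned above (Pi-hole logging the firewall as the client). The Pi-hole address is the thread's; the firewall LAN address, the client address and the ports are constructed assumptions.

```python
# Added illustration, not from the forum thread or from OPNsense: a model of
# the port forward ('rdr' half) and outbound NAT ('nat' half) rules acting on
# one DNS query from a LAN client with a hard-coded resolver.
from dataclasses import dataclass, replace

FW_LAN = "192.168.1.1"    # assumed OPNsense LAN interface address
PIHOLE = "192.168.1.22"   # Pi-hole address from the thread
CLIENT = "192.168.1.50"   # constructed LAN client with a hard-coded resolver
UPSTREAM = "8.8.8.8"      # the resolver hard-coded on the client


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def port_forward(p: Packet) -> Packet:
    """NAT port forward on LAN: source != Pi-hole, destination != LAN address,
    destination port 53 -> redirect to Pi-hole:53."""
    if p.src != PIHOLE and p.dst != FW_LAN and p.dport == 53:
        return replace(p, dst=PIHOLE, dport=53)
    return p


def outbound_nat(p: Packet) -> Packet:
    """Outbound NAT on LAN: source != Pi-hole, destination Pi-hole:53 ->
    translate the source to the LAN interface address."""
    if p.src != PIHOLE and p.dst == PIHOLE and p.dport == 53:
        return replace(p, src=FW_LAN, sport=40000)  # constructed ephemeral port
    return p


def reply_to(p: Packet) -> Packet:
    """The answer from whoever received p: endpoints swapped."""
    return Packet(src=p.dst, sport=p.dport, dst=p.src, dport=p.sport)


def same_subnet(a: str, b: str) -> bool:
    """Both addresses in the same /24 (the thread's LAN)."""
    return a.rsplit(".", 1)[0] == b.rsplit(".", 1)[0]


def dns_exchange(use_outbound_nat: bool) -> dict:
    """Follow one query client -> 8.8.8.8:53 and report what each side sees."""
    query = Packet(CLIENT, 51000, UPSTREAM, 53)
    # 8.8.8.8 is off-link, so the query goes to the gateway, where the port
    # forward rewrites the destination to the Pi-hole.
    redirected = port_forward(query)
    on_wire = outbound_nat(redirected) if use_outbound_nat else redirected
    answer = reply_to(on_wire)
    if answer.dst != FW_LAN and same_subnet(PIHOLE, answer.dst):
        # Pi-hole and client share the LAN: the answer goes straight to the
        # client and never crosses the firewall, so nothing undoes the redirect.
        seen_by_client = answer
    else:
        # The answer is addressed to the firewall, which holds the state for
        # both translations and restores the original 8.8.8.8:53 source.
        seen_by_client = reply_to(query)
    return {
        "pihole_logs_client_as": on_wire.src,
        "reply_source": seen_by_client.src,
        "unexpected_source": seen_by_client.src != UPSTREAM,
    }


def pihole_upstream_query() -> Packet:
    """The Pi-hole's own query to its upstream must pass the rule untouched."""
    return port_forward(Packet(PIHOLE, 52000, UPSTREAM, 53))


if __name__ == "__main__":
    for flag in (False, True):
        print("outbound NAT" if flag else "port forward only", dns_exchange(flag))
```

Without the outbound NAT the client gets its answer from 192.168.1.22 while it asked 8.8.8.8, which is exactly the "reply from unexpected source" that resolver tools complain about; with it, the firewall sees the answer and restores the original source, at the price of Pi-hole logging the firewall address as the client. Traffic from the Pi-hole itself is left alone because of the inverted source match.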



Title: Re: Cannot get forced redirect of DNS to Pihole
Post by: meazz1 on January 25, 2020, 08:43:22 pm
Thanks Northguy!
One more question, is there a package/plugin similar to "pi hole" for opnsense?
I saw one called sunnyvalley but not sure if this can take the place of pihole or it's overkill for basic home usage.
Title: Re: Cannot get forced redirect of DNS to Pihole
Post by: dudeman21 on January 25, 2020, 11:29:23 pm


Quote
It will work if you put a NAT loopback on the outbound NAT. Need to come back later with screenshots (not in the opportunity right now). You could also google on hairpin nat to see if you can come up with the solution yourself.


Hi,

Create a port forward like this (NAT Port forward):
Interface: LAN
Protocol: TCP/UDP
Source: invert -> 192.168.1.22
Source Port: Any
Destination: invert -> LAN ADDRESS
Destination Port: DNS
Redirect Target: 192.168.1.22
Redirect Port: DNS
Nat Reflection: Disabled

Create an outbound NAT translation like this (NAT Outbound):
Interface: LAN
Protocol: any
Source: invert -> 192.168.1.22
Source Port: Any
Destination: 192.168.1.22
Destination Port: DNS
Translation/Target: interface address

This should do the trick. One drawback is that in pihole you will see all redirected traffic coming from OPNsense instead of your client.

When configuring a hard coded DNS like 1.1.1.1 and using nslookup, it still shows that 1.1.1.1 is resolving the DNS, but actually you will find an entry in pihole.

Maybe it can be done in an easier way. Open to suggestions.


Thank you so much for this! It works perfectly. I can now do "nslookup car.com 1.1.1.1" and it will show up in the pi-hole logs.

Just a note for the noobs like me: when setting a specific IP address like 192.168.1.22 if there is a box next to it, set it to /32. (32 specifies a specific IP address).

Also this seemed to work better if for the outbound NAT rule I set the source port to DNS (53) instead of any. But for the port forward rule I kept it exactly as you said.

As far as the IP address all looking like it came from the router, that is true but only for clients that are not respecting the DHCP settings in the first place and have hard coded DNS servers set, so that is an ok compromise. Most clients show up correctly with the above settings because they have their DNS server set to 192.168.1.22 to begin with.

Thanks again for your help!
Title: Re: Cannot get forced redirect of DNS to Pihole
Post by: Northguy on January 26, 2020, 12:43:59 am
Quote
Thanks Northguy!
One more question, is there a package/plugin similar to "pi hole" for opnsense?
I saw one called sunnyvalley but not sure if this can take the place of pihole or it's overkill for basic home usage.

There is DNSBL for Unbound and Sensei from Sunnyvalley. Don't know if they suit your needs, so you need to experiment for yourself.
Title: Re: Cannot get forced redirect of DNS to Pihole
Post by: ChrisChros on January 10, 2021, 09:59:37 am
Quote
It will work if you put a NAT loopback on the outbound NAT. Need to come back later with screenshots (not in the opportunity right now). You could also google on hairpin nat to see if you can come up with the solution yourself.


Hi,

Create a port forward like this (NAT Port forward):
Interface: LAN
Protocol: TCP/UDP
Source: invert -> 192.168.1.22
Source Port: Any
Destination: invert -> LAN ADDRESS
Destination Port: DNS
Redirect Target: 192.168.1.22
Redirect Port: DNS
Nat Reflection: Disabled

Create an outbound NAT translation like this (NAT Outbound):
Interface: LAN
Protocol: any
Source: invert -> 192.168.1.22
Source Port: Any
Destination: 192.168.1.22
Destination Port: DNS
Translation/Target: interface address

This should do the trick. One drawback is that in pihole you will see all redirected traffic coming from OPNsense instead of your client.

When configuring a hard coded DNS like 1.1.1.1 and using nslookup, it still shows that 1.1.1.1 is resolving the DNS, but actually you will find an entry in pihole.

Maybe it can be done in an easier way. Open to suggestions.

Do I have to create this outbound rule for all networks separately, LAN and VLAN?

Thanks, Chris
Title: Re: Cannot get forced redirect of DNS to Pihole
Post by: bitTwiddler on January 10, 2021, 11:29:38 pm
I would think that would be the case.  Each network has its own set of firewall rules.  I do something similar where I allow users on other networks to use a printer in my LAN.
Title: Re: Cannot get forced redirect of DNS to Pihole
Post by: gpb on January 11, 2021, 01:13:18 am
I did this (similar set-up) but never needed an outbound NAT rule (did I miss something)?  What's the purpose of that the first wouldn't handle? 

Also, I used two NAT Port Forward rules, one for each ipv4 and ipv6...I use ipv4 for both LAN and VLAN (one rule, two interfaces), but have ipv6 disabled on VLAN (IoT network).  So for the ipv6 address on the LAN I use the link local address, if anyone is wondering.  I also allow ping to the pihole from VLAN as several IoT devices seem to like that...otherwise everything else is blocked.
Title: Re: Cannot get forced redirect of DNS to Pihole
Post by: sanji on January 11, 2021, 10:06:58 pm
I'm also wondering if it is necessary to create an outbound NAT translation. I haven't read that in other tutorials.

In which case would it be necessary?
Title: Re: Cannot get forced redirect of DNS to Pihole
Post by: shadesh on May 11, 2021, 02:28:30 pm
To solve things like this:

Code:
dig @8.8.8.8 heise.de   
;; reply from unexpected source: 10.20.30.4#53, expected 8.8.8.8#53
;; reply from unexpected source: 10.20.30.4#53, expected 8.8.8.8#53
;; reply from unexpected source: 10.20.30.4#53, expected 8.8.8.8#53

Where 10.20.30.4 is one of my internal DNS servers.
Title: Re: Cannot get forced redirect of DNS to Pihole
Post by: spetrillo on June 03, 2021, 07:41:30 pm
I have implemented both port forward and the outbound NAT. I turned on hybrid outbound NAT rule generation, so I got the manual rule first and the automatic rules after. Attached is the outbound NAT and the port forward. Do they look right? First time doing this and want to make sure I am good to go! I am testing this on my IoT vlan, as this is where the devices that would bypass my Pi-Hole and DNS would be.

This begs the final question...how do I know if this is working for my devices?
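Added example, not from the thread: a check that answers the question above ("how do I know if this is working?") using the two signals this thread relies on, the client-side resolver output (dig or nslookup, as in the "reply from unexpected source" lines posted earlier) and the Pi-hole query log. Because a correct setup makes the hard-coded resolver appear to answer, only the Pi-hole log can confirm the redirect. The log lines are constructed samples in dnsmasq's format; the canary name, timestamps and firewall address are assumptions.

```python
# Added example, not from the forum thread. Classifies the state of a forced
# DNS redirect from a resolver tool's output plus Pi-hole query-log lines.
import re

# Resolver tools report this when the answer arrives from a different address
# than the one queried (port forward in place, outbound NAT missing).
UNEXPECTED = re.compile(r"reply from unexpected source: (\S+)#\d+, expected (\S+)#\d+")
# dnsmasq query-log line as written by Pi-hole: "query[A] name from client".
QUERY = re.compile(r"query\[\w+\] (\S+) from (\S+)")


def classify(resolver_output: str, pihole_log: str, canary: str, firewall_addr: str) -> dict:
    """Verdicts:
    'asymmetric' - redirect works but the answer comes straight from the
                   internal server (port forward without outbound NAT).
    'redirected' - the canary query reached Pi-hole; 'logged_as_firewall'
                   tells whether Pi-hole saw the firewall instead of the client.
    'bypassed'   - the client reached its hard-coded resolver directly."""
    m = UNEXPECTED.search(resolver_output)
    if m:
        return {"verdict": "asymmetric", "answered_by": m.group(1), "expected": m.group(2)}
    clients = [client for name, client in QUERY.findall(pihole_log) if name == canary]
    if clients:
        return {"verdict": "redirected", "logged_clients": clients,
                "logged_as_firewall": all(c == firewall_addr for c in clients)}
    return {"verdict": "bypassed"}


# Constructed samples (assumed values; the first line is the thread's symptom).
DIG_ASYMMETRIC = ";; reply from unexpected source: 10.20.30.4#53, expected 8.8.8.8#53\n"
DIG_CLEAN = (";; ANSWER SECTION:\ncanary-test.example. 300 IN A 203.0.113.10\n"
             ";; SERVER: 8.8.8.8#53(8.8.8.8)\n")
PIHOLE_LOG = ("Jan 25 23:29:23 dnsmasq[1234]: query[A] canary-test.example from 192.168.1.1\n"
              "Jan 25 23:29:23 dnsmasq[1234]: forwarded canary-test.example to 1.1.1.1\n")

if __name__ == "__main__":
    print(classify(DIG_ASYMMETRIC, "", "canary-test.example", "192.168.1.1"))
    print(classify(DIG_CLEAN, PIHOLE_LOG, "canary-test.example", "192.168.1.1"))
    print(classify(DIG_CLEAN, "", "canary-test.example", "192.168.1.1"))
```

To use it, run `dig canary-test.example @8.8.8.8` (or nslookup) on a LAN host that can run a resolver tool, then feed the output and the matching lines from /var/log/pihole.log into classify(); a device that cannot run such a tool is checked by watching the Pi-hole log for names it is known to look up.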
Title: Re: Cannot get forced redirect of DNS to Pihole
Post by: ChrisChros on January 30, 2022, 05:14:54 pm
Quote
It will work if you put a NAT loopback on the outbound NAT. Need to come back later with screenshots (not in the opportunity right now). You could also google on hairpin nat to see if you can come up with the solution yourself.


Hi,

Create a port forward like this (NAT Port forward):
Interface: LAN
Protocol: TCP/UDP
Source: invert -> 192.168.1.22
Source Port: Any
Destination: invert -> LAN ADDRESS
Destination Port: DNS
Redirect Target: 192.168.1.22
Redirect Port: DNS
Nat Reflection: Disabled

Create an outbound NAT translation like this (NAT Outbound):
Interface: LAN
Protocol: any
Source: invert -> 192.168.1.22
Source Port: Any
Destination: 192.168.1.22
Destination Port: DNS
Translation/Target: interface address

This should do the trick. One drawback is that in pihole you will see all redirected traffic coming from OPNsense instead of your client.

When configuring a hard coded DNS like 1.1.1.1 and using nslookup, it still shows that 1.1.1.1 is resolving the DNS, but actually you will find an entry in pihole.

Maybe it can be done in an easier way. Open to suggestions.

I followed your suggestion and converted it to my needs. I am running AdGuard on the same box OPNsense is running. AdGuard is pointing to unbound on port 5335 to do the DNS-resolving with DoT.

The port forward rule is looking like this:
Interface: local_Networks (group with all networks as members)
Protocol: TCP/UDP
Source: invert -> This Firewall
Source Port: Any
Destination: invert -> local_Networks net
Destination Port: DNS
Redirect Target: 127.0.0.1
Redirect Port: DNS
Nat Reflection: Disabled

outbound NAT translation is looking like this:
Interface: local_Networks
Protocol: any
Source: invert -> This Firewall
Source Port: Any
Destination: This Firewall
Destination Port: DNS
Translation/Target: interface address

Unfortunately when I do an nslookup the result is not as expected:
Code:
nslookup yahoo.com 9.9.9.9
;; reply from unexpected source: 192.168.1.1#53, expected 9.9.9.9#53
Where is my mistake?

Regards Chris
Title: Re: Cannot get forced redirect of DNS to Pihole
Post by: ChrisChros on February 03, 2022, 10:34:26 am
Another problem which I have with my IoT devices is that some of them will not work with these rules, especially my Google Nest mini, while the Google Home mini is working as normal.

The Chromecast device I have not tested yet, first I want to solve the Nest mini behavior.

Does anyone else have the same problem forcing Nest mini devices to use the internal DNS resolver?

UPDATE:
So I think I have it now.
I checked all my port forward rules and realized that NAT reflection was set to "Use system default", this has to be set to "Disabled".
Title: Re: Cannot get forced redirect of DNS to Pihole
Post by: D0doooh on February 04, 2022, 01:56:49 am

Quote
UPDATE:
So I think I have it now.
I checked all my port forward rules and realized that NAT reflection was set to "Use system default", this has to be set to "Disabled".

Hi
I just ran into the same problems here too, could you show your settings exactly how you set them in the end?
Title: Re: Cannot get forced redirect of DNS to Pihole
Post by: ChrisChros on February 04, 2022, 06:27:45 am
Here are my two Port Forward rules and the Outbound rule.
local_Networks is a Group and the members are all my related networks, eg. LAN, IoT, ...
https://labzilla.io/blog/force-dns-pihole
For the Port Forward rules take care that "NAT reflection" is set to disabled.

Furthermore I have created for all these networks a pass DNS to internal server rule and below this a block any external DNS server rule.
https://www.sunnyvalley.io/docs/network-security-tutorials/how-to-configure-opnsense-firewall-rules#1-allowing-only-specific-dns-servers

I hope this will help you to setup your firewall.