OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: MCMLIX on March 08, 2021, 04:30:25 pm

Title: Migrated from pfSense to OPNsense
Post by: MCMLIX on March 08, 2021, 04:30:25 pm
Hello!

I have a couple of questions if someone can help.

I am coming from pfSense and had it setup using this https://nguvu.org/pfsense/pfsense-baseline-setup/.

I use OPNsense in a Proxmox VM and all three network cards are pass-through (one is an onboard Intel). Same as I did with pfSense.
Proxmox has a dual-port i350 network card for itself and VLANs, 5 network interfaces in total.

I see in OPNsense the floating rules have a Default reject. Do I need to add a Default reject IPv4 at the end of my individual vlan rules?
I'm a little confused on how Floating rules are applied. Individual rules make sense being from top down.

In the baseline setup he uses localhost in the DNS Forwarder setup. It's not in the OPNsense GUI. How would I configure OPNsense to mirror my old setup?

I have everything set through unbound at the moment and have switched to SurfsharkVPN.
Everything seems to be working.

My final problem is I don't get internet in my containers in Proxmox. All other VMs do get normal network. If I set up a new VM, DHCP works, but not in a container. It all worked in my old setup.

Sorry if these have been answered somewhere before, I looked but did not find anything.

An old retired millwright very much appreciates any help.

Brian
Title: Re: Migrated from pfSense to OPNsense
Post by: FingerlessGloves on March 08, 2021, 08:47:09 pm
Hi,

That default deny rule in the floating rules will get caught by any interface, so no, you don't need to create any end deny rules in your interface rules.

How do you want DNS configured: in forwarding mode to something like 1.1.1.1 or 8.8.8.8, or in recursive DNS mode?
In that guide he's using the two DNS services on different networks; do you really need that complexity? You can just send all your DNS traffic to SurfsharkVPN's DNS server via the DNS servers in the DHCP settings, if you want VPN'd clients to use the VPN connection, or you can use NAT rules to NAT any traffic going to port 53 and redirect it over the tunnel to SurfsharkVPN. Many ways to do this one.
Personally I use DNS over TLS and send all DNS requests using that, to stop the ISP snooping on it.

As for the networking issue in your containers, that sounds like an issue with your setup; if VMs get an IP then something else is amiss with your containers.
Title: Re: Migrated from pfSense to OPNsense
Post by: MCMLIX on March 08, 2021, 10:34:07 pm
Thank you for your reply.

I actually wanted to install pihole in a container. This is how I found out I had no internet in the containers. Only other container is a UNIFI Controller.

I restored a pfSense 2.5 VM and everything works, containers and all. I must have done something silly.

When I installed OPNsense I restored what I could from a pfSense backup: VLANs, NAT, DHCP and firewall rules. DHCP is important because of all the IoT. I have an IoT VLAN with Tasmota-flashed switches I did not want wandering the net.

I looked at this setup from the forum https://forum.opnsense.org/index.php?topic=20841.0 to see if I could see something I fouled up, but nothing jumped out at me.

So I would like to use pihole as DNS. I'm only using 208.67.222.222 and 208.67.220.220 at present.

Long winded I know sorry.
Title: Re: Migrated from pfSense to OPNsense
Post by: FingerlessGloves on March 08, 2021, 10:55:09 pm
Ah, I gotcha; good use of a container to put Pi-hole in it.

Hmm, have you misconfigured your gateway or something on the containers? Can the containers ping OPNsense?

Some people say you're better off not restoring pfSense to OPNsense, as it can cause odd issues, but I think that's mainly for complex setups.

Yeah, I have an IoT network, so I get the point of that requirement.

That guide looks fine, more or less how I would go about it, pretty much.

I can TeamViewer your machine if you want me to see the setup with my own eyes; if not, we can keep chatting here :)
Title: Re: Migrated from pfSense to OPNsense
Post by: MCMLIX on March 09, 2021, 12:07:23 am
So I restored OPNsense from a VM backup.
Removed all "Firewall: NAT: Outbound" rules, except for the Surfshark WAN NAT.
I implemented the "Hybrid outbound NAT rule generation" mode.
I removed the Default reject IPv4 and Default reject IPv6 rules on all VLANs.

Now my containers get net access again. I would like to understand that, but I'm grateful it's working.
Just created a new Debian container for pihole and apt update worked, so internet works.

So I would like to get pihole working, but my setup (unbound) is set up like the nguvu setup. The only difference is I include VL30_CLRNET in unbound as I don't use DNS Forwarder. The whole localhost thing.
What is the difference between "Local Zone Type" static and transparent?
I also have this in "Custom options":
local-data: "local.lan. 10800 IN SOA opnsense.local.lan. root.local.lan. 1 3600 1200 604800 10800"

Do you think this will conflict with a pihole setup?
Would I change "opnsense.local.lan" to pihole's address?

I wouldn't mind the TeamViewer idea, but I'm running Arch Linux and I'd have to compile it, I think.

I know this is a bit off my original post. I do appreciate your help so far.
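As an added illustration (not part of this thread or of OPNsense's own configuration) of the two "Local Zone Type" settings asked about above, here is an unbound.conf fragment built around the poster's own local.lan SOA record; the host names and 192.0.2.x addresses are constructed placeholders, and the comments describe how Unbound's static and transparent zone types differ:

```conf
server:
    # The zone type decides what Unbound does with a query for a name under
    # local.lan. that has NO matching local-data entry:
    #   static      -> answer only from local-data; any other name under the
    #                  zone gets NXDOMAIN, so nothing for local.lan. is ever
    #                  sent to an upstream resolver (forwarder or Pi-hole)
    #   transparent -> answer from local-data when there is a match, otherwise
    #                  resolve the name normally (recursion or the forwarder)
    local-zone: "local.lan." static

    # The SOA record from the post above, unchanged
    local-data: "local.lan. 10800 IN SOA opnsense.local.lan. root.local.lan. 1 3600 1200 604800 10800"

    # Constructed example records (addresses are documentation-range placeholders)
    local-data: "opnsense.local.lan. IN A 192.0.2.1"
    local-data: "pihole.local.lan. IN A 192.0.2.53"
    local-data-ptr: "192.0.2.53 pihole.local.lan."

    # Resulting behaviour for clients asking this Unbound instance:
    #   pihole.local.lan.  -> 192.0.2.53 under either zone type
    #   unknown.local.lan. -> NXDOMAIN with "static"; with "transparent" the
    #                         query goes upstream instead, which only makes
    #                         sense if another server (e.g. Pi-hole) also
    #                         holds names under local.lan.
```

Because the SOA names opnsense.local.lan. as the primary name server for the zone, a Pi-hole that forwards to Unbound does not need that record changed; the record only matters if the Pi-hole itself is meant to be authoritative for local.lan.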