OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: Droppie391 on May 30, 2017, 04:48:14 pm

Title: [SOLVED] DNS requests do not enter IPsec tunnel
Post by: Droppie391 on May 30, 2017, 04:48:14 pm
DNS requests made to the dns resolver (unbound) do not go through the ipsec tunnel for domain-overrides.
These DNS requests follow the routing table, which states that the network on the other side of the ipsec tunnel is reached via the wan interface. I don't understand how traffic from any workstation other than the opnsense box and destined to the remote ipsec network can find its way through the tunnel, but packets originating from the opnsense box itself are routed via the wan interface, bypassing the ipsec tunnel.


Title: Re: DNS requests do not enter IPsec tunnel
Post by: franco on May 30, 2017, 08:26:59 pm
Binding unbound to the explicit interfaces that you need it to work with is required, especially including the one that is paired with IPsec. It's in the main settings page, interfaces and outbound interfaces selection.

FreeBSD does not support routes into IPsec by default; it is very strict about its security associations. To illustrate with ping from the OPNsense box:

Doesn't work:

# ping REMOTE.RIGHTSUBNET.IP

Works:

# ping -S LOCAL.LEFTSUBNET.IP REMOTE.RIGHTSUBNET.IP


Cheers,
Franco
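The point Franco makes about source addresses is worth seeing as a model of how the kernel decides what goes into the tunnel. The following is an added example, not code from the thread or from OPNsense, and it uses a deliberately simplified security policy database (SPD) with constructed documentation-range addresses; real FreeBSD SPD matching also considers protocol, ports and direction, which are left out here. It shows why a packet from a LAN workstation and a packet the firewall sources from its LAN address both match the policy, while a packet the firewall sources from its WAN address (what the routing table picks by default) does not, and so leaves in the clear via WAN.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityPolicy:
    """One IPsec security policy: a src/dst traffic selector plus an action.
    Simplified model for illustration; not FreeBSD's actual SPD structure."""
    src: ipaddress.IPv4Network   # local ("left") subnet of the phase 2 entry
    dst: ipaddress.IPv4Network   # remote ("right") subnet of the phase 2 entry
    action: str                  # "ipsec" (protect) or "none"


# Constructed addresses for the example (RFC 5737 documentation ranges).
LAN_SUBNET = ipaddress.ip_network("192.0.2.0/24")        # left subnet
REMOTE_SUBNET = ipaddress.ip_network("198.51.100.0/24")  # right subnet
FW_LAN_IP = ipaddress.ip_address("192.0.2.1")            # firewall's LAN address
FW_WAN_IP = ipaddress.ip_address("203.0.113.10")         # firewall's WAN address
WORKSTATION_IP = ipaddress.ip_address("192.0.2.50")      # a LAN client
REMOTE_DNS = ipaddress.ip_address("198.51.100.53")       # DNS server behind the tunnel

# The SPD as configured by a single phase 2 entry: LAN <-> remote subnet.
SPD = [SecurityPolicy(LAN_SUBNET, REMOTE_SUBNET, "ipsec")]


def lookup_policy(src, dst, spd=SPD):
    """Return the first policy whose selector covers this src/dst pair, or None."""
    for sp in spd:
        if src in sp.src and dst in sp.dst:
            return sp
    return None


def egress(src, dst, spd=SPD):
    """'ipsec' if an SP with action ipsec matches, else 'wan' (plain routing)."""
    sp = lookup_policy(src, dst, spd)
    return "ipsec" if sp is not None and sp.action == "ipsec" else "wan"


def default_source(dst):
    """Simplified source-address selection: the kernel uses the address of the
    interface the routing table picks for dst. The remote subnet has no route of
    its own (IPsec is policy-based, not route-based), so the default route wins
    and the packet is sourced from the WAN address."""
    if dst in LAN_SUBNET:
        return FW_LAN_IP
    return FW_WAN_IP


def classify_scenarios():
    """The three cases from the thread: a LAN client, the firewall with its
    default source address, and the firewall bound to its LAN address
    (equivalent to `ping -S` or unbound's outgoing interface)."""
    return {
        "workstation_to_remote": egress(WORKSTATION_IP, REMOTE_DNS),
        "firewall_default_source": egress(default_source(REMOTE_DNS), REMOTE_DNS),
        "firewall_bound_to_lan": egress(FW_LAN_IP, REMOTE_DNS),
    }


if __name__ == "__main__":
    for name, path in classify_scenarios().items():
        print(f"{name:26s} -> {path}")
```

The fix in the thread maps directly onto the last scenario: selecting the LAN interface as unbound's outgoing interface (the `outgoing-interface` option in unbound.conf, which the OPNsense settings page writes for you) makes its queries carry a source address inside the left subnet, so the SPD matches and the query enters the tunnel.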
Title: Re: DNS requests do not enter IPsec tunnel
Post by: Droppie391 on May 31, 2017, 02:12:57 pm
Thanks, that did the trick.
Title: Re: [SOLVED] DNS requests do not enter IPsec tunnel
Post by: franco on May 31, 2017, 03:34:19 pm
Yay, cool, thanks for checking back! 8)