OPNsense Forum

English Forums => General Discussion => Topic started by: TunTuri on December 30, 2017, 03:10:33 pm

Title: DNS problem - domain resolving does not work for lan clients
Post by: TunTuri on December 30, 2017, 03:10:33 pm
Hello!

I might be missing something somewhere that causes DNS not to work in my system. If someone could give me some hints to check or push me in the right direction. The environment and problem are described below:

- OPNsense 17.7.5-i386
- Multi WAN environment
- Router: Asus EEEBOX EB1007 with Atom D410, only 1 NIC. I had to do the install via serial image because normal image didn't boot. Afterwards I enabled the VGA console.
- HP 2610 switch, LAN as untagged vlan, WAN, OPT1 and OPT2 as tagged vlans. Primary WAN has public IP, other ones are behind their own NAT.
- The WAN connections are 4G/LTE connections from different Finnish ISPs. A similar config worked with pfSense 2.3.6 (though the switch used was an Extreme Networks Summit), but I'm moving away from pfSense (due to things)

--

Various settings:

Services: Unbound DNS: General
- DNS Resolver (unbound) : on
- "All" network interfaces selected
- DNS Query forwarding mode : on

System: Settings: General
- Allow DNS server list to be overridden by DHCP/PPP on WAN : on
- Do not use DNS Forwarder/Resolver as DNS server for the firewall : off
- Tried with no DNS servers, and 8.8.8.8 and 8.8.8.4 as dns servers, with "use gateway" as none and primary WAN

System: Settings: Administration
- Disable DNS Rebinding Checks : on

Services: DHCP: Server
- DNS servers blank

Interfaces: Diagnostics: DNS Lookup
- Finds hostnames without problem

For example google.fi gives following:
127.0.0.1   1538 msec
192.89.123.230   28 msec (WAN primary DNS)
192.89.123.231   29 msec (WAN secondary DNS)
192.168.4.1   2 msec (OPT1)
8.8.4.4      43 msec
8.8.8.8      45 msec
192.168.22.1   53 msec (OPT2)
8.8.8.8      48 msec
8.8.4.4      63 msec

--

If I enter 8.8.8.8 and 8.8.4.4 as my client computer's DNS, the network works flawlessly. All WANs are utilized then. If it is set to auto, then DHCP gives my router address as DNS and no name resolving works. (I can access certain web pages with direct IP addresses, so the connection does seem to work.)

I even tried to change from Unbound to Dnsmasq (with its defaults). No joy there either. I catch nothing in the firewall logs either. When connecting the PC directly to the LTE boxes, connections work OK.

I currently have a workaround: I entered 8.8.8.8 and 8.8.4.4 in the DHCP server settings as DNS, to enable internet usage for client computers. Nevertheless, I'd like to enable using my router IP as DNS for clients. What might I be missing now?

 :'(
Title: Re: DNS problem - domain resolving does not work for lan clients
Post by: fabian on December 30, 2017, 03:55:09 pm
Do you block UDP/53 or is unbound running?
Title: Re: DNS problem - domain resolving does not work for lan clients
Post by: TunTuri on December 30, 2017, 05:59:02 pm
Unbound is running, I even tried a restart.

UDP/53 is not blocked, I even made an allow-any rule for port 53.

But this answer got me forward. I changed the last "allow all" rule to be "anywhere", not just to a single gateway group. Then everything started working. Now I'm confused why that was the problem, because in my configuration I'd want to forward things to different WAN connections by the ports, and put all the rest with traffic shaping into a single gateway group.

Thank you for the reply, it surely helped me forward when I rechecked things and tried something extra. Now I have to educate myself. Is there a way to see how many states are caught by different firewall rules?
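The behaviour TunTuri ran into can be modelled with a small first-match rule evaluator. This is an added example, not OPNsense or pf code: it simplifies pf's "quick" rule semantics to an ordered list where the first matching rule decides, and treats a rule's gateway as a policy-routing decision that is applied even when the destination is the firewall's own LAN address. The rule names, the 192.168.1.0/24 LAN, the router address 192.168.1.1 and the gateway names WAN_A and GW_GROUP are constructed for the illustration. It shows why a catch-all rule pinned to a gateway group swallows DNS queries aimed at the router, and why an earlier "to this firewall" rule with no gateway restores local resolution while port-based policy routing keeps working.

```python
"""First-match firewall rule evaluation with policy routing (added example).

Simplified model of pf 'quick' rules (assumption): rules are evaluated top to
bottom, the first match wins, and a rule with a gateway set sends the packet
out via that gateway instead of letting it be answered locally.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

FIREWALL_LAN_IP = "192.168.1.1"  # constructed router LAN address


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str               # "any", "udp" or "tcp"
    dst: str                 # CIDR, or "self" for the firewall's own address
    dports: Tuple[int, ...]  # empty tuple means any destination port
    gateway: Optional[str]   # None means normal routing (local delivery allowed)


@dataclass(frozen=True)
class Packet:
    proto: str
    dst: str
    dport: int


def rule_matches(rule: Rule, pkt: Packet, self_ip: str = FIREWALL_LAN_IP) -> bool:
    """True when the packet's protocol, destination and port fit the rule."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dst == "self":
        if ip_address(pkt.dst) != ip_address(self_ip):
            return False
    elif ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.dports and pkt.dport not in rule.dports:
        return False
    return True


def evaluate(rules, pkt: Packet, self_ip: str = FIREWALL_LAN_IP):
    """Return (matching rule name, gateway) for the first matching rule.

    A gateway of None means the packet is routed normally, so a query to the
    firewall's own address reaches the local resolver. Unmatched packets hit
    the implicit default deny.
    """
    for rule in rules:
        if rule_matches(rule, pkt, self_ip):
            return rule.name, rule.gateway
    return "default deny", None


# Constructed rule sets mirroring the thread: port-based policy routing first,
# then a catch-all. BROKEN pins the catch-all to a gateway group, so DNS to the
# router itself is policy-routed out a WAN instead of being answered locally.
BROKEN_RULESET = [
    Rule("http/https via WAN_A", "tcp", "0.0.0.0/0", (80, 443), "WAN_A"),
    Rule("allow all via GW_GROUP", "any", "0.0.0.0/0", (), "GW_GROUP"),
]

# FIXED keeps the same policy routing but lets traffic for the firewall itself
# match an earlier rule with no gateway (the effect of the thread's "anywhere"
# change, without giving up port-based routing for everything else).
FIXED_RULESET = [
    Rule("LAN to this firewall", "any", "self", (), None),
] + BROKEN_RULESET

DNS_TO_ROUTER = Packet("udp", FIREWALL_LAN_IP, 53)
HTTPS_TO_INTERNET = Packet("tcp", "8.8.8.8", 443)


def resolver_reachable(rules, pkt: Packet = DNS_TO_ROUTER) -> bool:
    """True only if the packet is passed and not diverted to a gateway."""
    name, gateway = evaluate(rules, pkt)
    return name != "default deny" and gateway is None


if __name__ == "__main__":
    for label, ruleset in (("broken", BROKEN_RULESET), ("fixed", FIXED_RULESET)):
        print(label, "DNS->router:", evaluate(ruleset, DNS_TO_ROUTER),
              "| HTTPS->internet:", evaluate(ruleset, HTTPS_TO_INTERNET))
```

In the broken set the DNS query to 192.168.1.1 matches the catch-all and is handed to GW_GROUP, which is the symptom described in the first post (clients using the router as DNS get nothing, while external resolvers work). In the fixed set it matches the gateway-less rule first, and HTTPS to the internet still goes out via WAN_A, so port-based multi-WAN routing and local DNS coexist.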
Title: Re: DNS problem - domain resolving does not work for lan clients
Post by: fabian on December 30, 2017, 06:12:24 pm
Probably not, but you can view the state table itself (it should be somewhere in the firewall diagnostics).
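On the per-rule counter question, pf itself does keep evaluation, packet, byte and state counters per rule, and `pfctl -vsr` (or `pfctl -vvsr`, which adds the `@n` rule numbers) prints them under each rule on a FreeBSD-based system such as OPNsense. The following is an added example, not part of the thread or of OPNsense: a parser for that output that collects the counters per rule, so the output can be sorted by active states. The sample output is constructed (the labels, interface name and counter values are invented); the line layout follows pfctl's `[ Evaluations: ... Packets: ... Bytes: ... States: ... ]` format, which is an assumption about the exact spacing that the regex tolerates.

```python
"""Parse per-rule counters from `pfctl -vsr` / `pfctl -vvsr` output (added example).

Assumption: each rule line starts at column 0 (optionally prefixed by '@n ')
and is followed by an indented '[ Evaluations: N Packets: N Bytes: N States: N ]'
line, as printed by pfctl on FreeBSD-based firewalls.
"""
import re
from typing import Dict, List

# Constructed sample output; labels, interface and numbers are invented.
SAMPLE_PFCTL_OUTPUT = """\
@0 pass in quick on em0 inet proto udp from 192.168.1.0/24 to 192.168.1.1 port = 53 keep state label "allow dns to firewall"
  [ Evaluations: 4821      Packets: 1902      Bytes: 168430      States: 12    ]
  [ Inserted: uid 0 pid 1234 State Creations: 951   ]
@1 pass in quick on em0 inet proto tcp from 192.168.1.0/24 to any port = 443 flags S/SA keep state label "https via WAN_A"
  [ Evaluations: 2919      Packets: 88120     Bytes: 90122331    States: 37    ]
  [ Inserted: uid 0 pid 1234 State Creations: 402   ]
@2 pass in quick on em0 inet from 192.168.1.0/24 to any keep state label "allow all via GW_GROUP"
  [ Evaluations: 2512      Packets: 3310      Bytes: 410223      States: 4     ]
  [ Inserted: uid 0 pid 1234 State Creations: 119   ]
"""

RULE_RE = re.compile(r"^(?:@(?P<num>\d+)\s+)?(?P<body>(?:pass|block|match)\b.*)$")
COUNTER_RE = re.compile(
    r"Evaluations:\s*(?P<ev>\d+)\s+Packets:\s*(?P<pk>\d+)\s+"
    r"Bytes:\s*(?P<by>\d+)\s+States:\s*(?P<st>\d+)"
)
LABEL_RE = re.compile(r'label "([^"]*)"')


def parse_pfctl_rules(text: str) -> List[Dict]:
    """Return one dict per rule with its text, label and counters."""
    rules: List[Dict] = []
    current = None
    for line in text.splitlines():
        m = RULE_RE.match(line)  # rule lines are unindented, counter lines are not
        if m:
            label_match = LABEL_RE.search(m.group("body"))
            current = {
                "rule": m.group("body"),
                "label": label_match.group(1) if label_match else None,
                "evaluations": 0, "packets": 0, "bytes": 0, "states": 0,
            }
            rules.append(current)
            continue
        c = COUNTER_RE.search(line)
        if c and current is not None:
            current.update(
                evaluations=int(c["ev"]), packets=int(c["pk"]),
                bytes=int(c["by"]), states=int(c["st"]),
            )
    return rules


def states_by_label(text: str) -> Dict[str, int]:
    """Map each rule's label (or full rule text when unlabelled) to its state count."""
    return {r["label"] or r["rule"]: r["states"] for r in parse_pfctl_rules(text)}


def rules_by_states(text: str) -> List[str]:
    """Labels ordered from most to fewest active states."""
    counts = states_by_label(text)
    return sorted(counts, key=lambda k: counts[k], reverse=True)


if __name__ == "__main__":
    # On a real firewall: feed in subprocess.run(["pfctl", "-vsr"], ...) output.
    for label in rules_by_states(SAMPLE_PFCTL_OUTPUT):
        print(f"{states_by_label(SAMPLE_PFCTL_OUTPUT)[label]:>5}  {label}")
```

Reading counters this way complements the state-table view fabian mentions: the state table shows individual connections, while the per-rule counters show which rule created them, which is what makes a misplaced catch-all (such as the gateway-pinned rule in this thread) stand out as the rule unexpectedly accumulating states.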