Messages - robertkwild

#1
OK, so apart from that you can't do any more hardening on your OPNsense?
#2
Hi all,

What other steps can I take to stop my ISP eavesdropping on me and seeing what I'm doing? I have enabled DoT; what else is there to enable to make my connections secure so they can't see what I'm doing, apart from getting a VPN?

Thanks,
Rob
#3
OK, thanks OPNenthu, makes sense. Thanks for all your help in this; it's all working now. Just want to say a big thank you to you!!!!!
#4
Thanks OPNenthu,

I'm a bit confused then: what's the point of making a VIP for it even though I can enter it directly?
#5
OK, I've added the "IP Alias", thanks, but I don't see it when I add the destNAT: when I click the drop-down under "Redirect target IP" I don't see it as an option. I can see all my "aliases"; should I make it into an alias?
#6
Sorry, what do you mean by this please?

Easiest is to add a VIP to your existing loopback device, something like fdff::1.  Any short, valid ULA will do.  Then you can use that ULA as the redirect target.

Better is to create a dedicated loopback device for redirects and assign it a static ULA in interface settings, then use that.
#7
OK, interesting.

I changed the "dest" in both the destNAT and the firewall rule to "!RFC1918" and it still didn't work.

As soon as I changed "version" from "ipv4+ipv6" to "ipv4" under destNAT, it worked.
#8
Hi,

thanks for that!

I made these rules

https://i.postimg.cc/tJRRpBjY/dest-NAT.png
https://i.postimg.cc/XJsSc3Rc/rule.png

For my destNAT I have set the "firewall rule" to "pass" as you said, but it still doesn't work. I'm testing it on a VM: when I make my DNS use my OPNsense, DNS works, but when I change it to 1.1.1.1 it doesn't work and I get no internet.
#9
Thanks. Can I get some help with how to set this up?

NAT redirect rule can be used to send these requests to 127.0.0.1:53, which is the local Unbound service. This will ensure that these requests are sent over TLS.

Thanks,
Rob
#10
Bumping this please, as I need help.

Also, I heard that encrypting your DNS via DoH or DoT still leaks the SNI to your ISP; is there any way round this to fully encrypt my DNS via OPNsense?

Thanks,
Rob
#11
Thanks franco,

Yes, I noticed that, as under "Interfaces" there's a "Point-to-Point" section and the PPPoE settings are there, so if I change igb2 pppoe0 to a new igb2 the PPPoE settings will still be there?
#12
Ahhh, I see, nice. So if I do this and go into WAN again I will see the DHCP option under "IPv4 configuration type"?
#13
Sorry, so at the moment my WAN is assigned to pppoe0 (igb2).

Do I need to delete that and then

create a new WAN and assign it to igb2?

#14
Hi all,

When I click on the WAN interface, in the drop-down "IPv4 configuration type" I can't see DHCP anymore; all that's in the drop-down box is

None
PPPoE

I need DHCP, as Sky, my ISP, uses this and not PPPoE.

Thanks,
Rob
#15
Reading this:

In order to provide a secure and verified environment, it is advisable to use a firewall rule to prohibit any outgoing DNS traffic on port 53 when using DNS over TLS. If clients choose to directly query other nameservers on their own, a NAT redirect rule can be used to send these requests to 127.0.0.1:53, which is the local Unbound service. This will ensure that these requests are sent over TLS.

I've done the block rule:

   IPv4+6 TCP/UDP    *    *    ! RFC1918     53 (DNS)    *    *       block LAN DNS to internet

But how do I set up the NAT?

What do I put in?

destination -  any
destination port range - 53
redirect target ip - 127.0.0.1/32 or "this firewall"
redirect target port - 53

Thanks,
Rob
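The thread never shows a way to tell, from a LAN client, whether the port-53 redirect described in the quoted documentation is actually catching queries, or whether (as in the "no internet" symptom above) the block rule is dropping them with no redirect in effect. The script below is an added example for that check; it is not code from the OPNsense project or from anyone in the thread. It sends a raw DNS query for a name that only the firewall's own Unbound knows (a host override; the name `opnsense.localdomain`, the firewall address `192.168.1.1` and the external resolver addresses are all assumptions for the demonstration) to each resolver in turn. An answer with an address from an external resolver proves the packet was rewritten to the local Unbound; NXDOMAIN means the real upstream replied (a leak); a timeout means the query was dropped. One IPv6 resolver is included so the v6 path, which a `127.0.0.1` redirect target cannot rewrite and which the ULA-on-loopback advice earlier in the thread addresses, gets checked as well.

```python
"""Client-side check of a firewall's port-53 NAT redirect.

Added example (not OPNsense code). Asks each resolver for a name that only the
local Unbound can answer and classifies the reply:
  redirected - an address came back, so the firewall's Unbound answered
  leaked     - NXDOMAIN/REFUSED came back, so a real upstream answered
  blocked    - no reply: the query was dropped and nothing redirected it
"""
import socket
import struct

TXID = 0x1234  # fixed transaction id; replies with any other id are ignored


def build_query(name, qtype=1, txid=TXID):
    """Minimal DNS query, class IN, recursion desired. qtype 1 = A."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Extract txid, rcode and any A-record addresses from a DNS reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QNAME, QTYPE, QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(rdata))
    return {
        "txid": txid,
        "is_response": bool(flags & 0x8000),
        "rcode": flags & 0x000F,
        "answers": answers,
    }


def query(server, name, timeout=2.0):
    """Send one UDP query to server:53; None on timeout. OSError propagates
    (e.g. no IPv6 route), so the caller can tell 'unreachable' from 'dropped'."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    resp = parse_response(data)
    if resp["txid"] != TXID or not resp["is_response"]:
        return None
    return resp


def classify(resp):
    """Interpret a reply to the local-only name sent at an external resolver."""
    if resp is None:
        return "blocked"      # dropped by the block rule, no redirect in effect
    if resp["rcode"] == 0 and resp["answers"]:
        return "redirected"   # only the local Unbound knows this name
    return "leaked"           # a real upstream answered (NXDOMAIN, REFUSED, ...)


# Assumed addresses: the OPNsense LAN address running Unbound (should always
# show "redirected", it answers directly), two external IPv4 resolvers, and one
# external IPv6 resolver to exercise the path a 127.0.0.1 target cannot rewrite.
RESOLVERS = ["192.168.1.1", "1.1.1.1", "8.8.8.8", "2606:4700:4700::1111"]
# Assumed name that exists only as a host override on the local Unbound.
LOCAL_ONLY_NAME = "opnsense.localdomain"

if __name__ == "__main__":
    for server in RESOLVERS:
        try:
            verdict = classify(query(server, LOCAL_ONLY_NAME))
        except OSError as exc:
            verdict = f"unreachable ({exc})"
        print(f"{server:24} {verdict}")
```

Run it from the test VM with its DNS pointed anywhere; only the per-resolver verdicts matter. With a working IPv4-only redirect you should see "redirected" for every IPv4 line, and the IPv6 line will show "blocked" or "leaked" depending on whether the block rule covers v6, which is exactly the case the ULA redirect target is meant to handle.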