Messages

reading this

In order to provide a secure and verified environment, it is advisable to use a firewall rule to prohibit any outgoing DNS traffic on port 53 when using DNS over TLS. If clients choose to directly query other nameservers on their own, a NAT redirect rule can be used to send these requests to 127.0.0.1:53, which is the local Unbound service. This will ensure that these requests are sent over TLS.

ive done the block rule

   IPv4+6 TCP/UDP    *    *    ! RFC1918     53 (DNS)    *    *       block LAN DNS to internet

but how do i set up the NAT

what do i put in

destination -  any
destination port range - 53
redirect target ip - 127.0.0.1/32 or "this firewall"
redirect target port - 53

thanks,
rob

LOL, what an idiot, your right @meyergru

my phone was still on wifi, as soon as i was on mobile data went back on the tapo app and i can no longer see my camera feeds, interesting i dont need the other ipv6 rule, it just works with the ipv4 rule (i attach below pic)

https://postimg.cc/5HgtF54C

i have no floating rules

changed the cameras alias from hosts to mac address and added the mac addresses of both cameras, applied the changes and still not working

the way im seeing them not working is i go on the tplink tapo app on phone and i can still see them connected so i know there still going on the internet

what ip address do i put in for ipv6 as they havnt got an ipv6 address, or have they?

ok heres my new rules

https://postimg.cc/ctGjQ7tr

so ive made one for ipv4 and one for ipv6, my ipv4 is camera ipv4 ips and ipv6 is camera mac addresses

heres my "allint" i have grouped all my local LAN interfaces

LAN_HOME - my tp link cameras sit here
DMZ
openvpn
wg1
wg0

heres my full set of rules

https://postimg.cc/3d9xSHDG

but trouble is my rule doesnt work and i dont understand why it doesnt work, i dont get how its going out even tho ive created a rule for it, do i need to create an outbound NAT rule aswell?

but surely there on my LAN and using those ips i gave to you guys ie 10.100.1.249 and 250 as i can see the leases on my dhcp?

how would i then go about blocking those cameras off the internet then please?

hi all,

made a rule to block cameras to the internet as i dont want to manage on the cloud anymore as i have a local NVR set up

this is my rule

https://postimg.cc/kBq4V72N

and these are my aliases

rfc1918
<content>10.0.0.0/8
172.16.0.0/12
192.168.0.0/16</content>

cameras
<content>10.100.1.249
10.100.1.250</content>

and there def the ips as when i stream them via vlc i see the streams

am i doing something stupid

thanks,
rob

thanks RamSense

doing this command on my opnsense

tcpdump -i vtnet0 port 853

should i replace vtnet0 with my lan or wan interface?

thats very wierd i made a floating rule to block 53 and it worked as i couldnt access any websites anymore but when i did a tcpdump on my lan interface on 53 i could see loads of activity so somethings wierd, so it looks like my DoT isnt working

thanks,
rob

hi all,

enabled DNS over TLS via here

https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-dot-on-opnsense

getting stuck when i create my own fw rules and nat to stop 53 out

as i have a few fw rules, should i create the block for 53 at the bottom so its first or at the top

thanks,
rob

found a good link

https://www.youtube.com/watch?v=H7zsBNFCG5M

so reading this

To ensure a validated environment, it is a good idea to block all outbound DNS traffic on port 53 using a firewall rule when using DNS over TLS. Should clients query other nameservers directly themselves, a NAT redirect rule to 127.0.0.1:53 (the local Unbound service) can be used to force these requests over TLS.

do i create two rules, one firewall rule and one NAT rule?

nice yeah i did

https://dnscheck.tools

and thats what got me down this rabbit hole, it was my ISP's DNS even tho i changed my system nameservers to quad9/google/cloudflare

but now its WoodyNet ie quad9 when i set up DoT

do i need to make a fw rule as it says on the page to block outgoing 53 ?

nice, so now im using DoT

before i was using dns settings under system > settings > general

and when i went to

https://ipleak.net/

my dns was coming back as my isp's dns even tho i had it using google, quad9 or cloudflare

since i changed to DoT and refreshing the page my DNS now is google/quad9/cloudflare so all good

has anyone else experienced this

so reading this guide

https://docs.opnsense.org/manual/unbound.html#dns-over-tls

il go here

services > unbound dns > dns over tls - add

fill it in with either cloudflare google or quad9

do i need to do the "advanced configurations"

this is DoT, is "os-dnscrypt-proxy" DoH

what one is better to use?

basically the reason why im asking is because I got from my ISP a block page when trying to access a website

I dont understand why i got a block page from them as im not using my ISP's DNS

under

system > settings > general

im using 8.8.8.8 and  1.1.1.1 and 9.9.9.9

and i have "unticked" both "dns server options"

allow dns server list to be overrridden by dhcp/ppp
do not use the local dns service as a nameserver

on my main pc i have changed my dns ip to that of my opnsense lan ip