
Messages - dgk

#1
I am allowing certain hosts through a firewall rule.

If I use a FQDN in the "Content" field of a firewall alias of type Host(s) and then use that alias, the firewall does not allow that host as a source.

But if I replace the FQDN in the alias's "Content" field with the actual IP of that host, the firewall works correctly, allowing access for that alias.

If I use the opnsense DNS Lookup under Interfaces: Diagnostics, that FQDN is properly looked up.

So what am I missing here? Why can't I use a FQDN with an alias pointer?
#2
Looks like I will comment on my own post :)

Actually this was pretty easy to set up.

On lan1, running opnsense/unbound:

Add a domain override for the subdomain of the remote VPN LAN (lan2), lan2.mydomain.net, with the IP of where dnsmasq or unbound is running on lan2.

Now in the host overrides use an alias for every entry,
for example add nas.mydomain.net to the local IP with alias nas.lan1.mydomain.net.

Now over on the remote LAN (lan2): for unbound do the reverse of the above,

otherwise for dnsmasq:

----for dnsmasq-----
In /etc/dnsmasq.conf
add the line with the IP of the opnsense gateway box (running unbound) on lan1:
server=/lan1.mydomain.net/xxx.xxx.xxx

Now for DNS records in dnsmasq there is no alias, so add one for local and another for remote access:
address=/gateway.nas.645.mydomain.net/xxx.xxx.xxx.xxx   # local ip
address=/gateway.nas.lan2.mydomain.net/xxx.xxx.xxx.xxx   # same ip as above

Restart both DNS servers; you also may have to flush the DNS cache on individual machines.

So nas.mydomain.net resolves to the local server, but nas.lanx.mydomain.net will resolve according to which lanx you use.

Each LAN has its own records, no need to share or sync. It does require that an alias be set up for each record.
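An added consistency check for the scheme in this post (example code written here, not the poster's own configuration and not part of OPNsense, dnsmasq or unbound): it parses the address= and server= lines of a dnsmasq.conf and reports any host that lacks its per-LAN alias, any alias that lacks its plain record, a missing forward for the other LAN's subdomain, and any local record that would shadow that forward. The base domain, the lan1/lan2 labels and all addresses in the sample are constructed placeholders.

```python
"""Consistency check for the per-LAN dnsmasq record scheme from the post.

Added example, not the poster's own configuration or any OPNsense code.
Assumed naming scheme (taken from the post): every host gets a plain record
host.mydomain.net plus a per-LAN alias host.<lan>.mydomain.net, and a
server=/<other lan>.mydomain.net/<ip> line forwards the other LAN's
subdomain to that LAN's resolver. Names and addresses are constructed.
"""
import re
from typing import Dict, List, Tuple

BASE_DOMAIN = "mydomain.net"

# Only the two dnsmasq directive forms used in the post are recognised.
ADDRESS_RE = re.compile(r"^address=/(?P<name>[^/\s]+)/(?P<ip>[^/\s]+)$")
SERVER_RE = re.compile(r"^server=/(?P<domain>[^/\s]+)/(?P<ip>[^/\s]+)$")


def parse_dnsmasq(text: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return ({name: ip} from address= lines, {zone: ip} from server= lines).

    Blank lines and '#' comments (full-line or trailing) are ignored; other
    directives are skipped rather than rejected.
    """
    addresses: Dict[str, str] = {}
    servers: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = ADDRESS_RE.match(line)
        if m:
            addresses[m["name"].lower()] = m["ip"]
            continue
        m = SERVER_RE.match(line)
        if m:
            servers[m["domain"].lower()] = m["ip"]
    return addresses, servers


def check_split_dns(text: str, this_lan: str, other_lan: str) -> List[str]:
    """List what the post's scheme requires but this LAN's dnsmasq lacks.

    this_lan / other_lan are the subdomain labels ('lan1', 'lan2').
    """
    addresses, servers = parse_dnsmasq(text)
    problems: List[str] = []

    remote_zone = f"{other_lan}.{BASE_DOMAIN}"
    if remote_zone not in servers:
        problems.append(f"no server=/{remote_zone}/... override for the remote LAN")

    this_suffix = f".{this_lan}.{BASE_DOMAIN}"
    remote_suffix = f".{remote_zone}"
    plain_suffix = f".{BASE_DOMAIN}"
    for name, ip in addresses.items():
        if name.endswith(this_suffix):
            # Per-LAN alias: the plain record must exist with the same IP.
            plain = name[: -len(this_suffix)] + plain_suffix
            if plain not in addresses:
                problems.append(f"{name} has no plain record {plain}")
            elif addresses[plain] != ip:
                problems.append(f"{name} -> {ip} but {plain} -> {addresses[plain]}")
        elif name.endswith(remote_suffix):
            # dnsmasq uses the longest matching domain, so a local address=
            # inside the remote zone would shadow the server= forward.
            problems.append(f"{name} is in the remote zone; it would shadow the forward")
        elif name.endswith(plain_suffix):
            # Plain record: the post requires an alias for every entry.
            alias = name[: -len(plain_suffix)] + this_suffix
            if alias not in addresses:
                problems.append(f"{name} has no {this_lan} alias {alias}")
    return problems


# Constructed sample for the lan2 dnsmasq; all addresses are placeholders.
SAMPLE_LAN2_CONF = """\
server=/lan1.mydomain.net/10.1.0.1          # forward lan1 names to the opnsense/unbound box
address=/nas.mydomain.net/10.2.0.20         # local record
address=/nas.lan2.mydomain.net/10.2.0.20    # per-LAN alias, same IP
address=/printer.mydomain.net/10.2.0.30     # missing its lan2 alias
address=/cam.lan2.mydomain.net/10.2.0.40    # alias without a plain record
"""

if __name__ == "__main__":
    for p in check_split_dns(SAMPLE_LAN2_CONF, this_lan="lan2", other_lan="lan1"):
        print("problem:", p)
```

Run it against the real /etc/dnsmasq.conf (or each file in /etc/dnsmasq.d) on the dnsmasq LAN with that LAN's label as this_lan; the unbound side has no equivalent text file to check, so the host override list there still has to be eyeballed.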


#3
I am just getting opnsense set up for the first time as the gateway for both of my two (remote) LANs.

I had my own custom gateway builds that both had dnsmasq running. I guess I could disable unbound and use dnsmasq, but maybe unbound is a better choice.

What I need is for any machine on either LAN (the LANs will be connected via OpenVPN) to resolve local records (overrides) on either LAN. I mean any machine on either LAN can resolve any machine on either LAN (given it has a DNS entry).

If I were to use dnsmasq I'd maintain a file for each LAN's local DNS entries in /etc/dnsmasq.d on both opnsense instances (i.e. they both have identical copies of both files).

I read that unbound is a "real" DNS server and thus can forward/sync records? So maybe it can forward records from the one opnsense instance to the other via the VPN (but not to any public DNS server)? That would be great, as then I wouldn't have to manage two lists and make sure they are updated on both opnsense machines. Any record I add to either would automagically be on the other.

Can anyone comment on my desired setup and whether/how unbound can meet it? If not, then maybe I'll just punt and use dnsmasq, which I am more familiar with.
#4
Yup, it was magic sauce not mentioned in any other post about setting up WAN rules:

enable "Disable reply-to" under Firewall: Settings: Advanced.

https://forum.opnsense.org/index.php?topic=3763.msg13034#msg1

All seems good. I'll mark this solved when I am sure this now works for all the one-off rules.
#5
opnsense noob here, but experienced with firehol and iptables.

I have a new box I'm setting up for another location, so the WAN interface is temporarily on my 10. private network. Starting with the factory defaults I unchecked "block private networks" and "block bogon networks" for the WAN interface. All operational: I can reach the internet from the LAN, and the WAN interface was assigned a 10. IP.

Now I want to open up the WAN side. So to start,
I've added rules for ICMP ping, SSH, and a port forward to an interior nx server, all accessed from a source computer with a 10. IP. None of them are working.

So, concentrating on just getting the ping to work, I set a rule to open up (override the default deny all) the WAN interface (answering "any"), the same "open it up" rule I use when doing some testing with firehol.

When I ping from the 10. machine I see a "green" log entry for that rule from that machine, but then on the machine there is no ping response, not even a "Destination Unreachable"; it behaves like it's waiting for some response, which is what the SSH connect acts like too (yes, the SSH server is on and listening on all interfaces, i.e. I can reach it from the LAN). Attached are the rule match log details. FYI, I can ping from the opnsense box to that 10. machine without issue.

This makes me think this is something to do with my source being on 10., even though I have "block private networks" disabled.

Is there some magic sauce I need to further apply to have the WAN interface on a private network with private-network sources trying to connect via the firewall?

I've set up other custom routers this way, including the one using firehol (WAN side temporarily in a private network), without issue, so this seems like something particular to opnsense.