
Messages - DrGonzoNL

#1
22.1 Legacy Series / Re: os-ddclient
January 28, 2022, 12:39:58 PM
I updated and all is working with os-dyndns which was previously installed.

If you install os-ddclient you can only access it via the search function, as stated earlier. I think the most important points are made: you want to specify the listening interface, which is not possible. Also the lack of common servers such as freedns is not user friendly. I could find documentation on the freedns page for ddclient, but unfortunately it is not in the drop-down list.
#2
I have been monitoring my logs on the Synology and there is no extra activity found. I guess I am safe, so this topic can be deleted/closed.
#3
I could use some confirmation from experts active on the forum.
Setup: Synology DSJ216, which is only open to the local LAN. Not set up for logging from outside sources.

To use the NAS as a download station I followed the steps in https://forum.opnsense.org/index.php?topic=4979.15
Provided by Nilss. I also added my laptop to the VPN user group to check if everything is set up all right with no DNS leaks.

Everything is routed nicely through my vpn provider via openvpn and the dns leak tests are good.

Now the question: when searching online I have come across people saying not to connect a NAS to a VPN connection. https://www.reddit.com/r/synology/comments/iaayq7/how_to_check_vpn_leak/

As far as I understand routing, there should not be a security issue, but the above link made me doubt myself. Am I taking a risk I am not seeing?

Thanks for any help or guidance!
#4
You're welcome!
According to https://www.pcengines.ch/pdf/alix1c.pdf you should be able to run a Debian distribution on the alix. So proxmox will not be necessary.

#5
Hi Marc,

OPNsense runs on a hardened version of FreeBSD, which is not the same as Linux. There is a request to make Pihole available on FreeBSD but it does not seem to get much traction. https://discourse.pi-hole.net/t/freebsd-compatability/2092/16

You have three options:
1. Run a VM on the APU and have an instance for the Pihole and OPNsense. Proxmox, as an example, can run both.
2. Use the options within OPNsense that have the same function as Pihole but not the GUI Pihole has. https://www.routerperformance.net/opnsense/dnsbl-via-bind-plugin/ This does not support per-client settings as far as I know. I use Pihole on a RPi.
3. Get a RPi.
#6
I solved it myself :)
It appears this does not work if the Pihole is in the same subnet. I solved it by redirecting DNS to 127.0.0.1 and letting Unbound forward the request to the Pihole. The only downside is that I can't see which device is trying to circumvent the DNS via the Pihole queries. That's why I will enable logging of this rule.
#7
Thanks, I am one step further, but still no real working redirect to my Pihole.
When I do an nslookup of a random website with 8.8.8.8, I get an 8.8.8.8.in-addr.arpa query in the logs in my Pihole instead of the website I tried to resolve.

Any ideas?
#8
Setup:
OPNsense with 192.168.1.0/24 local net
Pihole running Unbound, 192.168.1.6

I want to redirect all traffic outgoing on port 53 from the local net to the Pihole. This is pretty easy via the port forward as described here https://forum.opnsense.org/index.php?topic=9245.0

I also added a Floating rule to allow the Pihole itself to perform DNS queries to the root servers, otherwise Unbound can't work, of course.

I can see the DNS requests being redirected to the Pihole when this setup is complete. But unfortunately the requests from the Pihole IP to the root servers are still being redirected and can't be resolved. They are stuck in a loop, I guess.

Is there an option to add a (floating) rule so as not to redirect queries from 192.168.1.6? Or some setting you can check so that traffic is not redirected when it comes from the IP the traffic is being redirected to?

Another possible solution seems to be to create an alias which contains all of the local LAN except the Pihole IP and set that as the source in the port forward. I can't seem to get a grip on how to create such an alias.

Any help or advice is greatly appreciated.
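The redirect-loop problem described in this post (and the alias approach the poster is asking about) can be shown directly in the rule language OPNsense's port-forward GUI generates, FreeBSD pf. The fragment below is an added example and is not the poster's configuration or anything OPNsense produced; it assumes the LAN interface name `igb1`, reuses the addresses from the post (192.168.1.0/24 and 192.168.1.6), and demonstrates two ways to keep the Pi-hole's own upstream queries out of the redirect: a `no rdr` rule that pf matches first, or a table that excludes the Pi-hole from the redirect source, which is what the "alias for the LAN except the Pi-hole" idea corresponds to.

```pf
# Added example (not from the forum post or from OPNsense): FreeBSD pf.conf
# fragment redirecting LAN DNS to a Pi-hole while exempting the Pi-hole's
# own queries, so its recursion to the root servers is not looped back.
lan_if  = "igb1"              # assumed LAN interface name
lan_net = "192.168.1.0/24"    # local net from the post
pihole  = "192.168.1.6"       # Pi-hole running Unbound, from the post

# Option 1: explicit exemption. Translation (rdr) rules are first-match in pf,
# so the "no rdr" line must appear before the redirect it exempts.
no rdr on $lan_if inet proto { tcp udp } from $pihole to any port 53

# Redirect every other LAN client's DNS (TCP and UDP 53) to the Pi-hole.
rdr pass on $lan_if inet proto { tcp udp } from $lan_net to any port 53 -> $pihole port 53

# Option 2: a table ("alias" in GUI terms) of redirect sources that leaves the
# Pi-hole out; "!" negates an entry. Use this as the source instead of
# $lan_net and the "no rdr" rule above is no longer needed.
table <dns_clients> { 192.168.1.0/24, !192.168.1.6 }
# rdr pass on $lan_if inet proto { tcp udp } from <dns_clients> to any port 53 -> $pihole port 53

# Filter side: "rdr pass" already admits the redirected client traffic, but the
# Pi-hole's own outbound queries still need a pass rule (the post's floating
# rule) so Unbound can reach the root servers.
pass in quick on $lan_if inet proto { tcp udp } from $pihole to any port 53
```

Either option leaves one observable gap that the poster later notes: once clients are redirected, the Pi-hole logs show the firewall as the query source only if the rule also translates the source address, so logging on the redirect rule itself (as the poster decided to do) is the place to see which device tried to bypass the Pi-hole.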
#9
General Discussion / Re: Rookie firewall question
May 02, 2020, 04:22:08 PM
Thanks for verifying!  8)
#10
General Discussion / Re: Rookie firewall question
May 02, 2020, 04:07:58 PM
Thanks for your reply. I have made aliases for several IP blocklists for extra security of my home network, following https://docs.opnsense.org/manual/how-tos/edrop.html. Some lists are Firehol3, Feodo, Spamhaus, Blocklist.de etc.

I have only added the rules to the LAN side, because I think the WAN side is not necessary. The link does let you also add the rules to the WAN side of the firewall, but that is completely closed anyway, so my guess is that would not be necessary.


#11
General Discussion / Rookie firewall question
May 02, 2020, 02:43:41 PM
I have a rookie question about IP-Filtering using IP-lists. When I follow the how to for Spamhaus drop list, I also have to make Firewall rules on the WAN side. I am not intending to have open ports on the WAN side, maybe someday in the future but not for now. From what I understand all incoming traffic will be blocked on the WAN-side.

- If I add the rules on the WAN side it seems unnecessary, is that correct?
- If I add the rules to be future proof, would that impact performance? Does it impact RAM, for example?

Thanks for your help in advance!