
Messages - A1Dox

#1
20.1 Legacy Series / Re: MultiWAN and BIND DNSBL
July 13, 2020, 11:31:19 AM
Quote from: lzamel on July 10, 2020, 05:56:36 PM
Is there a way to push this traffic thru firewall?

Where is your BIND instance running? Is it on the firewall itself, or is it behind it, on your network?

  • If it's on the OPNsense device, did you work through Step 5 in the Multi-WAN setup here https://docs.opnsense.org/manual/how-tos/multiwan.html to manage local DNS traffic?
  • If it's behind it, did you set similar firewall rules to ensure DNS requests from your LAN bind server go out the way you want?
#2
I've been having the same issues. LAN0 is PPPoE with Zen, LAN1 is Ethernet to a LAN port on a Vodafone Modem/Router. With basic default routing in place everything is great. When I switch to load balancing I experience the same oddness.

I think it's down to DNS as, when I have been able to spot anything, I see both my internal Pi-hole and Unbound on the OPNsense box time out on random lookups and then immediately return a response when queried for the same FQDN a second time. I have two Quad9 addresses set in system DNS, one on each gateway, and two Google DNS addresses used as the gateway monitors. DHCP was handing out the Pi-hole and that was using Unbound which in turn used Quad9. I also tried with just Unbound in DHCP but got the same results.

I tried all sorts of rules ahead of the LB Gateway Group rule, to try and force DNS and some specific hosts over the default route/gateway and that seemed to work but didn't cure the oddness. I also force the Xbox out over Zen while the default was via Vodafone and again, that worked, but I couldn't get the Xbox to show "Open-NAT" no matter what I tried and still saw the issues.

My previous firewall was a Meraki MX60, and I was running OPNsense on an old mini-ITX machine as a test (before buying a small fanless "appliance" device to run it on permanently). Other than the issues, I've been really impressed with the functionality of OPNsense, which far exceeds the capabilities of the Meraki.

Earlier today I had the Vodafone swapped with an EE G.fast service, which came with a separate modem that allows me to try PPPoE on both uplinks. I'm back on the Meraki for now but, once the EE service has settled down, I will try OPNsense again to see if dual PPPoE (with no RFC 1918 addressing on a "WAN" port now) makes any difference.