Messages - ark

#1
Quote from: Napsterbater on March 28, 2021, 10:22:00 PM
Quote from: bartjsmit on March 28, 2021, 07:51:56 PM
OPNsense has static routes under System, Routes, Configuration

Do the DNS server and the gateway router have a (static) route back to OPNsense and its clients?
Do you allow TCP and UDP 53 to the DNS server along the path?

Bart...

Also Unbound Access list needs to allow the subnet the request is coming from.

The DNS is served using dnsmasq from Pi-hole, while the DNS server itself resolves domains using Unbound. In the Pi-hole GUI settings there is an option to accept all DNS requests regardless of its port; will that be enough?
#2
Quote from: bartjsmit on March 28, 2021, 07:51:56 PM
OPNsense has static routes under System, Routes, Configuration

Do the DNS server and the gateway router have a (static) route back to OPNsense and its clients?
Do you allow TCP and UDP 53 to the DNS server along the path?

Bart...

I'm afraid I haven't set it up yet. The OPNsense has 2 virtual LAN NICs (separated by VLAN from the VM) and 1 WAN NIC (different port), so I have to set the static route and UDP 53 on OPNsense only, right?

The DNS server only has 1 virtual LAN NIC for segment 192.168.1.x (255.255.255.0). I don't know what the best practice is, or whether I have to set 2 virtual LANs on the DNS server and use only one LAN on the OPNsense?

The OPNsense serves internet from its own WAN port, while the DNS server accesses the internet from its own gateway (192.168.1.x).

#3
I have an OPNsense router box with IP address 192.168.2.1 that acts as internet gateway, and a local DNS server (Linux with Pi-hole and Unbound) with IP address 192.168.1.10.
Both segments are serving different clients since there is another gateway router at 192.168.1.1 (same subnet as my DNS server). The problem is I want my DNS server to serve requests from clients in both segments, but I seem unable to connect to the DNS server from OPNsense. Do I have to add the route in the terminal, or is there a way in the OPNsense GUI to make it work?
Both the OPNsense and the DNS server are running in VMs and using a different VLAN for each subnet.
#4
I think I found the problem: disabling WAN IPv6, and now every time the ISP gateway issues a new IPv4 address it is handled normally (the WAN gateway never had IPv6 anyway). Hopefully this resolves the problem.
#5
After hours of tweaking I finally tried a clean reinstall of OPNsense and configured it just like the previous system... and it works normally again.
I don't know what caused OPNsense in the previous system to fail to resolve some of the hostnames, but for now I'll just take a snapshot of the latest working system and monitor for any weird changes over a few days.
#6
Yesterday, when I tried to connect to several game client platforms I got "cannot connect" or similar errors; some, like the Steam client, can connect after several retries, but most stay unable to connect.

So I tried resolving some of the domains / IP addresses for the servers, and oddly enough it says it cannot resolve the hostname. My DNS / DHCP server is on another VM (Unbound pointed to the root DNS servers, with Pi-hole as DHCP and filtering), so the first culprit is the DNS server...

However, I tried switching my router / gateway to another VM, this time using OpenWRT (I have both OpenWRT and OPNsense on VMs, all using the same IP address, so both VMs never run simultaneously), and all the game clients worked perfectly without a restart; when switching back to OPNsense the problem appeared again. I've used OPNsense for months (switching back and forth with OpenWRT for testing) and this problem only occurred since yesterday.

I tried looking at the firewall log (live view); it seems normal except some IP addresses got a red "Default deny rule" with port 443. Are there any hints on which logs I should look at to find the culprit?

My OPNsense build is pretty basic, no IPS or whatsoever, only:
- FQ CoDel shaper in pipe, queue, and rules for both upstream and downstream.
- Dynamic State Reset active in advanced settings (my ISP changes my private WAN address to the extent of a different subnet, so I get connection problems every weekend; the router itself is connected to the ISP modem in bridged mode. Even after checking that option the problem still persisted).
- Block Private Networks is unchecked (my WAN IP address is still a private IP address).
- GeoIP address set (no aliases or rule set though, and the problem already occurred before I set this up).

Edit: also I noticed when downloading files from some websites, Chrome throws errors like: <filename> can't be downloaded securely, with the option to <Discard> or <Keep>. It didn't behave like this previously.
#7
Sorry to resurrect this thread, but can you share the scripts? I have a similar problem with WAN interfaces that need a restart every week due to subnet changes. Thank you.
#8
After waiting for the next WAN IP refresh, a similar problem still occurred: getting a WAN DHCP address (different subnet) but no internet connection, and only after restarting OPNsense did the internet come back online again.

After this I tried changing some options on WAN:
1. unchecked "block private networks" since my WAN IP address is still a private network (10.x.x.x)
2. checked "enable dynamic gateway policy" (I don't really quite understand this option though)

Hopefully I'll get new results next week when my WAN IP address automatically refreshes from the ISP side.
#9
Thanks, will try that. The results will probably only be seen in another week though, as the WAN only changes IP subnet every weekend.
#10
Hello, I have this weird problem where I lose internet connection every weekend (Saturday or Sunday at a specific time); only after I restart the WAN interface or the router does the problem go away... until next week.

My current configuration is an Intel NUC with a USB EA300 gigabit adapter (RTL8153) as WAN port, virtualized in Proxmox, and OPNsense 20.7.3. WAN is connected to the ISP GPON fiber optic modem (ZTE) in a bridged configuration to bypass NAT. Previously I had a similar problem with snapshot OpenWRT on a Raspberry Pi 4 and the same USB gigabit ethernet. At first I thought it was an unstable USB gigabit ethernet adapter, but this is the 3rd adapter that I've tried and all show the same problem.

When I tried viewing the OPNsense backend log, there was almost no weird log entry during the internet loss, except that during the disconnect I noticed this in the WAN connection:

dhclient[53240] bound to 10.88.138.210 -- renewal in 1800 seconds.
changed to this after restarting the interface
dhclient[66388] bound to 10.88.142.56 -- renewal in 1800 seconds.

It seems that my ISP issues a DHCP refresh every 30 minutes or so, and every week on Saturday or Sunday it changes the subnet segment, and both OpenWRT and OPNsense fail to receive the new IPs. I haven't tried using non-USB ethernet for the WAN port though.

Is there a script to detect a subnet change on WAN and initiate an interface restart?
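As an added example (not a script from this thread or from the OPNsense project), the following POSIX sh sketch shows the detection half of what the post asks for: it pulls the leased address out of two dhclient "bound to" lines of the shape quoted above, computes the network address of each under a given prefix length, and reports whether the lease moved to a different subnet. The two log lines are constructed copies of the ones in the post, and the /22 prefix length is an assumption (the thread never states the ISP's mask); the actual interface restart command is left as a comment because it depends on the platform.

```shell
#!/bin/sh
# Added example: detect a WAN subnet change between two dhclient lease lines.
# Not part of the thread; the prefix length below is an assumed value.

# Dotted-quad IPv4 address -> 32-bit integer (octets are split on '.').
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Network address (as an integer) of address $1 under prefix length $2.
network_of() {
    ip=$(ip_to_int "$1")
    mask=$(( (0xFFFFFFFF << (32 - $2)) & 0xFFFFFFFF ))
    echo $(( ip & mask ))
}

# Extract the leased address from a "dhclient[...] bound to A.B.C.D -- renewal" line.
lease_ip() {
    printf '%s\n' "$1" | sed -n 's/.*bound to \([0-9.]*\) -- renewal.*/\1/p'
}

# True (exit 0) when addresses $1 and $2 fall in different networks under prefix $3.
subnet_changed() {
    [ "$(network_of "$1" "$3")" != "$(network_of "$2" "$3")" ]
}

# Compare two lease lines; returns 0 when a restart is warranted, 1 otherwise.
check_wan() {
    old=$(lease_ip "$1")
    new=$(lease_ip "$2")
    if subnet_changed "$old" "$new" "$3"; then
        echo "WAN subnet changed: $old -> $new (/$3), interface restart needed"
        # Platform-specific restart (e.g. OPNsense's configctl) would go here.
        return 0
    fi
    echo "WAN lease renewed within the same subnet: $old -> $new"
    return 1
}

# Constructed sample lines, copied in shape from the two log entries in the post.
OLD_LINE='dhclient[53240] bound to 10.88.138.210 -- renewal in 1800 seconds.'
NEW_LINE='dhclient[66388] bound to 10.88.142.56 -- renewal in 1800 seconds.'
PREFIX_LEN=22   # assumed WAN prefix length; replace with the ISP's real mask

check_wan "$OLD_LINE" "$NEW_LINE" "$PREFIX_LEN"
```

In practice you would feed `check_wan` the previous lease line you stored at the last run and the newest one from the DHCP client log, and schedule the script from cron; the prefix length matters, since under /16 the two addresses above are the same network and no restart would be triggered.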