Messages - Peter847

#1
General Discussion / Multi-WAN Setup
August 28, 2024, 05:35:29 PM
I have a simple OPNsense system. One LAN, one WAN connected to a cable modem. My ISP is not very reliable and I want a backup connection for a critical host. I intend to add a 4G modem as WAN1 and follow the directions in the documentation for a multi-WAN setup. However, I only want the one host to fall back to the 4G connection.

In "Step 4 - Policy based routing" it says to change the default LAN pass rule to add the WANGWGROUP as the gateway.  Instead of this I intend to add another rule above this whose source matches my critical host and assign it the WANGWGROUP. 

Will this work?
#2
23.1 Legacy Series / IPv6 Failing on 23.1.1_2
March 02, 2023, 02:43:53 AM
I have just upgraded from version 22 (22.7 I think) and am getting routing error messages every few seconds of the form "cannot forward from fe80::ca56:4eae:27be:12b0 to ff02::1:3 nxt 17 received on em2". To set up IPv6 on version 22 I enabled it on all interfaces and on the firewall, then set the LAN to Track Interface . . . I think! That worked well on version 22; can anyone help solve the problem on version 23?
#3
22.1 Legacy Series / WAN interface fails
July 31, 2022, 07:58:45 PM
I have two OPNsense systems, one connected to an AT&T VDSL gateway and the other to an Xfinity cable gateway. Periodically the WAN interface of each one fails; this seems to be linked to when the provider resets their gateway and/or updates the public IP address. Both OPNsense systems are set up in their gateways' DMZ. It appears that the gateway goes down for a few minutes, usually in the middle of the night, which breaks the WAN/internet communication, but OPNsense does not recover when the internet comes back up. Rebooting OPNsense cures the issue. One system is in Chicago and the other in Boston, but I can only be in one place at a time, hence this is a problem!

As this is the same behavior on two different gateways, I am thinking it is an OPNsense issue. Any thoughts on where I start looking?
#4
General Discussion / Re: Firewall Rule Processing
April 11, 2021, 05:11:48 PM
Many thanks, I will try that.
#5
General Discussion / Firewall Rule Processing
April 10, 2021, 03:05:08 PM
I have a question on how the firewall rules are executed. 

I use a NAT Port Forward to redirect DNS requests from selected devices (using an alias) on my LAN to an external server of my choice. That automatically creates a firewall rule to pass the traffic to the external server. I also want to set up a failover group but leave those devices using the default WAN0, so I have another firewall rule to pass traffic from those devices to the WAN0 gateway. I cannot combine those two rules as I cannot edit the rule linked to the NAT Port Forward.

If I set "Quick" only on the last rule, will both of those rules be executed on a match?
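The question above (and the "more specific rule above the default LAN rule" approach in the Multi-WAN post) both come down to how the packet filter picks a rule. OPNsense uses pf, whose rule is: rules are evaluated top to bottom, the last matching rule wins, unless a matching rule is marked quick, in which case evaluation stops at that rule. Exactly one rule decides a packet; two matching rules are never both "executed". The following is an added example, not code from the thread or from OPNsense, that models that selection in Python. The rule names, the 192.0.2.0/24 addresses and the simplified rule fields are constructed for illustration, and the model ignores the NAT translation step that pf performs before the filter rules run.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    """Simplified firewall rule (hypothetical model, not OPNsense's own schema)."""
    name: str
    action: str                     # "pass" or "block"
    src: str = "any"                # CIDR, single address, or "any"
    dst_port: Optional[int] = None  # None = any destination port
    quick: bool = False             # stop evaluating the ruleset on match
    gateway: Optional[str] = None   # None = use the system default route


@dataclass
class Packet:
    src: str
    dst_port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if the packet's source and destination port satisfy the rule."""
    if rule.src != "any" and ip_address(pkt.src) not in ip_network(rule.src, strict=False):
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(rules, pkt: Packet):
    """pf-style evaluation: walk the ruleset top to bottom. Every matching rule
    is recorded, but only one rule decides the outcome: the last matching rule,
    or the first matching rule flagged quick, which ends evaluation there.
    Returns (name of the winning rule or None, names of all rules that matched)."""
    winner = None
    matched = []
    for rule in rules:
        if matches(rule, pkt):
            matched.append(rule.name)
            winner = rule
            if rule.quick:
                break
    return (winner.name if winner else None), matched


# Constructed ruleset for the DNS-redirect question: the auto-generated pass rule
# linked to the port forward (left non-quick) sits above a quick rule that pins
# the same alias hosts to WAN0; the default LAN rule below uses the failover group.
DNS_RULESET = [
    Rule("nat-linked-dns-pass", "pass", src="192.0.2.0/28", dst_port=53, quick=False),
    Rule("alias-hosts-to-wan0", "pass", src="192.0.2.0/28", quick=True, gateway="WAN0"),
    Rule("default-lan-pass", "pass", src="192.0.2.0/24", quick=True, gateway="WANGWGROUP"),
]

# Constructed ruleset for the multi-WAN question: one critical host gets the
# gateway group via a more specific rule placed above the default LAN pass rule.
MULTIWAN_RULESET = [
    Rule("critical-host-failover", "pass", src="192.0.2.10", quick=True, gateway="WANGWGROUP"),
    Rule("default-lan-pass", "pass", src="192.0.2.0/24", quick=True),
]


def dns_case():
    """Alias host sending DNS: both rules match, but only the quick one decides."""
    return evaluate(DNS_RULESET, Packet("192.0.2.5", 53))


def critical_host_case():
    """Critical host: the specific rule above the default wins."""
    return evaluate(MULTIWAN_RULESET, Packet("192.0.2.10", 443))


def other_host_case():
    """Any other LAN host falls through to the default LAN rule."""
    return evaluate(MULTIWAN_RULESET, Packet("192.0.2.20", 443))


if __name__ == "__main__":
    print("DNS redirect case:", dns_case())
    print("critical host:", critical_host_case())
    print("other host:", other_host_case())
```

In the DNS case the port-forward rule matches first and is remembered, but the quick rule below replaces it as the winner, so the verdict and gateway come from the WAN0 rule alone. Rules created in the OPNsense GUI are quick by default, which is why ordering (specific rule above the general one) rather than combining rules is the usual way to express "these hosts, this gateway".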
#6
General Discussion / Re: DNS Redirect
March 03, 2021, 01:09:49 AM
Ah, yes. One of the posts in pfSense said a port forward should work with an external IP but I couldn't do it. I'll read up on the outbound NAT rules.
#7
General Discussion / Re: DNS Redirect
March 02, 2021, 08:13:07 PM
I think that is pretty much what I have done.  Here is the rule I have created:

Interface: LAN0
TCP/IP Version: IPv4 + IPv6
Protocol: TCP/UDP
(Source) Address: MyDeviceAlias
(Source) Ports: any
(Destination) Address: !LAN0 address
(Destination) Ports: 53 (DNS)
(NAT) IP: MyDNSAlias
(NAT) Ports: 53 (DNS)
Description: Redirect external DNS to Cloudflare DNS

Disable NAT reflection (?). Tried both enable & disable.

If I use 127.0.0.1 as the Redirect Target IP and (say) Cloudflare as the system DNS servers, all works. The DNS calls to Google are caught by the port forward and the address returned comes from the system DNS servers. If I use 1.1.1.1 as the redirect target and Google as the system DNS servers, then the address returned comes from Google, not Cloudflare. So it would appear that if the port forward is listening on the LAN, it cannot redirect to an address on the WAN. I should add that I have recently switched to OPNsense from pfSense. I had the same issue on pfSense but did not have to resolve it until now.
#8
General Discussion / Re: DNS Redirect
March 02, 2021, 04:26:39 AM
Ran another test. 

System DNS servers pointed to Google, port forward pointed to another external DNS server. Reset the hard-coded device and OPNsense; the hard-coded device uses Google servers, not the one in the port forward. It looks like the port forward does not work with an external IP address.

Not sure I understand how inverting the alias that catches the hard-coded devices works?
#9
General Discussion / Re: DNS Redirect
March 01, 2021, 09:00:31 PM
Just to recap here is what I want to do:

    Default: All devices get their DNS servers through DHCP, which points to OPNsense and thereby Unbound.
    Unbound uses DNS servers of my choice, say Google.

    Selected Devices: Their DNS server is hard-coded and needs to be redirected to another DNS server, say OpenDNS.

As for the cache, I always forget to clear it! I'll try again and report back.
#10
General Discussion / Re: DNS Redirect
March 01, 2021, 01:45:33 PM
I do have an alias for those hosts I want to redirect; that catches them and redirects them to loopback, which is then picked up by Unbound. If I invert that alias, then don't I let them go to Google DNS and catch everything else?
#11
General Discussion / DNS Redirect
February 28, 2021, 11:26:26 PM
I am looking for help on how to redirect DNS requests to an external server of my choice.

I have a couple of devices that are hard-coded to Google DNS servers. I can catch those requests with a Port Forward, redirect them to 127.0.0.1 and use Unbound to send them to, for example, OpenDNS. However, that means all of my devices now use OpenDNS. I have tried using the external server IP in the Port Forward instead of 127.0.0.1, but it still redirects to Unbound.

I want to use Unbound to service most of my LAN but redirect a couple of devices to a different DNS server.  Any thoughts on how I do that?