Messages - opojomo

#2
SOLUTION:

Set up outbound NAT. For the remote network, an outbound NAT rule must be created in which the NAT address is set to the WAN address.
#3
German - Deutsch / Fritzbox VPN, OPNsense behind it
March 18, 2022, 07:27:24 AM
Hello,

I have a VPN between two Fritzboxes. The addresses of the remote network can be pinged successfully as long as I am connected directly to the Fritzbox.

An OSF sits behind the Fritzbox and should now also allow connections via the Fritzbox (WAN) to the remote network. I have already set this up with rules on the OSF.
If I then run a tracert as a firewall client, the request first goes to the gateway of the interface (which is not the OSF WAN address) and then to the Fritzbox. So far, so good. Unfortunately, the Fritzbox apparently restricts the requests so that it only routes them if the request originates from the OSF WAN address.

Is there a way to achieve this? What would be the procedure? I imagined that all requests the OSF itself cannot answer would be passed on to the Fritzbox with its own WAN address - i.e. the OSF inserts its own IP in between.

Thanks for your support!
#4
Hello all,

In my setup I have an OPNsense with three Ethernet ports. One port is used to connect to the WAN device (FritzBox) and another is connected to my switch, to which all devices are directly or indirectly connected.

This leaves me with one port unused. Is there a possibility to make use of this unused port? I was thinking about connecting it to the WAN device (although the WAN has only 100 Mbit download / 40 Mbit upload), or connecting it to the switch, so traffic can go through both ports (1GB + 1GB = 2GB?)

Very thankful for your help.

Best regards
#5
Hello all,

I have had the following idea and would love to hear from you experts what you think of it.

I have an OPNsense and nine VLANs configured. I want all clients in each VLAN to use Unbound DNS configured in OPNsense and also the NTP service provided by OPNsense.

I created a VLAN [2] called NetServices without DHCP. I created a floating rule including every VLAN interface allowing access to VLAN [2]. In every VLAN DHCP configuration I entered the NetServices address to be used as DNS and NTP.

With this setup, Unbound DNS now only listens on the NetServices address and an nslookup of the OPNsense hostname will only return this address. I did not like it when every client on every subnet could see which subnets are configured inside OPNsense (which happens when Unbound DNS listens on every net).

What do you think? What are your practices?

Best regards
#6
I hope it is okay not to open a new topic for this question.

For network services like DNS and NTP I created a VLAN and interface. With a floating rule I allow all packets from all other nets (all ports, all sources, destination Network Services net). Do you think this is a bad idea?
#7
I tried the following:
- Removed all DNS servers from System > Settings > General
- Firewall rule on network "Private" to allow all packets from Private net to This Firewall
- Added 172.16.1.1 [LAN net ip] as DNS server to DHCP settings of Private net
- Removed Private from Unbound DNS listening networks, leaving it with WAN, LAN

When I apply these settings nslookup returns "Query refused" and I do not understand why.

Quote: Network Interfaces: Interface IP addresses used for responding to queries from clients. If an interface has both IPv4 and IPv6 IPs, both are used. Queries to other interface IPs not selected below are discarded. The default behavior is to respond to queries on every available IPv4 and IPv6 address.

My client on Private net does a "nslookup ecosia.org 172.16.1.1" on port 53 so Unbound DNS should receive a request from Private net ip and answer it, but it doesn't.

EDIT:
I forgot to put 0.0.0.0/0 back into the Unbound DNS access list. Now it is working!
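As an added example (my own code, not from this post, OPNsense or Unbound), a small Python model of the two Unbound settings involved in the "Query refused" above: the listening interfaces (a query to a non-listening interface IP is dropped) and the access list (most specific matching netblock wins, no match means refuse). The addresses other than 172.16.1.1 are constructed, and only the allow and refuse actions are modelled.

```python
import ipaddress

def unbound_decision(client_ip, dest_ip, listen_ips, access_control):
    """Return 'discarded', 'refused' or 'allowed' for a single query.

    listen_ips: interface addresses Unbound is bound to (the "Network
    Interfaces" setting); a query to any other local IP is silently dropped.
    access_control: list of (netblock, action); Unbound applies the most
    specific matching netblock, and a client matching nothing is refused.
    Assumption: only 'allow' and 'refuse' are modelled; the real ACL also
    knows deny, allow_snoop and other actions, which are left out here.
    """
    dest = ipaddress.ip_address(dest_ip)
    if dest not in {ipaddress.ip_address(ip) for ip in listen_ips}:
        return "discarded"          # the client sees a timeout, not a refusal
    client = ipaddress.ip_address(client_ip)
    best = None
    for netblock, action in access_control:
        net = ipaddress.ip_network(netblock, strict=False)
        if client in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    if best is None or best[1] != "allow":
        return "refused"            # rcode REFUSED, shown by nslookup as "Query refused"
    return "allowed"

# Constructed addresses mirroring the post: Unbound listens on WAN and LAN only,
# and the LAN address 172.16.1.1 is handed out as DNS server to the Private VLAN.
LISTEN = ["203.0.113.10", "172.16.1.1"]      # WAN (constructed), LAN (from the post)
PRIVATE_CLIENT = "172.16.20.15"              # host on the Private VLAN (constructed)
PRIVATE_GATEWAY = "172.16.20.1"              # Private interface IP (constructed)

def before_fix():
    """Access list without 0.0.0.0/0: nothing matches the client, so refuse."""
    acl = [("127.0.0.0/8", "allow")]
    return unbound_decision(PRIVATE_CLIENT, "172.16.1.1", LISTEN, acl)

def after_fix():
    """0.0.0.0/0 allow restored: the same query is now answered."""
    acl = [("127.0.0.0/8", "allow"), ("0.0.0.0/0", "allow")]
    return unbound_decision(PRIVATE_CLIENT, "172.16.1.1", LISTEN, acl)

def query_to_unlistened_ip():
    """Asking the Private gateway IP, which Unbound is not bound to: dropped."""
    acl = [("0.0.0.0/0", "allow")]
    return unbound_decision(PRIVATE_CLIENT, PRIVATE_GATEWAY, LISTEN, acl)

def guest_vlan_excluded():
    """Most specific match wins: a narrower refuse overrides the global allow."""
    acl = [("0.0.0.0/0", "allow"), ("172.16.20.0/24", "refuse")]
    return unbound_decision(PRIVATE_CLIENT, "172.16.1.1", LISTEN, acl)
```

The useful diagnostic split is the one the quoted help text hints at: a refused query means the listener was reached but the access list said no, while a timeout points at the query landing on an interface IP Unbound is not bound to.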
#8
Alright, I get it. So in this case every client should use 172.16.1.1 as DNS server, then they could use Unbound DNS which is answering to LAN ip (172.16.1.1).

Maybe a weird question, but... I have port forwarding set for every port 53 dns request from any VLAN to be routed to 172.16.1.1:53 (Unbound DNS), is it true that Unbound DNS will see the client ip as the requesting ip, instead of the opnsense ip (which is port forwarding the request)?

Is there a possibility to configure 172.16.1.1 as DNS for every VLAN/ DHCP at one point or do I have to enter it in every single VLAN/ DHCP setting?

Thanks for your help :)

#9
Yes, all clients will get the gateway IP as DNS. Also I have a port forward for every DNS (Port 53) request to "127.0.0.1". This is working since I can reach all other overwrites I configured.
#10
Hello all,

I am used to access my hosts by their hostname on the local domain, like opnsense.opojomo.local

With OPNsense itself there is something I do not understand. If I try to access opnsense.opojomo.local the IP I get from the DNS (Unbound DNS) is always [when I flush DNS of course] a random gateway (=OPNsense) IP address of one of my VLANs. Thus, if the IP returned by the DNS is not a specific IP [one from a VLAN that shall have access to OPNsense, others must not] I will not get access to OPNsense.

I have set an Unbound DNS override for opnsense.opojomo.local -> 172.16.1.1; still, the IPs my clients get are always different.

How may I resolve this issue?

Thanks in advance for your help!

Best regards