Messages - MrBee

#1
Late to the party, but I've been working my way through this issue the last few days, and finally got it working:
- wireguard connection up, routing only hosts I want across this interface
   - no DNS leaks
- all LAN hosts (wireguard routed, and non-wireguard routed) able to resolve local DNS
- DHCP handing out the router's ip as DNS to all hosts

Had to jump through a few hoops here though. I can go into detail if anyone's interested, but to get this to work:
- Unbound running on router
- two PiHole instances running as hosts (one for wireguard hosts, one for non-wireguard hosts)
- DNS path for wireguard hosts: HOST -> Router(LAN interface) -> Pihole#1 -> Wireguard Interface
- DNS path for NON-wireguard hosts: HOST -> Router(LAN interface) -> Pihole#2 -> Unbound(Router) -> WAN
- I wrote a shell script that I have running on OPNsense as a cron job every minute, it:
   - creates a list of LAN IPs / hostnames from Unbound's conf file: dhcpleases.conf and host_entries.conf
   - takes that list and formats them into a new file called custom.list - <ip address> <hostname>
   - copies custom.list to Pihole#1 - Pihole scrapes custom.list for local dns entries

The result of all this is that local DNS gets resolved by Pihole#1 for wireguard routed hosts.
Also a bunch of firewall rules to make it all work.
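As an added example (not MrBee's script), here is one way to do the cron job's conversion step: read Unbound local-data lines and emit a Pi-hole custom.list in "<ip> <hostname>" form. It assumes dhcpleases.conf and host_entries.conf hold lines of the form local-data: "<name>. IN A <ip>" (AAAA and local-data-ptr lines are skipped); the sample input and file paths are constructed.

```shell
#!/bin/sh
# Added example: build a Pi-hole custom.list from Unbound local-data lines.
# Assumed input format (constructed sample, not a real OPNsense dump):
#   local-data: "<name>. IN A <ip>"
UNBOUND_SAMPLE='local-data: "host1.mylocaldomain.com. IN A 192.168.1.101"
local-data: "host1. IN A 192.168.1.101"
local-data-ptr: "192.168.1.101 host1.mylocaldomain.com"
local-data: "printer.mylocaldomain.com. IN AAAA fd00::1"
local-data: "nas.mylocaldomain.com. IN A 192.168.1.50"
local-data: "nas.mylocaldomain.com. IN A 192.168.1.50"'

# Print "<ip> <hostname>" for every A record in the given Unbound text.
# Trailing dots are stripped and duplicates collapsed; AAAA/PTR lines are ignored.
unbound_to_custom_list() {
    printf '%s\n' "$1" | awk '
        $1 == "local-data:" {
            rec = $0
            sub(/^local-data:[ \t]*"/, "", rec)   # drop keyword and opening quote
            sub(/"[ \t]*$/, "", rec)              # drop closing quote
            n = split(rec, f, " ")
            if (n == 4 && f[2] == "IN" && f[3] == "A") {
                name = f[1]
                sub(/\.$/, "", name)              # "host1." -> "host1"
                print f[4] " " name
            }
        }' | LC_ALL=C sort -u
}

# Write the list atomically (temp file + mv) so a Pi-hole reload racing the
# every-minute cron never reads a half-written custom.list.
write_custom_list() {
    # $1: Unbound text   $2: destination path
    tmp="$2.tmp.$$"
    unbound_to_custom_list "$1" > "$tmp" && mv "$tmp" "$2"
}

# Typical use on the router (UNBOUND_DIR and the scp target are placeholders):
#   write_custom_list "$(cat "$UNBOUND_DIR"/dhcpleases.conf "$UNBOUND_DIR"/host_entries.conf)" /tmp/custom.list
#   scp /tmp/custom.list pihole1.example:/etc/pihole/custom.list
```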
#2
I've read a few other posts with this issue, but I can't get it working. Posting new as the other posts were pretty old.

I've created an alias for a local server: host1alias
It's an alias for: host1.mylocaldomain.com (I've also tried just "host1")

I'm able to ping this host via the hostname, or the hostname + domain, from every other host on my LAN. E.g., I can ping "host1" or "host1.mylocaldomain.com" from every PC on my LAN, including from the OPNsense shell.

I use Unbound on OPNsense, with Pihole downstream up-stream handling all LAN DNS queries, then forwarding them down-stream to Unbound running on my OPNsense node. This all works great.

But for some reason, when I use the alias mentioned above in a Firewall rule, the traffic is blocked. I set up a port forward for port 1234 on my WAN address, to forward to port 1234 on "host1alias" - does not work.

When I change the alias to use the IP address, everything works fine. Others have this working, hoping for some insight. Thanks.
#3
21.7 Legacy Series / Re: Gateway Loss / Health
September 06, 2021, 05:01:36 PM
I just checked on errors or collisions for both interfaces -- all 0's.
If there were errors / collisions at one point, would they be reset back to 0 after some time?
#4
21.7 Legacy Series / Re: Gateway Loss / Health
September 06, 2021, 04:28:14 PM
Hey thanks for the response.

I checked the bandwidth graphs, and don't see a correlation.

I suppose next time it's happening I should call my ISP and have them do some diagnostics.

I was thinking about backing up my OPNsense settings, and putting pfSense back on to see if that changes anything.
#5
21.7 Legacy Series / Gateway Loss / Health
September 05, 2021, 05:16:31 PM
Hi there, a few questions about gateway loss / health.

I upgraded my internet connection at home, because of this my ISP gave me a new modem (I'm now on a gigabit connection). I used to run pfSense on a mini ATX Intel embedded board - dual NICs, etc..
Soon after getting the gigabit connection, I realized my router setup wasn't fast enough to get full gigabit speeds (processors were too slow). I bought a Protectli box which I installed OPNsense on (this is my current setup).
Problem solved, I'm able to get full gigabit speeds.

The issue I'm having is intermittent gateway loss (50-98%). When this loss percentage ramps up, the internet is barely usable.

Two things changed before this started happening: 1) new modem from my ISP, and 2) new router, now running OPNsense.

Are there any known issues with OPNsense and gateway loss? Or is this probably an issue on my ISP's end?

If I'm home when it's happening, I can power cycle my modem and the problem seems to resolve. If I'm travelling, and trying to use my Plex server (for example), it's unusable until the issue resolves itself -- which can take hours.

I've attached an image of the health report graph available in OPNsense.

If anyone has any ideas or suggestions, I'd love to hear them.

Thanks.
#6
Hi thanks for the reply.

I'm not seeing Router Advertisements under Services.
Looked around other places, but not seeing it anywhere.
#7
Hi all, I'm not sure what's happening here. I recently got new hardware for OPNSense, and I started from scratch in getting my router set up again.

I'm using Pi-Hole on a VM, and Unbound on OPNSense (not in forwarding mode).
I have port-forwarding rules to send all DNS traffic not destined for the Pi-Hole VM, to the Pi-Hole VM.
I have the IP address (192.168.1.101) of the Pi-Hole VM set as my DNS address in the DHCPv4 settings (on the LAN interface).
I am not allowing DNS to be overwritten from WAN DHCP (Settings->General).

The idea: all DHCP hosts on my network get the Pi-Hole address as their DNS server; the Pi-Hole, in turn, forwards valid requests to OPNSense, and OPNSense then resolves the requests. If it's some tricky LAN host that's trying to use its own hardcoded DNS, it'll get forwarded to the Pi-Hole due to the port-forwarding rules.

On my old setup this worked perfectly, and as far as I can tell I've got it set up the same way now.

The way I would test it before is shut down the Pi-Hole VM and I wouldn't be able to resolve any websites (which makes sense because the Pi-Hole was shut off).

I just tried that same test now that I've got my new OPNSense hardware running, and to my surprise, I was able to resolve websites with the Pi-Hole shut down.

I checked my IP Settings -> ipconfig /all on the Windows machine I was testing from. The DNS servers listed were:
192.168.1.101 (as expected from the OPNSense DHCP server)
two IPv6 addresses (no idea where these are coming from)

It seems DNS requests are being handled by whatever those IPv6 addresses are.

The problem is, I have no idea how my Windows machine is getting these as DNS servers. I triple checked the DHCP server, they're not listed there.

Any ideas on this one? I'm not sure what I'm missing.

Thanks!

Edit: I should mention that the IPv6 DNS server my LAN hosts are getting is my OPNSense box's IPv6 address on its LAN interface. I just did a "what's my DNS server" test from one of those websites, and it's my public IPv4 address that's being shown as my DNS server. So, my OPNSense Unbound instance is doing the resolving.