Messages - 01cooperl

#1
Ok, I got it working now...

Really odd behaviour, but I rebooted my Opnsense machine several times in the hope this would resolve the issue. So now I power-cycled all switches and Opnsense (powered down and back up), and now I'm successfully getting DHCP allocations on the .30 subnet.

Thanks all for your help and replies!
#2
No problem, Cyberloard.

I checked the config again in the GUI, but I cannot seem to find a way of getting debug-level logging for DHCPv4. If there is a way, please let me know.

FWIW, before I found this issue, I performed a fresh install of Opnsense a few days ago to resolve an issue with Suricata dumping huge logs to disk and locking up the router. I restored the configuration from a backup. I also greatly reduced the rulesets for Suricata and installed Zenarmor. Not sure if any of this is relevant, but I thought I would add it.
#3
Do you know where I can change the log level to "Debug"? I can only find the log level option for IPv6 DHCP.
#4
From the ISC DHCPv4 page for that interface:
The DHCP server is enabled
Deny unknown clients > unchecked
Ignore Client UIDs > unchecked
Subnet > 192.168.30.0
Subnet mask > 255.255.255.0
Available range > 192.168.30.1 - 192.168.30.254
Range > 192.168.30.100 - 192.168.30.200
All other configuration is blank/not filled in

This mirrors the configuration for the IOT interface but with 10 as the subnet
#5
Looking at the DHCP logs on Opnsense I can see the following (vlan0.30 is the Cameras VLAN):
DHCPDISCOVER from [IP CAM MAC ADDRESS] via vlan0.30

I also tried assigning the Unifi port to the IOT VLAN to compare, and the following appeared in multiple entries in the logs (em2_vlan10 is the IOT VLAN):
DHCPDISCOVER from [IP CAM MAC ADDRESS] via em2_vlan10
Then a second later:
DHCPOFFER on 192.168.10.138 to [IP CAM MAC ADDRESS] via em2_vlan10
DHCPREQUEST for 192.168.10.138 (192.168.10.1) from [IP CAM MAC ADDRESS] via em2_vlan10
DHCPACK on 192.168.10.138 to [IP CAM MAC ADDRESS] via em2_vlan10

I cannot see what config differences there are to cause the differing behaviour here.
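Added example, not part of the thread and not OPNsense code: a small Python script that folds ISC dhcpd log lines of the shape quoted in the post above into per-client, per-interface DISCOVER/OFFER/REQUEST/ACK counters and lists the clients that were heard on an interface but never offered a lease there. A DISCOVER logged "via vlan0.30" means the frame reached dhcpd on that interface, so silence after it narrows the problem to the server side. The syslog prefix, MAC addresses, timestamps and the final "no free leases" line in the sample are constructed; the optional "(hostname)" after the MAC and the trailing ": reason" on a DISCOVER are ISC output shapes the parser tolerates even though the post does not show them.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Message shapes follow ISC dhcpd's syslog output as quoted in the post. The optional
# "(hostname)" after the MAC and a trailing ": <reason>" on DISCOVER are accepted too.
MAC = r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
HOST = r"(?: \([^)]*\))?"
IFC = r"via (?P<ifc>[^\s:]+)"
PATTERNS = {
    "DISCOVER": re.compile(rf"DHCPDISCOVER from {MAC}{HOST} {IFC}(?::\s*(?P<reason>.+))?$", re.I),
    "OFFER":    re.compile(rf"DHCPOFFER on (?P<ip>\S+) to {MAC}{HOST} {IFC}", re.I),
    "REQUEST":  re.compile(rf"DHCPREQUEST for (?P<ip>\S+)(?: \((?P<server>\S+)\))? from {MAC}{HOST} {IFC}", re.I),
    "ACK":      re.compile(rf"DHCPACK on (?P<ip>\S+) to {MAC}{HOST} {IFC}", re.I),
    "NAK":      re.compile(rf"DHCPNAK on (?P<ip>\S+) to {MAC}{HOST} {IFC}", re.I),
}

@dataclass
class Exchange:
    """Counters for one (client MAC, server interface) pair."""
    discovers: int = 0
    offers: int = 0
    requests: int = 0
    acks: int = 0
    naks: int = 0
    offered_ips: list = field(default_factory=list)
    reasons: list = field(default_factory=list)   # dhcpd's own explanation, if it gave one

def parse_line(line):
    """Return (kind, fields) for a dhcpd protocol message, or None for any other line."""
    for kind, pat in PATTERNS.items():
        m = pat.search(line)
        if m:
            return kind, m.groupdict()
    return None

def track(lines):
    """Fold log lines into {(mac, ifc): Exchange}."""
    state = defaultdict(Exchange)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, f = parsed
        ex = state[(f["mac"].lower(), f["ifc"])]
        if kind == "DISCOVER":
            ex.discovers += 1
            if f.get("reason"):
                ex.reasons.append(f["reason"])
        elif kind == "OFFER":
            ex.offers += 1
            ex.offered_ips.append(f["ip"])
        elif kind == "REQUEST":
            ex.requests += 1
        elif kind == "ACK":
            ex.acks += 1
        elif kind == "NAK":
            ex.naks += 1
    return dict(state)

def unanswered(lines):
    """Clients whose DISCOVERs reached dhcpd on an interface but never drew an OFFER there.
    The 'via X' in the DISCOVER line means the frame arrived on X, so a missing OFFER points
    at the server side (pool, subnet/interface binding) rather than at the switch."""
    return {k: v for k, v in track(lines).items() if v.discovers and not v.offers}

# Constructed sample modelled on the lines quoted in the post; MACs, timestamps and the
# pool-exhaustion line are made up so that every code path is exercised.
SAMPLE_LOG = """\
Jan 14 10:02:11 opnsense dhcpd[1234]: DHCPDISCOVER from aa:bb:cc:dd:ee:01 via vlan0.30
Jan 14 10:02:15 opnsense dhcpd[1234]: DHCPDISCOVER from aa:bb:cc:dd:ee:01 via vlan0.30
Jan 14 10:03:40 opnsense dhcpd[1234]: DHCPDISCOVER from aa:bb:cc:dd:ee:01 via em2_vlan10
Jan 14 10:03:41 opnsense dhcpd[1234]: DHCPOFFER on 192.168.10.138 to aa:bb:cc:dd:ee:01 via em2_vlan10
Jan 14 10:03:41 opnsense dhcpd[1234]: DHCPREQUEST for 192.168.10.138 (192.168.10.1) from aa:bb:cc:dd:ee:01 via em2_vlan10
Jan 14 10:03:41 opnsense dhcpd[1234]: DHCPACK on 192.168.10.138 to aa:bb:cc:dd:ee:01 via em2_vlan10
Jan 14 10:05:02 opnsense dhcpd[1234]: DHCPDISCOVER from aa:bb:cc:dd:ee:02 via vlan0.30: network 192.168.30.0/24: no free leases
""".splitlines()

if __name__ == "__main__":
    for (mac, ifc), ex in unanswered(SAMPLE_LOG).items():
        why = "; ".join(ex.reasons) or "no reason logged"
        print(f"{mac} via {ifc}: {ex.discovers} DISCOVER, 0 OFFER ({why})")
```

Feed it the lines of the DHCP log (for example copied from the GUI log view); a client that shows up with DISCOVERs and no OFFER on one interface while completing the full exchange on another, as in the post, is exactly what `unanswered()` is meant to surface.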
#6
Thanks for the reply EricPerl.

Yes, I've enabled ISC, as it comes up under ISC DHCPv4 as an entry and the DHCP server is enabled on the interface. I've checked the configuration via the Opnsense UI and it seems to mirror the configuration I have for the IOT VLAN, which works as expected.

As I understand it for Unifi switches, "Native" means untagged, but I'm happy to be corrected on this.

So are you suggesting that all traffic is therefore on a VLAN and nothing should therefore hit the physical LAN interface on Opnsense?
#7
Hi all,

I recently performed a fresh install of Opnsense using a config backup, mainly because Suricata was creating huge log files (99G files within 10 mins). I have since tried to create a VLAN for a set of new IP cameras; however, they are unable to get an IP from the DHCP server for the new VLAN which has been set up (with VLAN tag 30). I have configured my Unifi Lite 8 POE in the same way I have configured my other two VLANs. See below for a summary of the set-up.
I have tried rebooting Opnsense, re-creating the VLAN with a different ID, and temporarily opening up the firewall to see if it is a firewall issue, but all to no avail.

Unifi switch set-up for IP cam ports:
VLANs
1=Default > Blocked
10=IOT > Blocked
20=PCs > Blocked
30=Cameras > Native

VLANs for Trunk port to Opnsense:
1=Default > Native
10=IOT > Tagged
20=PCs > Tagged
30=Cameras > Tagged

Opnsense and a few other devices are on the physical LAN using a .68 subnet; however, all the traffic runs through this Unifi switch.

Any ideas to help would be greatly appreciated. I'm hoping I don't need to yet again wipe and start again!
#8
In addition to this, I have tried disabling the block rules on the LAN network that stop non-Unbound DNS traffic from being passed, to see if this allows me to successfully specify a DNS server on a device. However, this does not work either.

I'm clearly missing something here, but I'm not sure what.
#9
Hi all,

I have had Unbound DNS configured for some time now and it has worked well for my use case, with all devices in the home using Unbound. This includes firewall rules to block devices using internal/external DNS addresses other than the OpnSense address.

I now have a device which requires the use of a specified DNS server, and this is now a problem as all traffic is only allowed using the local DNS address. I have tried applying a NAT port-forwarding rule to resolve this, as well as trying query forwarding in the Unbound DNS UI, both with no luck.

Port forwarding attempt (referencing https://forum.opnsense.org/index.php?topic=21814.0):
Interface: LAN / VLAN xx
Protocol: TCP/UDP
(Source) Address: ALIAS_HOSTS_DNS_REDIR
(Source) Ports: *
(Destination) Address: !This Firewall
(Destination) Ports: 53 (DNS)
(NAT) IP: specified external DNS IP
(NAT) Ports: 53 (DNS)
Description: Redirect external DNS to specified external DNS

How can I get this working so that an external DNS IP can be successfully used for specific devices/IPs?

Thanks
#10
I've followed the guide to install AdGuard using the repo and it works great. The problem is that my Unraid server cannot update its Docker containers. I have tried to specify a port-forwarding rule just for the Unraid server to send the traffic to port 5353 on the Unbound server, effectively bypassing AdGuard; however, it seems to direct all traffic on the network to Unbound. See the additional rule I set up and moved before the other rule in the guide:

Interface: LAN
Protocol: TCP/UDP
Destination / Invert: Ticked
Destination: UnraidServerIP
Destination port range: From: DNS - To: DNS
Redirect target IP: 127.0.0.1
Redirect target port: 5353
Description: Bypass AdGuard for unraid server
NAT Reflection: Disable
What am I doing wrong? How can I achieve forwarding traffic to AdGuard with the exception of a single IP which doesn't need to go through AdGuard?
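Added example covering the NAT rules in posts #9 and #10; it is not code from OPNsense or from the thread. It is a Python model of how pf, the packet filter OPNsense uses, evaluates port-forward (rdr) rules: the first matching rdr wins, and the filter rules then run against the already-translated packet. The model shows why a bypass rule keyed on an inverted destination catches every DNS query on the LAN, how the same rule keyed on the source address behaves, and how a "block DNS to anything but the firewall" rule can discard a query that has just been redirected to an external resolver. All addresses are constructed; "This Firewall" is reduced to two of the firewall's own addresses; the AdGuard guide's rule is assumed to be a destination-inverted redirect to 127.0.0.1:53; and the filter stage is simplified to first-match (every rule "quick", the OPNsense default). Whether that block rule is really what stops the redirect in post #9 depends on the actual rule order, which the post does not show.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

Packet = namedtuple("Packet", "iface proto src dst dport")
Rdr = namedtuple("Rdr", "name match to_ip to_port")   # a port-forward (pf rdr) rule
Rule = namedtuple("Rule", "name match action")        # a filter rule: "pass" or "block"

def _addr_hit(spec, ip, invert):
    """spec is "any", one ip/cidr, or a tuple of them (an alias). True when ip lies
    inside spec, or outside it when invert is set (pf's '!' operand)."""
    if spec == "any":
        hit = True
    else:
        nets = (spec,) if isinstance(spec, str) else spec
        addr = ipaddress.ip_address(ip)
        hit = any(addr in ipaddress.ip_network(n, strict=False) for n in nets)
    return hit != invert

@dataclass(frozen=True)
class Match:
    iface: str = "any"
    proto: str = "any"
    src: object = "any"
    src_invert: bool = False
    dst: object = "any"
    dst_invert: bool = False
    dport: int = None

    def hits(self, p):
        return (self.iface in ("any", p.iface) and self.proto in ("any", p.proto)
                and _addr_hit(self.src, p.src, self.src_invert)
                and _addr_hit(self.dst, p.dst, self.dst_invert)
                and (self.dport is None or self.dport == p.dport))

def translate(rdrs, p):
    """pf rdr semantics: the FIRST matching port-forward wins."""
    for r in rdrs:
        if r.match.hits(p):
            return Packet(p.iface, p.proto, p.src, r.to_ip, r.to_port), r.name
    return p, None

def decide(rules, p):
    """Filter stage. pf applies rdr before filtering, so rules see the translated
    destination. Modelled as first-match, i.e. every rule 'quick' (OPNsense default)."""
    for r in rules:
        if r.match.hits(p):
            return r.action, r.name
    return "block", "default deny"

def trace(rdrs, p, rules=None):
    """Run one packet through the rdr list and, if given, the filter list."""
    tp, rname = translate(rdrs, p)
    out = {"rdr": rname, "to": f"{tp.dst}:{tp.dport}"}
    if rules is not None:
        out["action"], out["filter"] = decide(rules, tp)
    return out

# Addresses below are constructed for the example. "This Firewall" is reduced to two of
# the firewall's own addresses, and the AdGuard guide's rule is an assumed shape.
THIS_FIREWALL = ("192.168.68.1", "127.0.0.1")
UNRAID, PC, DNS_REDIR_HOST = "192.168.68.50", "192.168.68.20", "192.168.68.77"
EXTERNAL_DNS, PUBLIC_RESOLVER = "9.9.9.9", "8.8.8.8"

ADGUARD_RULE = Rdr("Redirect all DNS to AdGuard (assumed guide rule)",
                   Match(iface="lan", dst=THIS_FIREWALL, dst_invert=True, dport=53), "127.0.0.1", 53)
# Post #10 as written: inverted DESTINATION, so it hits every query not sent to Unraid.
RDR_AS_POSTED = [Rdr("Bypass AdGuard for unraid server (as posted)",
                     Match(iface="lan", dst=UNRAID, dst_invert=True, dport=53), "127.0.0.1", 5353),
                 ADGUARD_RULE]
# Same intent keyed on the SOURCE address, still placed first.
RDR_BY_SOURCE = [Rdr("Bypass AdGuard for unraid server (source match)",
                     Match(iface="lan", src=UNRAID, dport=53), "127.0.0.1", 5353),
                 ADGUARD_RULE]
# Post #9: redirect one alias member to an external resolver, behind a rule that
# blocks DNS to anything but the firewall.
RDR_EXTERNAL = [Rdr("Redirect external DNS to specified external DNS",
                    Match(iface="lan", src=DNS_REDIR_HOST, dst=THIS_FIREWALL, dst_invert=True, dport=53),
                    EXTERNAL_DNS, 53)]
BLOCK_ONLY = [Rule("Block DNS to anything but the firewall",
                   Match(iface="lan", dst=THIS_FIREWALL, dst_invert=True, dport=53), "block"),
              Rule("Allow LAN to any", Match(iface="lan"), "pass")]
WITH_EXCEPTION = [Rule("Allow alias host to the external resolver",
                       Match(iface="lan", src=DNS_REDIR_HOST, dst=EXTERNAL_DNS, dport=53), "pass")] + BLOCK_ONLY

def pc_query():     return Packet("lan", "udp", PC, PUBLIC_RESOLVER, 53)
def unraid_query(): return Packet("lan", "udp", UNRAID, PUBLIC_RESOLVER, 53)
def alias_query():  return Packet("lan", "udp", DNS_REDIR_HOST, PUBLIC_RESOLVER, 53)

if __name__ == "__main__":
    for label, rdrs in (("as posted", RDR_AS_POSTED), ("by source", RDR_BY_SOURCE)):
        print(f"{label}: PC -> {trace(rdrs, pc_query())['to']}, Unraid -> {trace(rdrs, unraid_query())['to']}")
    print("post #9, block only:", trace(RDR_EXTERNAL, alias_query(), BLOCK_ONLY))
    print("post #9, with pass :", trace(RDR_EXTERNAL, alias_query(), WITH_EXCEPTION))
```

With the destination-inverted rule, both the PC and the Unraid box land on 127.0.0.1:5353, because neither sends its DNS query to the Unraid address. Matching on the source instead sends only Unraid past AdGuard. For the post #9 shape, the redirected packet leaves the rdr stage addressed to the external resolver, which is precisely what a "not This Firewall, port 53" block rule is written to catch, so a pass rule for that source and translated destination has to sit above it.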