Messages

The guide suggests to do policy-routing for all LAN traffic in step 4. This means any traffic would be sent out to the current upstream gateway (gateway group). Hence you would not be able to reach any internal destination, even not OPNsense itself.
The suggested rule in step 5 would allow DNS only to OPNsense befor this.

If DNS resolution on your internal devices works anyway without it, you either didn't state the gateway in step 4 or your internal devices are not configured to use OPNsense for DNS resolution.

For the time being, I can reach OPNsense dashboard even without the rule, if I exactly got what you meant about this point.
As for DNS resolution I set up Unbound for DoT DNS. I also set up NAT rules for DNS redirection and even block DoH DNS queries from LAN clients.
Maybe I missed something here.
Thanks

[(step 5)]

Hi everyone,

I set up a dual WAN failover on my OPNsense machine (it actually runs in a Proxmox VM) by following the official guide here:

https://docs.opnsense.org/manual/how-tos/multiwan.html

It suggests to add an allow rule (step 5) for DNS traffic "to make sure traffic to and from the firewall on port 53 (DNS) is not going to be routed to the Gateway Group". However, I didn't add it and everything works fine nonetheless; no problem with internet traffic.

Could anyone please tell me why?
Thanks

The release notes for 25.7.8 have an important note:

https://forum.opnsense.org/index.php?topic=49869.0

The Unbound blocklists feature formerly known as a business feature is
now a community feature.  Since this required merging both the existing
community one with the business one you need to make sure to reapply the
blocklist settings after the reboot since it will not generate a new and
possibly incompatible format.  Make sure to check your automatically
migrated settings while at it.

Maybe this is it?

My blocklist is disabled at the moment, if I got what you mean.
Thanks

In general it doesn't. I run it at multiple offices and an entire data centre with that setting and no problems at all.

Something about your configuration must be unusual. Still pondering what that might be. Did you change the interfaces setting for Unbound, possibly? Something in private networks?

I read about another user on Reddit who is dealing with the same issue as mine. Anyway, I've never complained about OPNsense, but I have already run across a couple of problems with the last version.

I realized that Unbound, in this scenario (without checking the "use name server" button), works intermittently and unpredictably.

Then probably enable:

Services > Unbound DNS > Advanced > Log SERVFAIL

Ok, I can see something as I ran a query:

Then probably enable:

Services > Unbound DNS > Advanced > Log SERVFAIL

Ok, I started seeing something as I ran a query:



Thanks

Look at the Unbound log files for the cause of the SERVFAIL - how often do I need to repeat this?

I looked at both the Unbound log files and the firewall log. There is nothing meaningful. Even no log entries in the Unbound log files. The firewall lets queries PASS.

Thanks

As I wrote: investigate the cause of the SERVFAIL by looking at the log files.

If I set "Use System Nameservers" in the Query Forwarding settings, it works but I don't think Unboud is working properly this way.
Thanks

Probably local resolution fails entirely. You need to investigate the logfiles to find the cause of that SERVFAIL.

Your browsers continue to work because modern browsers implement their own methods of name resolution.

Yes, I found out that I can browser websites via Firefoxr because I had cloudflare DOT activatet on it.
But if I disabled it, I have the same problem. So, there is definitely something wrong with the DNS requests to Unbound.
But what exactly?

Thanks

 Hi,

OPNsense 25.7.8 runs as a VM in my Proxmox machine. I ran across a strange behavior of Unbound: my hosts behind OPNsense still have internet access and get their DNS queries resolved by Unbound if I simply uses the browser, but if I ping a website, say, google.com in the prompt command it doesn't get resolved.

I saw the logs in Reporting: Unbound DNS, and noticed that the requests from the hosts got dropped:



 Could you please help understand why it happens and how to fix it?

Thanks

Hi everyone,

I have set a virtual LAB UP in eve-ng, I gave the OPNSense 25.1 High High Availability a go for the first time, before deploying them in a production environment.
Here is what I got at the end of the setup:

Node1 (master)


Node2 (backup)


Not an expert here, but I think that WAN and LAN should should be both in master status.
In order to fix it, I also tried to tinker with the advskew: I set 101 on the master and 100 on the backup node, I rebooted but nothing changed.

How can I fix it?
Thanks

Hi everyone,
I have set a Dual-WAN failover up on my OPNsense v. 24.7.8. The WAN1 gets a static IP, while WAN2 is under NAT and gets a dynamic IP.
As long as the WAN1 is up, the external PC connected to OPnsense via a Road Warrior Wireguard tunnel can reach the LAN behind OPNsense, but if WAN1 goes down there is no connection anymore (only the devices behind OPNsense can go to internet via WAN2..as expected).
I set up monitoring on the WAN interfaces as well as "Allow default gateway switching", but Wireguard still doesn't work via WAN2.
Any suggestions please?
Thanks

It would also be possible if both have the same though, but then they need different LAN IPs and you can only connect a single WAN of OPNsense to them, means you need also a switch between the devices.

I don't think that I've understood what you mean above.
Thanks

anyone?

Hi everyone,

I was wondering if it is possible to set up a dual WAN failover where both WANs have the same gateway.
This could be the case if you have two modems/routers and two connection lines from the same ISP (or they could be different for that matter), and you put an OPNsense device behind them to better manage and protect your network.

Is it possible in OPnsense? Could there be some problems?
Thanks