Messages - dodgeboy

#1
Excellent!  Thank you for the clarification.  I saw step 5, but missed the explanation.  I think this finally solves it for me.  I appreciate everyone's help!
#2
If this is a standard setup for Multi-WAN, which is the guide(s) I followed when I originally configured it years ago, why is it causing this behavior?  I can consistently reproduce the behavior by enabling the gateway group on a rule, and it goes away when I remove it.  Is it a bug?
#3
Logging is enabled for every FW rule and every NAT/Port Forward rule until I get this figured out. 

I had a bit of a "breakthrough" this evening.  I created a new LAN FW rule and put it above my standard outbound permit rule so I would hit this specific FW rule when testing DNS.

Protocol  Source      Port  Destination    Port      Gateway             Schedule  Description
IPv4 UDP  10.0.0.170  *     This Firewall  53 (DNS)  *                   *         Laptop to FW DNS
IPv4      *           *     *              *         Cable_and_Cellular  *         Inside out permit

With this rule in place, DNS behaves as it should.  It times out when unbound is disabled, and it resolves when it is enabled.  So I started looking into what was different between this specific rule and my normal inside out permit rule.  The difference, and the trigger for this condition, is the gateway.  If I have the gateway set to default (*), it behaves as it should.  If I set the gateway to my "Cable_and_Cellular" group, it does the weird redirect.  The gateway group exists so that my traffic will failover to my cellular gateway (external to OPNsense) if my main internet fails.  This works flawlessly.  I attached screenshots of my gateway and gateway group configuration.  What about this configuration would cause this behavior?  I don't see anything that would cause it. 

#4
Thank you. Reflection is disabled, and after scanning through the NAT rules in the diagnostics section there is nothing there redirecting port 53. I really thought the diagnostic screen was going to show a translation that I didn't see in the configuration. The mystery continues.
#5
I don't disagree that a NAT port forward on the LAN would produce identical symptoms, and that is exactly how my firewall is behaving.  However, I don't have a port forward rule on the LAN for port 53... at least not one that shows up in the NAT > Port Forward menu.  Is there another location for configuring port forwarding?

The purpose of my DNS port forward on the WAN interface is to redirect inbound DNS requests on the WAN VIP to a DNS server in my DMZ without consuming a public static IP address for this purpose.  If I disable that rule it stops inbound DNS requests to that server and does not change the redirect behavior that we are troubleshooting on the LAN.  The WAN port forward rule does have logging enabled.

Here are my port forward rules:

Interface  Proto    Source Address  Source Ports  Dest Address  Dest Ports  NAT IP          NAT Ports  Description
WAN        TCP      *               *             [WAN VIP]     8989        [DMZ Host IP]   80 (HTTP)
LAN WAN    UDP      *               *             [WAN VIP]     42000       [DMZ Host IP]   42000
WAN        TCP/UDP  *               *             [WAN VIP]     53 (DNS)    [DMZ Host IP]   53 (DNS)   Backup public DNS
WAN        TCP      *               *             [WAN VIP]     33123       [DMZ Host IP]   33123
WAN        TCP      *               *             [WAN VIP]     33124       [DMZ Host IP]   33124

Is there a command, like sockstat, which shows all ports the firewall is redirecting?
#6
I'm just as baffled as you.  The behavior makes no sense to me. 

I attached a screenshot of the live log of the DNS request with my static public IP obfuscated.  192.168.254.249 is the IP of OPNsense.  The transaction with the DNS server itself isn't recorded in the log. 

If I use the interface diagnostics to do a DNS lookup, it times out if I specify the FW as the DNS server, but it succeeds if I leave it blank, which uses the general system-specified DNS servers.  If I enable Unbound, it succeeds if I specify the FW as the server.  The fact that it fails when Unbound is disabled is the first part of this scenario that has made sense to me.

I do have a NAT port forward for TCP/UDP 53 on the WAN, but not the LAN.  Disabling that port forwarding rule does not change the behavior.  There are no other NAT port forwarding rules for port 53.

I feel like in this scenario I could benefit from something similar to the packet tracer feature on older Cisco ASAs.  You could simulate a packet and it would show every nat/fw rule it would hit in the firewall. 
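A small first-match simulation of the LAN rule table from post #3, in the spirit of the "packet tracer" wished for in post #6. This is an added example, not the poster's code and not an OPNsense tool; it assumes OPNsense's top-down, first-match ("quick") rule evaluation, models only protocol/address/port matching, and treats the "This Firewall" alias as resolving to the OPNsense IP 192.168.254.249 from post #6.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed alias table: "This Firewall" is OPNsense's alias for the box's own
# addresses; 192.168.254.249 is assumed here to be its LAN address (post #6).
ALIASES = {"This Firewall": {"192.168.254.249"}}

@dataclass
class Rule:
    proto: str        # "UDP", "TCP", "TCP/UDP" or "*"
    src: str
    dst: str
    dst_port: str     # "53" or "*"
    gateway: str      # "*" = system routing table, else policy routing
    description: str

def _match_addr(field: str, addr: str) -> bool:
    return field == "*" or addr in ALIASES.get(field, {field})

def _match_proto(field: str, proto: str) -> bool:
    return field == "*" or proto in field.split("/")

def first_match(rules, proto, src, dst, dst_port) -> Optional[Rule]:
    """Rules are evaluated top-down and are 'quick': first match wins."""
    for r in rules:
        if (_match_proto(r.proto, proto) and _match_addr(r.src, src)
                and _match_addr(r.dst, dst)
                and r.dst_port in ("*", str(dst_port))):
            return r
    return None

def trace(rules, proto, src, dst, dst_port) -> str:
    """Report which rule a packet hits and whether it carries a gateway."""
    r = first_match(rules, proto, src, dst, dst_port)
    if r is None:
        return "no match (default deny)"
    how = "system routing" if r.gateway == "*" else f"policy-routed via {r.gateway}"
    return f"{r.description}: {how}"

# The two LAN rules from post #3, in the order shown there.
DNS_RULE = Rule("UDP", "10.0.0.170", "This Firewall", "53", "*", "Laptop to FW DNS")
PERMIT = Rule("*", "*", "*", "*", "Cable_and_Cellular", "Inside out permit")

if __name__ == "__main__":
    pkt = ("UDP", "10.0.0.170", "192.168.254.249", 53)   # laptop -> firewall DNS
    print("without DNS rule:", trace([PERMIT], *pkt))
    print("with DNS rule:   ", trace([DNS_RULE, PERMIT], *pkt))
```

Without the explicit rule, the DNS packet to the firewall falls into the catch-all rule that carries the gateway group, which is the difference the poster isolated.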
#7
Quote from: EricPerl on December 31, 2024, 08:43:19 PM
> You can check which process is handling DNS with
> sockstat | grep :53
> Are your host overrides enabled?
>
> With regards to Unbound, if you don't have anything enabled in "Query Forwarding" or "DNS over TLS", Unbound will behave as a recursive resolver.
> You can actually track what's going in or out of your firewall using the live view and filters (e.g. dst_port is 53, or 853 for DoT).

Thanks for the sockstat command.  When unbound is disabled, nothing is listening on port 53 (but the FW is still handling DNS requests). When unbound is enabled, there's a list of unbound services listening on port 53, as you'd expect.  However, the client behavior is the same. 

Query forwarding and DNS over TLS pages are both blank.

FW live log shows the request from the client to the FW hitting my inside-out rule, so it appears the FW is transparently proxying/redirecting my DNS request to the FW itself.  I have not knowingly configured any functionality like that, and I'm not even sure where/how it would be configured.

I am running an HA pair (CARP) with version 24.7.11_2.
#8
I have been using PiHole for my local DNS server for years, but I'm considering switching to Unbound on my OPNsense box.  I started to tinker with it and I noticed something odd which is preventing me from proceeding.  OPNsense is answering (proxying?) DNS requests from devices on my LAN even when all DNS services are disabled.  Furthermore, if I enable Unbound, the overrides don't work.  A dig trace shows that my PiHole server is answering the request, even though I'm directing dig to OPNsense.  If I do an nslookup and specify the server as OPNsense, OPNsense answers requests for anything on the internet but fails to answer for any hosts in the override list.

Is there a setting buried somewhere which enables transparent DNS proxy/relay?  I tried deleting the DNS servers in the general settings, but it continues to process requests from clients.
#9
Did you ever get to the bottom of this issue?  I'm having the same problem on 22.7.10_2.