Messages - wotcha

#1
My alias is still not working...
I have this firewall rule at the top...

with an Alias of:
- Name: Group_30_IPs
- Type: host
- Content: 10.0.30.50-10.0.30.55

Yet it is still being denied on that VLAN.

These are the screenshots of my firewall rules.
#2
Quote from: pmhausen on July 06, 2023, 09:58:12 AM
https://docs.opnsense.org/manual/aliases.html  ;)

I am now getting this error:

2023-07-06T15:56:00 Error firewall The DNS query name does not exist: 10.0.20.51:55. [for Group_20_IPHosts]
2023-07-06T15:50:33 Error firewall The DNS query name does not exist: 10.0.20.51:55. [for Group_20_IPHosts]
2023-07-06T15:45:28 Error firewall The DNS query name does not exist: 10.0.20.51:55. [for Group_20_IPHosts]

I thought I could express IP addresses as a range with a colon?

Never mind, I see it has to be written as "10.0.20.51-10.0.20.55".
#3
Quote from: pmhausen on July 06, 2023, 09:37:33 AM
You created aliases of type URL, apparently. IP addresses need to be of type host.

Thanks, wow I can't believe I missed that. No wonder I've been having so much trouble. Calling the category "URL (IPs)" seems misleading. Perhaps "URL (IP Tables)" would be better.
#4
My firewall rules with an alias are not working.
This is what I am getting:


2023-07-06T15:15:03 Error firewall alias resolve error Group_30_IPs (error fetching alias url 10.0.30.53)
2023-07-06T15:15:03 Error firewall error fetching alias url 10.0.30.53
2023-07-06T13:04:30 Error firewall alias resolve error Group_20_IPs (error fetching alias url 10.0.20.51:55)
2023-07-06T13:04:30 Error firewall error fetching alias url 10.0.20.51:55

- VLAN 30: I am using Dnsmasq.
- VLAN 20: I am using Unbound.
- Running OPNsense version 23.1.11.


Otherwise I specifically have to type in every IP address as a "Single host" in the firewall rules for VLAN 30 for it to work. That's a lot of firewall rules...
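The three posts above all come down to how the contents of a "host" type alias are interpreted: "10.0.30.50-10.0.30.55" is a range, while "10.0.20.51:55" is not an address at all, so OPNsense tries to resolve it as a DNS name and logs "The DNS query name does not exist". The following lint script is an added example (not part of the thread and not OPNsense code) that classifies alias entries the same way and flags the colon-style mistake before it reaches the firewall; the alias names and contents are constructed from the posts.

```python
import ipaddress
import re

# Constructed sample alias contents, modelled on the entries in the thread.
SAMPLE_ALIASES = {
    "Group_30_IPs": ["10.0.30.50-10.0.30.55", "10.0.30.53"],
    "Group_20_IPs": ["10.0.20.51:55"],
}

# start-end range written with a dash, as the alias docs require
RANGE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3}(?:\.\d{1,3}){3})$")


def classify_entry(entry):
    """Return (kind, address_count) for one line of a 'host' alias.

    kind is 'single', 'range', 'network' or 'hostname'. A 'hostname' entry
    is whatever is left over: it would be handed to DNS for resolution,
    which is exactly what happened to '10.0.20.51:55' in the thread.
    """
    entry = entry.strip()
    m = RANGE_RE.match(entry)
    if m:
        start = ipaddress.ip_address(m.group(1))
        end = ipaddress.ip_address(m.group(2))
        if end < start:
            raise ValueError(f"range end precedes start: {entry}")
        # summarize_address_range turns a dash range into minimal CIDR blocks
        nets = ipaddress.summarize_address_range(start, end)
        return "range", sum(n.num_addresses for n in nets)
    try:
        ipaddress.ip_address(entry)
        return "single", 1
    except ValueError:
        pass
    try:
        net = ipaddress.ip_network(entry, strict=False)
        return "network", net.num_addresses
    except ValueError:
        pass
    return "hostname", 0


def lint_alias(name, entries):
    """Warn about entries made only of digits, dots, colons and dashes that
    still did not parse as an address: almost certainly a mistyped range."""
    warnings = []
    for e in entries:
        kind, _ = classify_entry(e)
        if kind == "hostname" and re.fullmatch(r"[\d.:\-]+", e.strip()):
            warnings.append(f"{name}: '{e}' is not an IP range; write it as start-end")
    return warnings
```

Running `lint_alias` over `SAMPLE_ALIASES` reports only the Group_20_IPs entry, while the dash range in Group_30_IPs expands to six addresses.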

#5
Quote from: bartjsmit on March 03, 2023, 10:49:15 AM
Quote from: wotcha on March 02, 2023, 09:58:14 PM
I can't access the internet.

That's a bit vague. What works and what doesn't work? Ping to upstream firewall, ping to 8.8.8.8, DNS resolution, protocols working and protocols blocked?

Any access to the internet at all, including pings, DNS, etc. There is no WAN connection, except that it receives a local IP address from my LAN.
#6
Quote from: pmhausen on March 02, 2023, 03:10:53 PM
Yes, of course. That is the point of a bridge.

Great, thanks. This worked out perfectly.
#7
I want to preconfigure the OPNsense router first, without replacing my main router at the moment while I work on it. And I would like it to have internet access.

On the WAN interface:
- I have already unchecked "Block private networks".
- I have checked "Allow DNS/PPP to be overridden by WAN" (or something along those lines).

On my WAN port, I get assigned an IP address (192.168.1.30) from my existing router, but I can't access the internet.

How can I preconfigure the box AND connect it to the internet, while not replacing my existing router?
#8
Is it possible to have 2 VLANs (55&66) use Unbound DNS through a VPN gateway, AND have another 2 VLANs (77&88) use Unbound DNS but through the WAN as normal?

How do I set this up? Via FW rules or via the Unbound settings page?
(I could only find listen interfaces on the Unbound settings page, with a place to specify the gateway.)
#9
Okay, I see. I think I would like to have untagged traffic.

Currently, I bridge the LAN (basically the Administration interface) between eth3 & eth1 (but eth1 is lagged with eth2 = custom name eth1x2)

So basically right now, there is a static IPv4 on the LAN bridge with DHCP enabled, giving out 10.0.1.1/24 addresses.
But there is no IPv4 on eth3 or eth1x2, which make up the bridge.
Yet I can access the LAN from the eth3 physical port right now without any problems.

Does that mean that untagged bridged LAN traffic is also entering the LAGG?
#10
Quote from: meyergru on March 02, 2023, 09:20:46 AM
You can do almost anything identically on a LAGG as with a normal interface.

Okay thanks, but I'm still confused on 2 points...

- So just to make doubly sure... I can't connect eth1 (one of the lagg0 ports) to my computer directly, right?

- I'll be adding VLANs (4 of them) to the lagg0 interface. Why do I have to set a Static IPv4 DHCP range on the lagg0 interface?

A few tutorial videos do this (like they add 192.168.99.1/24), but they don't explain why.
#11
Also, in the LAGG interface, do I have to set a static IPv4 DHCP range, or can I not set it at all?

What would adding a static IPv4 DHCP range here (in lagg0) do?
#12
I just got this double checked, and the graphic above I had posted previously is NOT correct.

THIS IS CORRECT in how the processing rules are applied:

Hope this is useful to somebody, image can be re-used anywhere.
#13
Quote from: alex303 on March 01, 2023, 08:29:16 PM
Quote from: gspannu on March 01, 2023, 11:03:42 AM
However, some clients (or apps running on mobile devices) that use https or tls/quic for their DNS queries will still be able to bypass OPNsense, as they are sending their DNS queries on Port 443 or 853. These can be blocked too, but is a lot more complicated and I am not sure it is 100% feasible either.

It's actually quite simple to block those.
Yeah, I think a lot of guides explain how to block, but I'm not interested in blocking, I want to let those requests through.

I have a reason to set & use the client's own DNS set on the device, e.g. in the network settings of the MacBook.

Quote from: gspannu on March 01, 2023, 11:03:42 AM
Depends what you want...

B) If there are certain client devices that you want to use a different DNS (other than OPNsense), then set up these DNS entries in the DHCP settings on the OPNsense router itself.
Do not make these DNS settings on the client, else it will work as Option A.

Just be aware that these firewall rules only work for clients that use plain DNS 53 queries - this should be practically all clients.

However, some clients (or apps running on mobile devices) that use https or tls/quic for their DNS queries will still be able to bypass OPNsense, as they are sending their DNS queries on Port 443 or 853. These can be blocked too, but is a lot more complicated and I am not sure it is 100% feasible either.

This! I want this... I will be enabling DNSCrypt (DoH) or Unbound DoT at some point, for 2 specific VLANs (77&88).

But at the same time I do want the DNS requests of a client device on 77&88 to take precedence, e.g. from the network settings of the MacBook.

Does anyone have tips on how to do this?
#14
Quote from: meyergru on March 01, 2023, 06:35:01 PM
You can connect with just eth1, but the connection has to be configured as a LAGG member on the other side as well. Ethernet packets have to be encapsulated within LACP frames in order to be recognized - on both sides of the LAGG.

Okay, got it, thanks. So basically I can't connect eth1 to my computer directly.
#15
Is it possible to add the admin LAN, and therefore GUI access to the router (https://192.168.1.1), to a LAGG (e.g. lagg0)?

Because when a LAGG is being set up, most of us are looking at the GUI, right? So how can I add the LAN that I am literally accessing now to use the GUI, as it cannot be deleted? The firewall admin GUI LAN interface is already assigned... it cannot be re-assigned to lagg0 unless deleted, and if I delete it then the GUI I'm on disappears... is there a way?

Also when I used the CLI on initial startup to create a lagg I assigned:
eth0 --> WAN
eth1, eth2 --> lagg0
eth3 --> OPT1
lagg0 --> LAN

But when I connected my cable to the eth1 port, I could not reach the LAN via https://192.168.1.1 at all. I wonder if this is because I cannot connect BOTH cables to eth1 & eth2?

I thought if I could just connect one cable to eth1 it should be fine, and I could still access the firewall.