Messages - tvtr

#1
Quote from: chemlud on March 27, 2023, 12:04:20 PM
This is all so wrong that even the opposite is not correct... start from scratch with search terms "stateful firewall", "in" and "out" for sense fw rules etc. pp....

What do you mean by "this is all wrong"? If you refer to the Block all except allowed_servers rule, I know it shouldn't be like this; it was just a temporary solution because the PASS rules don't work.
#2
.
#3
This is the firewall log (I filtered only requests to/from the IP that is allowed using the pass rule), and a screenshot of the ping from CMD
#4
Quote from: meyergru on March 26, 2023, 05:30:23 PM
Yes, I found that also to be true: OPNsense firewall rules are essentially worthless because they do not work at all!

8)

No, seriously, you essentially give no information:

1. You do not show your rules, if they are inbound or outbound, what order and whatnot.
2. You do not specify any networks or interfaces or from what client you try to reach what.
3. I can only assume that 100.100.100.100 is a stand-in for a real address - as such, it is a bogon address which may get filtered by a checkbox ("Block bogon networks") in the interface section.

Quote from: chemlud on March 26, 2023, 05:27:48 PM
Is the PASS rule above the BLOCK ALL rule? Show a screenshot of the Interface + rules...

The 100.100.100.100 IP was just for example, it can be any IP, like in the screenshot.
I have a router that has two interfaces, one for its LAN and one for its WAN.
The LAN Subnet is 192.168.1.1/24
The WAN Subnet is 192.168.100.1/24

I want to block all communications to the WAN except certain IPs.
In the screenshot, I blocked everything except the allowed_servers alias (this rule works perfectly), but the pass rule doesn't work... I don't know why

By the way, I disabled the "block private networks" rule in the WAN settings, and I removed the "default deny" rule.

#5
General Discussion / Firewall pass rules don't work
March 26, 2023, 04:35:17 PM
Hi,
I'm trying to use the OPNsense firewall. When I use Block rules everything works as expected (for example if I block everything except 100.100.100.100, all of the traffic will be blocked except this IP).
But when I block everything and use the pass rule to allow 100.100.100.100, the packet is allowed (as I can see in the logs), but I get no response. The pass rule is set to quick and I can see it in the logs. I made a pass rule to allow the specific IP to communicate inbound (not only outbound), but there is no log for the inbound packet (it's like the router "absorbed" it in the outbound rule).

Thank you in advance!
#6
Quote from: Fright on March 23, 2023, 07:14:56 PM
Oh, agree, this is a problem if there is no way to disable this search list on clients. In this case, I do not see options for the case of DNSCrypt.
Speaking of API: It seems to me that for unbound API is available: https://docs.opnsense.org/development/api/core/unbound.html

Oh, I don't know how I missed that. Thank you!
#7
Quote from: Fright on March 23, 2023, 04:01:49 PM
A quick option that comes to mind is to add a *.* 127.0.0.1 record to the overrides. Should work like a blacklist, but will answer with 127.0.0.1 instead of NXDOMAIN for all addresses except for other specified overrides.

Still not sure if I fully understood your purpose.

I have a system that I built that should be connected to an opnsense router with an isolated network. The users need to be able to add to the router the DNS server IP for the network and some hosts overrides. This should happen using my system only (users shouldn't have access to the router).
So the best option for me is the Unbound DNS, but the problem is that the Unbound DNS has no API. The only plugin that has an API and can help me with this is the DNSCrypt-Proxy (at least to my knowledge; I haven't found other useful plugins).

The 127.0.0.1 solution won't help me because when you try to nslookup a domain, it will first try to search for domain.local, and because the router will respond with 127.0.0.1 the machine will try to access the 127.0.0.1 IP address instead of searching for the domain (again, this is to my knowledge; maybe there are some other solutions that haven't come to my mind).
#8
Quote from: Fright on March 23, 2023, 12:53:45 PM
Hi,
so you have servers configured but you are blocking all outbound connections?
I think this is expected behaviour then.
DNSCrypt cannot connect to servers and logs "NOT_READY" (it's not a DNS response type, it's an internal DNSCrypt status):
https://github.com/DNSCrypt/dnscrypt-proxy/commit/daa1f3d3b1df53c600b274face546a2b0e9fa59c

I don't think that DNSCrypt has a "cloaking-only" mode (to return NXDOMAIN for all requests except overrides).

I've tried to empty the servers list, but the DNSCrypt-Proxy won't run. I thought about connecting it to the Unbound DNS, but I don't know if that will be supported in the DNSCrypt-Proxy. (The problem is that I have to use the DNSCrypt-Proxy and not other DNS services because I need to use it with an API, and other services won't provide me such an API.)
#9
UP.
#10
Hi, I'm using the DNSCrypt-Proxy plugin with the opnsense router.
I set the router firewall to block access to the internet so my DNS is local only.
The problem is that when a DNS request for a non-existing domain is made, instead of replying immediately that this domain does not exist, the DNSCrypt-Proxy doesn't respond at all. In the logs I see response code NOT READY, but in the nslookup request I don't get any response (just a timeout after 2 sec).
Is there some configuration I can do so the plugin will respond with an error code immediately instead of timing out?
Thanks in advance!