"
Thank you all for your replies, so it behaves like I was guessing, i.e. hitting the WAN address from inside the LAN. This makes complete sense for the behavior I'm observing and gives me peace to know that the ports aren't open to the internet anymore. It also simplifies some things for me as I can share some services to an isolated "work" VLAN which can look up public DNS records pointing to my WAN address and route them locally without having to set up anything more to make it work.
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
#1
General Discussion / Re: How do requests to WAN IP behave from inside LAN?
September 28, 2025, 12:24:04 PM #2
General Discussion / Re: How do requests to WAN IP behave from inside LAN?
September 28, 2025, 12:13:14 PM
<deleted duplicate post>
#3
General Discussion / How do requests to WAN IP behave from inside LAN?
September 27, 2025, 11:40:07 AM
I've had http(s) ports open to access from WAN previously, exposing some services to the internet, and am now closing them as my needs have changed. What I had were rules on the WAN interface allowing ingress on the ports which were forwarded to hosts with reverse proxies.
But what I'm not understanding is that after disabling these ingress rules on the WAN interface I still get a response saying the ports are open when checking using netcat like `nc -zv my.public.ip 443` from local VLANs. Is there some other set of config that could still be providing the ingress, or is the WAN IP automatically routed with some kind of loopback behavior inside the LAN which gives me this result? I tried accessing one of the previously exposed services from my phone on mobile network, and at least from there I can't access the ports anymore, but I would like to understand how I'm getting this open port response internally when pointing to the same WAN IP from the LAN.
But what I'm not understanding is that after disabling these ingress rules on the WAN interface I still get a response saying the ports are open when checking using netcat like `nc -zv my.public.ip 443` from local VLANs. Is there some other set of config that could still be providing the ingress, or is the WAN IP automatically routed with some kind of loopback behavior inside the LAN which gives me this result? I tried accessing one of the previously exposed services from my phone on mobile network, and at least from there I can't access the ports anymore, but I would like to understand how I'm getting this open port response internally when pointing to the same WAN IP from the LAN.
#4
Documentation and Translation / Re: AdGuard Home setup guide
March 02, 2024, 11:29:03 AMQuote from: 9axqe on February 27, 2024, 08:59:13 AM
AGH has the ability to "rewrite" DNS as well, so you can make you own domain point to local IPs using just AdGuard Home. Hence you could put AdGuard first (and maybe you don't need dnsmasq at all anymore?).
Just an idea.
That's excellent, I didn't know AGH could do that with wildcards and exclusions, but it actually can.
I set up AGH to do the same as I've done with dnsmasq so far, and it seems to work correctly, so I'll be uninstalling dnsmasq and the end result is a simplified setup, very nice!
#5
Documentation and Translation / Re: AdGuard Home setup guide
February 27, 2024, 08:55:45 AM
I feel like I need to jump in here and ask for some AdGuard help as well. I'm having issues configuring dnsmasq+adguard on opnsense to be able to distinguish which clients are making which DNS lookups (i.e. retain local client IPs).
I currently have the requests going like `client -> dnsmasq (53) -> adguard (53530)`. The reason why I have dnsmasq is because I own a domain that I route to an internal reverse proxy on the LAN, so dnsmasq is resolving mydomain.com to a local IP and forwarding the rest to AdGuard.
The thread is very long at this point, so apologies if this has already been answered, but how can one go about setting things up so that AdGuard will be able to display the local client IPs in the dashboard, and not just 192.168.1.1 when forwarding via dnsmasq on the opnsense device?
I currently have the requests going like `client -> dnsmasq (53) -> adguard (53530)`. The reason why I have dnsmasq is because I own a domain that I route to an internal reverse proxy on the LAN, so dnsmasq is resolving mydomain.com to a local IP and forwarding the rest to AdGuard.
The thread is very long at this point, so apologies if this has already been answered, but how can one go about setting things up so that AdGuard will be able to display the local client IPs in the dashboard, and not just 192.168.1.1 when forwarding via dnsmasq on the opnsense device?
#6
General Discussion / Re: Retain client IPs with dnsmasq to AdGuardHome
February 10, 2024, 11:14:28 PM
No takers? Is this to say that what I'm looking for can't be done with dnsmasq and/or opnsense?
#7
General Discussion / Retain client IPs with dnsmasq to AdGuardHome
February 07, 2024, 09:30:21 AM
I'm running dnsmasq as my main dns handler on opnsense, because I split dns for some local use cases.
Recently I set up AdGuard Home and noticed that there is only one client ip shown, 192.168.1.1 of the router.
This I assume is due to dnsmasq acting as a dns proxy to adguard for all reguests going out to the public internet.
To summarize my requests go: client -> dnsmasq (53) -> adguard (53530) -> wan
Is there a way to configure dnsmasq and AdGuard so that requests passing through dnsmasq retain the client ip information which can then be properly displayed by AdGuard Home dashboard?
Recently I set up AdGuard Home and noticed that there is only one client ip shown, 192.168.1.1 of the router.
This I assume is due to dnsmasq acting as a dns proxy to adguard for all reguests going out to the public internet.
To summarize my requests go: client -> dnsmasq (53) -> adguard (53530) -> wan
Is there a way to configure dnsmasq and AdGuard so that requests passing through dnsmasq retain the client ip information which can then be properly displayed by AdGuard Home dashboard?
#8
General Discussion / UPnP device discovery across VLANs
November 06, 2023, 09:02:30 AM
I'm trying to set up a streamer on a separate IoT network in my LAN so that the Symfonium android app can cast via UPnP to that device from a trusted network, keeping the streamer isolated from other devices but still accessible for casting.
Symfonium is the casting app, with a Wiim Pro streamer and a subsonic media server source. The media server and Symfonium phone is on VLAN "Trusted", and the Wiim Pro is in another VLAN "IoT".
The problem I'm having is that both the android apps for Spotify and Wiim can reach the steamer across my VLANs (I have set up mDNS multicast across the networks), however Symfonium is unable to find the streamer as a UPnP device if the phone is connected to the trusted network. If I connect the phone Wi-Fi to the IoT network, then Symfonium immediately finds the streamer and can cast audio.
I'm wondering what network configuration is needed, or even possible, in order to have UPnP traverse across VLANs?
Additional information:
I have temporarily enabled full network access between the VLANs to minimize any other sources of error. I also have firewall rules opening traffic to 224.0.0.251:5353 both ways between the VLANs to support mDNS multicast, along with a mDNS-repeater between the networks.
Summary
Spotify and Wiim apps can discover the streamer device across VLANs
Symfonium can not discover the streamer across VLANs
Symfonium can discover the streamer if connected to the same VLAN
Firewall rules are in place to support cross-network discovey with mDNS
All other traffic between the two VLANs is currently open in order to mitigate other sources of error.
Symfonium is the casting app, with a Wiim Pro streamer and a subsonic media server source. The media server and Symfonium phone is on VLAN "Trusted", and the Wiim Pro is in another VLAN "IoT".
The problem I'm having is that both the android apps for Spotify and Wiim can reach the steamer across my VLANs (I have set up mDNS multicast across the networks), however Symfonium is unable to find the streamer as a UPnP device if the phone is connected to the trusted network. If I connect the phone Wi-Fi to the IoT network, then Symfonium immediately finds the streamer and can cast audio.
I'm wondering what network configuration is needed, or even possible, in order to have UPnP traverse across VLANs?
Additional information:
I have temporarily enabled full network access between the VLANs to minimize any other sources of error. I also have firewall rules opening traffic to 224.0.0.251:5353 both ways between the VLANs to support mDNS multicast, along with a mDNS-repeater between the networks.
Summary
Spotify and Wiim apps can discover the streamer device across VLANs
Symfonium can not discover the streamer across VLANs
Symfonium can discover the streamer if connected to the same VLAN
Firewall rules are in place to support cross-network discovey with mDNS
All other traffic between the two VLANs is currently open in order to mitigate other sources of error.
#9
General Discussion / Re: How to set up Unbound DNS wildcard override with exception?
September 19, 2023, 11:53:34 PMQuote from: newsense on September 17, 2023, 11:02:09 PM
It's likely you'll have DHCP reservations for VPN clients so might as well provision the public resolver in the reservation profile
I'm not following, how does DHCP affect what DNS lookups I can make from inside my LAN?
#10
General Discussion / Re: How to set up Unbound DNS wildcard override with exception?
September 17, 2023, 10:40:41 PM
Nobody?
#11
Virtual private networks / Re: WireGuard client connects but can't access internet
September 16, 2023, 09:43:07 AM
I think I found the issue. I had accidentally set the egress rule from the Wireguard network to internet invert the source, i.e. it said "! Wireguard net -> allow egress to internet", which didn't work of course.
#12
Virtual private networks / Re: WireGuard client connects but can't access internet
September 11, 2023, 08:35:37 AMQuote from: Patrick M. Hausen on September 10, 2023, 01:09:32 PM
Use tcpdump on all relevant interfaces to observe where packets start to fail.
I tried packet capture between two sets of interfaces.
First from WireGuard to Trusted, here I can successfully ping an IP in the Trusted network and packet capture shows me the packets as expected.
Then I tried WireGuard to WAN interface and netcatting 1.0.0.1 port 53, in this case netcat fails to reach the destination and packet capture doesn't catch anything either.
I'm not sure else I can look at, what path are the packets expected to take from the WireGuard interface?
#13
Virtual private networks / Re: WireGuard client connects but can't access internet
September 10, 2023, 12:42:04 PMQuote from: Patrick M. Hausen on September 10, 2023, 12:09:22 PM
Do you have a matching outbound NAT rule on your WAN interface?
Yes, there is an auto-created outbound NAT rule for all networks, including the WireGuard one.
#14
General Discussion / How to set up Unbound DNS wildcard override with exception?
September 10, 2023, 11:42:26 AM
I have a situation where I want to do this:
Resolve *.example.com to 192.168.10.10
Resolve vpn.example.com to 1.1.1.1
I.e. I use example.com for all services in my LAN *except* for my VPN which I want to resolve from a public dns server instead.
How do I properly set this up?
I have *.example.com as a host override, but that resolves vpn.example.com to 192.168.10.10 as well
I have tried these additional settings to try to make an exception for vpn.example.com:
So is there a way to actually do this with Unbound DNS or do I need to move this to the AdGuard Home plugin DNS, dnsmasq or something else?
Resolve *.example.com to 192.168.10.10
Resolve vpn.example.com to 1.1.1.1
I.e. I use example.com for all services in my LAN *except* for my VPN which I want to resolve from a public dns server instead.
How do I properly set this up?
I have *.example.com as a host override, but that resolves vpn.example.com to 192.168.10.10 as well
I have tried these additional settings to try to make an exception for vpn.example.com:
- Set query forwarding for vpn.example.com to 1.1.1.1 -> host override takes precedence
- Set a domain override for vpn.example.com to 1.1.1.1 -> host override takes precedence
- Set an additional host override for vpn.example.com to 192.168.1.1 -> causes DNS slowdown/loop (even if pointed to some dummy address like 66.66.66.66)
So is there a way to actually do this with Unbound DNS or do I need to move this to the AdGuard Home plugin DNS, dnsmasq or something else?
#15
Virtual private networks / WireGuard client connects but can't access internet
September 10, 2023, 11:02:02 AM
I've followed the Wireguard Road Warrior setup guide and HomeNetworkGuy's guide for the same thing to set up my Wireguard server and clients. I have my client able to connect to the server, but I can't reach the internet.
What I have so far is:
My WG client isn't able to ping 192.168.1.1 for DNS (I'm looking to use the Unbound DNS server with query forwarding to the AdGuard Home plugin for ad filtering). I'm not sure if I'm supposed to be able to, or if this should go through 192.168.100.1 (192.168.100.0/24 is my WG network). I'm also not able to ping 1.1.1.1 from the WG client, which I don't quite understand since I have a rule that allows traffic to all non-private networks and both guides state that NAT egress rules should be automatically created?
Currently I have all firewall rules set up on Wireguard interface, nothing on the "Wireguard (Group)" entry in the firewall rules list, this is empty and I'm not sure what to do with it as it's not mentioned in any of the guides.
What I have so far is:
- Wireguard interface with assignment
- Client / server Wireguard configuration working, client is able to connect
- Firewall rule for the Wireguard network set to allow access to port 53 on the Wireguard address
- Firewall rule for the Wireguard network set to allow access to all non-RFC1918 networks
- Firewall rule for the Wireguard network set to allow access to my "Trusted" network
My WG client isn't able to ping 192.168.1.1 for DNS (I'm looking to use the Unbound DNS server with query forwarding to the AdGuard Home plugin for ad filtering). I'm not sure if I'm supposed to be able to, or if this should go through 192.168.100.1 (192.168.100.0/24 is my WG network). I'm also not able to ping 1.1.1.1 from the WG client, which I don't quite understand since I have a rule that allows traffic to all non-private networks and both guides state that NAT egress rules should be automatically created?
Currently I have all firewall rules set up on Wireguard interface, nothing on the "Wireguard (Group)" entry in the firewall rules list, this is empty and I'm not sure what to do with it as it's not mentioned in any of the guides.
