Messages

I was not referring to the auto-generated rules

My mistake, I meant the automatically provided ones, not the auto-generated ones. I followed the guide for WAN failover, which said to edit those rules and assign to them a gateway. I have since added another rule after those, without a gateway:

statetype

state-policy

sequence

action

quick

interfacenot

interface

direction

ipprotocol

protocol

icmptype

icmp6type

source_net

source_not

source_port

destination_net

destination_not

destination_port

divert-to

gateway

keep

51

pass

1

0

lan

in

inet

any

lan

0

any

0

v4

keep

61

pass

1

0

lan

in

inet6

any

lan

0

any

0

v6

keep

71

pass

1

0

lan

in

inet46

any

lan

0

any

0

Though this has improved the LAN stability, the Printer still misbehaves, and not in a consistent manner. Sometimes it'll work as desired, but usually stops, so I have to leave it configured with IP addresses rather than names, and accept the degradation.

I'm still inclined to believe it is at least partially caused by the router because it has other odd behaviours like near total failure of IPv6 after a random amount of uptime. Restarting the router, without changing any config, will 'fix' that.

Thanks for replying.

We're not using VLANs and everything is on the v4 same subnet, and v6 prefix, so any firewall rule that blocked only the printer would have to contain address-specific parameters, right? There's nothing like that.

Further tests:

• I gave my own PC static IPs by cloning the printer's reservation in Dnsmasq's Hosts page, one off of the printer's IPs, outside the normal DHCP offer ranges, and my PC still got replies from the OPNsense device.
• Set the resolver address on the printer and PC to a separate server, on the LAN, running BIND9. Both received usable DNS responses.

I can't take Dnsmasq down for any extended period until I have a decent maintenance window, but everything I've seen points to it, so far.

I always create an "allow DNS on this firewall" as a floating rule.

Doesn't 'floating' allow DNS requests from the WAN side? I don't want that, it would obviate the point of having overrides for private addresses on our domain. I already have a similar rule to immediately allow all DNS on the LAN interface, as recommended by the WAN failover guide, because we have a 5G backup connection.

Can you see anything in the packet captures? They're very small.

I have a printer that makes DNS queries like any other device, mainly to reach machines on the LAN, but also to 3rd party services on the Internet. From what I can tell, Dnsmasq on OPNsense flat-out refuses to answer its DNS queries. I've done packet captures on the OPNsense device, to compare requests from my own machine with those of the printer's, and I don't know why they go unanswered. It waits and asks again with the search domain appended again, defensive-programming-style. I don't see anything blocking them when I watch the live view of the firewall when triggering queries from the printer.

Does anyone have any ideas about the cause, or what else I can do to diagnose it?

As a band-aid solution, I've had to configure it to use static IP addresses instead of names to get basic functionality, but that isn't sustainable.

Ah, Ta. I'm aware of the auto-generated rules, and I'm not using VLANs. I added it out of frustration, really.

...which by default allow any to any for any IP protocols on LAN? ;-)

Can you elaborate? I don't understand what you're referring to, specifically.

so doesn't need / shouldn't have a gateway.

It's a big office printer with a support contract, we don't own it. It uses WAN for emailing and FTP upload of scanned documents, NTP, and firmware updates. It probably could be made to function well enough without WAN but, regardless, it has difficulty communicating with other machines on the LAN.

I'm having trouble with it again and have had to configure it to use IP addresses instead of names, e.g. for SMTP. Dnsmasq on OPNsense flat-out refuses to answer its DNS queries. I've done (redacted) packet captures on the OPNsense device, to compare requests from my own machine with those of the printer's, and I don't know why they go unanswered. I don't see anything blocking them when I watch the live view of the firewall.

[everything]

I'm posting this in the hope others benefit from our pain. After a large Toshiba printer/MFC was replaced on our network with a newer model (an e-STUDIO3525AC), it had a great deal of trouble. The previous model had worked fine, and there were no changes to the OPNsense box's config between the two. Despite trying both dynamic and static network configs, IPv4-only, IPv6-only, etc., the new one could not get DNS resolution of any address, could not ping public IP addresses (even directly, like 8.8.8.8), and was generally poor at obtaining and holding onto its network config. It even complained at various points that the network cable wasn't connected. I used OPNsense's Interfaces > Diagnostics > Packet Capture, limited to the printer's MAC, and saw it was fairly chatty. I tested the new printer on a secondary physical network and all was okay, so it was something about the main network.

When I realised I could ping public addresses from my own PC, but not the firewall's, I found this thread about it. I enabled ICMP with this rule on the LAN interface, in order to test ping from the printer again:

Protocol	Source	Port	Destination	Port	Gateway	Schedule
IPv4+6 ICMP	*	*	This Firewall	*	*	*

To my surprise, everything started behaving. I'm not blaming OPNsense; I think the printer was deciding it wouldn't or couldn't do basic communication without the router responding to certain queries, or something. If you're experiencing such issues, they may be being triggered by default firewall policies.

The last two responses are not at all helpful.

Look for:
DHCP Static Mappings

We're all already using those, which is why we'd like to be able to specify aliases for them.

You may use Dnsmasq DNS instead of Unbound. It allows easier configuration of aliases.

It has the exact same issue (I mentioned it in my first reply). The hosts that are already mapped to an IP in DHCP are not present in the Unbound or Dnsmasq lists, so one cannot assign aliases to them. An IP address must be double-specified (once in DHCP and once in the chosen DNS override service) for each host you require aliases for.

This is still a problem. The workaround is adding explicit A/AAAA overrides, which is double-specification, when the entire point of registering the DHCP hosts in Unbound/Dnsmasq is to avoid that. It would be nice to be able to create arbitrary Aliases, but I'm forced to attach them to an existing override.

What if the lists that show overrides in Unbound and Dnsmasq could, in addition to showing regular overrides, show the DHCP hosts as non-editable pseudo-entries so that relevant aliases could be added?