Messages - FredFresh

#1
Solution found: Services -> Unbound DNS -> General (advanced): if you select interfaces in the "Outgoing Network Interfaces", the system reaches the DNS server on every outgoing interface.
Instead, if you de-select all of them and "All (recommended)" appears as the choice, only the effective outgoing interface is used.
#2
@bringbacklanparties and now I thank you, because without the "ALL (recommended)" but specifying the single gateways, Unbound DNS was sending outside requests on all of those gateways in parallel :)
#3
Again, you are replying with things not relevant for my question.
#4
Question 1:
Quote from: userOne on October 09, 2025, 10:00:19 PM
Redirect rule on lan1-lan10 to catch dns: IPv4 TCP/UDP    *    *    127.0.0.1    53 (DNS)    *    *
How can this intercept the internal DNS queries if they are directed to the subnet gateway IP and not to 127.0.0.1?

Question 2:
Quote from: userOne on October 09, 2025, 10:00:19 PM
dns1: 192.168.0.2 failover on 4 wg-tunnels
dns2: 192.168.0.3 failover on 4 (different) wg-tunnels
I think there is something wrong here; I mean that the authoritative DNS server address should be here.

Again, my issue is not the DNS queries from devices but from the firewall itself. All the device queries are already redirected to the firewall itself.
#5
Hi, the VPNs are all WireGuard.

I think that what you suggested can work if I have to redirect the DNS queries from a device in the subnet, but my intention is to route the Unbound queries to the authoritative DNS server.

The queries are coming out from 127.0.0.1 and there are no queries going inside the gateways but only going out, therefore a firewall rule is not able to redirect but only to block (at least this is what I understood so far).
#6
I thought that the only service usable for this was Maxmind. I don't see ipinfo mentioned here https://docs.opnsense.org/manual/aliases.html#geoip
#7
Hi, I have a WAN connection + 3 different VPNs (to external providers like NordVPN or similar).

The connection to outside is managed using a different priority of the gateways (each one can be the default gateway).

I use Unbound DNS:
- I set the WAN + the 3 VPNs as "Outgoing Network Interfaces"
- I start the test here: dnsleaktest.com
- that site is able to identify the country of each of the three VPNs

Shouldn't Unbound DNS use only one connection to the authoritative DNS server?

I tried to select only one of the VPNs, and the DNS leak test identifies only that country (DNS server located in that country).
I tried to create a gateway group and use that as the outgoing interface, but it was not shown in the drop-down list.

Thank you for helping me understand this.

EDIT: @Franco could you provide feedback on this? Otherwise I would say this is an unexpected behaviour/bug and I would open a bug on GitHub.
#8
Hi, I do not know if you resolved it, but I found today that I had the same issue because of CrowdSec blocking the IP 89.149.225.137.
You can go to Services -> CrowdSec -> Decisions and delete it.

Personally it is the first time, but looking on CrowdSec it was marked as aggressive 5 times since July 2025.
#9
General Discussion / port forwarding port 53
October 01, 2025, 10:05:20 PM
Hi, I tried to port-forward requests to 8.8.8.8 and other DNS providers done on port 53 to the internal gateways of each sub-LAN served by Unbound DNS.
(I am talking about devices like a vacuum robot where I can't change this setting)

It seems that they "don't like" it: is it possible that even if they are using port 53, the data they are sending is different from DNS queries?
Thank you
#10
Virtual private networks / Timing to restore the wireguard
September 19, 2025, 07:58:00 PM
On a stale connection, what is the time required by OPNsense to try to restore such a connection?
I am talking about a WireGuard connection to an external provider like Proton.

In this case it took 4 days (keeping the same public IP on the WAN port).
Otherwise it is immediate if I change the public IP on the WAN port.

I would like to understand if such timing is defined by the firewall or by provider.

It is the first time that the system is able to restore a WireGuard connection that was marked as stale.
#11
Probably a stupid question, but I am looking for confirmation of who is writing the code of the WireGuard module used inside OPNsense.

Thank you
#12
Sometimes Proton changes the IP entry point! Also, be aware you have to renew the configuration of WireGuard by going to the Proton VPN website (where you initially created the config file).
#13
25.7, 25.10 Series / Cron - recursive job
August 15, 2025, 12:20:28 PM
Naive question: does the cron implemented inside OPNsense accept the timing in the format */2 (every 2 minutes/hours/etc.)?

Thanks
#14
Thank you!
#15
25.7, 25.10 Series / firewall rules log on disk or ram
August 13, 2025, 10:40:01 AM
Hi,
does activating the log option on a firewall rule write the record to RAM or to disk?

I am trying to understand if having that option set to ON could wear out the disk prematurely.

Thanks