
Messages - av8r

#1
I have narrowed it down: it has to be my firewall rules that are wrong, because if I add 76.76.10.2 to /etc/resolv.conf in both OPNsense and Proxmox, I get DNS, can ping Cloudflare, and can update both units.

How is a/the firewall rule supposed to look when you are trying to use a local DNS server?
Let's say I have 7 VLANs:
vlan1 -> OPNsense
vlan2
vlan3 -> one AdGuardHome DNS server LXC on Proxmox
vlan4
vlan5
vlan6
vlan7 -> one AdGuardHome DNS server LXC on Proxmox

I want all of my VLANs to use those two ADGH DNS servers. I would be much obliged if you could help me with these firewall rules.
#2
I have set up AdGuard Home on 2 LXC containers in Proxmox, and it seems to be working great, until I try to check for updates to OPNsense and the Proxmox host itself. Then I have no DNS, it looks like.
I cannot ping e.g. cloudflare.com, but pinging 1.1.1.1 gives the expected result.

- AdGuard Home DNS server #1 is set up on VLAN 192.168.10.40:53 (Proxmox LXC Debian 12 unprivileged container)
- AdGuard Home DNS server #2 is set up on VLAN 192.168.200.40:53 (Proxmox LXC Debian 12 unprivileged container)

- OPNsense is 192.168.1.1:444 "physical device" (KEA-DHCP) (cannot ping e.g. cloudflare.com from the shell)
- Proxmox is 192.168.200.1:8006 (pve node shell - cannot ping e.g. cloudflare.com)
- Unbound is listening on 192.168.1.1:53530 (I don't want to use Unbound, but can't get it to work without doing it this way)

But my other VLANs work; even the containers or other clients on the subnets 192.168.1.0/24 and 192.168.200.0/24 work and get DNS/DHCP. Why would OPNsense and Proxmox not be able to connect to the ADGH DNS servers?

I came across this tutorial for Pi-hole in my troubleshooting journey, and it seems like that setup is identical to mine, the only difference being I'm using ADGH.
https://homenetworkguy.com/how-to/install-pi-hole-on-proxmox-and-use-opnsense-unbound-dns-as-upstream-dns/

I would really appreciate help from you if you see my mistake and can help me get it fixed.

This is my setup:

# ADGH setup:
Settings --> DNS settings;
# Enter one server address per line. Learn more about configuring upstream DNS servers. Here is a list of known DNS providers to choose from:
https://dns.controld.com/personalcode
https://security.cloudflare-dns.com/dns-query
192.168.1.1:53530

# Bootstrap DNS servers
76.76.2.2
9.9.9.10
149.112.112.10
2620:fe::10
2620:fe::fe:10

# Private reverse DNS servers
192.168.1.1:53530

# OPNsense setup:
Services --> Unbound DNS --> General;
- Enable Unbound - ticked
- Listen Port - 192.168.1.1:53530
- Enable DNSSEC Support - ticked
- Enable DNS64 Support - ticked
- Register ISC DHCP4 Leases - ticked
- Register ISC DHCP Static Mappings - ticked
- Local Zone Type - transparent

# Services --> Unbound DNS --> Advanced;
- Prefetch DNS Key Support - ticked
- Harden DNSSEC Data - ticked
- Aggressive NSEC - ticked
- Rebind protection networks -
0.0.0.0/8
10.0.0.0/8
100.64.0.0/10
169.254.0.0/16
172.16.0.0/12
192.0.2.0/24
192.168.0.0/16
198.18.0.0/15
198.51.100.0/24
203.0.113.0/24
233.252.0.0/24
::1/128
2001:db8::/32
fc00::/8
fd00::/8
fe80::/10

# Services --> Unbound DNS --> Query Forwarding;
- Domain - open
- Address - 192.168.10.40
- Port - 53
--
- Domain - open
- Address - 192.168.200.40
- Port - 53

# Firewall Rules;
Firewall --> Alias;
- Enabled - ticked
- Name - ADGH_DNS_Servers
- Type - Host(s)
- Categories - DNS
- Content - 192.168.10.40, 192.168.200.40
- Statistics - unchecked
- Description - ADGH-DNS-servers(2)

# Firewall --> Groups;
- Name - Adgh_DNS
- Members - LAN,VLAN10,VLAN20,VLAN30,VLAN40,VLAN100,VLAN200
- (no) GUI groups - unticked
- Description - Rerouting ADGH DNS on all networks

# Firewall --> NAT;
- Interface - Adgh_DNS
- TCP/IP version - IPv4
- Protocol - TCP/UDP
- Source - Advanced
- Destination/Invert - ticked
- Destination - Adgh_DNS net
- Destination port range from-to - DNS
- Redirect target IP - ADGH_DNS_Servers
- Redirect target port - DNS
- Pool Option - Round Robin
- NAT reflection - Disabled
- Filter rule association - Rule Redirect DNS request to internal DNS resolvers

# Firewall --> Rules --> Floating;
- Action - Pass
- Quick - ticked
- Interface - Adgh_DNS
- Direction - in
- TCP/IP Version - IPv4+IPv6
- Source - Adgh_DNS net
- Destination - ADGH_DNS_Servers
- Destination Port Range from-to - DNS
#3
I need help with understanding/configuring port forwarding with regards to using Caddy as a reverse proxy.

I have tried posting on Reddit but no luck, so hopefully all you smart people can educate me a little.

My OPNsense box lives on 192.168.1.0/24.

My Proxmox server lives on .200 along with all my VMs, except for the Caddy server, which lives in an Ubuntu Server VM on VLAN .10, but Proxmox is still the host.

I use Cloudflare as my DNS domain name registrar and would like to only allow Cloudflare's IPs to access Caddy and then the services I want exposed using HTTPS.

I have followed every tutorial out there and read up on the documentation, but I'm not getting any smarter. I have concluded that it has to be my firewall rules, since the SSL handshake failed, but "browser" is working, "cloudflare" is working, but "Host" gets an error.

The services I want to gain access to from outside my network are TrueNAS, Nextcloud and Immich so far.

- I only want Cloudflare IPs to be able to reach Caddy for reverse proxying
- I need Caddy, which lives on 192.168.10.10, to be able to get access to 192.168.200.1/24
- I would like to be able to use the "domain-name" from inside my network to gain access to these services as well.
- I would like to be able to have HTTPS behind Caddy as well.

I had this all working with Kemp LoadMaster, but since Kemp is throttled and you cannot update/patch Kemp's free version, I would like to switch over to Caddy.

I know there is a plugin on OS, but in my head it is safer to have the Reverse_Proxy on a separate VLAN and my servers/apps on a separate VLAN from the RP, and also have the firewall on a separate VLAN.

Hopefully this makes (OPN)sense to some of you, and I would be very appreciative if you could help me get this set up correctly!!

I thought I had figured this out, but sadly that's not the case...