Messages - Dultas

#1
Thanks viragomann, that was exactly the issue. Added route-nopull and everything started working as expected.
#2
What I'm trying to do:
Have a single VLAN on my network whose traffic goes through a public VPN provider.

Issue I'm running into:
When the VPN is connected, traffic from the VPN VLAN can reach the internet over the VPN (the IP resolves to the VPN provider); all other traffic from other VLANs cannot reach the internet. Intranet is unaffected.

What I've done:
I've set up an OpenVPN client (VPN -> OpenVPN -> Instances); all settings match the ovpn file provided by the VPN service. Additionally, there are no routes configured for local or remote. I've verified the connection succeeded via logs. It successfully creates 2 gateways (System -> Gateways -> Configuration), one for IPv4 and one for IPv6. I "disconnected" both of those gateways so they are not added to the default gateway pool; additionally, neither is marked as upstream.

I created 2 new interfaces, VPN_GW and VPN. VPN_GW is assigned to the ovpnc1 created by the OpenVPN client. VPN is a VLAN; it additionally has DHCP enabled via Unbound. Two firewall rules: one to allow intranet traffic to my intranet CIDR, the second to allow all IPv4 (TCP/UDP) with the gateway set to the IPv4 OpenVPN gateway.

Set NAT to hybrid (Firewall -> NAT -> Outbound) and added 2 NAT rules for outbound VPN traffic. One is for static destination port 500, the second for all. Interface: VPN_GW, Source: VPN net, NAT Address: VPN_GW address.

With all this configured and the VPN connection disconnected, traffic on all my VLANs aside from the VPN VLAN can reach the intranet and internet fine and shows as using my ISP IP. When I enable the VPN connection, all traffic on those VLANs can no longer reach the internet (although I can ping my ISP GW IP); intranet is fine. The behavior for the VPN VLAN is as expected: with the VPN disconnected internet traffic fails, with it on it succeeds and shows the VPN IP as the source.

I'm kinda at a loss as to why this is occurring and have tried several things to fix the issue. One thing that has worked: on one VLAN I changed the last pass-everything rule to not use Gateway: default but instead use WAN_GW (the ISP gateway). This worked, although I don't understand why, as default should be that gateway anyway. I'm also hesitant to change several dozen firewall rules to use a specific gateway when everything I've read says default should work.

Additionally I'm confused as to why I can still reach my ISP GW but not anything beyond it. I suspect but can't prove that the traffic may be making it out of my network but can't be routed back to the source for whatever reason. I could set up an external server to see if it is able to receive the inbound connections but have not had a chance to do so.

Any help would be appreciated, I wouldn't be surprised to see it being one small thing I've missed, as is tradition.
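An added example, not from the original posts, showing why the route-nopull fix from reply #1 resolves the symptom described above: an OpenVPN client config fragment with the directive in place. The remote endpoint and port are placeholders, the provider's cipher/certificate lines are omitted, and where the directive is entered in the OPNsense UI is assumed to be the instance's custom options.

```conf
# Added example (not from the original post). Minimal OpenVPN client
# fragment for a policy-routed VPN VLAN on an OPNsense firewall.
client
dev tun
proto udp
remote vpn.example.invalid 1194   # placeholder provider endpoint
# ... ca / cert / key / cipher lines as supplied by the VPN provider ...

# Most public VPN providers push "redirect-gateway def1" to the client.
# That installs 0.0.0.0/1 and 128.0.0.0/1 via the tunnel, which beats the
# firewall's normal default route. Every other VLAN that relies on
# "Gateway: default" then loses internet, while the ISP gateway itself is
# still pingable because its on-link route is untouched. Rules that name
# WAN_GW explicitly keep working, which matches the observed workaround.
#
# route-nopull tells the client to ignore all pushed routes, so the
# firewall's default route stays with the ISP and only traffic matched by
# the VPN VLAN's firewall rule (gateway = the OpenVPN gateway) uses the
# tunnel.
route-nopull

# Finer-grained alternative (OpenVPN 2.4+): keep other pushed options but
# drop only the default-route redirect.
# pull-filter ignore "redirect-gateway"
```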
#3
I finished transitioning from .net to .com, so the original issue isn't quite relevant any more. Although another instance of Overrides seemingly not having the highest priority has come up.

Quote: I'm a bit confused about your "DHCP static" and "DHCP4 Lease".... do you have static mappings for some server instances, but others getting DHCP addresses from a pool and specifying their own preferred hostname? or...?

Yes, some interfaces on OPNsense have static mappings (internal servers: IDM, NAS, etc.) but some are dynamic (laptops, guests, etc.). While having DNS resolution for the laptops etc. is not strictly required, it is a nice-to-have since resolving them by hostname is quicker if I need to SSH into them. Also I'd prefer not to have to manually add every computer/device as a static mapping.

Quote: What is your system Domain Name? (System -> Settings -> General -> Domain Name)

Now OPNsense.domain.com, which annoyingly, even with an override, results in the DNS lookup returning all of the gateways instead of its management IP.

Quote:
# nslookup opnsense.domain.com 192.168.40.1
Server:         192.168.40.1
Address:        192.168.40.1#53

Name:   opnsense.domain.com
Address: 192.168.100.1
Name:   opnsense.domain.com
Address: 192.168.20.1
Name:   opnsense.domain.com
Address: 192.168.40.1
Name:   opnsense.domain.com
Address: 192.168.1.1
Name:   opnsense.domain.com
Address: 192.168.1.250
Name:   opnsense.domain.com
Address: 192.168.10.1
Name:   opnsense.domain.com
Address: 192.168.30.1

Quote: What is the Domain Name for the DHCP service? (Services -> ISC DHCPv4 -> [interface] -> Domain Name)

Blank, so it uses the system default of domain.com.

Quote: What is the Domain Name for the Static Mappings? (it's an optional setting for each one)

domain.com

I'm not sure why DHCP entries are trumping overrides; it seems like an override should be resolved first, but that does not seem to be the case. As for opnsense resolving to all its gateways, I was able to solve that issue. I simply unchecked "Do not register system A/AAAA records".

While that fixed it, I would still have expected overrides to have been returned first; otherwise this note on the overrides page is not correct: "Entries in this section override individual results from the forwarders. Use these for changing DNS results or for adding custom DNS records. Keep in mind that all resource record types (i.e. A, AAAA, MX, etc. records) of a specified host below are being overwritten." It is clearly not overriding ALL records, just most.
#4
I'm in the process of migrating some servers to a different domain (changing from .net to .com internally); while doing this I need to stand up two instances with the same hostname but different domain names.

I have Unbound registering DHCP4 leases as well as DHCP static mappings. But I also have overrides for both host.domain.net and host.domain.com. And the search domain is set to domain.net.

server.domain.com was resolving to the WAN IP so I added an override for it so it would resolve to the LAN IP with no issues.

server.domain.net was resolving to the IPs of both server.domain.net (DHCP static) and server.domain.com (DHCP4 lease). In order to try and correct this issue, since I still need to migrate data to .com, I tried adding an override for server.domain.com. However, this did not fix the issue. Even though the override only has the IP address for the .net instance, it is still returning both IPs. I have started and stopped Unbound dozens of times (Flush DNS Cache during reload = true) but it still continues to resolve to both IPs. I've flushed the cache on the machine I'm checking the DNS entries from without success either.

Looking for any ideas anyone might have on getting Unbound to actually respect the override.