Messages - updatelee

#1
Never mind, a NAT rule was changing it. I created a manual NAT rule to counteract this. Ugh, sorry everyone.
#2
I've got a rule to block TLS traffic on port 853 from LAN (not from the firewall itself though) to any port 853, but it never gets triggered because a default automatically generated rule is letting it all through.

The odd thing though is that the source IP isn't right. That's my WAN IP you see there.

LAN IP of opnsense = 192.168.8.1
LAN IP of testing computer = 192.168.8.10

So I'm guessing it's some NAT issue? I only have one manually created NAT rule and that's a port 53 redirect. I tried disabling it and no change; it is logging and doesn't appear in my logs as being triggered, which is not surprising as I'm using TLS to test here.

dig google.com @8.8.8.8 +tls

is the command I'm using to test the rule on a separate computer on the LAN.
#3
I'm using Kea DHCP and Unbound DNS. If within Unbound you enable Register static mappings and Register ISC DHCP4 Leases, and the DHCP client decides to have a hostname ending in a '.', for example 'xboxone.', then Unbound tries to register 'xboxone..mydomain.com', which isn't valid obviously and crashes Unbound. Pretty simple little DoS lol. IMO Kea DHCP and Unbound should both be checking that. Thoughts?
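An added example, not code from the post or from Kea, Unbound or OPNsense: the kind of hostname check the post argues the DHCP-to-DNS registration step should do before building a name, assuming a constructed local domain "mydomain.com" and constructed sample leases.

```python
import re

# Constructed sample domain for the example; not from the post.
LOCAL_DOMAIN = "mydomain.com"

# RFC 1123 host label: letters, digits, hyphens; no leading/trailing hyphen; 1-63 chars.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def normalize_dhcp_hostname(raw):
    """Return a clean single-label hostname, or None if the client value is unusable.

    A client-supplied DHCP hostname is untrusted input. Strip whitespace and any
    trailing dot (a client sending 'xboxone.' would otherwise yield
    'xboxone..mydomain.com'), reject embedded dots so a client cannot inject
    extra labels into the local zone, and enforce RFC 1123 label syntax.
    """
    if raw is None:
        return None
    name = raw.strip().rstrip(".").lower()
    if not name or "." in name or not _LABEL_RE.match(name):
        return None
    return name

def build_fqdn(raw_hostname, domain=LOCAL_DOMAIN):
    """Build 'host.domain.' for registration, or None when the hostname must be dropped."""
    host = normalize_dhcp_hostname(raw_hostname)
    if host is None:
        return None
    return f"{host}.{domain.strip('.')}."

def register_leases(leases, domain=LOCAL_DOMAIN):
    """Map each (ip, hostname) lease to its FQDN; rejected leases are returned for logging."""
    accepted = {}
    skipped = []
    for ip, hostname in leases:
        fqdn = build_fqdn(hostname, domain)
        if fqdn is None:
            skipped.append((ip, hostname))
        else:
            accepted[fqdn] = ip
    return accepted, skipped

if __name__ == "__main__":
    # Constructed sample leases, including the trailing-dot case from the post.
    sample = [("192.168.8.10", "testbox"), ("192.168.8.20", "xboxone."),
              ("192.168.8.21", "bad..name"), ("192.168.8.22", "-nope"), ("192.168.8.23", "")]
    ok, bad = register_leases(sample)
    print(ok)
    print(bad)
```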