Messages - Lil-cyb

#1
Quote from: EricPerl on May 23, 2025, 10:01:02 PM
> rebind protections.

Hey EricPerl, you were absolutely right—I checked the Rebind protection networks setting and it was blocking 192.168.0.0/16. I removed that entry, and now it resolves perfectly via Pi-hole. Thanks for pointing me in the right direction!
#2
Quote from: EricPerl on May 22, 2025, 10:44:29 PM
> How does Unbound even know about pve-home.com? Did you specify it in private domains?


I do have pve-home.com and even www.pve-home.com defined under Settings → DNS → Local DNS Records in Pi-hole. When I run:

`nslookup pve-home.com 192.168.173.1` (OPNsense)

against OPNsense's Unbound resolver, it still returns NXDOMAIN; Unbound never forwards that query to Pi-hole by default. However, if I point the query directly at Pi-hole:

`nslookup pve-home.com 192.168.173.2`

I immediately get the correct IP back.

I know I could add a Domain Override in Unbound for pve-home.com, but I'd really prefer to keep all of my DNS record management inside Pi-hole. Is there a way to tell Unbound to forward that zone (or better yet, all queries) straight to Pi-hole without per-domain overrides?
#3
Quote from: undistio on May 22, 2025, 06:39:22 AM
> Services --> Unbound DNS --> Query Forwarding --> [ + ]
> Server IP: YOUR PI-HOLE IP
>
> Then let clients get the OPNSense Firewall (default) IP for DNS Server.
>
> With this setup, clients will use Unbound on OPNSense for DNS, and Unbound will forward DNS requests to the Pi-Hole.

Hi everyone, thanks so much for all the suggestions! Special shout-out to undistio; your Unbound query-forwarding walkthrough got me 99% of the way there.

What I've done

* Enabled Unbound on OPNsense and set it to forwarding mode, pointing at my Pi-hole (192.168.173.2).
* DHCP now hands out 192.168.173.1 for DNS, and almost every lookup goes through Pi-hole exactly as expected.

Screenshot 1:


---

The one hiccup
When I try to resolve a host defined under Local DNS Records in Pi-hole (e.g. pve-home.com), Unbound answers "no such name" before ever forwarding the query. If I manually add a Domain Override in Unbound for pve-home.com, it works, but I'd really prefer to keep all of my DNS logic inside Pi-hole itself instead of maintaining overrides in OPNsense. I can't access pi.hole either.

Screenshot 2:


---

My question
Is there a cleaner way to have Unbound always send Pi-hole's Local DNS Records through (instead of returning NXDOMAIN)? Or any other approach that keeps local host definitions entirely within Pi-hole?

Thanks again to everyone who chimed in! Any pointers would be hugely appreciated.
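As an added example that is not part of this thread (nor OPNsense's generated configuration), here is what the forward-everything setup from post #3 and the rebind-protection change from post #1 amount to in Unbound's own unbound.conf syntax, with a narrower alternative shown beside the fix that was applied. It assumes that OPNsense's Query Forwarding, Rebind protection networks and Private domains fields map onto Unbound's forward-zone, private-address and private-domain directives; the addresses and domain names are the ones used in the thread.

```conf
# Added example, not the thread's own configuration. These are Unbound's
# native directives; the mapping to OPNsense's "Query Forwarding",
# "Rebind protection networks" and "Private domains" fields is an assumption.
# Addresses and zone names are the ones the thread uses.

server:
    # Rebind protection: an answer that carries one of these addresses is
    # stripped unless the queried name falls under a private-domain entry.
    # Post #1 cleared the failure by deleting the 192.168.0.0/16 line, which
    # also lets any public domain hand back a 192.168.x.x address unfiltered.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10

    # Narrower alternative: keep the filter and exempt only the zones that
    # legitimately resolve to LAN addresses. pve-home.com is the thread's
    # local zone; pi.hole is Pi-hole's own name and answers with Pi-hole's IP.
    private-domain: "pve-home.com"
    private-domain: "pi.hole"

# Post #3's setup: every query Unbound cannot answer from its own local data
# is forwarded to Pi-hole, which holds the Local DNS Records and filters ads.
forward-zone:
    name: "."
    forward-addr: 192.168.173.2
```

Because every query now reaches Pi-hole from 192.168.173.1, Pi-hole sees a single client and its per-client statistics and group assignments no longer distinguish individual LAN hosts.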
#4
Hello everyone,

Until now, I've been using Pi-hole as the DNS server on my network, and my DHCP configuration in OPNsense was set to provide Pi-hole's IP (192.168.173.2) as the DNS server to all clients.

However, I now want to change this setup because of a limitation with my access points: when guest network mode is enabled, clients can only communicate with the default gateway (192.168.173.1). This prevents them from reaching Pi-hole directly.

Because of this, I'd like to make OPNsense (192.168.173.1) the DNS server for all clients, while still having all DNS queries be filtered and processed by Pi-hole. So essentially, OPNsense should act as the DNS server but forward all queries to Pi-hole internally.

What's the proper way to configure this in OPNsense?
Additionally, do I need to change anything on the Pi-hole side to support this configuration?

Thanks in advance for your help!
#5
Thanks again for all the tips—here's a more detailed update that hopefully clears up the DHCP side:

---

 1) DHCP configuration

* With the built-in I219 (em0) as LAN, I never touched any DHCP settings at all—just plugged my laptop into the port and it always immediately got an IP.
* Switching LAN to the I226 (igc0), I tried exactly the same: straight cable connection, laptop set to DHCP. Nothing. No address.
* I then went into Services → DHCPv4 → LAN, explicitly enabled the server and defined a 192.168.1.100–200 pool, but igc0 still never handed out any leases.

 2) Link speed/duplex

* When I ran `ifconfig igc0`, it showed `media: Ethernet autoselect (1000baseT <full-duplex>) status: active`.
* That was fine for testing against my laptop's USB-C 1 Gbps adapter, but it still didn't pass any DHCP broadcasts. In other words, even at 1 Gbps full-duplex it wasn't forwarding broadcasts off the wire.

 3) Live packet capture

 I watched the pf log via console option 10 while triggering `dhclient` on my laptop—no DHCPDISCOVER ever appeared.

---

Final resolution

I then swapped in a new adapter: an Intel I210-based M.2 adapter (the one I linked earlier) in the very same slot. On first try it came up as `igb0`, negotiated 1 Gbps full-duplex, and immediately served DHCP leases to my laptop exactly as the I219 had.



That tells me the issue wasn't DHCPd or pf at all, but a PHY/driver quirk with the I226-SRKTV under FreeBSD. I'm now running with the I210 card on LAN and everything is rock-solid. If anyone discovers a firmware or driver patch that makes the I226 work properly, I'd love to hear about it—otherwise I'm all set.

Thanks again for your help!
#6
Sorry for the delay and thanks again for pointing me in the right direction.
And to give more context, I'm new to OPNsense and was following a tutorial on YT when I ran into this issue after a fresh installation.
I did update to the latest BIOS too, just in case, and it's still the same as before.
I just took the screenshots you asked for:

 1) `ifconfig igc0` output



You can see:

* flags: UP, BROADCAST, RUNNING, MULTICAST
* status: active
* media: Ethernet autoselect (1000baseT <full-duplex>) (It's connected to my laptop with a USB-C Ethernet adapter, which is 1 Gbps anyway)

So the FreeBSD `igc` driver definitely sees the I-226 and brings it up at 1 Gbps when connected through the USB-C adapter.

---

 2) Interface assignment

From the initial setup screen, when you pick the option to assign interfaces:



I confirmed:

* WAN → em0 (the Intel I219-V)
* LAN → igc0 (the Intel I226-SRKTV)

That matches what you recommended: proper mapping of em0 for upstream and igc0 for my LAN.

---

Next Steps?

At this point I'm convinced it's not a DHCP-service issue, but rather a negotiation or driver quirk with the I-226 on FreeBSD. Any further suggestions would be hugely appreciated!

---

In the meantime, I looked for a new adapter on Amazon, and I found someone (in the product reviews) using this new adapter (based on the I210) on the same mini computer I have (Lenovo M710q Tiny), which might work, but it's 1 Gbps and not 2.5 Gbps: new adapter link
#7
## Hardware & Firmware

* Host: Lenovo ThinkCentre M710q Tiny (Type 10MR)
* BIOS: M1AKT5AA (20 Mar 2025)
* Built-in NIC (em0): Intel I219-V SPT-H (1 GbE)
* M.2 NIC (igc0): Intel I226-SRKTV (2.5 GbE adapter in the Wi-Fi slot) Amazon link

## OPNsense Version

25.1 (amd64) installed on internal SSD (Crucial P3 Plus 500 GB)

---

## Problem Description

When I assign the built-in I219 (em0) to LAN, my laptop gets a 192.168.1.x DHCP lease immediately and I can browse to https://192.168.1.1.
When I instead assign the I226-SRKTV (igc0) to LAN:

* The firewall's LAN IP shows correctly as 192.168.1.1/24
* Clients never receive a DHCP lease
* The LAN LED blinks orange and green

In contrast, the I219 works flawlessly both as WAN (DHCP from Fritz!Box router) and as LAN (DHCP to clients).

---

## What I've Tried

1. Assigned interfaces via console menu (option 1), set igc0 as LAN, em0 as WAN, and vice versa.
2. Static LAN IP on igc0: 192.168.1.1/24, no gateway.
3. Toggled BIOS ASPM/EEE where available (none exposed for PCIe on M710q).
4. Disabled ASPM in `/boot/loader.conf.local`:

   ```
   hw.pci.enable_aspm="0"
   ```
5. Disabled EEE via sysctl in `/etc/sysctl.conf`:

   ```
   dev.igc.0.no_eee=1
   ```
6. Forced link mode at the CLI:

   ```shell
   ifconfig igc0 down
   ifconfig igc0 media 2500baseTX mediaopt full-duplex
   ifconfig igc0 up
   ```

7. Factory reset (console option 4) and full reconfiguration.
8. Tried different cables, direct connect, and even an unmanaged 2.5 Gb switch—no change.

---

## What I Need Help With

1. Why does igc0 never hand out DHCP leases on LAN? Clients never see a carrier.
2. Has anyone used an Intel I226-SRKTV under FreeBSD/OPNsense? Does it require a special driver or firmware?
3. Are there hidden BIOS options (in UEFI Advanced menus) to disable PCIe power-management on the I226?
4. Any further tunables or driver settings that will force true 2.5 Gbps and enable DHCP on LAN?

Thank you for any pointers or config examples—happy to provide logs (`dmesg`, `ifconfig -a`, `/var/log/dhcpd.log`) or test drivers if needed!