Menu

Show posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Show posts Menu

Messages - opnseeker

Pages1
#1
26.1 Series / Re: OpnSense 26.1.1 Destination NAT doesn't seem to redirect as expected
February 10, 2026, 05:59:40 PM
Some additional info that may be relevant:

IoT interface is not part of the Interface Group used to redirect traffic to PiHole.

NAT rule redirecting IoT traffic to Unbound is right after the NAT rule redirecting traffic to PiHole.

One question that comes to mind is when the DNAT rules are executed in relation to the firewall filter rules and in what order.
#2
26.1 Series / OpnSense 26.1.1 Destination NAT doesn't seem to redirect as expected
February 10, 2026, 05:51:17 PM
I have been using OpnSense since 2023 and I come to appreciate the effort put into creating such useful and usable software.

I upgraded to 26.1.1 and it is mostly working except I have a few issues with move from the previous port forwarding to Destination NAT.

I understand that the firewall rules have been decoupled from the NAT redirection rules and I took care of updating and moving them into the new rules section.

At this point I have one major issue and other minor ones.

Major issue - redirection seems to completely fail - redirect rule to direct DNS traffic to Unbound for one of the VLANs is ignored as described below.

Primary DNS works as follows:

Client (Interface Group VLANs) -> Pihole (53) -> DNSMAsq (OpnSense: 53) -> External resolver

The above is done using an already existing (still working) DNAT rule that forwards all DNS (53) traffic to PiHole (53) and it seems to continue to work. This is done using an interface group as not all VLANs use PiHole.

For the remaining interfaces/VLANs, DNS works as follows:

Client (remaining VLANs) -> DNSMasq (OpnSense: 53) -> External Resolver

No redirection is used here as DNSMAsq currently runs at port 53 on all interfaces of the OpnSense router. the default DNS address assigned by OpnSense works as is.

The non-working DNAT (redirection) rules is for one of the VLANs (IoT) that uses DNSMsq to use Unbound at 53053 as follows:

DNS Path anticipated:

Client (IoT VLAN) -> Unbound (Opnsense:53053) as recursive resolver

Interface: IoT
Version: IP4/IP6
Protocol: TCP/UDP

Source: any
Source Port: any

Dest: any
Dest Port: 53

Target IP: Numeric IP of the interface where Unbound is running - same as IoT interface on OpnSense
Target port: 53053

I also added a corresponding Firewall rule to allow traffic from IoT VLAN to Unbound (Opnsense 53053).

The issue:

All devices on IoT VLAN still use DNSMasq as ipleak.net shows the external resolver. Using Unbound as recursive resolver should show OpnSense WAN address as the resolver address on ipleak.net.

Conclusion:

The redirection is simply being ignored. If redirection is done but some other problem is causing the traffic not to reach Unboud, DNS should fail and ipleak.net should show DNS errors.

Other minor issues exist which caused other problems but they can wait for another time (there are workarounds).

Any help and guidance will be greatly appreciated.
Pages1