OPNsense
Topics - JGN1956

1. 22.7 Legacy Series / DNSMasq and DNSSEC
« on: August 22, 2022, 01:01:27 pm »
Good morning. Some days ago I opened a topic about Unbound not responding, or responding SERVFAIL, to clients in VLANs even though the same request made from the firewall was answered correctly. None of the suggested responses worked in my installation and I decided to try DNSMasq. With DNSMasq everything worked correctly until I activated DNSSEC. With DNSSEC active I could see the following behaviour:

- From the firewall itself, DNS requests worked correctly all the time.
- From VLAN clients, if the URL was already in cache (from a previous firewall request, for example), everything worked.
- From VLAN clients, if the URL was not in cache, the request did not work.

In this last case, I made a packet capture for port 53 on both the VLAN and the WAN and I could see that the request went from the local PC to the firewall, and then from the firewall to the configured DNS servers (1.1.1.1 and 8.8.8.8 in my case), which responded with the A record address requested. The strange thing is that, after that, the firewall responded with a SERVFAIL to the client and the response was not cached.

To me this looks in some way similar to the problem I had with Unbound. I have been checking the OPNsense firewall log on both interfaces, local VLAN and WAN, to see if something was rejected and the problem was some missing rule, but nothing was rejected apart from UDP 1900, which I do not allow.

I do not like to have DNS configured without DNSSEC but, for now, that is what I have, since it does not work otherwise, and I would be grateful if somebody could give me a way to make it work.

Thank you in advance.
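A way to read the four-leg capture described in this post (PC to firewall, firewall to upstream, upstream back, firewall back to PC), as an added example that is not code from the post, from OPNsense or from dnsmasq: a small Python parser that pulls the header flags, RCODE, question, answer RR types and the EDNS DO bit out of each port-53 UDP payload, plus a builder for constructed sample packets so the legs can be lined up side by side. The sample messages, IDs, names and addresses below are made up; the triage wording is mine, not a dnsmasq diagnostic.

```python
"""Classify port-53 payloads from a capture of a forwarding resolver.

Added example; not code from the forum post, OPNsense, dnsmasq or Unbound.
All sample messages are constructed here (IDs, names and addresses made up).
"""
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TYPE_NAMES = {1: "A", 28: "AAAA", 41: "OPT", 43: "DS", 46: "RRSIG", 48: "DNSKEY"}


def read_name(msg, off):
    """Decode a (possibly compressed) domain name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer: 14-bit offset into the message
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels) + ".", end if end is not None else off


def summarize(msg):
    """Return header flags, RCODE, question, answer RR types and the EDNS DO bit."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {
        "id": ident,
        "response": bool(flags & 0x8000),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "ad": bool(flags & 0x0020),  # authenticated data: the validator vouches for the answer
        "cd": bool(flags & 0x0010),  # checking disabled
        "rcode": RCODE_NAMES.get(flags & 0x000F, str(flags & 0x000F)),
        "do": False,                 # DNSSEC OK lives in the OPT record, not the header
        "question": None,
        "answer_types": [],
    }
    off = 12
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        info["question"] = (name, TYPE_NAMES.get(qtype, qtype))
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            _name, off = read_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == 41:  # OPT: TTL field = ext-RCODE | version | flags; DO is bit 15
                info["do"] = bool(ttl & 0x8000)
            elif section == "answer":
                info["answer_types"].append(TYPE_NAMES.get(rtype, rtype))
            off += rdlen
    return info


def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def build_message(ident, flags, qname, qtype=1, answers=(), do_bit=None):
    """Construct a minimal DNS message for test data. do_bit: None = no EDNS,
    False = OPT without DO, True = OPT with DO. answers = [(rtype, rdata_bytes), ...]."""
    header = struct.pack("!HHHHHH", ident, flags, 1, len(answers), 0, 0 if do_bit is None else 1)
    body = encode_name(qname) + struct.pack("!HH", qtype, 1)
    for rtype, rdata in answers:  # owner name = pointer to the question name at offset 12
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    if do_bit is not None:
        body += b"\x00" + struct.pack("!HHIH", 41, 1232, 0x8000 if do_bit else 0, 0)
    return header + body


def triage_forwarding(upstream_query, upstream_reply, client_reply):
    """Compare the firewall->upstream, upstream->firewall and firewall->client legs."""
    fq, ur, cr = (summarize(m) for m in (upstream_query, upstream_reply, client_reply))
    report = {
        "forwarded_do": fq["do"],
        "upstream_rcode": ur["rcode"],
        "upstream_rrsig": "RRSIG" in ur["answer_types"],
        "client_rcode": cr["rcode"],
        "client_ad": cr["ad"],
    }
    if not fq["do"]:
        report["verdict"] = ("forwarded query has no DO bit: upstream will not return RRSIGs, "
                             "so the forwarder has nothing to validate")
    elif cr["rcode"] == "SERVFAIL" and ur["rcode"] == "NOERROR":
        report["verdict"] = ("upstream answered NOERROR but the forwarder sent SERVFAIL: the failure "
                             "is in the forwarder's own validation, not a blocked packet"
                             + ("; the upstream answer carried no RRSIG" if not report["upstream_rrsig"] else ""))
    else:
        report["verdict"] = "client got %s, upstream said %s" % (cr["rcode"], ur["rcode"])
    return report


# Constructed capture matching the post: upstream returns the A record, firewall answers SERVFAIL.
QR, RD, RA, SERVFAIL = 0x8000, 0x0100, 0x0080, 0x0002
UPSTREAM_QUERY = build_message(0x3C4D, RD, "www.example.net.", do_bit=True)
UPSTREAM_REPLY = build_message(0x3C4D, QR | RD | RA, "www.example.net.",
                               answers=[(1, bytes([192, 0, 2, 10]))], do_bit=True)
CLIENT_REPLY = build_message(0x1A2B, QR | RD | RA | SERVFAIL, "www.example.net.")

if __name__ == "__main__":
    for label, pkt in (("fw->upstream", UPSTREAM_QUERY), ("upstream->fw", UPSTREAM_REPLY),
                       ("fw->client", CLIENT_REPLY)):
        print(label, summarize(pkt))
    print(triage_forwarding(UPSTREAM_QUERY, UPSTREAM_REPLY, CLIENT_REPLY)["verdict"])
```

On a real capture, feed each UDP payload to summarize() and compare the legs. The two things to look at first are whether the forwarded query carries the DO bit (without it upstream returns no RRSIGs, so a validating forwarder has nothing to check) and whether upstream's NOERROR turned into the forwarder's SERVFAIL, which places the failure in validation (including the DS and DNSKEY lookups a validator has to make, which also show up on port 53) rather than in a firewall rule.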


2. 22.7 Legacy Series / OpenVPN configuration
« on: August 19, 2022, 08:32:58 pm »
When I try to set two different LAN segments in my LAN I get the following error:

'192.168.30.0/24, 192.168.40.0' in 'Red Local IPv4' may only contain valid ipv4 CIDR range(s) separated by commas.


The error in itself is illogical since, as you can see, the ranges are valid IPv4 CIDR. The problem is that, apparently, only ONE range is allowed, and therefore either there is an error in the coding or in the help and documentation.

Can you set up your client so that all client communications go through the VPN tunnel?
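The message quoted in this post states the rule the field applies: every comma-separated entry must be a valid IPv4 CIDR range. As an added example (not OPNsense code), here is a validator that applies that rule entry by entry and reports which entry fails and why; on the quoted string it accepts 192.168.30.0/24 and flags the second entry for carrying no prefix length. Treating host bits inside a network (192.168.30.1/24) as an error is this example's choice, not a documented OPNsense rule.

```python
"""Validate a comma-separated list of IPv4 CIDR ranges, entry by entry.

Added example, not OPNsense code. The host-bits check is this example's choice.
"""
import ipaddress


def validate_ipv4_cidr_list(value):
    """Return (accepted, problems): accepted holds the normalised networks,
    problems holds (entry, reason) for each entry that is not an IPv4 CIDR range."""
    accepted, problems = [], []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            problems.append((raw, "empty entry"))
            continue
        if "/" not in entry:
            # A bare address is not a range: ipaddress would accept it as a /32,
            # which is not what a field asking for CIDR ranges means.
            problems.append((entry, "missing prefix length (e.g. /24)"))
            continue
        try:
            network = ipaddress.IPv4Network(entry, strict=True)  # strict: reject host bits
        except ValueError as exc:
            problems.append((entry, str(exc)))
            continue
        accepted.append(str(network))
    return accepted, problems


if __name__ == "__main__":
    for candidate in ("192.168.30.0/24, 192.168.40.0",     # the string from the post
                      "192.168.30.0/24, 192.168.40.0/24",  # both entries carry a prefix
                      "192.168.30.1/24",                   # host bits set
                      "192.168.30.0/24,,10.0.0.0/8"):      # empty entry in the middle
        ok, bad = validate_ipv4_cidr_list(candidate)
        print(repr(candidate), "->", ok, bad)
```

Reporting the offending entry rather than the whole string is what makes a multi-value field usable; the GUI message above only says that some entry in the string is not a CIDR range, which is why the two-entry string and a one-entry typo produce the same text.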

3. 22.7 Legacy Series / Unbound DNS not working from internal interfaces
« on: August 16, 2022, 10:59:30 pm »
I have recently installed OPNsense and I have configured different VLANs and interfaces. I have also configured a DMZ for a server that has to be accessible from the Internet. The WAN interface has a static IP and DNS configured in the general settings, since I have to keep the broadband router in the middle so that my fiber optics connection and TV keep working. Everything is working fine except that I have had to explicitly assign DNS servers to every internal network in the DHCPv4 config instead of keeping the default, that is, the firewall. I am using Unbound, with DNSSEC enabled, and I have also enabled forwarding and DNS over TLS without overrides. However, forwarding is not working because, if I take out the explicit DNS servers from the DHCPv4 assignments in order to use the firewall as DNS, I cannot access the Internet from my PCs. I have even checked a packet capture and I do not see anything coming out of the WAN interface.

I have checked and rechecked the documentation and Internet postings without success. I think that, if this was an OPNsense error, it would be all over the place, because Unbound with the firewall as DNS for internal networks is the standard configuration, and therefore I must be missing something in my settings.

Can anybody help me sort this out?

Thanks in advance.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved