General Discussion / Re: Cannot get forced redirect of DNS to Pihole
« on: January 25, 2020, 11:29:23 pm »
It will work if you put a NAT loopback on the outbound NAT. Need to come back later with screenshots (not in the opportunity right now). You could also google on hairpin NAT to see if you can come up with the solution yourself.
Hi,
Create a port forward like this (NAT Port forward):
Interface: LAN
Protocol: TCP/UDP
Source: invert -> 192.168.1.22
Source Port: Any
Destination: invert -> LAN ADDRESS
Destination Port: DNS
Redirect Target: 192.168.1.22
Redirect Port: DNS
Nat Reflection: Disabled
Create an outbound NAT translation like this (NAT Outbound):
Interface: LAN
Protocol: any
Source: invert -> 192.168.1.22
Source Port: Any
Destination: 192.168.1.22
Destination Port: DNS
Translation/Target: interface address
This should do the trick. One drawback is that in pihole you will see all redirected traffic coming from OPNsense instead of your client.
When configuring a hard-coded DNS like 1.1.1.1 and using nslookup, it still shows that 1.1.1.1 is resolving the DNS, but actually you will find an entry in pihole.
Maybe it can be done in an easier way. Open to suggestions.
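For readers who want to see what the two GUI rules above amount to underneath, here they are written as the equivalent pf rules (an added illustration, not the rule set OPNsense generates; the LAN interface name em1 is an assumption, and both rules are written for tcp/udp because pf only matches a destination port for those protocols):

```pf
lan_if = "em1"             # assumption: your LAN interface name
pihole = "192.168.1.22"    # Pi-hole address used in the thread

# Port forward (rdr): DNS from any LAN client except the Pi-hole, to any
# destination except the firewall's own LAN address, is redirected to the
# Pi-hole. Only plaintext port-53 DNS is caught by this rule.
rdr on $lan_if proto { tcp udp } from ! $pihole to ! ($lan_if) port 53 \
    -> $pihole port 53

# Outbound NAT (hairpin / NAT loopback): the redirected packet leaves on the
# same LAN interface it arrived on, so its source is rewritten to the LAN
# interface address. Without this the Pi-hole would answer the client
# directly, the client would see a reply from an unexpected address and
# drop it. The price is that Pi-hole logs OPNsense, not the client, as the
# querying host.
nat on $lan_if proto { tcp udp } from ! $pihole to $pihole port 53 \
    -> ($lan_if)

# Pass rule for the translated traffic (OPNsense normally adds this as the
# "associated filter rule" of the port forward).
pass in quick on $lan_if proto { tcp udp } from ! $pihole to $pihole port 53 \
    keep state
```

Once the rules are loaded, `pfctl -s nat` on the firewall shows the rdr and nat entries, and `pfctl -s state | grep ':53'` shows a redirected query as a state whose destination has been rewritten to 192.168.1.22.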
Thank you so much for this! It works perfectly. I can now do "nslookup car.com 1.1.1.1" and it will show up in the pi-hole logs.
Just a note for the noobs like me: when setting a specific IP address like 192.168.1.22 if there is a box next to it, set it to /32. (32 specifies a specific IP address).
Also this seemed to work better if for the outbound NAT rule I set the source port to DNS (53) instead of any. But for the port forward rule I kept it exactly as you said.
As far as the IP addresses all looking like they came from the router, that is true but only for clients that are not respecting the DHCP settings in the first place and have hard-coded DNS servers set, so that is an ok compromise. Most clients show up correctly with the above settings because they have their DNS server set to 192.168.1.22 to begin with.
Thanks again for your help!