I have actually tinkered with this myself recently, and ultimately implemented the following, which turns out to be working very well. My objective was also to catch and redirect all DNS queries towards pi-hole, which in return uses OPNsense as Unbound DNS resolver.

Course of action:

First, I created a new VLAN dedicated to my pi-hole. This is not required, but I decided to do so because of security considerations. The VLAN is firewalled, is not allowed to pass traffic to any other VLAN, and is only allowed to use TCP/UDP 53 outbound to ANY (as I am querying the root servers directly using Unbound) for DNS, and HTTP/HTTPS to connect to the internet to fetch updates.

Then I installed pi-hole and selected the interface IP of the pi-hole VLAN as upstream DNS server. That way, pi-hole will filter ads but uses Unbound on OPNsense to do the actual lookup. You could also install Unbound on the pi-hole itself and offload everything there, but I decided not to do so. I then fine-tuned everything to my needs (blocklists, black/whitelisting, etc.) and considered that part done.

Next, I wanted to be sure that all DNS queries are sent to the pi-hole for the VLANs I have set up. For that, I used a NAT Port Forward rule, which is configured as follows: https://imgur.com/NzJUFPG

Details of this rule are:
- Interface - select your required interfaces to which this rule applies
- TCP/IP version - IPv4
- Protocol - TCP/UDP
- Source - do not select
- Destination/Invert - do not check
- Destination - Any
- Destination port range - DNS
- Redirect target IP - your pi-hole IP address (I created an alias for it)
- Redirect target port - DNS
- Pool Options - Default
- Description - Redirect and pass DNS
- NAT reflection - Disable
- Filter rule association - Pass (I decided to choose pass, as this will reduce the amount of separate pass rules you need to create per interface)

I have also created an identical second rule, which is disabled, with the only difference that it contains the local loopback (127.0.0.1) address as Redirect target IP, which is the firewall itself. This is a method of last resort, in case the pi-hole breaks down or is unavailable for whatever reason. I simply switch on this NAT rule and disable the other one, and remain up and running. You need to be aware though that when this is applied, advertisements are no longer blocked, unless you utilize the Unbound built-in blacklisting capabilities (Services > Unbound DNS > Blacklist). For peace of mind you could simply enable a fallback blacklist there, but I didn't care at this point in time. Perhaps a point of improvement for the future.

Last, but not least, let's test this out in practice by going to https://dnsleaktest.com/. If all goes well, and you have applied the setup like I have depicted, you will see the WAN IP of your ISP there. If you have selected different DNS upstream servers, you will see these appearing here. Simply change the DNS server on one of your LAN devices and run the test again to see if the redirection works.

I hope this is helpful to others!
2. Go to Firewall/NAT/Port Forward and set up a rule like below:

   INT  PROTO    SOURCE  PORT  DESTINATION   PORT     NAT IP                  NAT PORT
   LAN  TCP/UDP  ANY     ANY   !LAN ADDRESS  53(DNS)  PIHOLE IP (172.16.1.5)  53(DNS)

   Be sure to create the Associated Filter Rule with the above Port Forward and place it at the top of your LAN Rules.

3. Go to Firewall/Rules/LAN and create a firewall rule to PASS from your PiHole to the LAN ADDRESS on port 53 and place it below the above Associated Filter Rule:

   PROTO    SOURCE     PORT  DESTINATION  PORT
   TCP/UDP  PIHOLE IP  ANY   LAN ADDRESS  53(DNS)
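The two posts above reach the same goal by different means: the first binds a "Destination: Any" redirect only to the client VLANs and keeps pi-hole on a VLAN the rule is not bound to; the second keeps pi-hole on the LAN and relies on "Destination: !LAN address" so that pi-hole's own upstream query to Unbound on the firewall is not caught by the redirect. The toy model below, added here for illustration (it is not OPNsense or pf code and not either poster's configuration; every interface name and address is constructed), evaluates port-forward rules the way pf evaluates rdr, first enabled match wins, and runs a client query, pi-hole's upstream query and the disabled loopback fallback through both layouts. The "LAN without invert" case shows why the invert matters: without it, pi-hole's query to the LAN address on port 53 would be rewritten back to pi-hole itself.

```python
"""Toy model of how pf evaluates the DNS port-forward rules from this thread.
Added example for illustration only; not OPNsense code and not any poster's
configuration. All interface names and IP addresses below are made up."""
from dataclasses import dataclass, replace
from ipaddress import ip_address
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on (rdr is evaluated inbound)
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class RedirectRule:
    """One Firewall > NAT > Port Forward entry (only the fields used here)."""
    ifaces: frozenset            # Interface(s) the rule is bound to
    target_ip: str               # Redirect target IP
    dport: int = 53              # Destination port range
    target_port: int = 53        # Redirect target port
    dst: Optional[str] = None    # Destination; None means Any
    dst_invert: bool = False     # Destination / Invert checkbox
    enabled: bool = True

    def matches(self, pkt: Packet) -> bool:
        if not self.enabled or pkt.iface not in self.ifaces:
            return False
        if pkt.proto not in ("tcp", "udp") or pkt.dport != self.dport:
            return False
        if self.dst is None:                   # Destination: Any
            return True
        hit = ip_address(pkt.dst) == ip_address(self.dst)
        return hit != self.dst_invert          # Invert flips the destination match


def apply_rdr(rules, pkt):
    """First matching enabled rdr rule wins; returns the (possibly rewritten)
    packet and the rule that fired, or None if the packet was left alone."""
    for rule in rules:
        if rule.matches(pkt):
            return replace(pkt, dst=rule.target_ip, dport=rule.target_port), rule
    return pkt, None


# Layout 1: pi-hole on its own VLAN, redirect bound to the client VLANs only.
PIHOLE_VLAN_IP = "10.10.53.2"     # constructed: pi-hole on the PIHOLE VLAN
FW_PIHOLE_VLAN_IP = "10.10.53.1"  # constructed: OPNsense (Unbound) on that VLAN


def demo_dedicated_vlan():
    rules = [
        RedirectRule(frozenset({"LAN", "IOT"}), PIHOLE_VLAN_IP),                  # active
        RedirectRule(frozenset({"LAN", "IOT"}), "127.0.0.1", enabled=False),     # fallback
    ]
    client = Packet("LAN", "udp", "192.168.1.50", "8.8.8.8", 53)
    upstream = Packet("PIHOLE", "udp", PIHOLE_VLAN_IP, FW_PIHOLE_VLAN_IP, 53)
    out = {
        "client_query": apply_rdr(rules, client)[0],      # rewritten to pi-hole
        "pihole_upstream": apply_rdr(rules, upstream)[0],  # no rule bound to PIHOLE
    }
    # "Method of last resort": disable the pi-hole rule, enable the loopback one.
    swapped = [replace(rules[0], enabled=False), replace(rules[1], enabled=True)]
    out["client_query_fallback"] = apply_rdr(swapped, client)[0]
    return out


# Layout 2: pi-hole on the LAN itself, redirect uses Destination "!LAN address".
LAN_ADDRESS = "172.16.1.1"    # constructed: firewall LAN address (Unbound)
PIHOLE_LAN_IP = "172.16.1.5"  # constructed: pi-hole on the LAN


def demo_lan_invert(invert: bool = True):
    rules = [RedirectRule(frozenset({"LAN"}), PIHOLE_LAN_IP,
                          dst=LAN_ADDRESS, dst_invert=invert)]
    client = Packet("LAN", "udp", "172.16.1.50", "1.1.1.1", 53)
    upstream = Packet("LAN", "udp", PIHOLE_LAN_IP, LAN_ADDRESS, 53)
    return {
        "client_query": apply_rdr(rules, client)[0],
        "pihole_upstream": apply_rdr(rules, upstream)[0],
    }


if __name__ == "__main__":
    for name, result in (("dedicated VLAN", demo_dedicated_vlan()),
                         ("LAN with invert", demo_lan_invert(True)),
                         ("LAN without invert", demo_lan_invert(False))):
        print(name)
        for label, pkt in result.items():
            print(f"  {label:22s} -> {pkt.dst}:{pkt.dport}")
```

In the model, as on the firewall, the redirect only rewrites the destination; the pass rule for pi-hole to the LAN address on port 53 from step 3 is still needed so that the untouched upstream query is actually allowed through the filter.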
I did the same as mg82: created a VLAN purely for pi-hole. Those VLANs can't talk to each other; only the redirect allows DNS traffic to pi-hole (see attachment). Then I created, under NAT > Port Forward, a rule for every interface that needs to use pi-hole (see attachment). The rule itself is also in the attachment. I didn't touch anything in NAT and DHCP; those are default. Pi-hole itself uses Unbound.
Thank you! Do you have Destination/Invert checked for the port 53 redirect NAT rules? You are explicitly blocking all traffic from the pi-hole to the LANs with no exceptions, so I assume that the NAT destination/invert rule takes care of that and that it is higher up in the order in which the rules get processed. Otherwise, I can't see how the clients get their DNS responses back. Did I get that right?
I have this working with 20.1.9_1, following the steps listed here: https://www.reddit.com/r/OPNsenseFirewall/comments/97vikk/opnsense_and_pihole_a_guide_to_obscuring_your_dns/