OPNsense and AdGuard plugin - DNS only works for static DHCP Clients

[paperrhino]

I'm running OPNsense 21.7.8 and I installed Adguard through the mimugmail repository.

My primary goal is to have all my DNS traffic from my LAN to ultimately be handled by Adguard.

The problem: I've set up a pool on the DHCP server where devices that haven't been assigned an IP. Everything else on my network has a static DHCP mapping. Only those devices with a static IP mapping get valid DNS settings. When a new device connects, it cannot resolve any DNS names (local or Internet) until I go into OPNSense and assign it a static mapping under the DHCPv4 settings.

Settings:

I can't remember what tutorial I followed and I've changed so many things fighting this problem I'm not sure that's even relevant any longer.

System -> General -> Networking
    Prefer IPv4 over IPv6: checked
    DNS servers: I've configured several publicaly available (e.g. 1.1.1.1) using the WAN gateway
    All other networking settings are unchecked

DHCPv4
    Enable: checked
    Deny unknown clients: unchecked
    Ignore Clienty UIDs: checked
    Subnet, subnet mask, available range and range set to reasonable values
    Static ARP: checked
    All other settings are blank/unchecked/default values

Static DHCP Mapping:
I'll fill out the MAC Client identifier, IP, hostname, description and check ARP Table Static Entry. All other settings are left blank/defaults.

Unbound DNS
    Enabled: checked
    Listen Port: 5353
    Network Interfaces: LAN, Tailscale
    DNSSEC: checked
    DNS64: unchecked
    DHCP Registration: checked
    DHCP Domain Override: blank
    DHCP Static Mapping: checked
    IPv6 Link-local: checked
    TXT Comment Support: checked
    DNS Cache: checked
    DNS Query Forwarding: checked
    Local Zone Type: transparent

Adguard DNS Settings:
    Upstream DNS Servers:  the Unbound server (i.e. localhost:5353)
    Parallel requests
    Bootstrap DNS Servers: added the Unbound server, I think I left the other entries that were already there
    Private reverse DNS servers: the Unbound server
    Use private reverse DNS resolvers: checked
    Enable reverse resolving of client' IP addresses: checked
    (testing upstreams pass)
    All other DNS settings are the defaults

No clients are stored in the configuration.

Adguard's DHCP is turned off


I've tried so many things over many months but usually either end up breaking everything or not changing this behavior.

Any recommendations or tips would be greatly appreciated.

Thanks!

[cookiemonster]

Probably with firewall rules to push dns queries directed to OPN, to be redirected to Adguard.
Before just removing the forwarding option in Unbound might work. If it does, then there is some firewall rule that is preventing or missing to allow that traffic from lan clients out to 1.1.1.1 in the example. You don't need to use forward dns as it defeats the purpose of having a dns filter like adguard.

[meschmesch]

Your settings appear to be a mix of everything. Perhaps not everything is needed. At least for testing I would rely on adguard only. My settings are as follows:

System -> General -> Networking

Code: [Select]

    DNS servers: I've configured the local aduard DNS server here 192.168.xxx
    Do not use the local DNS service as a nameserver for this system : checked   
DHCPv4
    I assume that DNS servers can be left blank


Unbound DNS: disabled

Adguard DNS Settings:

Code: [Select]

    Upstream DNS Servers:  for example  Cloudflare
       tls://1.1.1.1:853
       tls://1.0.0.1:853
   
    Bootstrap DNS Servers: same as for upstream DNS servers
    Private reverse DNS servers: blank
    Use private reverse DNS resolvers: unchecked
    Enable reverse resolving of client' IP addresses: checked
    DNSSEC: Check
Firewall: First I created an adguard alias since adguard can listen on multiple IP addresses at the same time. This simplifies things when creating rules in multiple interfaces.

Rule for Firewall:

Code: [Select]

    Allow * destination Adguard-Alias Port 53
    Deny * destination * Port 53  (=block direct attempt to DNS bypassing adguard)
    Allow Adguard-Alias destination * Port 853
    Deny * destination * Port 853
As a safeguard I have also set up a port forward as follows (firewall - NAT - port forward):

Code: [Select]

Forward port 53 for traffic source NOT adguard-alias and dest NOT adguard-alias to adguard-IP

[paperrhino]

Thanks for the replies and sorry for the delay in response.

Before just removing the forwarding option in Unbound might work. If it does, then there is some firewall rule that is preventing or missing to allow that traffic from lan clients out to 1.1.1.1 in the example. You don't need to use forward dns as it defeats the purpose of having a dns filter like adguard.

I've run it with and without that box checked. I get no change in behavior but I'll leave it unchecked because I agree it's not needed.

If it were a firewall rule issue, wouldn't it not work all the time? I wouldn't think that the fact that clients with a static DHCP mapping in the ARP table would work and clients that are dynamically assigned their IP would not given I've no rules that specifically address the IPs in the range of the dynamic pool. In either case DHCP is serving out the OPNsense/Adguard as the DNS.

I did review my firewall rules and I don't see anything unexpected but there might be something going on here so I'll have to study it more closely. I tried this test.

I connected to the WiFi with a client without a static mapping (it's as easy as turning on randomized MAC on my phone). As usual it would not resolve anything. But this time I tried to bring up Adguard's admin page using it's IP and port and it timed out. So something does seem to be blocking access to Adguard itself.

The only thing I can think of is if for some reason "LAN net" doesn't include the IPs in my dynamic pool of addresses (10.10.1.200-10.10.2.254). The IPv4 "Default allow LAN to any rule" allows "LAN net". I tried "LAN address" but that broke everything.

Your settings appear to be a mix of everything.

Not surprising since I've been fighting this for months. But in the interest of getting back to a clean slate I've mirrored your settings to the best of my ability, including adding the firewall rules and NAT. I still get the same results. My intent though was to use Unbound to resolve the host names for my local machines. 

Though now none of my internal host names are resolving now (as expected) which is a separate problem I can overcome in time.

After looking and applying my firewall rules are as follows (not posting the automatically generated rules):

Code: [Select]

Thanks for the replies and sorry for the delay in response.

[quote]Before just removing the forwarding option in Unbound might work. If it does, then there is some firewall rule that is preventing or missing to allow that traffic from lan clients out to 1.1.1.1 in the example. You don't need to use forward dns as it defeats the purpose of having a dns filter like adguard.
[/quote]

I've run it with and without that box checked. I get no change in behavior but I'll leave it unchecked because I agree it's not needed.

If it were a firewall rule issue, wouldn't it not work all the time? I wouldn't think that the fact that clients with a static DHCP mapping in the ARP table would work and clients that are dynamically assigned their IP would not given I've no rules that specifically address the IPs in the range of the dynamic pool. In either case DHCP is serving out the OPNsense/Adguard as the DNS.

I did review my firewall rules and I don't see anything unexpected but there might be something going on here so I'll have to study it more closely. I tried this test.

I connected to the WiFi with a client without a static mapping (it's as easy as turning on randomized MAC on my phone). As usual it would not resolve anything. But this time I tried to bring up Adguard's admin page using it's IP and port and it timed out. So something does seem to be blocking access to Adguard itself.

The only thing I can think of is if for some reason "LAN net" doesn't include the IPs in my dynamic pool of addresses (10.10.1.200-10.10.2.254). The IPv4 "Default allow LAN to any rule" allows "LAN net". I tried "LAN address" but that broke everything.

[quote]Your settings appear to be a mix of everything.[/quote]

Not surprising since I've been fighting this for months. But in the interest of getting back to a clean slate I've mirrored your settings to the best of my ability, including adding the firewall rules and NAT. I still get the same results.

Though now none of my internal host names are resolving now which is a separate problem I can overcome in time.


After looking and applying my rules are as follows (not posting the automatically generated rules):

[code]
Type    Protocol          Source     Port    Destination    Port         Gateway    Schedule
Allow   IPV4 TCP/UDP *              *        AdGuard       53 (DNS) *               *
Block   IPV4 TCP/UDP *              *        *                  53 (DNS) *               *
Allow   IPV4 TCP/UDP *              *        AdGuard       853         *               *
Block   IPV4 TCP/UDP *              *        *                  853         *               *
Allow   IPv4 *            LAN net     *        *                  *            *               *
Allow   IPv6 *            LAN net     *        *                  *            *               *

I don't see anything unexpected (beyond I probably should define the source for the new rules I added above).

[cookiemonster]

The only thing I can think of is if for some reason "LAN net" doesn't include the IPs in my dynamic pool of addresses (10.10.1.200-10.10.2.254). The IPv4 "Default allow LAN to any rule" allows "LAN net". I tried "LAN address" but that broke everything.

If this is not a typo, then it is most likely the reason for most of your problems. It is the wrong way to setup a pool of ips range. Unless I'm mistaken and OPN can actually merge the two network segments.
Just change it to 10.10.1.200-10.10.1.254 and things should start working.

[paperrhino]

Thanks for the reply.

I've played around a bit with that field, even going as far as setting both of those rules to allow any source for both IPv4 and IPv6 (though I'm pretty sure all my machines are running v4). This generated no change in behavior. Those machines that are served up an address from the DHCP pool still cannot connect while those with a static mapping can connect. I've left the rules with * for now.

Looking around some more I did notice a couple of other potential sources of problems. I had not realized that I've added some static mappings in the dynamic pool range. So my client was being assigned an IP address that was mapped to a different device that wasn't connected (one gets a lot of mappings when a mapping needs to be added for every guest's device). I fixed the pool so there is no overlap but that didn't fix anything. Thought it worth mention just in case it's relevant.

I looked at the DHCPD logs and there is an odd error that appears when the device tries to connect.

Code: [Select]

2022-04-19T11:58:33-06:00 Error dhcpd icmp_echorequest 10.10.1.220: Invalid argument
I wonder if that's the ping the phone makes when it first connects to see if the internet can be reached.