DNS servers: I've configured the local AdGuard DNS server here, 192.168.xxx. "Do not use the local DNS service as a nameserver for this system": checked.
Upstream DNS Servers: for example Cloudflare, tls://1.1.1.1:853 and tls://1.0.0.1:853
Bootstrap DNS Servers: same as for upstream DNS servers
Private reverse DNS servers: blank
Use private reverse DNS resolvers: unchecked
Enable reverse resolving of clients' IP addresses: checked
DNSSEC: checked

Allow * destination Adguard-Alias port 53
Deny * destination * port 53 (= block direct attempts at DNS bypassing AdGuard)
Allow Adguard-Alias destination * port 853
Deny * destination * port 853

Forward port 53 for traffic with source NOT Adguard-Alias and destination NOT Adguard-Alias to the AdGuard IP.
Before just removing the forwarding option in Unbound might work. If it does, then there is some firewall rule that is preventing or missing to allow that traffic from lan clients out to 1.1.1.1 in the example. You don't need to use forward dns as it defeats the purpose of having a dns filter like adguard.
Your settings appear to be a mix of everything.
Thanks for the replies and sorry for the delay in response.

[quote]Before just removing the forwarding option in Unbound might work. If it does, then there is some firewall rule that is preventing or missing to allow that traffic from lan clients out to 1.1.1.1 in the example. You don't need to use forward dns as it defeats the purpose of having a dns filter like adguard.[/quote]

I've run it with and without that box checked. I get no change in behavior, but I'll leave it unchecked because I agree it's not needed. If it were a firewall rule issue, wouldn't it not work all the time? I wouldn't think that clients with a static DHCP mapping in the ARP table would work and clients that are dynamically assigned their IP would not, given I've no rules that specifically address the IPs in the range of the dynamic pool. In either case DHCP is serving out the OPNsense/Adguard as the DNS.

I did review my firewall rules and I don't see anything unexpected, but there might be something going on here so I'll have to study it more closely. I tried this test. I connected to the WiFi with a client without a static mapping (it's as easy as turning on randomized MAC on my phone). As usual it would not resolve anything. But this time I tried to bring up Adguard's admin page using its IP and port and it timed out. So something does seem to be blocking access to Adguard itself. The only thing I can think of is if for some reason "LAN net" doesn't include the IPs in my dynamic pool of addresses (10.10.1.200-10.10.2.254). The IPv4 "Default allow LAN to any rule" allows "LAN net". I tried "LAN address" but that broke everything.

[quote]Your settings appear to be a mix of everything.[/quote]

Not surprising since I've been fighting this for months. But in the interest of getting back to a clean slate I've mirrored your settings to the best of my ability, including adding the firewall rules and NAT. I still get the same results, though now none of my internal host names are resolving, which is a separate problem I can overcome in time.

After looking and applying, my rules are as follows (not posting the automatically generated rules):

[code]
Action  Type  Protocol  Source   Port  Destination  Port      Gateway  Schedule
Allow   IPv4  TCP/UDP   *        *     AdGuard      53 (DNS)  *        *
Block   IPv4  TCP/UDP   *        *     *            53 (DNS)  *        *
Allow   IPv4  TCP/UDP   *        *     AdGuard      853       *        *
Block   IPv4  TCP/UDP   *        *     *            853       *        *
Allow   IPv4  *         LAN net  *     *            *         *        *
Allow   IPv6  *         LAN net  *     *            *         *        *
[/code]
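Added example, not from any post in this thread: a small Python model of the LAN rule set and port forward recommended earlier (allow clients to AdGuard on 53, block all other 53, allow only AdGuard out on 853, block other 853, then the default LAN-to-any allow) so you can check on paper which flows the ruleset passes, plus a check for the "LAN net doesn't cover my DHCP pool" hypothesis. The AdGuard address 10.10.0.1 and the LAN subnets tested are assumptions; the DHCP pool 10.10.1.200-10.10.2.254 is the one quoted in the post. In pf the rdr (port forward) is applied before the filter rules, so the model does the same.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed addressing (hypothetical, except the DHCP pool taken from the post).
ADGUARD_IP = ipaddress.ip_address("10.10.0.1")   # assumed OPNsense/AdGuard address
DHCP_POOL = ("10.10.1.200", "10.10.2.254")       # dynamic pool from the post
DNS, DOT = 53, 853


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "block"
    src: Optional[str]     # host or CIDR, None means "*"
    dst: Optional[str]     # host or CIDR, None means "*"
    dport: Optional[int]   # destination port, None means "*"


def _hit(spec: Optional[str], addr: ipaddress.IPv4Address) -> bool:
    """'*' matches anything; otherwise test host/network membership."""
    return spec is None or addr in ipaddress.ip_network(spec, strict=False)


ADGUARD_HOST = str(ADGUARD_IP)
# LAN interface rules in evaluation order (first match wins, as in OPNsense).
LAN_RULES = [
    Rule("allow", None, ADGUARD_HOST, DNS),   # clients may reach AdGuard on 53
    Rule("block", None, None, DNS),           # any other plain DNS is blocked
    Rule("allow", ADGUARD_HOST, None, DOT),   # only AdGuard may reach upstream DoT
    Rule("block", None, None, DOT),           # clients may not bypass via DoT
    # "Default allow LAN to any" follows; modelled by default_action below
]


def nat_redirect(src, dst, dport):
    """Port forward from the thread: port-53 traffic that is neither from nor
    to AdGuard is redirected to AdGuard's address."""
    if dport == DNS and src != ADGUARD_IP and dst != ADGUARD_IP:
        return ADGUARD_IP
    return dst


def evaluate(rules, src, dst, dport, default_action="allow"):
    """First matching rule decides; fall through to the LAN-to-any default."""
    for r in rules:
        if _hit(r.src, src) and _hit(r.dst, dst) and r.dport in (None, dport):
            return r.action
    return default_action


def flow(src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Return (final destination, verdict) for one LAN client flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    d = nat_redirect(s, d, dport)             # rdr runs before filtering
    return str(d), evaluate(LAN_RULES, s, d, dport)


def pool_inside(lan_net: str) -> bool:
    """Does the 'LAN net' alias (the interface subnet) cover the whole DHCP
    pool? A contiguous range is inside iff both of its ends are."""
    net = ipaddress.ip_network(lan_net, strict=False)
    lo, hi = (ipaddress.ip_address(a) for a in DHCP_POOL)
    return lo in net and hi in net


if __name__ == "__main__":
    for args in [("10.10.1.220", "1.1.1.1", 53), ("10.10.1.220", "1.1.1.1", 853),
                 ("10.10.0.1", "1.1.1.1", 853), ("10.10.1.220", "93.184.216.34", 443)]:
        print(args, "->", flow(*args))
    for net in ("10.10.0.0/22", "10.10.1.0/24"):
        print("pool inside", net, ":", pool_inside(net))
```

The subnet check is the useful part for the question in the post: a pool that spans 10.10.1.x and 10.10.2.x only sits inside "LAN net" if the LAN interface mask is /23 or wider on an aligned network (the /22 in the example passes, a 10.10.1.0/24 interface fails, and then the "Default allow LAN to any" rule never matches the dynamic clients).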
2022-04-19T11:58:33-06:00 Error dhcpd icmp_echorequest 10.10.1.220: Invalid argument