DNS override with source IP "hides" DNS server from LAN

[8191]

Hey,

I've discovered a weird problem with the DNS forwarder's override feature, when using the "Source IP" field for the override definition: OPNsense adds a static route for the DNS server configured in the override using the "Source IP" as a gateway (i.e. itself). This now allows the DNS forwarder to reach the DNS server using the "Source IP", but also has a weird implication to all other hosts behind the OPNsense trying to reach the DNS server: they believe the DNS server is in the same subnet as themselves, since OPNsense is sending an ICMP redirect triggered by the static route.

I think an example shows more than all the explanation:

LAN IP: 10.2.0.1/16 (re0)
IPsec tunnel to: 10.1.0.0/16 (via re2, WAN)
DNS override of dnsmasq: 10.1.1.1@10.2.0.1 (=Source IP: 10.2.0.1)
Route added by OPNsense: 10.1.1.1 255.255.255.255 via 10.2.0.1 re0

Host 10.2.1.8/16 wants to reach 10.1.1.1: sends IP packet to OPNsense 10.2.0.1 (IP dest=10.1.1.1, 10.2.0.1 is def. gw.); OPNsense responds with ICMP redirect to re0; 10.2.1.8 sends ARP request for 10.1.1.0 to its subnet (10.2.0.0/16), which obviously never gets answered.

BR
Manuel