DNS resolution blocked behind Livebox Orange – OPNsense DEC2687

Started by MHD, May 22, 2025, 05:51:11 PM

📦 System context

    Hardware: OPNsense DEC2687 (official appliance)

    License: Business Subscription (active)

    Version: OPNsense 24.10.7 (latest)

🌐 Network setup

    Internet via Livebox Orange (192.168.2.1) – DHCP

    Secondary WAN via Bouygues – fallback (Tier 2)

    Multi-WAN configured using a gateway group WANGROUP

    Default gateway is the WAN interface from Orange (WAN_DHCP)

⚙️ OPNsense configuration

    Unbound DNS enabled with forwarding to public resolvers (8.8.8.8, 1.1.1.1)

    Floating firewall rule to allow This Firewall on UDP port 53 via WANGROUP

    Outbound NAT set to automatic

    No firewall or NAT rule appears to block outbound DNS

❌ Symptoms

    ✅ ping to public IPs (e.g. 8.8.8.8) works

    ❌ No DNS resolution works:

        drill, dig, or host to any resolver (8.8.8.8, 1.1.1.1) → fail

        Even dig @192.168.2.1 (Livebox itself) → no response

        Even with TCP (+tcp) instead of UDP → fails

    Manually editing /etc/resolv.conf to force public DNS → no change

    Disabling Unbound DNS → no effect

    pkg update and firmware updates fail with "host does not resolve"

🧠 Most likely cause

    The Livebox Orange blocks or intercepts all outbound DNS traffic, including TCP.
    It likely acts as a DNS proxy and prevents the firewall from using any external resolver.

✅ What has already been tested

    Proper floating rule with gateway assignment ✅

    Unbound forwarding and custom servers ✅

    NAT working ✅

    Tried using only Livebox DNS (192.168.2.1) ❌

    Tried using dig @8.8.8.8 google.com +tcp ❌

    No DNS traffic succeeds in any form from OPNsense

🙏 What I'm asking

As an OPNsense Business customer using official hardware, I'd like to know:

    Has anyone successfully deployed OPNsense behind a Livebox Orange?

    Does the Livebox really block outbound DNS (UDP and TCP)?

    Is DoH via cloudflared the only viable solution?

    Is bridging the Livebox the only clean fix? If so, how do I proceed (e.g. external ONT or modem)?

Any help from the community or the Deciso support team is greatly appreciated.

You ought to be able to check that you can reach public DNS servers through the Livebox from any host connected to the Livebox directly.
The Livebox shouldn't be aware of the type of host that's on its LAN. Regular PC, OPN, ...

Once that's verified, you can come back to your OPN setup.
It does not seem you've gone very far.
I suggest you restart from scratch (especially if you've tinkered with internal config files) and verify proper operation with a single WAN.
Snapshot that config and redo multi-WAN. Retest.

Earlier today, I was in comm with another French member.
He indicated that his box (pretty sure it's Orange as well) was in bridge mode. Yet it still offered RFC1918 IPs (presented by him as some form of DMZ)...
And port forwards on OPN work, despite the fact that nothing is done on the box.
I'm a little skeptical but I think we're done for the day. It's late in France.

A quick search confirms that "bridge mode" on recent Liveboxes is not really bridging (but no firewall + DMZ. Maybe 1:1 NAT?):
https://communaute.orange.fr/t5/mes-services-Orange/Livebox-en-mode-bridge/td-p/1773410/page/3

This said, replacing the Livebox altogether appears to be supported. The setup might not be simple.
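The reply above suggests first checking, from any host plugged directly into the Livebox, whether public resolvers are reachable at all. The script below is an added example for that check and is not code from the thread or from OPNsense. It sends the same hand-built A query over UDP and over TCP (the +tcp case from the first post) to each target and classifies the outcome as an answer, a timeout or an error. The target list, the query name and the timeout are assumptions for illustration; the TEST-NET-1 address 192.0.2.1 (RFC 5737) is included as a canary, because it should never answer a DNS query, so a reply from it shows that something on the path is transparently proxying port 53 rather than merely dropping it.

```python
"""Added diagnostic (not from the thread): probe port-53 reachability from a LAN host.

Each target is queried over UDP and TCP. A reply from the TEST-NET canary means
DNS is being intercepted on the path; a timeout everywhere means it is blocked.
"""
import random
import socket
import struct

# Constructed probe list: two public resolvers, the Livebox itself, and a canary.
CANARY = "192.0.2.1"                      # RFC 5737 TEST-NET-1, must never answer
PROBE_TARGETS = ["8.8.8.8", "1.1.1.1", "192.168.2.1", CANARY]
QNAME = "google.com"                      # assumed query name
TIMEOUT = 3.0                             # seconds, assumed


def build_query(qname, qtype=1, txid=None):
    """Build a minimal DNS query (RFC 1035 section 4.1), A record by default."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    # Flags 0x0100: standard query, recursion desired; one question, no RRs.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN
    return header + question


def _skip_name(data, offset):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        if offset >= len(data):
            raise ValueError("name runs past end of packet")
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:         # compression pointer occupies two bytes
            return offset + 2
        offset += 1 + length


def parse_response(data, expected_txid):
    """Parse the header and collect A-record RDATA; tolerate short or cut replies."""
    if len(data) < 12:
        return {"ok": False, "error": "short packet"}
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        return {"ok": False, "error": "txid mismatch"}
    rcode = flags & 0x000F
    addresses = []
    try:
        offset = 12
        for _ in range(qd):
            offset = _skip_name(data, offset) + 4       # skip QTYPE and QCLASS
        for _ in range(an):
            offset = _skip_name(data, offset)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
            offset += 10
            rdata = data[offset:offset + rdlen]
            offset += rdlen
            if rtype == 1 and rdlen == 4:
                addresses.append(".".join(str(b) for b in rdata))
    except (ValueError, struct.error):
        return {"ok": False, "error": "malformed reply"}
    return {"ok": True, "rcode": rcode, "answers": addresses}


def probe_udp(server, qname=QNAME, timeout=TIMEOUT):
    """One UDP query/response exchange with the given resolver."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(qname, txid=txid), (server, 53))
            data, _peer = s.recvfrom(4096)
        except socket.timeout:
            return {"ok": False, "error": "timeout"}
        except OSError as exc:
            return {"ok": False, "error": str(exc)}
    return parse_response(data, txid)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed early")
        buf += chunk
    return buf


def probe_tcp(server, qname=QNAME, timeout=TIMEOUT):
    """Same query over TCP, with the two-byte length prefix of RFC 1035 4.2.2."""
    txid = random.randrange(0, 0x10000)
    query = build_query(qname, txid=txid)
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            data = _recv_exact(s, length)
    except socket.timeout:
        return {"ok": False, "error": "timeout"}
    except OSError as exc:
        return {"ok": False, "error": str(exc)}
    return parse_response(data, txid)


def classify(server, result):
    """Turn a probe result into a one-line verdict for the operator."""
    if server == CANARY and result["ok"]:
        return "INTERCEPTED: the TEST-NET canary answered, so port 53 is proxied on the path"
    if result["ok"] and result["rcode"] == 0 and result["answers"]:
        return "answer " + ",".join(result["answers"])
    if result["ok"]:
        return "reply but rcode=%d and no A records" % result["rcode"]
    return "no reply: " + result["error"]


if __name__ == "__main__":
    for target in PROBE_TARGETS:
        print("%-12s UDP: %s" % (target, classify(target, probe_udp(target))))
        print("%-12s TCP: %s" % (target, classify(target, probe_tcp(target))))
```

Run it once from a laptop on the Livebox LAN and once from the OPNsense shell. If the public resolvers time out from both places over UDP and TCP while 8.8.8.8 still answers ping, the blocking sits in front of the firewall, which is what the first post suspects; if the canary gets an answer, the box is intercepting rather than dropping, and upstream resolver choice inside Unbound cannot change that.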