DNS Blocked by Default Rule

Started by paf23, January 08, 2026, 04:31:07 PM

I have been searching for an answer as to why DNS requests to Unbound from a VLAN interface get blocked by the default deny/state violation rule, even though the source and destination IPs are on the same subnet.
I seem to have to create a specific firewall rule to allow devices on the subnet to talk to the DNS server on their own gateway IP?


Quote from: paf23 on January 08, 2026, 04:31:07 PM
    I seem to have to create a specific firewall rule to allow devices on the subnet to talk to the DNS server on their own gateway IP?

Yes. Apart from the LAN interface, which comes with a default "allow all" rule on a newly installed OPNsense, any additional interface (VLAN or physical) you create does not have any rules at all, which means nothing is allowed. You need to create rules for Internet access as well as for all local services the firewall provides.

Only rules for a select few services like DHCP or IPv6 neighbour discovery are in the "automatic rules", because these are difficult and error-prone to get right.

Everything else: DNS, NTP, SMTP, ... needs explicit rules.

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
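As an added illustration that is not part of the thread and not OPNsense's generated ruleset, the explicit per-interface rules Patrick describes look roughly like this when written in pf syntax; the interface name vlan0.20, the 10.20.0.0/24 network, the private-network table and the NTP rule are assumptions for the example.

```pf
# Assumed: VLAN interface vlan0.20, network 10.20.0.0/24, firewall address 10.20.0.1.
# A freshly created OPNsense interface has none of the "pass" rules below, so every
# packet from the VLAN, including DNS to the firewall's own address, hits the default deny.

table <private_nets> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Local services the firewall itself provides must be allowed explicitly.
# "(vlan0.20)" is pf shorthand for the addresses assigned to that interface,
# i.e. the Unbound listener the clients reach via their gateway IP.
pass in quick on vlan0.20 inet proto { tcp udp } from vlan0.20:network to (vlan0.20) port 53 keep state
pass in quick on vlan0.20 inet proto udp from vlan0.20:network to (vlan0.20) port 123 keep state

# Nothing else on the firewall itself is reachable from this VLAN (web GUI, SSH, ...).
block in quick on vlan0.20 inet from any to self

# Keep the VLAN isolated from the other local networks.
block in quick on vlan0.20 inet from any to <private_nets>

# Internet access: everything that survived the blocks above, with state tracking.
pass in quick on vlan0.20 inet from vlan0.20:network to any keep state
```

The order matters because of `quick`: the two service rules must come before the `block ... to self` rule, otherwise DNS and NTP to the gateway address are denied again.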

Thanks for the clarification Patrick.