Help with AdguardHome dns servers, no longer able to update proxmox or opnsense

[av8r]

I have set up AdGuard Home on 2 lxc containers in proxmox, and it seems to be working great. until I try to check for updates to OPNsense and Proxmox host itself. then I have no DNS it looks like.
I cannot ping i.e. cloudflare.com but pinging 1.1.1.1 gives a expected result.

- AdGuard Home dns server #1 is set up on Vlan 192.168.10.40:53 (Proxmox lxc debian12 unprivileged container)
- AdGuard Home dns sercer #2 is set up on Vlan 192.168.200.40:53 (Proxmox lxc debian12 unprivileged container)

- OPNsense is 192.168.1.1:444 "physical device" (KEA-DHCP) (cannot ping i.e. cloudflare.com from the shell)
- Proxmox is 192.168.200.1:8006 (pve node shell - cannot ping i.e cloudflare.com )
- Unbound is listening on 192.168.1.1:53530 ( I dont want to use Unbound, but cant get it to work without doing it this way)

but my other vlans work, even the containers or other clients on the sub-nets 192.168.1.0/24 and 192.168.200.0/24 works and get DNS/dhcp, why would OPNsensee and proxmox not be able to connect to the ADGH dns servers?

I came over this tutorial for PI-hole in my trouble shooting journey, and it seems like that set up is identical to  mine, the only difference being I'm using ADGH.
https://homenetworkguy.com/how-to/install-pi-hole-on-proxmox-and-use-opnsense-unbound-dns-as-upstream-dns/

I would really appreciate help from you if you see my mistake and can help me get it fixed.

This is my set up =

Code: [Select]

# ADGH setup:
settings --> DNS settings;
# Enter one server address per line. Learn more about configuring upstream DNS servers. Here is a list of known DNS providers to choose from:
https://dns.controld.com/personalcode
https://security.cloudflare-dns.com/dns-query
192.168.1.1:53530
[code/]

# Bootstrap DNS servers
[code]
76.76.2.2
9.9.9.10
149.112.112.10
2620:fe::10
2620:fe::fe:10
[code/]

# Private reverse DNS servers
[code]
192.168.1.1:53530
[code/]

# OPNsense setup:
[code]
Services --> Unbound DNS --> General;
- Enable unmbound - ticked
- Listen Port - 192.168.1.1:53530
- Enable DNSSEC Support - ticked
- Enable DNS64 Support - ticked
- Register ISC DHCP4 Leases - ticked
- Register ISC DHCP Static Mappings - ticked
- Local Zone Type - transparent
[code/]

# Services --> Unbound DNS --> Advanced;
[code]
- Prefetch DNS Key Support - ticked
- Harden DNSSEC Data - ticked
- Aggressive NSEC - ticked
Rebind protection networks - 
0.0.0.0/8
10.0.0.0/8
100.64.0.0/10
169.254.0.0/16
172.16.0.0/12
192.0.2.0/24
192.168.0.0/16
198.18.0.0/15
198.51.100.0/24
203.0.113.0/24
233.252.0.0/24
::1/128
2001:db8::/32
fc00::/8
fd00::/8
fe80::/10
[code/]

# Services --> Unbound DNS --> Query Forwarding;
[code]
- Domain - open
- Address - 192.168.10.40
- Port - 53
--
- Domain - open
- Address - 192.168.200.40
- Port - 53
[code/]

# Firewall Rules;
[code]
Firewall --> Alias;
- Enabled - ticked
- Name - ADGH_DNS_Servers
- Type - Host(s)
- Categories - DNS
- Content - 192.168.10.40, 192.168.200.40
- Statistics - unchecked
- Description - ADGH-DNS-servers(2)
[code/]

# Firewall --> Groups;
[code]
- Name - Adgh_DNS
- Members - LAN,VLAN10,VLAN20,VLAN30,VLAN40,VLAN100,VLAN200
- (no) GUI groups - unticked
- Description - Rerouting ADGH DNS on all networks
[code/]

# Firewall --> NAT;
[code]
- Interface - Adgh_DNS
- TCP/IP version - IPv4
- Protocol - TCO/UDP
- Source - Advanaced
- Destination/Invert - ticked
- Destination Adgh_DNS net
- Destination port range from-to - DNS
- Redirect target IP - ADGH_DNS_Servers
- Redirect target port - DNS
- Pool Option - Round Robbin
- NAT refelction - Dissabled
- Filter rule association - Rule Redirect DNS request to internal DNS resolvers
[code/]

# Firewall --> Rules --> Floating;
[code]
- Action - Pass
- Quick - ticked
- Interface - Adgh_DNS
- Direction - in
- TCP/IP Version - IPv4+IPv6
- Source - Asgh_DNS net
- Destination - ADGHH_DNS_Servers
- Destination Port Range from-to - DNS
[code/]

[av8r]

I have narrowed it down to, it has to be my firewall rules that are wrong. because if I ad 76.76.10.2 to /etc/resolve.conf in both OPNsense and Proxmox, I get dns and can ping cloudflare, and can update both units.

how is a/the firewall rule supposed to be when you trying to use a local dns server?
lets say, I have 7 Vlans:
vlan1 -> OPNsense
vlan2
vlan3 -> one AdGuardHome dns server LXC on proxmox
vlan4
vlan5
vlan6
vlan7 -> one AdGuardHome dns server LXC proxmox

I want all of my vlans to use those two ADGH-dns servers.  I would be much obliged if you could help me with these Firewall rules.

[newsense]

Do you have any DNS servers defined in System - General ?

If not add either 1.1.1.2 or 9.9.9.11 and try updating OPNsense again