IPV6 redirect to unbound DNS bug

Started by williamjjp, Today at 08:35:05 PM

Hi All,

I think Opnsense is great, so kudos to the devs. I am fairly new to it, and I found a small inconsistency which I'm pointing out to help others.

When configuring NAT port forward rules to redirect all DNS traffic on port 53 from LAN clients to the DNS unbound local resolver, there is an inconsistency in how the corresponding firewall rules behave between IPv4 and IPv6. For IPv4, the redirect target is the loopback address and invert destination must be enabled on both the NAT port forward rule and its corresponding firewall rule for the redirect to function correctly. For IPv6, where the redirect target is a ULA virtual IP address assigned to an interface, enabling invert destination on the corresponding firewall rule prevents the redirect from working — it should be left unchecked. The NAT rule itself still requires invert destination for both protocols. This inconsistency is not documented and may cause confusion when replicating IPv4 DNS redirect configurations for IPv6.


(I'm aware DNSmasq also allows this redirect function; I just prefer having it in firewall rules.)
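The post describes the rules in terms of the OPNsense GUI; as an added illustration (not the poster's configuration and not the rule set OPNsense itself generates), here is a hand-written pf.conf sketch of the same intent. The interface name `lan` and the ULA target `fd00::53` are assumed placeholders, and the comments rely on the pf behaviour that filter rules see the destination after `rdr` translation.

```pf
# Added example: hypothetical pf.conf equivalent of the DNS redirect described above.
# "lan" and "fd00::53" are placeholders; adjust to the real interface and ULA VIP.

# ---- IPv4 ----
# NAT rule: catch LAN clients' DNS that is NOT already destined for the LAN network
# ("invert destination") and send it to Unbound on loopback.
rdr on lan inet proto { tcp udp } from lan:network to ! lan:network port 53 -> 127.0.0.1 port 53

# Firewall rule: after rdr the destination is 127.0.0.1, which is still "not LAN network",
# so the inverted destination match is what lets the redirected packets through.
pass in quick on lan inet proto { tcp udp } from lan:network to ! lan:network port 53

# ---- IPv6 ----
# NAT rule: same inverted destination, target is the ULA virtual IP on the interface.
rdr on lan inet6 proto { tcp udp } from lan:network to ! lan:network port 53 -> fd00::53 port 53

# Firewall rule: destination is NOT inverted here. After rdr the packet is addressed to
# the ULA VIP on this interface, so the pass rule matches that redirected destination.
pass in quick on lan inet6 proto { tcp udp } from lan:network to fd00::53 port 53
```

After loading such rules, `pfctl -sn` and `pfctl -sr` show the translation and filter rules actually in effect, which is the quickest way to compare the IPv4 and IPv6 pairs side by side.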