How to enable Unbound DNS for IPsec clients?
Topic: How to enable Unbound DNS for IPsec clients? (Read 4425 times)
tobia
Newbie
Posts: 4
Karma: 0
How to enable Unbound DNS for IPsec clients?
« on: January 10, 2018, 11:51:41 am »
Hi
I'd like my IPsec clients to use the builtin Unbound DNS server, same as the LAN clients do, to get access to the same name resolution settings and overrides.
But the Unbound config page (services_unbound.php) does not list the IPsec interface under Network Interfaces, only regular interfaces: All, DMZ, LAN, WAN, Localhost. Even if I choose All, the file /var/unbound/access_lists.conf is created with specific access-control rules that exclude the IPsec address range. I tried adding an additional rule under Custom options:
Code:
access-control: 192.168.40.0/24 allow
but it results in a syntax error. Maybe Unbound wants the access-control rules to be all together? If I manually add the rule to /var/unbound/access_lists.conf, then it works and my IPsec clients can use the DNS server, but of course that file gets rewritten at every Apply.
I tried messing around with NAT rules, but could not get anything to work.
What is the correct way to let IPsec clients use the builtin Unbound DNS?
Logged
mircsicz
Full Member
Posts: 113
Karma: 3
Re: How to enable Unbound DNS for IPsec clients?
« Reply #1 on: January 11, 2018, 06:31:41 pm »
They enter the LAN, so LAN should be fine ...
But I've added access list entries for each of the subnets so that should work for you too! ;-)
Logged
tobia
Newbie
Posts: 4
Karma: 0
Re: How to enable Unbound DNS for IPsec clients?
« Reply #2 on: January 17, 2018, 10:55:35 am »
Mobile clients don't "enter" the LAN (192.168.10.* in my case); they have their own separate network (192.168.40.*) which can access LAN and DMZ through firewall rules.
Quote from: mircsicz on January 11, 2018, 06:31:41 pm
I've added access list entries for each of the subnets
How did you do that?
If I try Custom Options in the GUI it gives an error; if I manually edit access_lists.conf I lose the changes at every restart.
Logged
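Added example (not part of the original thread and not OPNsense or Unbound code): a Python check of which access-control action Unbound would apply to a client address, using the most-specific-netblock rule from the unbound.conf documentation, with "refuse" when nothing matches. The file contents and client addresses below are constructed; only the 192.168.10.* and 192.168.40.0/24 ranges come from the posts.

```python
import ipaddress

# Constructed sample in the style of /var/unbound/access_lists.conf; the file
# generated on the poster's firewall is not shown in the thread.
GENERATED = """\
access-control: 127.0.0.0/8 allow
access-control: ::1/128 allow
access-control: 192.168.10.0/24 allow   # LAN
"""

# Constructed client addresses: one LAN host, one IPsec mobile client.
CLIENTS = ["192.168.10.25", "192.168.40.7"]


def parse_acl(text):
    """Return [(network, action)] for every access-control line in text."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line.startswith("access-control:"):
            continue
        fields = line.split(":", 1)[1].split()   # first colon only (IPv6 safe)
        if len(fields) != 2:
            raise ValueError(f"malformed access-control line: {raw!r}")
        rules.append((ipaddress.ip_network(fields[0], strict=False), fields[1]))
    return rules


def action_for(client, rules, default="refuse"):
    """Action of the most specific matching netblock, else the default."""
    addr = ipaddress.ip_address(client)
    matches = [(net.prefixlen, action) for net, action in rules
               if net.version == addr.version and addr in net]
    return max(matches, key=lambda m: m[0])[1] if matches else default


def audit(text, clients):
    """Map each client address to the action the rule set gives it."""
    rules = parse_acl(text)
    return {client: action_for(client, rules) for client in clients}


if __name__ == "__main__":
    print("generated file:", audit(GENERATED, CLIENTS))
    patched = GENERATED + "access-control: 192.168.40.0/24 allow\n"
    print("with IPsec rule:", audit(patched, CLIENTS))
```

Run against a copy of the generated file after each Apply, this shows whether the IPsec range is still covered by an allow rule.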