Unbound on Opnsense 19.1 - resolves addresses at work, not at home

[boneclock]

Hi. I have a small lab setup on a laptop.  I have OPNsense 19.1 as my router/firewall in a Virtual Box VM running Unbound.  There are multiple VMs running behind it.  When I'm on my work wifi or my phone's hotspot I can browse the web from inside the LAN.  Everything works as expected.

When I connect to my home wifi, I get a WAN IP, but I'm not able to resolve any exterior addresses.  It is a Spectrum ISP.  I don't see any firewall setting blocking 53 in the home router.  Any suggestions on what I should look for?

Thanks!

[Antaris]

May be same network (192.168.0.0/24) on WAN and LAN side of OPNsense ?

[boneclock]

Thanks for your reply.

The laptop LAN is 10.0.100.0/24.  The LAN sees the OPNsense router and the VMs see each other even when they can't get out on the home Charter Communications Spectrum ISP network. The house LAN is 192.168.1.0/24.  OPNsense gets an address.  The residential gateway is an Arris and the router doesn't have a name on it other than Charter Communications.

Thx

[marjohn56]

I assume 'block private networks' on the WAN interfaces is unticked?

[boneclock]

Thanks.  I'll confirm.

[boneclock]

It and block bogon networks are unticked.

[marjohn56]

I'm not really sure how you have your network set up and where you can and cannot gain access to the WAN. Would you like to do a simple schematic showing the network connections and where it works and does not - and of course the IP address ranges at those points.

[boneclock]

Thank you for your offer of assistance.  My setup is on a laptop with VirtualBox 6.0.4.  The setup is:

Code: [Select]

LAN w/ Static V4 IP
-------------------
10.0.100.200/24 |
10.0.100.208/24 |
10.0.100.207/24 |    Static LAN
10.0.100.230/24 |---- LAN ---- 10.0.100.1 OPNsense w/ Unbound ----- WAN DHCP V4 and V6
10.0.100.240/24 |    DHCP V6 and V4
10.0.100.220/24 |
10.0.100.210/24 |
I'm able to navigate from the LAN VMs out to the internet in all locations except my home network.  I've checked from home router and I can't figure out what is so special about why I'm not getting out.

The hostnames don't resolve internally when I'm connected to my ISP's network either.
Where should I look for whatever is blocking me?

Thx!

[boneclock]

unbound config

Code: [Select]

$ more unbound.conf
##########################
# Unbound Configuration
##########################

##
# Server configuration
##
server:
chroot: /var/unbound
username: unbound
directory: /var/unbound
pidfile: /var/run/unbound.pid
root-hints: /root.hints
use-syslog: yes
port: 53
verbosity: 1
hide-identity: yes
hide-version: no
harden-referral-path: no
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
do-daemonize: yes
module-config: "validator iterator"
cache-max-ttl: 86400
cache-min-ttl: 0
harden-dnssec-stripped: yes
serve-expired: no
outgoing-num-tcp: 10
incoming-num-tcp: 10
num-queries-per-thread: 4096
outgoing-range: 8192
infra-host-ttl: 900
infra-cache-numhosts: 10000
unwanted-reply-threshold: 0
jostle-timeout: 200
msg-cache-size: 4m
rrset-cache-size: 8m
num-threads: 1
msg-cache-slabs: 2
rrset-cache-slabs: 2
infra-cache-slabs: 2
key-cache-slabs: 2

auto-trust-anchor-file: /var/unbound/root.key
prefetch: no
prefetch-key: no

# Interface IP(s) to bind to
interface: 0.0.0.0
interface: ::0
interface-automatic: yes

# Outgoing interfaces to be used
outgoing-interface: 192.168.1.92
outgoing-interface: 2605:6000:151b:22a4:a00:27ff:fe90:261


# DNS Rebinding
# For DNS Rebinding prevention
#
# All these addresses are either private or should not be routable in the global IPv4 or IPv6 internet.
#
# IPv4 Addresses
#
private-address: 0.0.0.0/8       # Broadcast address
private-address: 10.0.0.0/8
private-address: 100.64.0.0/10
private-address: 127.0.0.0/8     # Loopback Localhost
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 192.0.0.0/24    # IANA IPv4 special purpose net
private-address: 192.0.2.0/24    # Documentation network TEST-NET
private-address: 192.168.0.0/16
private-address: 198.18.0.0/15   # Used for testing inter-network communications
private-address: 198.51.100.0/24 # Documentation network TEST-NET-2
private-address: 203.0.113.0/24  # Documentation network TEST-NET-3
private-address: 233.252.0.0/24  # Documentation network MCAST-TEST-NET
#
# IPv6 Addresses
#
private-address: ::1/128         # Loopback Localhost
private-address: 2001:db8::/32   # Documentation network IPv6
private-address: fc00::/8        # Unique local address (ULA) part of "fc00::/7", not defined yet
private-address: fd00::/8        # Unique local address (ULA) part of "fc00::/7", "/48" prefix group
private-address: fe80::/10       # Link-local address (LLA)
# Set private domains in case authoritative name server returns a Private IP address
private-domain: "lan"
domain-insecure: "lan"


# Access lists
include: /var/unbound/access_lists.conf

# Static host entries
include: /var/unbound/host_entries.conf

# DHCP leases (if configured)
include: /var/unbound/dhcpleases.conf

# Domain overrides
include: /var/unbound/domainoverrides.conf

# Unbound custom options
nameserver 8.8.8.8


# Forwarding
forward-zone:
    name: "."
        forward-addr: 192.168.1.1


remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 953
    server-key-file: /var/unbound/unbound_server.key
    server-cert-file: /var/unbound/unbound_server.pem
    control-key-file: /var/unbound/unbound_control.key
    control-cert-file: /var/unbound/unbound_control.pem
$