Troubleshooting client & server DNS resolution issues when using Unbound?

[princ3ssa]

Summary:



Details:

[guest15389]

And the full screen of all your rules?

[princ3ssa]

Summaries:



Did you also want the detailed views?

[guest15389]

So your rules appear in the right order, but I'm still super confused as to why your setup generates both of these rule hits:



There is no reason why your LAN hit would traverse the WAN interface. I have all my logging on as well and a similar DNS rule and I just see the WAN hit.



For some reason in your setup, which doesn't seem obvious to me at the moment, the internal hit is going out the WAN interface. I'm guessing for that reason is why you are seeing the hit, but the return isn't coming back as something is off.

[guest15389]

What does your System->Routes->Status look like?

[princ3ssa]

[chemlud]

Show us your unbound configuration ("General"), especially the "Networking Interfaces" and the "Outgoing Network Interfaces".

[guest15389]

Yeah, your routes and IPs are really off somewhere as your Unbound config is fine.

I don't understand why your WAN interface has a GW of your LAN IP.



Your default gateway should be on your WAN interface.

Example WAN DHPC interface.



Example LAN interface.



Do you have something configured in your Routes->Configuration?

Is your WAN interface a DHCP interface or static? What's the config for that look like?

What's your LAN interface config?

[princ3ssa]

@chemlud as you asked (I think @Animosity022 looked at previous the posting for this info and @Animosity022 I have your answers below):





So @Animosity022 I have 192.168.137.1 as the WAN in this case since it's a test. My ISP only allows 1 IP lease and so I have a router pushing traffic to OPNsense until I can get it functional and replace it with OPNsense. So for now I have: ISP (Public IP) --> Router (192.168.137.1) --> OPNsense (192.168.1.1)


This Router is NOT offering DHCP, it's just static so I configured OPNsense statically (screenshot of WAN config).


Routes->Configuration: No, "No results found!"


LAN config:

[guest15389]

Based on this screenshot though, you have your WAN interface seeing LAN traffic so you have something on your network configured or setup incorrectly in your test environment.



You can validate that by running a tcpdump -i on your WAN interface and capturing the traffic.

[princ3ssa]

It is a little strange. I do see a lot of PIA East traffic on WAN, which is right since that connection is connecting to that.


I do also see some other odd traffic (?) like this NTP traffic:



I guess this confuses me since I still have 192.168.1.20 on the VPN_Recipients alias list. I tested and I still can't get any name resolution:


I then noticed a bunch of other UDP traffic from firefox pour across from .20 (I did have it open, but wasn't resolving):


I will say that while I was watching it I found that a lot of the traffic (nearly all of it after I closed down Firefox and disabled NTP on the Linux machine), was PIA VPN traffic on UDP. I checked this by reverse greping the PIA IP that was being used so that I was only seeing traffic (except for the time/informational header info) for non PIA bound or source traffic.

[guest15389]

Yeah, you have something misconfigured somewhere along the way on your network setup as the WAN should not see LAN traffic.

How do you have the interfaces setup? What are you using to do that?

In a physical setup, the LAN cable is different from the WAN cable so they don't see each other

If you run a tcpdump on the LAN interface, I'm sure you can see the traffic coming in, but since you aren't getting a reply, it's definitely not coming back out.

[princ3ssa]

I'm using Proxmox with an OVS Bridge. So I have The ISP traffic coming in to a Windows 2012 Server that shares this connection out from 192.168.137.1 to a virtual switch (we'll call vswitch1).  This virtual switch is also set up as the WAN port for OPNsense (192.168.137.95). I then have a second virtual switch (we'll call vswitch2) providing LAN connections for the Windows and Linux machines I've been doing the testing on.


I do have another Linux server on vswitch1 (wan 192.168.137.250) that provides Internet access to the rest of my network.


Clearly the Windows 2012 gateway is just temporary. I was using it to test some various scenarios for PIA connectivity that just didn't work out well. My goal is to replace it with OPNsense, but I'd like to actually get OPNsense working properly before I swap it out since we have actual time sensitive work to do and can't afford the downtime right now... 

[guest15389]

Sadly, I've never used proxmon or any of the virtual switching but that seems to be where I would look.

I've setup IP routing using aliases like you have on pfSense and OPNSense through TorGuard VPN using the exact same setup you have.

Your config looks solid and the only things that really strike me as being off is the fact the WAN can see LAN traffic so to me, that points to something in the switch config as the traffic is bleeding over.

The part that also has me is you are seeing it on the LAN interface so it's coming in both the WAN and LAN. I'm not sure if that causes a drop or something else going on.

If you can sort out the virtual switching, I think your config seems solid as there isn't much to it as the guide you posted/went through looks correct.

[princ3ssa]

I'm curious about a test here. Is there a way to save the configuration of OPNsense so that I can load it up on a physical machine attached to my network to see if this is still happening? I've got some extra systems sitting around I could load up OPNsense onto and then see where that goes...