Gateway group: difference in handling between OPNsense and pfSense

Started by afan, January 24, 2021, 07:17:10 PM

Hi,

I'm trying to move my firewall from pfSense to OPNsense but am a bit puzzled regarding Gateway Groups.
In the MultiWAN guide I read that when picking a GW group for a particular network, traffic intended for the firewall itself will be routed wrongly:

Quote: "This rule will utilize the gateway group for all traffic coming from our LAN network. This also means that traffic intended for the firewall itself will be routed in this (wrong) direction. That is why Step 5 is needed for our DNS traffic going to and coming from our DNS forwarder on the firewall itself."

My pfSense is at 10.0.0.1 and has GW groups configured for the interface.
My OPNsense is at 10.0.10.18 currently and has similar GW groups configured.
No particular firewall rules are added for DNS traffic on either system.

C:\>nslookup
Default Server:  UnKnown
Address:  10.0.10.22

> server 10.0.10.1
Default Server:  [10.0.10.1]
Address:  10.0.10.1

> google.com
Server:  [10.0.10.1]
Address:  10.0.10.1

Non-authoritative answer:
Name:    google.com
Addresses:  2a00:1450:400e:809::200e
          216.58.211.110

> server 10.0.10.18
Default Server:  [10.0.10.18]
Address:  10.0.10.18

> google.com
Server:  [10.0.10.18]
Address:  10.0.10.18

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to [10.0.10.18] timed-out

---> Adding a rule to allow DNS traffic on OPNsense <---

> google.com
Server:  [10.0.10.18]
Address:  10.0.10.18

Non-authoritative answer:
Name:    google.com
Addresses:  2a00:1450:400e:80d::200e
          172.217.168.238

>


Can anyone explain why this is the case? What are the advantages of doing it the OPNsense way?
It comes with annoyances: every service that needs to be reachable on OPNsense needs a firewall rule added, not just DNS but also SSH, Munin-node, ..., and this for all the interfaces/VLANs that exist.
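To make the behaviour quoted from the MultiWAN guide concrete, here is an added pf ruleset sketch in the shape OPNsense generates (it is not taken from the forum post, from the guide, or from OPNsense's own generated configuration). OPNsense writes its rules with the `quick` keyword, so the first matching rule is final; a policy-routing rule with `route-to` therefore captures anything it matches, including packets whose destination is the firewall's own LAN address, unless a plain `pass` rule for the firewall itself sits above it. The interface names (`em0` for LAN, `em1`/`em2` for the two WANs), the macro names, and the gateway addresses (taken from documentation ranges) are assumptions made for the example.

```pf
# Added example, not the page's or OPNsense's own ruleset.
# Assumed names/addresses: em0 = LAN (firewall at 10.0.10.18/24),
# em1/em2 = WAN1/WAN2, gateway addresses from documentation ranges.
lan     = "em0"
wan1    = "em1"
wan2    = "em2"
wan1_gw = "192.0.2.1"
wan2_gw = "198.51.100.1"

# The "Step 5" style rules: traffic from the LAN to the firewall's own
# addresses is passed with no route-to, so it is delivered to the local
# stack (Unbound on 53, sshd on 22). These must come BEFORE the
# gateway-group rule, because "quick" makes the first match final.
pass in quick on $lan inet proto { tcp udp } from $lan:network to (self) port 53 keep state
pass in quick on $lan inet proto tcp from $lan:network to (self) port 22 keep state

# The gateway-group rule: everything else from the LAN is policy-routed
# out one of the WANs. Without the rules above, a packet from
# 10.0.10.x to 10.0.10.18:53 also matches here and is handed to a WAN
# gateway instead of the local resolver, which is the timeout seen in
# the nslookup transcript.
pass in quick on $lan inet from $lan:network to any \
    route-to { ($wan1 $wan1_gw), ($wan2 $wan2_gw) } round-robin keep state
```

The ordering is the whole point: a `to (self)` rule placed below the `route-to` rule would never be reached, and a rule that allows the service but itself selects the gateway group would reproduce the original problem. In the OPNsense GUI the equivalent is a rule with destination "This Firewall" and gateway "default", placed above the rule that selects the gateway group, one such rule per service (or one covering a port alias) and per interface that uses the group.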