Force use OPNsense DNS server for every device

[Vexz]

I installed AdGuard Home on my OPNsense and now I want to force every device in my LAN to use it for DNS queries. One of my devices uses Google's DNS server ( 8.8.8.8 ) probably because it's hard coded somewhere. The DNS server in DHCP settings is set correctly.
I've been trying around to create a port forward NAT rule that forces every packet with destination port 53 to go to my AdGuard Home but it just won't work no matter what I try. When I (for example) set Cloudflare's DNS servers in my IP configuration on my Windows machine it always skips AdGuard Home.

So how do I have to configure this NAT rule to make it work for IPv4 and IPv6?

[tiermutter]

That is because not every DNS request uses port 53... There is also DoT and DoH. Maybe this will explain it: https://forum.opnsense.org/index.php?topic=30066.msg145197#msg145197

[Vexz]

That is because not every DNS request uses port 53... There is also DoT and DoH. Maybe this will explain it: https://forum.opnsense.org/index.php?topic=30066.msg145295#msg145295

Yes, I know that. But I specifically saw an entry in the live view destined to 8.8.8.8 with port 53. So I want every packet with destination port 53 to be destined to AGH on my OPNsense.

[tiermutter]

So how does your config looks like? NAT and FW rule...

[Vexz]

My OPNsense has 8 NICs.

Code: [Select]

igb0: WAN
igb1 - igb7: LAN (bridge called "Switch")
NAT (Port Forward)

Code: [Select]

Interface: Switch (info see above)
Proto: TCP/UDP
Source Address: *
Source Ports: *
Destination Address: !RFC1918
Destination Port: 53
NAT IP: OPNsense (Alias with the OPNsense's IPv4 + IPv6 of "Switch" bridge)
NAT Ports: 53
Firewall Rule for Switch (automatically generated)

Code: [Select]

Protocol: IPv4+IPv6 TCP/UDP
Source IP: *
Source Port: *
Destination: OPNsense (Alias explained above)
Destination Port: 53

[tiermutter]

RFC1918 is an alias? What does it contain? Try out setting "!This Firewall"

[Vexz]

RFC1918 is an alias? What does it contain? Try out setting "!This Firewall"

Yes. I thought it's self-explanatory.

Alias "RFC1918":

Code: [Select]

192.168.0.0/16
10.0.0.0/8
172.16.0.0/12
100.64.0.0/10
127.0.0.0/8
I already tried "!This Firewall" but got the same result.

[tiermutter]

Yes. I thought it's self-explanatory.

Yes it is, but its not clear whats really inside

Set the OPNsense IP as redirect target IP instead of an alias. Now I see, that the alias contains an v6 address, this will not work. You have to configure two redirect rules, one for v4 and one for v6.