DNSmasq & Unbound supporting a router with parental controls
Topic: DNSmasq & Unbound supporting a router with parental controls (Read 609 times)
pasha-19
Newbie
Posts: 34
Karma: 0
DNSmasq & Unbound supporting a router with parental controls
« on: January 28, 2023, 10:11:57 am »
I am creating an OPNsense router with parental controls. I am a relative newbie.
I set up static IPv4 ranges for users (small home network) where my two grandchildren have ranges identifiable by subnet mask like Child 1 xxx.xxx.xxx.32/28 and Child 2 xxx.xxx.xxx.48/28. Meaning both children for DNS redirection are identified as a group with a single range xxx.xxx.xxx.32/27. I have child-only VLAN(s) where the DHCP address range like xxx.xxx.xxx.160/27 is also considered a child.
In terms of scheduling each range can have its own schedule, allowing each group of children to be scheduled differently.
I also decided to use Firewall > NAT > Port Forward rules on my router to standardize the processing of DNS and NTP requests using services that listen on the interface (gateway) addresses. The services are DNSmasq as a Child's filtered DNS service (overridden to a port other than 53); Unbound as the non-Child DNS over TLS service (using the standard port 53) and NTPD for internal NTP requests.
I have read DNSmasq may become a plugin in the future. My first question is how hard is it going to be to correct this configuration when DNSmasq becomes a plugin instead of a standard service? Since a change will be necessary, running two Unbound services using different ports, interface lists and filtered DNS servers would be a preferable solution. This is beyond my current skills and possibly OPNsense's current capabilities to implement.
Currently I have 2 - 3 redirect rules per interface. The first optional rule is for the combined children's net of xxx.xxx.xxx.32/27 for DNS redirection to DNSmasq port when the rest of the interface is redirected to the non-child DNS service using the Unbound port. The standard DNS rule follows to redirect either all (or just the remaining?) DNS traffic to the respective interface (gateway) address on the appropriate port assigned to Unbound port (non-child or split DNS interface) or DNSmasq port (child only interface). The standard NTP rule follows to redirect all NTP requests to the respective interface address using the standard NTP port.
I am relatively sure this is working correctly at this time. I have reviewed the live view firewall log and see the DNS and NTP requests being processed as desired.
My second question is why in Firewall > NAT > Port Forward > NAT IP was it necessary to create Aliases (for readability) that contain the interface (gateway) addresses (which I believe are available as "{interface name} address" when creating a rule in Firewall > Rules > Interface)?
These rules could probably be generalized into a total of 3 rules if I could specify an OPNsense defined "(the corresponding interface (gateway) address)" as the NAT IP address (just a suggestion).
« Last Edit: January 29, 2023, 05:34:05 pm by pasha-19 »
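The three-rule-per-interface redirect layout described in the post, written out in the pf rdr syntax that OPNsense's port forwards compile down to. This is an added illustration, not the poster's configuration and not OPNsense's generated ruleset; the interface name igc1, the gateway address 192.168.1.1, the child range 192.168.1.32/27 and the alternate DNSmasq port 5353 are assumed values chosen for the example.

```pf
# Assumed names and addresses (constructed for this illustration, not from the post):
#   igc1         the LAN interface carrying both child and non-child clients
#   192.168.1.1  that interface's own (gateway) address
#   5353         the non-standard port DNSmasq has been moved to
child_net   = "192.168.1.32/27"   # Child 1 (.32/28) and Child 2 (.48/28) as one /27
lan_if      = "igc1"
lan_addr    = "192.168.1.1"
dnsmasq_prt = "5353"

# 1. Optional rule: the children's DNS goes to the filtered DNSmasq listener.
#    It must come first: pf applies the FIRST matching rdr rule to a packet.
rdr pass on $lan_if inet proto { tcp, udp } from $child_net to any port 53 -> $lan_addr port $dnsmasq_prt

# 2. Standard DNS rule: anything not caught above goes to Unbound (DNS over TLS upstream).
#    Because rule 1 already matched the child range, this rule only sees the remaining traffic.
rdr pass on $lan_if inet proto { tcp, udp } from any to any port 53 -> $lan_addr port 53

# 3. Standard NTP rule: all NTP requests on this interface are answered by the local NTPD.
rdr pass on $lan_if inet proto udp from any to any port 123 -> $lan_addr port 123
```

Because translation rules are evaluated first-match, the order shown is what makes the narrower child rule win over the catch-all; the catch-all then handles only the remaining clients rather than all of them. Both TCP and UDP are redirected for DNS so that large or truncated answers that fall back to TCP cannot bypass the filter. The ruleset the firewall actually loaded can be checked from a shell on the OPNsense box with `pfctl -s nat`, which lists the active rdr rules in evaluation order.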