OPNsense with multiple interfaces - DNS question

Started by TimmiORG, April 17, 2023, 12:15:58 PM

Hi OPNsense community,

I have configured an OPNsense with multiple IP interfaces.
By default, Unbound responds with all IPs when I look up the hostname.

Is it possible to configure it so that the response only contains the IP of the subnet the request is coming from?

Example:
Host: 192.168.100.100
OPNsense: 192.168.100.1

The hostname should only resolve to 192.168.100.1 and not also to the external or other internal interfaces.

Hope someone is able to help.

Thanks in advance
Christoph

Is there a particular problem you're running into?  Or is it that you just don't like the look of all of the IPs being returned?

Hi @CJRoss,

my problem is that the internal IPs are not available from the DMZ, for example.

Best regards
Christoph

Quote from: TimmiORG on April 17, 2023, 07:01:13 PM
Hi @CJRoss,

my problem is that the internal IPs are not available from the DMZ, for example.

Best regards
Christoph

Don't take this the wrong way, but why do you have things in the DMZ trying to look up OPNSense via DNS?

This feels like an XY problem.  https://xyproblem.info/

Can you elaborate on your goal?  As much detail and as high level as possible.

Hi @CJRoss,

I'm checking the availability of services (e.g. GUI) from my internal network via the host name of the OPNsense.
I have restricted the GUI to listen on specific interfaces only, and it looks like this is causing it.

I changed the system to listen on all interfaces except WAN. This allows me to connect to the GUI on the other IPs too.

So for example I configured the system not to listen on the DMZ network.

Hope this explains what I'm doing.

Best regards
Christoph


Quote from: TimmiORG on April 18, 2023, 03:43:43 PM
Hi @CJRoss,

I'm checking the availability of services (e.g. GUI) from my internal network via the host name of the OPNsense.
I have restricted the GUI to listen on specific interfaces only, and it looks like this is causing it.

I changed the system to listen on all interfaces except WAN. This allows me to connect to the GUI on the other IPs too.

So for example I configured the system not to listen on the DMZ network.

Hope this explains what I'm doing.

Best regards
Christoph

Why would you be attempting to access the OPNSense UI from a DMZ?  That's a horrible idea and rife with security issues.

You're still in an XY problem.  I need higher level details because what you're providing continues to make me think that whatever you're actually trying to accomplish, you're going about it in a horribly insecure way which will only lead to problems in the future.

OK, I don't want to allow access to the GUI from the DMZ or any untrusted network. That is why I'm blocking access to the port inside those networks through the FW.

I have multiple internal networks e.g.:
192.168.100.0/24
192.168.200.0/24
192.168.250.0/24

The DNS entry from the OPNsense will result in
192.168.100.1
192.168.200.1
192.168.250.1

The GUI is configured to listen only on the x.x.100.0/24 interface. The request is coming from x.x.100.10.
Depending on which IP is returned in the DNS answer, I run into the issue that 192.168.200.1 is not responding, as the GUI is not listening on that IP.
After adding x.x.200.0/24 to the listening interfaces, even though the IP is blocked from that network, I can log in from 192.168.100.10 to 192.168.200.1.

Best regards
Christoph

Have the UI listen on all interfaces as is strongly recommended.
Use firewall rules to block access to the UI for all untrusted networks.
Permit access to the UI from the trusted LAN or management networks.

As long as the connection is coming in from e.g. LAN and there is a permit rule, it does not matter if the destination IP address is on some other network interface. Neither will any packets leave the firewall out of that other network interface.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Hi @pmhausen,

OK, I guess my issue was that I did not listen on all the interfaces.
I have restricted access through rules.

Best regards and thx
Christoph

Quote from: TimmiORG on April 17, 2023, 12:15:58 PM
Hi OPNsense community,

I have configured an OPNsense with multiple IP interfaces.
By default, Unbound responds with all IPs when I look up the hostname.

Is it possible to configure it so that the response only contains the IP of the subnet the request is coming from?

You can do that with Unbound, take a look at these:
https://www.reddit.com/r/OPNsenseFirewall/comments/u3ibkj/unbound_registration_of_every_interface/
https://www.reddit.com/r/OPNsenseFirewall/comments/qlqvpx/return_different_dns_override_depending_on/
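The mechanism those posts rely on is Unbound's "views": `access-control-view` maps a client netblock to a named view, and each view carries its own `local-data`, so a client on 192.168.100.0/24 is answered only with 192.168.100.1. The fragment below is an added example for this thread, not configuration from OPNsense or from the linked posts. The hostname `fw.home.arpa`, the zone `home.arpa` and the view names are assumptions; the three /24 networks are the ones given earlier in the thread.

```conf
server:
    # Constructed example: one view per client network.
    # Clients outside these netblocks get no view and fall through
    # to whatever the global configuration returns.
    access-control: 192.168.100.0/24 allow
    access-control: 192.168.200.0/24 allow
    access-control: 192.168.250.0/24 allow
    access-control-view: 192.168.100.0/24 lan100
    access-control-view: 192.168.200.0/24 lan200
    access-control-view: 192.168.250.0/24 lan250

# Each view answers the firewall's hostname (assumed: fw.home.arpa)
# with only the address of the interface facing that network.
# view-first: yes lets names not defined in the view fall back to
# the global local-zone/local-data, so other host overrides still work.
view:
    name: "lan100"
    view-first: yes
    local-zone: "home.arpa." transparent
    local-data: "fw.home.arpa. IN A 192.168.100.1"

view:
    name: "lan200"
    view-first: yes
    local-zone: "home.arpa." transparent
    local-data: "fw.home.arpa. IN A 192.168.200.1"

view:
    name: "lan250"
    view-first: yes
    local-zone: "home.arpa." transparent
    local-data: "fw.home.arpa. IN A 192.168.250.1"
```

On OPNsense the main unbound.conf is generated and should not be hand-edited; a fragment like this belongs in a custom include (current releases read `/usr/local/etc/unbound.opnsense.d/*.conf`, but confirm the path for your version). Note that this only changes what clients learn from DNS; the firewall rules pmhausen describes are still what actually prevents a DMZ host from reaching the GUI, since any host can target an interface address directly without resolving it.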