OPNsense Forum » Archive » 23.1 Legacy Series » Routing opnsense's DNS queries through second WAN with Firewall?
Topic: Routing opnsense's DNS queries through second WAN with Firewall? (Read 1515 times)
aida (Newbie, Posts: 31, Karma: 0)
Routing opnsense's DNS queries through second WAN with Firewall?
« on: April 30, 2023, 03:50:14 pm »
My OPNsense firewall is currently running Unbound. I have two DNS servers, a local BIND server which has all my .home.arpa zones, and an upstream server via the Query Forwarding option. I want to route packets out of a specific WAN port when they originate from the OPNsense machine itself. I have been able to use policy matching for requests originating from my LAN side successfully. I have had trouble when the request originates from the OPNsense machine, i.e. Unbound. According to the firewall logs that traffic still tries to route through my primary WAN and not my WireGuard tunnel (IVPN_Gateway_GW).

Using the "Outbound Interface" option in Unbound is not what I want, because if the WireGuard tunnel goes down, Unbound defaults back to my primary WAN. Also, that prevents me from sending requests to my local BIND instance. There doesn't appear to be an option to select a "localhost" interface.

The problem appears to be the blue circled rule below, which should force DoT traffic originating from the router out IVPN_Gateway, i.e. my second WAN.

I am currently using 3 Outbound NAT rules:

The 1st and 2nd rule route to my WireGuard tunnel, which is assigned to "IVPN_Gateway". The second rule there simply routes the remaining networks to my primary WAN. Here is what is actually in that rule:

The LAN side of my network has both VLANs that go out the primary WAN, and others that go out IVPN_Gateway. Here's an overview of that table:

The first rule there simply allows access to the firewall itself (web interface).
The second rule allows access to some hosts on my LAN, for example the BMC of my server and other administrative interfaces.
The third and fourth are IPv4 and IPv6 rules which route to the respective WireGuard WAN. They also set the respective tag vpn_only_ipv4 or vpn_only_ipv6.

Finally my floating table:

The first two rules are redirect rules that will redirect any traffic destined for port 53 to localhost for both IPv4 and IPv6. This is to prevent some gear on my network which is hardcoded to use 8.8.8.8, for example.
They match with these NAT Port Forward rules which redirect to the local IP:
The last two rules simply block anything from entering the WAN interface that has the above vpn_only_ipv4 and vpn_only_ipv6 tag match.

The problematic rule (circled in blue) is:

What I am trying to achieve here is that anything that has a destination of 853 (so DoT from the OPNsense) will be directed into IVPN_Gateway_GW (when the rule is enabled). Instead what happens is the traffic still tries to go out the WAN port and is blocked.

I want to do the same for my VPN provider's DNS servers, which are hosted on 10.0.254.1 - 10.0.254.3. From my LAN side I can correctly query/ping these servers, but I cannot on my OPNsense router as it wants to go out the wrong WAN port.

If anyone has any ideas on how to improve this setup.
« Last Edit: April 30, 2023, 03:58:02 pm by aida »
aida (Newbie, Posts: 31, Karma: 0)
Re: Routing opnsense's DNS queries through second WAN with Firewall?
« Reply #1 on: June 28, 2023, 02:11:57 pm »
The solution for this was to simply put a routing rule in like the following, i.e. route 10.0.254.0/30, which includes 10.0.254.1 - 10.0.254.3, to the gateway.
I'm using NAT rules to redirect DNS queries to 8.8.8.8 to my router's IP. Unbound forwards upstream to the VPN provider's DNS servers.
The DNS servers are static, so I don't really have to worry about "other" DNS servers; Unbound only has BIND and the VPN provider's servers.
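The following is an added example, not code from either post or from OPNsense itself. It models in plain Python why the static route in the reply works where the gateway-on-rule approach in the first post did not: rules with a gateway set on LAN-side interfaces only match packets that arrive on those interfaces, so packets Unbound generates on the firewall itself never hit them and the kernel's longest-prefix-match route lookup decides their egress instead. It also chains the floating port-53 redirect into that lookup to trace a hardcoded 8.8.8.8 client end to end. The gateway names WAN_GW and IVPN_Gateway_GW, the 127.0.0.1 redirect target and the routing tables are constructed assumptions for illustration.

```python
# Added example (not from the forum thread). Models two decisions discussed
# above with the Python standard library only: the kernel's longest-prefix
# route lookup for firewall-originated packets, and the floating port-53
# redirect. Gateway names, tables and the redirect target are assumptions.
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]  # (prefix, gateway name)


def lookup(table: Iterable[Route], dst: str) -> Optional[str]:
    """Longest-prefix match, the rule the kernel applies to every packet the
    firewall itself originates. Policy-routing rules with a gateway set on
    LAN-side interfaces only see packets entering those interfaces, so
    Unbound's own queries never match them and are routed by this table."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, gw in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def covered(prefix: str, hosts: Iterable[str]) -> bool:
    """Check that a static-route prefix really contains every resolver address
    before relying on it (a /30 covers four addresses, .0 through .3)."""
    net = ipaddress.ip_network(prefix)
    return all(ipaddress.ip_address(h) in net for h in hosts)


# Constructed tables. BEFORE: only a default route through the primary WAN.
# AFTER: the reply's fix, a /30 for the VPN provider's resolvers pointed at
# the WireGuard gateway. Both gateway names are assumed.
BEFORE: List[Route] = [(ipaddress.ip_network("0.0.0.0/0"), "WAN_GW")]
AFTER: List[Route] = BEFORE + [(ipaddress.ip_network("10.0.254.0/30"), "IVPN_Gateway_GW")]

VPN_RESOLVERS = ["10.0.254.1", "10.0.254.2", "10.0.254.3"]
FIREWALL_DNS = "127.0.0.1"  # assumed target of the floating port-53 redirect rules


def redirect_dns(dst_ip: str, dst_port: int) -> Tuple[str, int]:
    """Model of the floating rdr rules: any port-53 destination (e.g. a device
    hardcoded to 8.8.8.8) is rewritten to the firewall's own resolver."""
    if dst_port == 53:
        return FIREWALL_DNS, 53
    return dst_ip, dst_port


def trace_client_query(table: Iterable[Route], client_dst_ip: str,
                       client_dst_port: int) -> Dict[str, str]:
    """Follow one LAN client's packet: client -> (rdr) -> Unbound on the
    firewall -> forward to a VPN resolver -> kernel route lookup for egress.
    Queries for the local .home.arpa zones would go to BIND instead; that
    branch is omitted here."""
    rdr_ip, rdr_port = redirect_dns(client_dst_ip, client_dst_port)
    if (rdr_ip, rdr_port) != (FIREWALL_DNS, 53):
        return {"handled_by": "not DNS", "egress": lookup(table, rdr_ip) or "unreachable"}
    upstream = VPN_RESOLVERS[0]  # Unbound forwards to the VPN provider's resolver
    return {"handled_by": "unbound", "upstream": upstream,
            "egress": lookup(table, upstream) or "unreachable"}


if __name__ == "__main__":
    assert covered("10.0.254.0/30", VPN_RESOLVERS)
    for name, table in (("before", BEFORE), ("after", AFTER)):
        print(name, trace_client_query(table, "8.8.8.8", 53))
```

Running it prints the "before" trace egressing via WAN_GW and the "after" trace via IVPN_Gateway_GW. The same reasoning applies to the DoT (port 853) destination in the first post: a static route for the DoT resolver's address is what steers the firewall's own traffic, not a gateway set on an interface rule.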