DNS not working in VLAN

Started by PaulePils, August 29, 2023, 10:50:16 PM

Hello :),

recently, I did a complete fresh install of my opnsense following this guide: https://homenetworkguy.com/how-to/set-up-a-fully-functioning-home-network-using-opnsense/
I wanted to start all over again after my previous setup got quite nasty and it didn't fit my needs anymore.

For my web services I have a Proxmox server (LAN) with different LXCs and VMs (VLANs).
My problem is that all the services in the VLAN have DNS problems...
For example, I created the rules for the DMZ like in the screenshot. If the allow-any rule at the end is enabled, I can ping, dig, nslookup, traceroute, ... from within the VLAN (makes sense because everything is allowed).
If it is disabled then the clients can't even ping the firewall (ping 192.168.1.1 --> 100% packet loss) or do any other network diagnostics.
Quote:
    dig www.google.com
    ;; communications error to 192.168.1.1#53: timed out
    ;; communications error to 192.168.1.1#53: timed out
    ;; communications error to 192.168.1.1#53: timed out

    ; <<>> DiG 9.18.12-0ubuntu0.22.04.1-Ubuntu <<>> www.google.com
    ;; global options: +cmd
    ;; no servers could be reached

I did quite some research but I didn't find an answer that worked for me. I don't know what I am missing and I am starting not to see the forest for the trees...

Hi,

one part is missing here:
What is the DMZ network's IP range and which IP do you use as DNS?

Note: Although the uppermost rules allow traffic to the DMZ IP, that does not mean they allow traffic to any other OPNsense IP.

LAN: 192.168.1.1 --> IP of OPNsense
DMZ: 192.168.10.1 --> DHCP Range x.100 - x.200 // Webservices in Range < .100
Internal: 192.168.20.1 --> Same DHCP config

Quote: Note: Although the uppermost rules allow traffic to the DMZ IP, that does not mean they allow traffic to any other OPNsense IP.
Hmmm... okay, this is new to me as it was never mentioned in any tutorial. I thought this was a basic setting ???
Should I add a rule with Destination "This Firewall" or rather DMZ net to IP OPNsense any port? Or only the ports that I really need?

If you're using Unbound and it is set to the default, which is to listen on all interfaces, it will be listening on 192.168.10.1, which translates to DMZ address, and the first rule will allow it and it will work.
From your post, when you enable all traffic, I imagine what happens is that only then they reach the DNS service on 192.168.1.1 instead.
Are you using Unbound? Which port, and how is it set up? And if not, the equivalent for your current DNS setup.

Hi,

"This Firewall" in rules might be an approach. But my question refers to: what DNS was provided via DHCP? That IP address needs to be passed in the firewall rules.

So if DNS is your LAN IP in all VLANs, then make sure you have port 53 allowed to pass to your LAN IP or This Firewall.

You can also push the DMZ IP in the DMZ, but then make sure Unbound is listening there and (again) you have 53 allowed to the DMZ IP.

I use Unbound and it is listening on the default port 53.

Quote: Note: Although the uppermost rules allow traffic to the DMZ IP, that does not mean they allow traffic to any other OPNsense IP.
After that info I created a rule: DMZ net + port any -> OPNsense_IP + port 53
It works this way, but I am unsure if this is "safe"?
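To make the point of the replies above concrete, here is an added example that is not from the thread or from OPNsense: a small first-match simulation of interface rules, using the addresses given in the thread (192.168.10.0/24 as DMZ, 192.168.10.1 as the DMZ gateway, 192.168.1.1 as the LAN/DNS address). The rule names, the probe host 192.168.10.50 and the probe packets are constructed; the "base" rule is a stand-in for the thread's uppermost "DMZ net to DMZ address" rule, whose exact contents are only in the screenshot. It shows why DNS to 192.168.1.1 falls through to the default deny with the base rule alone, and what the allow-any rule opens up compared with the narrow "DMZ net -> OPNsense IP port 53" rule the poster ended up with.

```python
"""Added example (not from the thread): first-match firewall rule simulation.

Shows why 'pass DMZ net -> DMZ address' does not cover DNS to the LAN address
192.168.1.1:53, and how much less a DNS-only rule exposes than allow-any.
Addresses are from the thread; rule names and probes are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "pass" or "block"
    src: str                     # source network, CIDR
    dst: str                     # destination network, CIDR
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None  # ICMP carries no port


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when the packet falls inside every field the rule constrains."""
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules: list[Rule], pkt: Packet) -> tuple[str, str]:
    """First matching rule wins; anything unmatched hits the implicit default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "block", "implicit default deny"


DMZ_NET = "192.168.10.0/24"
DMZ_ADDR = "192.168.10.1/32"   # OPNsense DMZ interface address
LAN_ADDR = "192.168.1.1/32"    # OPNsense LAN address, the resolver the DMZ hosts query
ANY = "0.0.0.0/0"

# Constructed stand-in for the thread's uppermost rule.
BASE = [Rule("pass DMZ net -> DMZ address", "pass", DMZ_NET, DMZ_ADDR)]
# Variant 1: the allow-any rule the poster had at the end of the list.
ALLOW_ANY = BASE + [Rule("pass DMZ net -> any", "pass", DMZ_NET, ANY)]
# Variant 2: the narrow rule the poster added instead (UDP and TCP, since DNS uses both).
DNS_ONLY = BASE + [
    Rule("pass DMZ net -> OPNsense LAN IP udp/53", "pass", DMZ_NET, LAN_ADDR, "udp", 53),
    Rule("pass DMZ net -> OPNsense LAN IP tcp/53", "pass", DMZ_NET, LAN_ADDR, "tcp", 53),
]

# Constructed probes from a DMZ web service host (.50, below the DHCP range).
PROBES = {
    "dns to LAN IP":     Packet("192.168.10.50", "192.168.1.1", "udp", 53),
    "ping LAN IP":       Packet("192.168.10.50", "192.168.1.1", "icmp"),
    "ssh to LAN IP":     Packet("192.168.10.50", "192.168.1.1", "tcp", 22),
    "dns to DMZ IP":     Packet("192.168.10.50", "192.168.10.1", "udp", 53),
    "https to LAN host": Packet("192.168.10.50", "192.168.1.20", "tcp", 443),
}


def verdicts(rules: list[Rule]) -> dict[str, str]:
    """Map each probe label to pass/block under the given rule list."""
    return {label: evaluate(rules, pkt)[0] for label, pkt in PROBES.items()}


if __name__ == "__main__":
    for title, rules in (("base only", BASE), ("allow-any", ALLOW_ANY), ("dns-only", DNS_ONLY)):
        print(f"--- {title} ---")
        for label, pkt in PROBES.items():
            action, why = evaluate(rules, pkt)
            print(f"{label:<18} {action:<6} ({why})")
```

With the base rule alone, "dns to LAN IP" and "ping LAN IP" both land on the default deny, which is exactly the timeout and 100% packet loss described in the first post. Allow-any passes every probe, including SSH to the firewall and HTTPS to a LAN host. The DNS-only variant passes just the resolver traffic, so ping to 192.168.1.1 still fails under it; that is expected, not a sign the rule is wrong.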