[HOWTO] Redirect all IPv4 and tracked IPv6 DNS requests to OPNsense w/ Unbound

Started by Ground_0, September 17, 2024, 06:53:23 PM

I wanted to compile, in one place, this commonly discussed topic, which is spread throughout the web. There are many sources and threads here, as well as on Reddit and other home networking sites, with differing information, some of it out of date or incomplete. And nearly all other information is woefully inadequate with regard to dynamically tracked IPv6.
I invite those more knowledgeable than myself (ostensibly, everyone) to a constructive discussion. I am sure the methodology can be optimized or improved.

Why redirect DNS requests with port forwarding/Firewall rules?
Mainly, as a method to ensure all devices on a given network use the DNS you have chosen through OPNsense.

Here is what I have proved to work.
For IPv4:
Go to Firewall/NAT/Port Forward
Add new (+)

Interface: LAN
TCP/IP Version: IPv4
Protocol: TCP/UDP
Source: any
Source Port Range: from any to any
Destination / Invert: Checked
Destination: LAN address
Destination port range: From DNS to DNS
Redirect target IP: Single Host or Network, 127.0.0.1
Redirect target port: DNS
Description: Redirect DNS to local
NAT reflection: Use System Default
Filter rule association: Add associated filter rule (which will become Rule Redirect DNS to local)
OR
Filter rule association: Pass*
* Specifying Add associated filter rule (Redirect DNS to local) will automatically create a firewall rule in Firewall/Rules/LAN
This can also be set to 'Pass', in which case there will NOT be an associated firewall rule; pass and port forward are handled in one place.

For tracked IPv6:
There seem to be a few ways to do this. Unlike IPv4's 127.0.0.1, IPv6's corresponding ::1 will not work as a redirect target IP address.
This can be solved by creating an alias which points to the dynamic tracked LAN IPv6 address and redirecting to it.**
Copy the last 4 hextets from your tracked LAN interface. This can be found in multiple places, for instance, the table at Interfaces/Overview/LAN/IPv6.
For example, if your tracked LAN IPv6 address is 2000:3000:d000:e000:AAAA:BBBB:CCCC:DDDD/64 copy AAAA:BBBB:CCCC:DDDD

Go to Firewall/Aliases
Add new (+)
Enabled: (checked)
Name: lan_ipv6_alias
Type: Dynamic IPv6 Host
Content: ::AAAA:BBBB:CCCC:DDDD (the last 4 hextets of your current tracked LAN IPv6 address. Notice the leading double colon: :: )
Interface: LAN
Description: lan ipv6 alias

Go to Firewall/NAT/Port Forward
Add new (+)

Interface: LAN
TCP/IP Version: IPv6
Protocol: TCP/UDP
Source: any
Source Port Range: from any to any
Destination / Invert: Checked
Destination: LAN address
Destination port range: From DNS to DNS
Redirect target IP: lan_ipv6_alias
Redirect target port: DNS
Description: Redirect IPv6 DNS to local
NAT reflection: Use System Default
Filter rule association: Add associated filter rule (which will become Rule Redirect IPv6 DNS to local)
OR
Filter rule association: Pass*
* Specifying Add associated filter rule (Redirect IPv6 DNS to local) will automatically create a firewall rule in Firewall/Rules/LAN
This can also be set to 'Pass', in which case there will NOT be an associated firewall rule; pass and port forward are handled in one place.

If you did NOT use 'Pass' for Filter Rule Association:
You will need the corresponding firewall rules for IPv4/v6 to be moved above the default 'allow any' rules:
Firewall/Rules/LAN
For IPv4:
Check the 'Redirect DNS to local' rule and move above 'Default allow LAN to any rule'
For IPv6:
Check the 'Redirect IPv6 DNS to local' rule and move above 'Default allow LAN to any rule'

**As an alternative to an alias, it has been suggested that a virtual IP can be used to point to ::1
This can be done by assigning fd00::53 (or any ULA address) to the loopback interface:
Interfaces/Virtual IPs/Settings
Modify the port forwarding rule to redirect to the virtual IP (e.g. fd00::53) rather than the lan_ipv6_alias.
Restart the Unbound service to bind to the new loopback virtual IP address

I have carefully checked my work, but please feel free to point out any errors.

Information gleaned from P.M Hausen, Cypher 100, Z1ng and others. Thank you.
AppNeta m50 8GB
DEC690

*Nothing takes 5 minutes.*
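A worked example added here (not part of Ground_0's post) for the tracked IPv6 step: instead of copying "the last 4 hextets" by eye, which goes wrong once the display has compressed a zero run inside the host part, the host bits are computed from the address with Python's ipaddress module, and the result is checked against the interface's current address. resolve_dynamic_alias is a conceptual model of what a Dynamic IPv6 Host alias evaluates to after a prefix change; it is not OPNsense's code. The 2000:3000:d000:e000::/64 prefix is the post's own placeholder and 2001:db8:77:1::/64 is a made-up replacement prefix.

```python
"""IPv6 helpers for the tracked-LAN DNS redirect recipe (added example)."""
import ipaddress


def interface_id_suffix(address: str, prefix_len: int = 64) -> str:
    """Return the host part of a tracked LAN address in the '::x:x:x:x'
    form a 'Dynamic IPv6 Host' alias expects, leading '::' included.

    `address` may carry a '/nn' (as Interfaces/Overview shows it) or not,
    and may be in any legal compressed form.  Copying "the last 4 hextets"
    by eye fails when the host part contains a zero run that the display
    has already compressed, so the host bits are computed instead.
    """
    if "/" not in address:
        address = f"{address}/{prefix_len}"
    iface = ipaddress.IPv6Interface(address)
    host_bits = 128 - iface.network.prefixlen
    host_part = int(iface.ip) & ((1 << host_bits) - 1)
    # An address whose upper bits are all zero renders, in RFC 5952
    # canonical form, as '::' followed by the non-zero host groups.
    return str(ipaddress.IPv6Address(host_part))


def resolve_dynamic_alias(suffix: str, current_prefix: str) -> str:
    """Conceptual model (not OPNsense's implementation) of what the dynamic
    alias evaluates to: the stored host part OR-ed onto whatever prefix the
    tracked interface holds right now, so the alias follows a prefix change
    without the port forward being edited."""
    net = ipaddress.IPv6Network(current_prefix, strict=False)
    host_part = int(ipaddress.IPv6Address(suffix))
    if host_part >> (128 - net.prefixlen):
        raise ValueError(f"{suffix} has bits inside the /{net.prefixlen} prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | host_part))


def check_alias_against_interface(suffix: str, current_address: str) -> bool:
    """Sanity check before saving the port forward: does the alias content
    reproduce the address the LAN interface currently shows?"""
    iface = ipaddress.IPv6Interface(current_address)
    return resolve_dynamic_alias(suffix, str(iface.network)) == str(iface.ip)


if __name__ == "__main__":
    # Constructed values mirroring the post's placeholder, not a real prefix.
    shown = "2000:3000:d000:e000:AAAA:BBBB:CCCC:DDDD/64"
    suffix = interface_id_suffix(shown)
    print("Alias content:", suffix)
    print("Resolves today to:", resolve_dynamic_alias(suffix, "2000:3000:d000:e000::/64"))
    print("After a prefix change:", resolve_dynamic_alias(suffix, "2001:db8:77:1::/64"))
    print("Matches interface:", check_alias_against_interface(suffix, shown))
```

Run it after copying the address from Interfaces/Overview; if check_alias_against_interface returns False, the alias content will not point at the firewall and the IPv6 port forward will send queries nowhere useful.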

My apologies if I break any rules by replying so late.

I will kiss your eyes, my brother! Much appreciation for the posting.
"Wealth consists not in having great possessions, but in having few wants."
― Epictetus

Quote from: g7s on February 12, 2025, 09:57:42 PM
    My apologies if I break any rules by replying so late.
    I will kiss your eyes, my brother! Much appreciation for the posting.
Wow, what an honor to have been helpful to you.

Just a clarification. Most guides use "NAT Reflection: Disabled". What is the difference if you use the system default?

Tried it myself, and yes, it works. But why does this NAT port forward method work? Isn't the TCP/IP protocol expecting a reply back from the assumed "real IP" address of the DNS server?

Will this same trick work with SMTP?

Also, what's the reason for the firewall filter rule? That seems unnecessary (and I confirmed it works without it). Yet I am not redirecting DNS to the firewall, but to a different host on the LAN.
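The "why does it work" question above comes down to the pf state table. As an added example (not written by anyone in this thread), the following Python models the redirect described in the first post: the rule matches TCP/UDP to port 53 with the firewall's own LAN address excluded (the inverted destination), the state entry remembers the destination the client actually asked for, and the reply is rewritten so the client sees an answer from that address while Unbound only ever saw 127.0.0.1 (or the LAN alias). Client addresses, ports and the RedirectTable class are constructed for the demo; this is a conceptual model, not pf code.

```python
"""Model of the pf 'rdr' behaviour behind the DNS redirect (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

DNS_PORT = 53


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def _canon(ip: str) -> str:
    """Normalise an address string so 'AAAA' and 'aaaa' compare equal."""
    return str(ipaddress.ip_address(ip))


def matches_redirect(pkt: Packet, firewall_lan_addrs: Iterable[str]) -> bool:
    """Match logic of the two port forwards: TCP/UDP to port 53, any source,
    any destination EXCEPT the firewall's own LAN address ('Destination /
    Invert').  Queries clients already send to the firewall are left alone;
    everything else on port 53 is caught."""
    if pkt.proto not in ("tcp", "udp") or pkt.dport != DNS_PORT:
        return False
    return _canon(pkt.dst) not in {_canon(a) for a in firewall_lan_addrs}


class RedirectTable:
    """Minimal stand-in for the pf state table: remembers the original
    destination of each redirected query so the reply can be rewritten."""

    def __init__(self, v4_target: str, v6_target: str):
        self.targets = {4: _canon(v4_target), 6: _canon(v6_target)}
        # key: (proto, client, client port, target, 53) -> original (dst, dport)
        self.states: Dict[Tuple[str, str, int, str, int], Tuple[str, int]] = {}

    def inbound(self, pkt: Packet) -> Packet:
        """Client -> firewall: rewrite the destination to the local resolver."""
        target = self.targets[ipaddress.ip_address(pkt.dst).version]
        key = (pkt.proto, _canon(pkt.src), pkt.sport, target, DNS_PORT)
        self.states[key] = (_canon(pkt.dst), pkt.dport)
        return Packet(pkt.proto, pkt.src, pkt.sport, target, DNS_PORT)

    def reply(self, pkt: Packet) -> Optional[Packet]:
        """Resolver -> client: put the original destination back as the
        source, so the client sees an answer from the IP it asked."""
        key = (pkt.proto, _canon(pkt.dst), pkt.dport, _canon(pkt.src), pkt.sport)
        state = self.states.get(key)
        if state is None:
            return None   # no matching state: pf would not translate it
        orig_dst, orig_dport = state
        return Packet(pkt.proto, orig_dst, orig_dport, pkt.dst, pkt.dport)


def simulate(pkt: Packet, table: RedirectTable, lan_addrs: Iterable[str]) -> dict:
    """Run one client query through the model and report what each side sees."""
    if not matches_redirect(pkt, lan_addrs):
        # Not caught: the packet goes where the client addressed it.
        return {"redirected": False, "unbound_sees_dst": None,
                "client_sees_reply_from": _canon(pkt.dst)}
    rewritten = table.inbound(pkt)
    # Unbound answers from the address and port it was reached on.
    answer = Packet(pkt.proto, rewritten.dst, rewritten.dport, rewritten.src, rewritten.sport)
    restored = table.reply(answer)
    return {"redirected": True, "unbound_sees_dst": rewritten.dst,
            "client_sees_reply_from": restored.src}


if __name__ == "__main__":
    # Constructed LAN: firewall at 192.168.1.1 and the post's placeholder IPv6.
    lan = ["192.168.1.1", "2000:3000:d000:e000:aaaa:bbbb:cccc:dddd"]
    table = RedirectTable("127.0.0.1", "2000:3000:d000:e000:aaaa:bbbb:cccc:dddd")
    for q in (Packet("udp", "192.168.1.50", 40000, "8.8.8.8", 53),
              Packet("udp", "192.168.1.50", 40001, "192.168.1.1", 53),
              Packet("tcp", "192.168.1.50", 40002, "1.1.1.1", 853)):
        print(q.dst, q.dport, "->", simulate(q, table, lan))
```

Two things the model makes visible: the client never learns it was redirected, because the reply arrives from the address it queried, and the rule catches plain DNS on port 53 only. A client configured for DNS over TLS (port 853) or DNS over HTTPS (port 443) is not matched and needs its own block rule if you want to keep it on the local resolver.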



Quote from: MagikMark on March 04, 2025, 12:30:15 PM
    Just a clarification. Most guides use "NAT Reflection: Disabled". What is the difference if you use the system default?

Perhaps someone more knowledgeable than myself can give a better answer.
The OPNsense default is enabled.
I decided to leave this at the default setting, since NAT Reflection seems, to me, to be generally rather handy in most scenarios.

Quote from: tuaris on March 06, 2025, 10:38:24 PM
    .. what's the reason for the firewall filter rule? That seems unnecessary (and I confirmed it works without it). Yet I am not redirecting DNS to the firewall, but to a different host on the LAN.

Setting the NAT rule to 'Pass' should, indeed, work without an automatically generated floating rule, and is simpler.
I decided to put both options in the tutorial.
For myself, I use the floating rule because I sometimes go months at a time between fiddling with the firewall, and having a rule staring me in the face under Firewall/Rules/LAN is a good reminder as to what is going on.
Someone might correct me on this, but if I am not mistaken, having a floating rule also seems to allow an extra degree of granularity; I judged each option to be equally useful and correct, and left it up to user preference.