VM in DMZ Vlan unable to resolve DNS queries.

Started by meddyuk76, March 11, 2025, 10:34:08 PM

I've put some of my VMs in their own DMZ Vlan 192.168.50.** /24
My DNS is obviously on the LAN on 192.168.1.1

I've put a rule in the DMZ Firewall - Source DMZ Net to LAN Net on Port 53 (Pass Any).

Whenever I type nslookup my VMs cannot contact the server. I'm also not able to update any of my VMs.

I take it that DNS is being blocked by the Firewall but I can't figure out why.

It's a steep learning curve.

Direction "in"?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)


Do a tcpdump. I suspect this happens:

- client on the DMZ sends a query to Unbound (you are running Unbound?) using the address on LAN
- Unbound answers using the address on the DMZ interface as the source

Answers like that will be dropped by any modern client.

Best set clients on the DMZ network to use the address of the DMZ interface on OPNsense as their DNS server, not the address on LAN.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: meddyuk76 on March 11, 2025, 10:34:08 PM
I've put some of my VMs in their own DMZ Vlan 192.168.50.** /24
My DNS is obviously on the LAN on 192.168.1.1

I've put a rule in the DMZ Firewall - Source DMZ Net to LAN Net on Port 53 (Pass Any).
That firewall rule does look ok, a bit wide open to the LAN but it should work.

Have you set the DNS IP 192.168.1.1 in the DMZ DHCP as DNS server?
Deciso DEC740

Have you set the DNS IP 192.168.1.1 in the DMZ DHCP as DNS server?
No. I've set it to 1.1.1.1 and 8.8.8.8

I've got Unbound enabled and Dynamic DNS set up via Cloudflare.

It was all working fine when I had everything on VLAN 1 and all the VMs were running via vmbr0 (Proxmox host). Now I've changed IPs and VLANs on the VMs I can ping everything internal and external, I just can't get DNS.

Quote from: meddyuk76 on March 12, 2025, 10:25:30 AM
Have you set the DNS IP 192.168.1.1 in the DMZ DHCP as DNS server?
No. I've set it to 1.1.1.1 and 8.8.8.8

I've got Unbound enabled and Dynamic DNS set up via Cloudflare.

It was all working fine when I had everything on VLAN 1 and all the VMs were running via vmbr0 (Proxmox host). Now I've changed IPs and VLANs on the VMs I can ping everything internal and external, I just can't get DNS.

Ok, that would work too, of course. All DMZ services use 1.1.1.1 and 8.8.8.8 as their DNS server and don't use OPNsense for DNS at all.

What is the purpose of the rule you mentioned, "DMZ Firewall - Source DMZ Net to LAN Net on Port 53 (Pass Any)"? That allows the DMZ LAN to access port 53 on any LAN IP.

What other rules do you have in the DMZ firewall? Do you have an 'Allow All Out' rule?
Deciso DEC740

The rules are all 'IN' rules, no out rules.

IPv4+6 TCP/UDP   DMZ net   *   DMZ address   53 (DNS)   *   *      Allow access to DNS      
IPv4+6 *   DMZ net   *   LAN net   *   *   *      Access to internet      
IPv4 ICMP   *   *   *   *   *   *      Allow ICMP echo reply messages      
IPv4 TCP/UDP   DMZ net   *   LAN net   53 (DNS)   *   *      DMZ to LAN DNS access

Quote from: meddyuk76 on March 12, 2025, 01:59:18 PM
The rules are all 'IN' rules, no out rules.

IPv4+6 TCP/UDP    DMZ net    *    DMZ address    53 (DNS)    *    *        Allow access to DNS     
IPv4+6 *    DMZ net    *    LAN net    *    *    *        Access to internet     
IPv4 ICMP    *    *    *    *    *    *        Allow ICMP echo reply messages     
IPv4 TCP/UDP    DMZ net    *    LAN net    53 (DNS)    *    *        DMZ to LAN DNS access
You're right, they are 'in' rules. Is all the traffic from the servers routed through the LAN?

Usually I would expect a rule like:

IPv4+6 *    DMZ net    *    *    *    *    *        Access to internet

Your "Access to internet" rule allows DMZ net access to LAN net, not more and not less.

If all the rules are 'quick' rules (which they are by default), then ...

"IPv4 TCP/UDP   DMZ net   *   LAN net   53 (DNS)   *   *      DMZ to LAN DNS access"

... won't be reached at all, since the 'Access to internet' rule also covers DMZ net to LAN net 53/udp.

Confusingly, with these DMZ rules the clients in the DMZ zone can't access the internet, except if they all go through a router on LAN.

Maybe I'm overlooking something.
Deciso DEC740

I thought I would try a NAT Port Forward from DMZ to DMZ Net (DNS) but that's not worked either. I'm trying to get the VMs to at least update, so that I can confidently deploy another VM and start the next project, which is HomeAssistant.

If you can't connect (or ping) from the DMZ net then it's as I thought it to be.
You gotta change the

IPv4+6 *    DMZ net    *    LAN net    *    *    *        Access to internet     

to

IPv4+6 *    DMZ net    *    *    *    *    *        Access to internet

for the reason I wrote before.

I haven't really understood your DNS part. You wrote that you use 1.1.1.1 and 8.8.8.8, but where do you set them? For OPNsense to use as DNS forwarder (in System > Settings > General), or do you enter these two in the DMZ net DHCP server in the 'DNS Server' field?
Deciso DEC740

I can ping external addresses from the VLAN, I just can't reach Linux repositories and can't resolve nslookups, as the server 127.0.0.1:53 is unreachable.

The DNS part is where I am slightly confused, as there are numerous places you can put entries.

I have used 1.1.1.1 and 8.8.8.8 in the DMZ DHCP DNS server entries.

I have also used 1.1.1.1 and 8.8.8.8 in Unbound DNS TLS entry.

Thanks for your ongoing advice/help - it's appreciated!

Quote from: meddyuk76 on March 12, 2025, 09:09:32 PM
I can ping external addresses from the vlan
I don't really understand how you can get to the internet with these rules. And since that's not clear to me, I'm of not much help with the DNS.

Can you do a traceroute -n 1.1.1.1 so it shows what way the packet takes?
Deciso DEC740

Quote: I don't really understand how you can get to the internet with these rules

You were right, I changed the rule from LAN Net to Any and it connects. I'm able to update my Ubuntu repos.

Quote from: meddyuk76 on March 13, 2025, 10:29:52 AM
You were right, I changed the rule from LAN Net to Any and it connects. I'm able to update my Ubuntu repos.
Uuff, ok. My world does make sense again :)

About DNS: OPNsense reacts to DNS queries from local clients, that is what Unbound does. And with the DNS Server field in the DHCP server you tell the DHCP server what IP the clients should receive as the DNS server to query. If you don't set anything in OPNsense, that is going to be Unbound on OPNsense, on the IP address of the interface.
If you set the DNS Server field in the DHCP server to something else, like 1.1.1.1, then the clients will use that DNS server. Nothing wrong with it, but that way you don't see what the clients look up, and if you enable blocklists on OPNsense they won't have any effect, nor will the caching of DNS query answers.

Setting 1.1.1.1 and/or 8.8.8.8 in System > Settings > General tells OPNsense/Unbound where to forward DNS queries from clients. If you don't enter any IPs Unbound will ask the DNS root servers.

For your DMZ it would be easiest if you let the DMZ servers use OPNsense/Unbound as the DNS server. For that you don't have to create any rules, and it's the default in the DHCP server settings. And by default Unbound listens on all interfaces for DNS queries, also the DMZ.

DMZ firewall rules: right now the DMZ can access the LAN (or any other network you will create); most of the time you want the DMZ to be isolated from the rest of the network.
The nature of the 'in' direction (seen from the router, 'in' means incoming from LAN or DMZ) rules is that you restrict access from the source. If you want DMZ devices to only be able to access the internet, you would modify the

IPv4+6 *    DMZ net    *    *    *    *    *        Access to internet

... rule to something like

IPv4+6 *    DMZ net    *    'not LAN net'    *    *    *        Access to internet

Which translates to: Allow DMZ net access everything except LAN net.

Best practice is to create an alias for the network, like an alias 'trusted_networks' to which you add the LAN net, and in the firewall rule you replace the 'not LAN net' with 'not alias trusted_networks'.
That way, if you add another internal LAN2 to which the DMZ should not have access, you just add it to the alias trusted_networks and the DMZ will automagically not be able to access it.

The above rule would be the last rule in the list. And if you need a server in the DMZ to access a server in the LAN network, you add a rule above the aforementioned rule, e.g.

IPv4+6 TCP    'Some DMZ server IP'    *    'A backend Server in LAN'    80    *    *        Access Web Server in LAN
Deciso DEC740