Odd Behavior with DNS Port Forward

Started by rman50, April 04, 2025, 09:06:17 PM

I recently upgraded my OPNsense firewall hardware that I had been running for 5+ years and I am running into a weird issue with DNS port forwarding that I didn't see on my previous appliance. I am running Adguard Home via the repository and I configured port forwarding for TCP/UDP 53 to 127.0.0.1. It works fine but I have a few IoT devices that are sending parallel DNS requests to the firewall LAN address (DHCP DNS address), 8.8.8.8 and 1.1.1.1. Most of the time 2 of 3 requests are responded to and the third one is dropped. In the firewall log I see a block for the port forward PASS rule (if I change to an associated rule I see a drop for that). I checked the Adguard Home logs and I don't see the third request. I never had this issue with my previous appliance so I am trying to figure out what could be different (other than the system being faster). I have done packet captures for those devices and can see the 3 DNS requests hitting the firewall and one will be flagged with DNS response missing. Is there anything that can be tweaked to handle simultaneous UDP DNS port forwards from the same client to 2 different destinations? This is more of a cosmetic issue since the client always gets at least 2 responses and nothing breaks. But getting a block for a PASS rule in the log is annoying.

https://forum.opnsense.org/index.php?topic=45801.0 ?

There have been a few reports of BLOCK log entries corresponding to allow rules, but I believe this is the main thread.

Thanks for pointing out that thread. This makes a lot more sense now with the timing of releases. I don't think I had upgraded my old appliance to 25.1.1 since I was planning on replacing it. That would explain why I never saw this issue before on the old appliance. I built the new appliance with the current release of 25.1 in mid March and noticed the issue immediately.

25.1.5 fixed the problem of pass rules logging blocks. But it still looks like pf is having issues with port forwarding parallel DNS or NTP UDP requests for the same client to different destinations. When my Ring wired floodlight cam sends 3 UDP DNS requests in parallel most of the time only 2 of the 3 are answered (one is always my local DNS server and the other is one of the two port forwards). I can confirm the issue with packet captures, Adguard Home logging and NTOPNG DNS Request vs Reply Ratio.

No clue how long this issue has been going on. I only started noticing the problem because of the pass rule block logging that started with 25.1.1. My DNS port forward is to Adguard Home running on the appliance and my NTP port forward is to Chrony also running on the appliance. Luckily this doesn't stop anything from working since the client does get several DNS or NTP responses back, just not all of them.

Are there any limitations with pf on parallel UDP port forwards from the same client to different destinations?

If there is any additional information I can provide, please let me know.

FWIW, I'm no expert here.
I have one question though: can all requests be distinguished from one another?

By the time the request hits the server, the destination will have been rewritten.
If 2 of the requests end up looking identical, I wonder if some deduplication logic is triggered.
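As an added illustration of that question (not code from the thread, OPNsense or pf), here is a toy model of a NAT state table that keys each state on both its pre-translation (wire-side) and post-translation (stack-side) tuple and rejects a new state when either key is already taken. The addresses, the port forward target 127.0.0.1:53, and the assumption that the client sends all three queries from one UDP source port are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample addressing (assumptions for the illustration, not from the thread)
CLIENT = "192.168.1.50"
FW_LAN = "192.168.1.1"                    # LAN address handed out as DNS server
RDR_TARGET = ("127.0.0.1", 53)            # DNS port forward target on the firewall
RDR_DESTS = {"8.8.8.8", "1.1.1.1"}         # destinations the port forward matches


@dataclass(frozen=True)
class Flow:
    """One UDP 4-tuple; a state key in this model."""
    src: str
    sport: int
    dst: str
    dport: int


def translate(flow: Flow) -> Flow:
    """Apply the DNS port forward: rewrite the destination for matched targets."""
    if flow.dst in RDR_DESTS and flow.dport == 53:
        return Flow(flow.src, flow.sport, *RDR_TARGET)
    return flow


class StateTable:
    """State is reachable by its wire-side and stack-side key. Insertion fails
    if either key already exists (the collision the last post speculates about)."""
    def __init__(self):
        self.wire = {}
        self.stack = {}

    def insert(self, flow: Flow) -> bool:
        post = translate(flow)
        if flow in self.wire or post in self.stack:
            return False                      # collision: packet dropped, no state
        self.wire[flow] = self.stack[post] = (flow, post)
        return True


def simulate(dests, same_source_port=True):
    """Map each queried destination to whether its query got a state (was answered)."""
    table = StateTable()
    results = {}
    for i, dst in enumerate(dests):
        sport = 40000 if same_source_port else 40000 + i
        results[dst] = table.insert(Flow(CLIENT, sport, dst, 53))
    return results
```

If this model matches what is happening, the packet capture should show the unanswered query sharing its UDP source port with the answered port-forwarded one, while queries sent from distinct source ports all get states.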