Firewall rule inversion change broke DNS redirect NAT rule in 25.1.6

Started by bbin, May 09, 2025, 01:42:32 PM

I have DNS redirect rules set up for specific interfaces. It seems that the update to 25.1.6 ("firewall: prevent source/destination inversion when multiple nets are selected") is preventing the NAT redirect from triggering.


Thanks franco. I've created a bug report with a more accurate title (https://github.com/opnsense/core/issues/8619). Not clear on the root cause, but I can at least consistently replicate the changed behavior. Prior to 25.1.6 I was able to redirect DNS traffic destined to unapproved DNS servers to my pihole. After 25.1.6 the NAT rule isn't triggering and traffic to port 53 outbound to external servers is occurring.

Appears to have been user error on my part.

When using a NAT redirect rule back to pihole, the IP address tracked in pihole will be the opnsense IP. I did not have the opnsense IP in the client list for which adlists are being applied.

For anyone else using NAT redirect rules for DNS: if you are using a DNS filtering solution (pihole, adguard, etc.) and also using ACLs in the solution to control which devices have ad blocking applied, make sure the IP address for your opnsense device is added to the appropriate client lists in the DNS filter.

I've closed the ticket.
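The following is an added illustration of the failure mode described in this thread, not code from the poster, from OPNsense, or from Pi-hole. It models the two pieces involved: the DNS redirect, which (as the thread states) makes the filter see the firewall's own address as the querying client, and a group-based client list in the filter, which silently applies no blocking to a client that belongs to no group. The addresses, group names and blocked domain are constructed sample values, and the filter logic is a simplified stand-in for how Pi-hole/AdGuard evaluate client lists.

```python
# Added example: model a DNS NAT redirect plus a group-based DNS filter ACL,
# and audit the filter's client lists for the firewall's own address.
# All addresses and names below are constructed for the example.
from dataclasses import dataclass

FIREWALL_LAN_IP = "192.168.1.1"   # constructed: the OPNsense LAN address
PIHOLE_IP = "192.168.1.53"        # constructed: the filtering resolver
APPROVED_DNS = {PIHOLE_IP}        # destinations the redirect rule leaves alone


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def apply_dns_redirect(pkt: Packet) -> Packet:
    """Return the packet as the DNS filter receives it after the redirect.

    Only UDP/TCP port 53 traffic to a non-approved resolver is rewritten.
    Assumption taken from the thread (not from general pf semantics): once
    redirected, the filter records the firewall's address as the client.
    """
    if pkt.dport != 53 or pkt.dst in APPROVED_DNS:
        return pkt
    return Packet(src=FIREWALL_LAN_IP, dst=PIHOLE_IP, dport=53)


def filter_decision(pkt: Packet, client_lists: dict, blocked_domains: dict,
                    domain: str) -> str:
    """Decide what a group-based DNS filter does for `domain` from `pkt.src`.

    client_lists maps a group name to the client addresses it covers;
    blocked_domains maps a group name to the domains its adlists block.
    A client that is in no group gets no blocking at all, which is exactly
    what happens when the firewall address is missing from every list.
    """
    for group, members in client_lists.items():
        if pkt.src in members and domain in blocked_domains.get(group, set()):
            return "blocked"
    return "allowed"


def audit_client_lists(client_lists: dict, firewall_ip: str = FIREWALL_LAN_IP):
    """Return the names of groups that omit the firewall's own address."""
    return sorted(g for g, members in client_lists.items()
                  if firewall_ip not in members)


def demo() -> dict:
    """Run the misconfigured and corrected setups side by side."""
    query = Packet(src="192.168.1.20", dst="8.8.8.8", dport=53)  # constructed
    seen_by_filter = apply_dns_redirect(query)
    blocked = {"ad-block": {"ads.example"}}

    # Before: only the real client is in the list, so the redirected query
    # (now sourced from the firewall) matches no group and is answered.
    before = {"ad-block": {"192.168.1.20"}}
    # After: the firewall address is added, as the thread recommends.
    after = {"ad-block": {"192.168.1.20", FIREWALL_LAN_IP}}

    return {
        "client_seen_by_filter": seen_by_filter.src,
        "before": filter_decision(seen_by_filter, before, blocked, "ads.example"),
        "after": filter_decision(seen_by_filter, after, blocked, "ads.example"),
        "groups_missing_firewall_before": audit_client_lists(before),
        "groups_missing_firewall_after": audit_client_lists(after),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

`audit_client_lists` is the check worth keeping around: run it against whatever export of your filter's group membership you have, with your firewall's LAN address, before concluding that the NAT rule itself is broken.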