Is ChatGPT correct about the firewall setup?

Started by lorem, January 10, 2026, 03:33:07 AM

I have been using ChatGPT for two weeks to try to set up my firewall. I am checking if what ChatGPT says is correct.

I want a VLAN going to a WireGuard VPN gateway and a backup VLAN going to the WAN gateway. I want the VPN VLAN traffic to use the VPN tunnel DNS server and the non-VPN VLAN traffic to use Unbound through the WAN. After working with ChatGPT it has come to the conclusion that I have two choices.

1. Use Unbound through the WAN for all DNS requests.

2. Use the VPN DNS server for all DNS requests. Accept that the non-VPN LAN would stop working if the VPN went down. This negates the purpose of the backup VLAN.

Is this true or is there a way to get what I want?


January 10, 2026, 10:04:15 AM #1 Last Edit: January 10, 2026, 11:00:22 AM by OPNenthu
I think this is nuanced and there are multiple ways you could possibly configure the network, but here's one idea.  Some VPN providers offer a standalone public DNS service.  You could configure Unbound as a DoT forwarder to that upstream so that it always sends encrypted DNS requests to the VPN provider whether you are using the tunnel or not.

Here's the info for Mullvad, for instance: https://mullvad.net/en/help/dns-over-https-and-dns-over-tls

This is an option only if you are OK with your VPN provider getting to know all your DNS requests and if you find the latency acceptable.

I already have an encrypted DNS service for the non-VPN VLAN so using Mullvad DNS would not improve the situation. I still want all VPN network traffic to only go through the VPN gateway (which is the normal case).

If the VPN network goes down I want to be able to plug a laptop into the non-VPN port and have it work.

I want to know if I am forced to send all networks' DNS through either the VPN gateway or not the VPN gateway.

Quote from: lorem on January 10, 2026, 03:33:07 AM
I want the VPN VLAN traffic to use the VPN tunnel DNS server
So the VPN provider gives you a DNS server to use?
If so you can either just configure the VLAN clients to use it for DNS resolution (also via DHCP) or simply redirect all DNS traffic to it. The latter only works with unencrypted DNS; however, this shouldn't matter here.
In both cases you need to route the DNS traffic to the VPN server, of course, and in both the clients are not able to resolve local host names.

But I cannot think of any possibility to route Unbound upstream requests for one VLAN over the VPN, while the other traffic goes to WAN.

Quote from: lorem on January 10, 2026, 11:51:51 AM
I already have an encrypted DNS service for the non-VPN VLAN so using Mullvad DNS would not improve the situation.

That depends.  The encryption is necessary, but it's not the point.  It's about who gets the data.

The reason to keep your DNS queries with your VPN provider (not necessarily Mullvad, that was just one example/option) is because presumably you have a reputable VPN that has a no-logs policy and you want to keep all your traffic with the same entity.  This would of course improve the privacy posture over a public DoT like Cloudflare, Google, etc.

You'd have to check if your VPN provider has an encrypted DNS and what its policies are.

--

Another option to look into is keeping a separate DNS, like a PiHole, for the VPN network.  You could forward the traffic from the PiHole to the VPN server and you could configure the PiHole to forward queries for local zones to Unbound so you preserve local hostname resolution (and also don't leak them upstream).  I haven't tried this setup and I understand people have had some complications with local zone forwarding in PiHole.

Unfortunately no easy way to do this all within OPNsense itself without some compromises as @viragomann pointed out, but I hope if anyone's figured it out they will enlighten me as well.
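To make the "Unbound as a DoT forwarder to the VPN provider" idea from #1 concrete, and to show how local host names can still be answered locally rather than leaking upstream (the concern raised in the last two posts), here is an added unbound.conf fragment. It is example configuration, not anything from the thread or from OPNsense itself; the VPN VLAN subnet, the local zone name, the upstream IP and the upstream's TLS hostname are placeholders that must be replaced with the values your provider publishes (Mullvad's are on the help page linked above).

```conf
server:
    # Placeholder: the VPN VLAN that is allowed to query this resolver.
    access-control: 10.20.0.0/24 allow
    # CA bundle used to validate the DoT upstream's certificate (path is an assumption;
    # adjust to where your system keeps its trust store).
    tls-cert-bundle: /etc/ssl/cert.pem

    # Local zone is served from here and is never sent upstream, so local names
    # keep resolving and the VPN provider does not see them.
    local-zone: "home.arpa." static
    local-data: "nas.home.arpa. A 10.20.0.5"
    local-data-ptr: "10.20.0.5 nas.home.arpa"
    private-domain: "home.arpa"

# WEAK (for contrast, do not use): plain UDP/TCP to the provider, visible to anyone on the WAN path.
#forward-zone:
#    name: "."
#    forward-addr: 192.0.2.53

# HARDENED: everything outside the local zone goes to the provider over DNS-over-TLS,
# whether or not the WireGuard tunnel is up. forward-first: no means Unbound does NOT
# fall back to plain recursion if the DoT upstream is unreachable, so a provider outage
# fails closed instead of silently resolving through a different path.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-first: no
    forward-addr: 192.0.2.53@853#dns.vpn-provider.example
```

Run `unbound-checkconf` on the resulting file before reloading; on OPNsense the equivalent settings are normally entered through the Unbound GUI rather than by editing the generated file directly.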