HOWTO - Redirect all DNS Requests to Opnsense

[yeraycito]

Other configuration:   https://www.sunnyvalley.io/docs/network-security-tutorials/how-to-configure-opnsense-firewall-rules#1-allowing-only-specific-dns-servers

[RamSense]

i have those redirect and block rules operating.
I thing that zenarmor/semsei is operating before those firewall rules(?)

[ChrisChros]

Is someone else facing problems with DNS redirection an Google Nest mini?
My Google Home mini is working as expected with the redirecting rules but the Nest mini not. The Nest is not able to establish an internet connection and stops working.

I tried with port forward rule only as well a combination of outbound and port forward, no luck with the Nest mini.

Any suggestions to fix this problem?

UPDATE:
So I think I have it now.
I checked all my port forward rules and realized that NAT reflection was set to "Use system default", this has to be set to "Disabled".

[hushcoden]

I'm also trying to understand how this works and I have created the NAT-> port forward rule (attached) and the rule 1 has automatically been created.

The issue I have with my Google Chromecast is that it only works if I have rules 2 and 3, but my understanding was that I didn't need any addional rule, can someoen shed some light?

Tia.

[tiermutter]

Destination has to be negated ( ! ) as you want to redirect traffic whichs destination is NOT lanNet/ThisFirewall.

LAN    TCP/UDP    *    *    ! This Firewall    53 (DNS)    10.13.12.2    53 (DNS)    Redirect DNS to this Firewall
LAN    TCP/UDP    *    *    ! This Firewall    53 (DNS)    fd00:10:13:12::2    53 (DNS)    Redirect v6 DNS to this Firewall

[hushcoden]

@tiermutter
I guess you're referring to the port forward rule, right? In that case, it's been negated (see screenshot) - ! LAN address - or you mean something elese?

[tiermutter]

huh?! Sorry... watched the secreenshots on the smartphone, looks like I mixed up something.

I remember I had problems using loopback IP for redirect to, thats why I use the LAN interface IP instead.

[hushcoden]

Ah no worries, I will change the loopback address with the address of my firewall and will see if any better, will keep you posted.

Thanks.

[hushcoden]

Yes, after changing the loopback address also my Goolge chromcast is working 

[ChrisChros]

@hushcoden
Can you please share a picture of your now working rules.

[hushcoden]

Two attachments, one for the port forward and one for the LAN rule, which is automatically created.

[tiermutter]

Don't forget the rules for IPv6, if it's not disabled... 

[ChrisChros]

comprehension questions, what is the difference between "127.0.0.1" and "This Firewall"?

[tiermutter]

Im not really sure, but I think "this firewall" contains all interface IPs of the firewall. All client traffic passing the firewall will be destinated to this firewall / an interface IP or to another network, but can never be destinated to a loopback address.

[skyfighter]

Hi, many thanks for this HowTo, works flawlessly for me.
Would it be possible to add a similar Redirect rule for NTP service port 123 so that Opnsense NTP server will only be used?