HOWTO - Redirect all DNS Requests to Opnsense

Started by Cypher100, July 26, 2018, 03:16:37 AM

If I set it like yours, to allow destination 127.0.0.1 for dns and enter google.de into my browser, the browser fails to load the webpage. At the same time, I look into the live view, and I see that my client sends a dns request to 192.168.1.1 and gets blocked.
This is the fact that makes me suspicious and I therefore assume that 127.0.0.1 cannot be the correct destination under Rules>LAN.

Not under Rules > LAN.

NAT > Port Forward

Interface: XY (let's pick LAN)
Protocol: TCP/UDP
Source: any
Destination: any
Destination port: 53
Redirect address: 127.0.0.1
Firewall rule association: Pass
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I think the problem here is that I used the LAN interface as an example, which usually has default rules. Let's assume that I create a new interface. Then there are no rules under Rules>NEW. Everything is blocked per se. I can't even access the Internet. And if I now only create a forward port, with pass, then a client will not be able to connect to Unbound running on the FW. Or am I wrong?

So first I have to create a rule under Rules>NEW that allows a client to contact Unbound. And in this example, this is 192.168.10.1 and not 127.0.0.1, because on the one hand, I can see that the browser runs into a timeout with 127... and on the other hand, I can see it in the live logs, which show the connection from the client to 192.168.10.1 as blocked.

The port forward will allow the DNS request if configured as I wrote. But of course you will need at least an additional firewall rule to permit the browser to actually access the Internet after the DNS request has been answered and possibly - depending on your global NAT setup (automatic/hybrid/manual) also at least one outbound NAT rule.

How do I allow a single device to bypass the DNS redirect? I have AdGuard installed on my phone (192.168.68.118) and use a different set of lists than I do on my local AdGuard Home setup.

July 28, 2024, 08:12:31 PM #95 Last Edit: July 28, 2024, 08:24:46 PM by Patrick M. Hausen
If you have a port forward rule in place to direct your devices to AGH, then place one rule above that one, source "your phone", flag "do not redirect" set.

Or use the AGH UI  ;)

July 28, 2024, 10:17:28 PM #96 Last Edit: July 28, 2024, 10:20:55 PM by toodementianull
Quote from: Patrick M. Hausen on July 28, 2024, 08:12:31 PM
If you have a port forward rule in place to direct your devices to AGH, then place one rule above that one, source "your phone", flag "do not redirect" set.

Or use the AGH UI  ;)

Could you be slightly more specific please? I'm new to OpnSense coming from Asuswrt-Merlin and most of the options and descriptions are still foreign to me.

Show your DNS redirect rule, please.


What did you set as source, why are you using source invert, why is the rule disabled?

Please show your current working DNS redirect rule and then I can help you to exempt your phone. OTOH, as I also wrote, the AdGuard Home UI allows disabling filtering for individual clients - why not use that?

July 28, 2024, 10:51:30 PM #100 Last Edit: July 28, 2024, 10:56:25 PM by toodementianull
Quote from: Patrick M. Hausen on July 28, 2024, 10:37:42 PM
What did you set as source, why are you using source invert, why is the rule disabled?

Please show your current working DNS redirect rule and then I can help you to exempt your phone. OTOH, as I also wrote, the AdGuard Home UI allows disabling filtering for individual clients - why not use that?

I used this tutorial which is exactly what's posted in the OP of this thread.
https://homenetworkguy.com/how-to/redirect-all-dns-requests-to-local-dns-resolver/

The rule is disabled until I can figure out how to allow specific devices to bypass it. Why does that matter anyway? I showed you the full config of the rule. Works fine except that I need to be able to allow a device to bypass that rule. Should I have it set up differently?

Quote: AdGuard Home UI allows disabling filtering for individual clients - why not use that?

Because that does not solve the issue that I am having. I want to force all devices on LAN to use AGH. That's why I need the rule. But I don't want my phone to be forced to use AGH.

This rule cannot technically force all devices to use AGH - you have LAN net as destination instead of source, you have a source invert and you did not show your source setting, yet.

Please show all details of your rule.

July 28, 2024, 10:57:50 PM #102 Last Edit: July 28, 2024, 11:06:27 PM by toodementianull
I'm not following. I used the exact setup that's listed in the OP. I accidentally had LAN Net set for Destination. I changed that to LAN Address. I just need to know how to allow a device to bypass this rule.

Interface: LAN
Protocol: TCP/UDP
Destination / Invert: Checked
Destination: LAN address
Destination Port: DNS
Redirect target IP: 127.0.0.1
Redirect target port: DNS
NAT reflection: Disable

July 28, 2024, 11:06:32 PM #103 Last Edit: July 28, 2024, 11:08:47 PM by Patrick M. Hausen
What exactly is the source set to in that rule?

Since I am going to go to sleep now:

1. duplicate the rule
2. set source to "your phone" in the duplicate
3. tick the "No RDR" checkbox in the duplicate
4. make sure the duplicate is above the general redirect rule for all devices in the list

That should do it.
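The two rule recipes in this thread (the catch-all DNS port forward to 127.0.0.1 with destination "LAN address" inverted, and the per-device exemption with "No RDR" placed above it) depend entirely on pf's first-match evaluation of the port-forward list. The following is an added illustration, not OPNsense code and not from any poster: a small model of that evaluation, with made-up LAN addresses (192.168.10.0/24, a laptop, the phone to exempt, and a second LAN host that also answers DNS), showing why the exemption has to sit above the general rule and why "LAN net" as the inverted destination leaves a hole that "LAN address" does not.

```python
"""
Model of how the pf port-forward (rdr) rules discussed in this thread are
evaluated: rules are walked top to bottom, the first match wins, and a match
on a rule with "No RDR" ticked ends the search without translating the packet.
Added illustration only; it is not OPNsense code, and all addresses and host
roles below are assumed for the example.  It models NAT only: the separate
firewall pass rule the thread says is still needed is out of scope here.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed lab addressing.
LAN_NET = ip_network("192.168.10.0/24")
FIREWALL = ip_address("192.168.10.1")          # the firewall's own LAN address
LAN_ADDRESS = ip_network("192.168.10.1/32")    # same address as a /32 "network"
LAPTOP = ip_address("192.168.10.20")
PHONE = ip_address("192.168.10.118")           # device to exempt from the redirect
LAN_DNS_HOST = ip_address("192.168.10.50")     # some other LAN host answering DNS
PUBLIC_DNS = ip_address("8.8.8.8")
DNS_PORT = 53


@dataclass
class RdrRule:
    """One NAT > Port Forward entry, reduced to the fields that matter here."""
    name: str
    src: Optional[IPv4Address] = None          # None means "any"
    dst: Optional[IPv4Network] = None          # None means "any"
    dst_invert: bool = False                   # the "Destination / Invert" checkbox
    dst_port: int = DNS_PORT
    redirect_to: Optional[str] = None          # "Redirect target IP"
    no_rdr: bool = False                       # the "No RDR" checkbox

    def matches(self, src: IPv4Address, dst: IPv4Address, port: int) -> bool:
        if port != self.dst_port:
            return False
        if self.src is not None and src != self.src:
            return False
        dst_hit = True if self.dst is None else dst in self.dst
        return (not dst_hit) if self.dst_invert else dst_hit


def deliver_to(rules: List[RdrRule], src: IPv4Address, dst: IPv4Address,
               port: int = DNS_PORT) -> str:
    """Return the address a packet src -> dst:port is actually delivered to."""
    for rule in rules:
        if rule.matches(src, dst, port):
            if rule.no_rdr:
                return str(dst)              # explicit exemption: packet left untouched
            return rule.redirect_to
    return str(dst)                          # nothing matched: no translation


# The redirect rule from the thread: destination "LAN address", inverted, so any
# DNS query not aimed at the firewall itself lands on the local resolver.
REDIRECT_LAN_ADDRESS = RdrRule("redirect DNS", dst=LAN_ADDRESS, dst_invert=True,
                               redirect_to="127.0.0.1")
# The "LAN net" variant that was corrected in the thread.
REDIRECT_LAN_NET = RdrRule("redirect DNS (LAN net)", dst=LAN_NET, dst_invert=True,
                           redirect_to="127.0.0.1")
# The exemption: source = the phone, destination any, "No RDR" ticked.
PHONE_BYPASS = RdrRule("phone bypass", src=PHONE, no_rdr=True)

CORRECT_ORDER = [PHONE_BYPASS, REDIRECT_LAN_ADDRESS]   # exemption above the catch-all
WRONG_ORDER = [REDIRECT_LAN_ADDRESS, PHONE_BYPASS]     # exemption is never reached


if __name__ == "__main__":
    cases = [(LAPTOP, PUBLIC_DNS), (LAPTOP, LAN_DNS_HOST), (LAPTOP, FIREWALL),
             (PHONE, PUBLIC_DNS)]
    for label, rules in (("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER),
                         ("LAN net variant", [REDIRECT_LAN_NET])):
        print(f"--- {label}")
        for who, target in cases:
            print(f"{who} -> {target}:{DNS_PORT} delivered to {deliver_to(rules, who, target)}")
```

Running it shows the three points made in the thread: with the exemption above the catch-all, the laptop's queries to 8.8.8.8 (and to the other LAN host on port 53) are delivered to 127.0.0.1 while the phone's go out untouched; with the order reversed the phone is redirected like everything else, because the catch-all matches first; and with "LAN net" instead of "LAN address" as the inverted destination, a client can still reach any DNS server inside the LAN directly, which is the gap the "LAN address" form closes.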

Quote from: Patrick M. Hausen on July 28, 2024, 11:06:32 PM
What exactly is the source set to in that rule?

Since I am going to go to sleep now:

1. duplicate the rule
2. set source to "your phone" in the duplicate
3. tick the "No RDR" checkbox in the duplicate
4. make sure the duplicate is above the general redirect rule for all devices in the list

That should do it.

Source is set to any. I did not realize I had to hit the "Advanced" button to see the input box for source. I will try what you said. Thank you.