OPNsense – Miscellaneous Hints and Tips

Ping not working from WAN interface

This seemed really strange; in a test configuration, where the “WAN” connection for OPNsense was in fact an existing (but not OPNsense) packet-filtering firewall, the WAN interface was happily being allocated an IP address by DHCP but it wasn’t possible to get a ‘ping’ response from the next-hop Gateway. Looking at the packets on the network, it was clear the ICMP packets were indeed being sent – and responded to – but these replies were never being seen by the ‘ping’ command. As a consequence of ‘ping’ not working, the status monitoring on the WAN interface was failing, considering it to be always ‘down’ – and so not routing any traffic to it.

The solution came via this Reddit post, which says:

Check firewall > settings > advanced. Change the “reply-to on wan rules” to the opposite.

This is referring to the “Disable reply-to on WAN rules” tick-box, for which the additional help text says:

With Multi-WAN you generally want to ensure traffic leaves the same interface it arrives on, hence reply-to is added automatically by default. When using bridging, you must disable this behaviour if the WAN gateway IP is different from the gateway IP of the hosts behind the bridged interface.

The OPNsense manual page for this setting is here. It’s not clear how Bridging is related to this – there is a Bridge interface for one of the LAN VLANs; maybe the Tunable configuration settings required for that Bridge change the behaviour for the WAN interface too?

From some further reading, it seems the problem only manifests itself when the next-hop gateway is itself a packet-filtering firewall, so it might not be an issue in a more realistic deployment scenario.

There’s an in-depth discussion in this OPNsense Community posts: Reply-to on WAN by default is bogus

possible DNS-rebind attack detected:

Admittedly it’s a slightly unusual deployment scenario to have one DNS server running in the Outbuildings, referencing another DNS server running in the House – where both the House and the Outbuildings are using RFC1918 ‘private’ IP address ranges. One consequence of this deployment pattern is that the Outbuildings DNS server treats the receipt of an RFC1918 IP address from its upstream DNS server as a “possible DNS-rebind attack” – because dnsmasq is configured (by OPNsense) with stop-dns-rebind in its configuration file.

There’s certainly a requirement for the Outbuildings’ DNS server to return IP addresses for hostnames such as unifi (so UniFi network equipment knows where to find its Controller) which trigger the ‘rebind attack’ error if the response comes from the House’s DNS server.

One option is to add a duplicate, local entry for unifi to the Outbuildings’ DNS server, since that avoids triggering the error (because the entry is ‘local’) – but it means maintaining a duplicate entry on both DNS servers.

Another option is to use the rebind-domain-ok=/unifi/ dnsmasq configuration syntax to specify domain names which should be permitted RFC1918 addresses. Since this construct is not supported by OPNsense’s GUI for dnsmasq, such configuration lines need adding to a custom .conf file placed in directory /usr/local/etc/dnsmasq.conf.d/ While this works OK it’s a bit of a pain to have to maintain entries for all hosts in the House.

A third option is to not to specify stop-dns-rebind in the dnsmasq configuration file (and hence turn off rebind checking completely, for the Outbuildings’ DNS server) – but this line is automatically added to the main dnsmasq.conf file by OPNsense and there is no GUI option to remove it. It appears that the same result can be achieved by adding the following in a custom .conf file – which effectively says that ‘all hosts’ are rebind-domain-ok:

rebind-domain-ok=

A related point is that none of the DHCP host address reservations should have the ‘Local’ box ticked, since doing so declares the specified Domain will only be served by the local DNS server – and never forwarded upstream.

In the end, the all-round better solution turned out to be to centralise DHCP and DNS on the House firewall, using DHCP Relay settings on the local VLANs in the Outbuildings. A side-effect of this is that the DHCP leases returned by the House’s DHCP server automatically reference the House’s DNS server, so there’s only one DNS server that ever returns RFC1918 addresses.

TCP Session Timeout

Kept noticing packets tripping the “Default deny / state violation rule” when on inspection they belonged to legitimate traffic – so they were clearly failing on the ‘state’ element of the check.

There’s an Advanced Setting for the Firewall of “Firewall Optimization” which is “Normal” by default; changing this to “Conservative” seems to be helping to avoid this traffic being blocked unnecessarily.

CC BY-SA 4.0 OPNsense – Miscellaneous Hints and Tips by Marsh Flatts Farm Self Build Diary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.