OpnSense + NextDNS + 2 VLAN configs = not working

I'm having an issue putting a separate config on the "kids" vlan. 

I'm *NOT* using unbound DNS. I'm using the CLI version, since I want the kid VLAN to filter separately. I have a general config for normal use, and then a config for the kids VLAN set up in NextDNS. I've set up both VLANs in OpnSense with their correct DNS settings and scope.

 

192.168.1.1/24 = main data VLAN

192.168.10.1/24 = Kid VLAN

 

In my OpnSense SSH session, I can test if the appropriate filters work correctly - and they do. 192.168.1.1 should be open/unblocked, and 192.168.10.1 should be blocked. It works just fine via command:

root@OPNsense:~ # drill pornhub.com @192.168.1.1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 15977
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; pornhub.com. IN      A

;; ANSWER SECTION:
pornhub.com.    5       IN      A       66.254.114.41

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 44 msec
;; SERVER: 192.168.1.1
;; WHEN: Fri Nov 24 16:57:16 2023
;; MSG SIZE  rcvd: 45
root@OPNsense:~ # drill pornhub.com @192.168.10.1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 9039
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; pornhub.com. IN      A

;; ANSWER SECTION:
pornhub.com.    5       IN      A       0.0.0.0

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 17 msec
;; SERVER: 192.168.10.1
;; WHEN: Fri Nov 24 16:57:20 2023
;; MSG SIZE  rcvd: 45

 

However, on my NextDNS setup, the "Kid VLAN" page shows this error, that it's currently using the main config:

This device is using NextDNS with another profile. This device is currently using "Main DNS (VLAN1)".

 

NextDNS config:

report-client-info true
discovery-dns
mdns all
hardened-privacy false
bogus-priv true
use-hosts true
timeout 5s
max-ttl 5s
setup-router false
control /var/run/nextdns.sock
profile 192.168.10.0/24=ba2538
profile 192.168.1.0/24=c99b8c
max-inflight-requests 256
auto-activate true
debug false
log-queries false
cache-size 10MB
cache-max-age 0s
detect-captive-portals false
listen localhost:53
listen 192.168.1.1:53
listen 192.168.10.1:53

Any ideas? I've been trying one thing after another, and it just seems like it's set up correctly - but for some reason OpnSense isn't passing through the VLAN10 traffic correctly?
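As an added example that is not part of the original post or of the NextDNS project's code, the script below applies the `profile <cidr>=<id>` rules from the poster's config the way the NextDNS CLI selects a profile (by the client's source address, longest matching prefix) and reports which profile clients behind each `listen` interface should land on. It handles CIDR conditions only (the CLI also accepts other condition types, which this example does not model), and the client addresses it tests with are constructed.

```python
"""
Constructed example: map client source addresses to NextDNS profiles
using the 'profile <cidr>=<id>' rules from the poster's nextdns.conf.

NextDNS CLI picks a profile from the *source IP* of the incoming query.
If queries from the kids VLAN reach the resolver with a source address
outside 192.168.10.0/24 (for example after being relayed), they are
matched against a different rule and land on the wrong profile. This
check makes that expectation explicit per listening interface.
Only CIDR conditions are handled here (an assumption for this example).
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Copied from the thread (the poster's config).
NEXTDNS_CONF = """\
report-client-info true
discovery-dns
mdns all
hardened-privacy false
bogus-priv true
use-hosts true
timeout 5s
max-ttl 5s
setup-router false
control /var/run/nextdns.sock
profile 192.168.10.0/24=ba2538
profile 192.168.1.0/24=c99b8c
max-inflight-requests 256
auto-activate true
debug false
log-queries false
cache-size 10MB
cache-max-age 0s
detect-captive-portals false
listen localhost:53
listen 192.168.1.1:53
listen 192.168.10.1:53
"""

Rule = Tuple[ipaddress.IPv4Network, str]


def parse_profiles(conf: str) -> List[Rule]:
    """Return (network, profile_id) pairs from 'profile <cidr>=<id>' lines,
    sorted longest prefix first so a /24 wins over an overlapping /16."""
    rules: List[Rule] = []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "profile" and "=" in parts[1]:
            cond, profile_id = parts[1].split("=", 1)
            try:
                net = ipaddress.ip_network(cond, strict=False)
            except ValueError:
                continue  # MAC or hostname condition: not modelled here
            rules.append((net, profile_id))
    rules.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return rules


def profile_for_client(client_ip: str, rules: List[Rule]) -> Optional[str]:
    """Profile the CLI would apply to a query arriving from client_ip.
    None means no conditional rule matched (the CLI falls back to an
    unconditioned 'profile <id>' line, which this config does not have)."""
    addr = ipaddress.ip_address(client_ip)
    for net, profile_id in rules:
        if addr in net:
            return profile_id
    return None


def listen_addresses(conf: str) -> List[str]:
    """IP literals from 'listen <host>:<port>' lines; non-IP hosts such as
    'localhost' are skipped because they have no subnet to check."""
    addrs = []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "listen":
            host = parts[1].rsplit(":", 1)[0].strip("[]")
            try:
                addrs.append(str(ipaddress.ip_address(host)))
            except ValueError:
                continue
    return addrs


def expected_profile_per_listener(conf: str) -> Dict[str, Optional[str]]:
    """For each listening interface address, the profile a client on the
    same subnet should receive (the interface IP is used as a stand-in
    for a client on that VLAN)."""
    rules = parse_profiles(conf)
    return {ip: profile_for_client(ip, rules) for ip in listen_addresses(conf)}


if __name__ == "__main__":
    rules = parse_profiles(NEXTDNS_CONF)
    # Constructed client addresses, one per VLAN plus an unmatched one.
    for client in ("192.168.1.20", "192.168.10.55", "10.0.0.5"):
        print(f"{client:15} -> {profile_for_client(client, rules)}")
    print(expected_profile_per_listener(NEXTDNS_CONF))
```

Running it against the poster's config shows 192.168.10.1 mapping to ba2538 and 192.168.1.1 to c99b8c, which is what the drill output in the post confirms. A kids-VLAN client that the NextDNS "This device is using another profile" page reports as being on the main profile is therefore presenting a source address that falls in 192.168.1.0/24 when its queries arrive, which is the direction R_P_M's question and the final fix point to.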

4 replies

    • Sean_Figg
    • 5 mths ago

    Not sure why it didn't paste properly:

    report-client-info true
    discovery-dns
    mdns all
    hardened-privacy false
    bogus-priv true
    use-hosts true
    timeout 5s
    max-ttl 5s
    setup-router false
    control /var/run/nextdns.sock
    profile 192.168.10.0/24=ba2538
    profile 192.168.1.0/24=c99b8c
    max-inflight-requests 256
    auto-activate true
    debug false
    log-queries false
    cache-size 10MB
    cache-max-age 0s
    detect-captive-portals false
    listen localhost:53
    listen 192.168.1.1:53
    listen 192.168.10.1:53
    
    
      • R_P_M
      • 5 mths ago

       It looks correct from the CLI point of view. What dns IP is the Kids VLAN being served with? Maybe it’s getting 1.1 instead of 10.1?

      • Philippe_Tremblay
      • 4 mths ago

       

      Did you ever figure this out? 

      I'm struggling with a similar issue with my pfSense setup. No matter what, the Kids VLAN always reports being set to the main NextDNS profile ID.

    • Sean_Figg
    • 4 mths ago

    Sorry for the late follow-up on this. I ended up getting it working - turns out I had the VLAN interface config on my Cisco switch set with some IP Helpers that I had added while doing some troubleshooting. Once I cleared the config, it worked just fine.
