Gateway Group for Unbound?

  • Banned

    I seem to remember seeing somewhere that there are a lot of implicit rules in pfSense that don't show up in the GUI (at least by default) in order to let many services work without configuration (DHCP, etc).

    EDIT: The rules found at https://hostname.domain:port/status.php#FirewallGeneratedRuleset

    I was wondering if there was a way to edit these rules, specifically in order to apply a gateway group to Unbound.

    I know that I can select the outbound interfaces for Unbound, but I'm not sure how that works (how does it decide which interface to use when >1 is selected?).

    I would like to have a gateway group for Unbound to push all DNS requests out through VPN but with a failover to WAN if the VPN goes down:
    VPN1 = Tier 1
    VPN2 = Tier 1
    WAN = Tier 2

    Is this possible in some way?

  • You can't use gateway groups on pfSense locally generated traffic such as outgoing DNS traffic from Unbound; it doesn't work because the traffic never enters an interface where it could be tagged for alternate routing. Only the default routing table is used for pfSense locally generated traffic.

    The outgoing interfaces option in Unbound is just an interface-by-interface on/off switch for whether to use the interface at all for outgoing traffic; it doesn't allow any redirection of DNS queries, they will still follow the system routing table.

  • Banned

    Well, that's too bad. Thank you for your response!

    Any chance of getting more control of pfSense generated traffic in the future?

  • Not in the foreseeable future; it's a limitation of the FreeBSD OS that prevents redirection of traffic that is already marked as going out via a specific network interface.

  • Banned

    I see, thank you again!

  • Banned

    Would it be feasible to write a script that could change this?

    Something along the lines of checking the status of specific gateways, and if x gateway is down then change the unbound.conf file to y interface. Then run this on cron every minute?

    I don't know how to do it myself, but was wondering if it was possible, and if possible would it be overly time intensive or complicated?

  • Won't work because unbound.conf doesn't actually tell the daemon how to route the outgoing traffic unless it's a domain specific override with a set authoritative server for the domain. Any non-specific outgoing traffic is still going to follow the system's routing table.

    Edit: It's actually worse: regardless of how you set up Unbound, it's still going to use only the system routing table. The use of the outgoing interface option in Unbound is a bit dubious in pfSense/FreeBSD; it's possible that it actually does something on other operating systems, but I can't come up with a working example for pfSense/FreeBSD where the options would have any effect. Maybe the options are for complex setups where you want to avoid sending the queries over a certain link.

  • Just use a floating rule:
    Quick [v]
    Interface WAN
    Direction Out
    Proto tcp/udp
    Destination port 53
    Gateway - Your port group.

  • Banned

    Really? Quick rules are evaluated before hidden rules?

  • I can't say for sure, but it definitely works: I have a setup where all outbound DNS queries from pfSense itself are forwarded through specific gateway, with no forwarders configured.
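    One way to check the ordering question raised above on a live box is to read the loaded ruleset with `pfctl -sr` (pf prints rules in evaluation order) and see whether the policy-routed DNS rule sits ahead of the generated let-out rules. This is an added example, not something posted in the thread; the sample rule text, interface names, gateway addresses and labels are constructed assumptions.

```shell
#!/bin/sh
# Added example: inspect `pfctl -sr` output to see which "pass out" rule
# matches DNS first. With "quick" rules the first match wins, so the
# floating DNS rule only takes effect if it precedes the generated rules.
# SAMPLE_RULES is constructed; on a real box use: pfctl -sr
SAMPLE_RULES='pass out quick on em0 route-to { (ovpnc1 10.8.0.1), (ovpnc2 10.9.0.1) } round-robin inet proto udp from any to any port = domain keep state label "USER_RULE: DNS via VPN group"
pass out quick on em0 route-to { (ovpnc1 10.8.0.1), (ovpnc2 10.9.0.1) } round-robin inet proto tcp from any to any port = domain flags S/SA keep state label "USER_RULE: DNS via VPN group"
pass out on em0 inet all flags S/SA keep state label "let out anything from firewall host itself"
pass out on ovpnc1 inet all flags S/SA keep state label "let out anything from firewall host itself"'

# Print, in ruleset order, every outbound rule that could match a DNS query:
# rules naming port 53 (pfctl may print it as "domain") and the generated
# "all" rules that match any traffic from the firewall itself.
dns_candidate_rules() {
    printf '%s\n' "$1" | awk '
        /^pass out/ && (/port = domain/ || /port = 53/ || / all /) { print }'
}

# Print the first candidate rule; return 0 if it carries route-to (the
# policy-routed DNS rule wins), 1 if a generic rule is hit first.
first_dns_rule_is_policy_routed() {
    first=$(dns_candidate_rules "$1" | head -n 1)
    printf '%s\n' "$first"
    case "$first" in
        *route-to*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage on the constructed sample: the route-to rule is listed first.
first_dns_rule_is_policy_routed "$SAMPLE_RULES"
```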

  • Banned

    Hmmm, I tried that and set it to log, but the traffic just goes out of the interfaces I have set in Unbound.
