17.1.5 no DNS access for VLANs

[interfaSys]

After the upgrade to 17.1.5, name resolution doesn't work for VLAN members.
Using the tools from the GUI, everything works fine.
The firewall is not blocking the outgoing requests, but it seems the answers never make it back.

VLAN define their own (external) nameservers
VLAN uses OpenVPN link as a gateway.
Nothing special in the logs.
All gateways and services up.
No proxy, no IDS.

What's the best way to debug this?

[franco]

I'm assuming a reboot you tried?
Were you on 17.1.4 prior to this or a lower version?
What does "own DNS" mean?


Cheers,
Franco

[interfaSys]

Yes, a reboot didn't fix it unfortunately. Everything looks green, so I'm not sure where to look for an answer.
This was an upgrade from 17.1.4.
"own DNS" means custom external nameservers are defined for the VLAN under "DNS servers" in DHCP server.

[mw01]

Have a similar problem and no VLAN trunk. 

Upgraded to 17.1.5 from 17.1.4 and lost VLAN traffic.  The VLAN trunk is on igb2.  Cannot access the gateway web interface or ssh but can ping the gateway. 

Can access the gateway web interface from the LAN on igb0.  The dashboard shows all interfaces green.

[soernt.poppe]

After update to 17.1.5 all VLAN Clients did not get the Standard-Gateway via the DHCP Server.

What fixes the issue for me: At the DHCP Server (for the VLAN) I entered in the Gateway IP-Adresse, restart the DHCP Server and did a ipconfig / renew at my windows clients.

I am allmost sure that was not need before the update.

Kind regards,
Sörnt

[mw01]

Tried Sörnt's solution - works for ipconfig /renew but I still cannot access the gateway web interface. Could be policy based rules for openvpn.

[roro]

Hello,
after update DNS not working properly anymore.
Situation.
On one nic there is the DNS server for internal network.
This worked perfect before update.

When I remove that DNS server (in system settings) and let WAN DHCP get the DNS servers.
DNS is working again and internet is possible.

Any solution?

================================

Some DIG output

with own DNS server (worked before upgrade)
seeu:~ # dig fox.be

; <<>> DiG 9.11.1 <<>> fox.be
;; global options: +cmd
;; connection timed out; no servers could be reached

========================
with given DNS-servers (wan dhcp).

seeu:~ # dig fox.be

; <<>> DiG 9.11.1 <<>> fox.be
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29808
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;fox.be.            IN   A

;; ANSWER SECTION:
fox.be.         300   IN   A   204.236.227.206

;; Query time: 310 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 29 19:15:53 CEST 2017
;; MSG SIZE  rcvd: 51

[mw01]

Good news - disabled floating rule to disable SSDP and everything works again with 17.1.5.  This version seems to need  SSDP.

[interfaSys]

Tried:
* adding the Gateway
* removing the DNS
* looking for a SSDP rul (does not exist)

Nothing worked. DNS requests never get an answer.

[djGrrr]

Please screencap the firewall rules page for one of the VLAN interfaces that is giving the problem.

[interfaSys]

I think I've found the problem. Seems like the firewall is not running despite what it says on the Diagnostics page.
The logs I was seeing were from just before the upgrade.
When restarting pf, I get a notification:
There were errors loading the rules: no IP address found for vlan2

So apparently, now the firewall is taken down when such an error is encountered.

vlan2's interface is disabled, so I don't know why the firewall should care though.

[roro]

Hello,
after upgrade to 17.1.6 DNS via VLAN works again for me.
Thanks.

[franco]

There were errors loading the rules: no IP address found for vlan2

Do you have an IP address configuration on VLAN2? Do you have rules that select the address or network of the VLAN?


Cheers,
Franco