Text only | Text with Images

OPNsense Forum

Archive => 23.7 Legacy Series => Topic started by: maik3k on December 21, 2023, 04:38:11 PM

Title: Unbound needs Outgoing Network Interfaces set to resolve AAAA via IPv6
Post by: maik3k on December 21, 2023, 04:38:11 PM
Hello,

I am using OPNsense 23.7.10_1-amd64 and have a strange problem with Unbound. If I have set Unbound => General => Outgoing Network Interfaces to ALL (the default), I get a timeout from Unbound with the following query:
Code Select
dig -t AAAA aaaa.v6ns.test-ipv6.com

; <<>> DiG 9.10.6 <<>> @10.1.1.1 -t AAAA aaaa.v6ns.test-ipv6.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

However, if I only add LAN to the Outgoing Network Interfaces, the query is resolved correctly:
Code Select
dig -t AAAA aaaa.v6ns.test-ipv6.com

; <<>> DiG 9.10.6 <<>> @10.1.1.1 -t AAAA aaaa.v6ns.test-ipv6.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47182
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;aaaa.v6ns.test-ipv6.com. IN AAAA

;; ANSWER SECTION:
aaaa.v6ns.test-ipv6.com. 300 IN AAAA 2001:470:1:18::115

;; Query time: 331 msec
;; SERVER: 10.1.1.1#53(10.1.1.1)
;; WHEN: Thu Dec 21 16:28:04 CET 2023
;; MSG SIZE  rcvd: 80


I get a dynamic IPv4 and a dynamic /59 subnet from my provider. IPv6 generally works. How can I find out what is going wrong?
Title: Re: Unbound needs Outgoing Network Interfaces set to resolve AAAA via IPv6
Post by: Maurice on December 21, 2023, 07:50:06 PM
Your primary IPv6 WAN address might be unroutable (this is unrelated to the /59 delegated prefix and IPv6 Internet access from the LAN).

Can you ping anything on the Internet from OPNsense when setting the source address to the primary WAN address?

Cheers
Maurice
Title: Re: Unbound needs Outgoing Network Interfaces set to resolve AAAA via IPv6
Post by: maik3k on December 21, 2023, 08:08:34 PM
Thank you for your answer. Unfortunately, that is not the reason. I can ping from the OPNSense via the WAN IP:
Code Select
ping -S MY_WAN_IPV6 www.google.de
PING6(56=40+8+8 bytes) MY_WAN_IPV6 --> 2a00:1450:400e:805::2003
16 bytes from 2a00:1450:400e:805::2003, icmp_seq=0 hlim=118 time=37.263 ms
16 bytes from 2a00:1450:400e:805::2003, icmp_seq=1 hlim=118 time=19.277 ms
16 bytes from 2a00:1450:400e:805::2003, icmp_seq=2 hlim=118 time=17.602 ms
16 bytes from 2a00:1450:400e:805::2003, icmp_seq=3 hlim=118 time=38.381 ms
What else could it be? It must be some kind of setting. I quickly set up an OPNSense from scratch on another system and connected it to the same modem. The problem does not occur there.
Title: Re: Unbound needs Outgoing Network Interfaces set to resolve AAAA via IPv6
Post by: Maurice on December 21, 2023, 11:38:32 PM
Well, I guess I'd perform a packet capture on both systems and look for differences.
Title: Re: Unbound needs Outgoing Network Interfaces set to resolve AAAA via IPv6
Post by: maik3k on December 22, 2023, 12:28:54 PM
I have actually found my problem. It is due to a buffer bloat fix that I took from this website (https://maltechx.de/en/2021/03/opnsense-setup-traffic-shaping-and-reduce-bufferbloat/ (https://maltechx.de/en/2021/03/opnsense-setup-traffic-shaping-and-reduce-bufferbloat/)). If I deactivate the rules, Unbound works again with IPv6 NS querys. But I don't understand the reason for this at all.
Text only | Text with Images