OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: interfaSys on April 26, 2017, 11:48:14 am

Title: 17.1.5 no DNS access for VLANs
Post by: interfaSys on April 26, 2017, 11:48:14 am
After the upgrade to 17.1.5, name resolution doesn't work for VLAN members.
Using the tools from the GUI, everything works fine.
The firewall is not blocking the outgoing requests, but it seems the answers never make it back.

VLAN define their own (external) nameservers
VLAN uses OpenVPN link as a gateway.
Nothing special in the logs.
All gateways and services up.
No proxy, no IDS.

What's the best way to debug this?
Title: Re: 17.1.5 no DNS access for VLANs
Post by: franco on April 26, 2017, 06:43:06 pm
I'm assuming you tried a reboot?
Were you on 17.1.4 prior to this or a lower version?
What does "own DNS" mean?


Cheers,
Franco
Title: Re: 17.1.5 no DNS access for VLANs
Post by: interfaSys on April 26, 2017, 07:42:54 pm
Yes, a reboot didn't fix it unfortunately. Everything looks green, so I'm not sure where to look for an answer.
This was an upgrade from 17.1.4.
"own DNS" means custom external nameservers are defined for the VLAN under "DNS servers" in DHCP server.
Title: Re: 17.1.5 no DNS access for VLANs
Post by: mw01 on April 28, 2017, 03:01:31 pm
Have a similar problem and no VLAN trunk.

Upgraded to 17.1.5 from 17.1.4 and lost VLAN traffic. The VLAN trunk is on igb2. Cannot access the gateway web interface or ssh but can ping the gateway.

Can access the gateway web interface from the LAN on igb0. The dashboard shows all interfaces green.
Title: Re: 17.1.5 no DNS access for VLANs
Post by: soernt.poppe on April 28, 2017, 07:04:26 pm
After the update to 17.1.5, all VLAN clients did not get the default gateway via the DHCP server.

What fixed the issue for me: at the DHCP server (for the VLAN) I entered the gateway IP address, restarted the DHCP server and did an ipconfig /renew on my Windows clients.

I am almost sure that was not needed before the update.

Kind regards,
Sörnt
Title: Re: 17.1.5 no DNS access for VLANs
Post by: mw01 on April 29, 2017, 01:36:53 am
Tried Sörnt's solution - works for ipconfig /renew but I still cannot access the gateway web interface. Could be policy based rules for openvpn.
Title: Re: 17.1.5 no DNS access for VLANs
Post by: roro on April 29, 2017, 07:20:18 pm
Hello,
after the update DNS is not working properly anymore.
Situation:
On one NIC there is the DNS server for the internal network.
This worked perfectly before the update.

When I remove that DNS server (in system settings) and let WAN DHCP get the DNS servers,
DNS is working again and internet is possible.

Any solution? :D

================================

Some DIG output

with own DNS server (worked before upgrade):
seeu:~ # dig fox.be

; <<>> DiG 9.11.1 <<>> fox.be
;; global options: +cmd
;; connection timed out; no servers could be reached

========================
with given DNS servers (WAN DHCP):

seeu:~ # dig fox.be

; <<>> DiG 9.11.1 <<>> fox.be
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29808
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;fox.be.            IN   A

;; ANSWER SECTION:
fox.be.         300   IN   A   204.236.227.206

;; Query time: 310 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 29 19:15:53 CEST 2017
;; MSG SIZE  rcvd: 51
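The two dig transcripts above show the two outcomes this thread keeps running into: no resolver reachable at all, versus a normal NOERROR answer. As an added example (not code from the thread or from OPNsense), the parser below turns a dig transcript into a small summary so the same check can be repeated from a host on each VLAN without eyeballing the output. The only inputs are the two transcripts quoted above, embedded here as constructed samples; the wording of the hints is mine.

```python
import re

# Constructed samples: the two dig transcripts quoted in the post above.
DIG_TIMEOUT = """\
; <<>> DiG 9.11.1 <<>> fox.be
;; global options: +cmd
;; connection timed out; no servers could be reached
"""

DIG_OK = """\
; <<>> DiG 9.11.1 <<>> fox.be
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29808
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;fox.be.            IN   A

;; ANSWER SECTION:
fox.be.         300   IN   A   204.236.227.206

;; Query time: 310 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 29 19:15:53 CEST 2017
;; MSG SIZE  rcvd: 51
"""


def parse_dig(output):
    """Summarise one dig transcript: reachability, rcode, answer RRs, server, latency."""
    result = {"reachable": True, "status": None, "answers": [],
              "server": None, "query_ms": None}
    # dig prints this single line (and nothing else useful) when every
    # configured resolver times out, as in the first transcript above.
    if "no servers could be reached" in output:
        result["reachable"] = False
        return result
    m = re.search(r"status:\s*([A-Z]+)", output)
    if m:
        result["status"] = m.group(1)
    m = re.search(r";; SERVER:\s*(\S+)", output)
    if m:
        result["server"] = m.group(1)
    m = re.search(r";; Query time:\s*(\d+) msec", output)
    if m:
        result["query_ms"] = int(m.group(1))
    # The answer section runs from its header to the next blank line;
    # each record is "name ttl class type data".
    in_answer = False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip():
                break
            fields = line.split(None, 4)
            if len(fields) == 5:
                result["answers"].append({"name": fields[0], "ttl": int(fields[1]),
                                          "class": fields[2], "type": fields[3],
                                          "data": fields[4]})
    return result


def diagnose(output):
    """Map a parsed transcript to the next thing worth checking on the firewall."""
    r = parse_dig(output)
    if not r["reachable"]:
        return ("no reply from any resolver: confirm the VLAN rule set really "
                "loaded (pf) and that replies route back over the same path")
    if r["status"] != "NOERROR":
        return "resolver reachable but returned %s" % r["status"]
    if not r["answers"]:
        return "NOERROR with no records: name exists but has no A record"
    return "ok: %s via %s in %d ms" % (r["answers"][0]["data"], r["server"], r["query_ms"])


if __name__ == "__main__":
    for sample in (DIG_TIMEOUT, DIG_OK):
        print(diagnose(sample))
```

Run it on a client in each VLAN with the real `dig` output piped in; a "reachable" result from the GUI tools next to an "unreachable" one from a VLAN host is exactly the split the first post describes.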
Title: Re: 17.1.5 no DNS access for VLANs
Post by: mw01 on April 30, 2017, 01:43:47 pm
Good news - disabled the floating rule that blocks SSDP and everything works again with 17.1.5. This version seems to need SSDP.
Title: Re: 17.1.5 no DNS access for VLANs
Post by: interfaSys on May 02, 2017, 09:54:40 am
Tried:
* adding the Gateway
* removing the DNS
* looking for an SSDP rule (does not exist)

Nothing worked. DNS requests never get an answer.
Title: Re: 17.1.5 no DNS access for VLANs
Post by: djGrrr on May 02, 2017, 03:54:18 pm
Please screencap the firewall rules page for one of the VLAN interfaces that is giving the problem.
Title: Re: 17.1.5 no DNS access for VLANs
Post by: interfaSys on May 02, 2017, 04:09:38 pm
I think I've found the problem. Seems like the firewall is not running despite what it says on the Diagnostics page.
The logs I was seeing were from just before the upgrade.
When restarting pf, I get a notification:
There were errors loading the rules: no IP address found for vlan2

So apparently, now the firewall is taken down when such an error is encountered.

vlan2's interface is disabled, so I don't know why the firewall should care though.
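The finding above is the important one for anyone debugging this: the dashboard reported the firewall as up while the rule set had in fact failed to load, and the only evidence was a notification when pf was restarted by hand. As an added example (not code from the thread or from OPNsense), the check below reads the output of `pfctl -s info` and of a dry-run rule load and reports whether pf is enabled, whether the rule set parsed, and which interfaces the error names. The sample outputs are constructed, modelled on pfctl's format and on the error quoted in the post; the rules path `/tmp/rules.debug` and the `pfctl -n -f` invocation are assumptions about how the rule set is checked on this platform.

```python
import re
import shutil
import subprocess

# Constructed samples modelled on pfctl output; not captured from the poster's box.
SAMPLE_STATUS_ENABLED = (
    "Status: Enabled for 3 days 04:12:01           Debug: Urgent\n"
    "\nState Table                          Total             Rate\n"
    "  current entries                      412\n"
)
SAMPLE_STATUS_DISABLED = "Status: Disabled for 0 days 00:05:10          Debug: Urgent\n"
SAMPLE_LOAD_CLEAN = ""
# The message in the first line is the one quoted in the post above.
SAMPLE_LOAD_FAILED = (
    "/tmp/rules.debug:57: no IP address found for vlan2\n"
    "pfctl: Syntax error in config file: pf rules not loaded\n"
)

RULES_PATH = "/tmp/rules.debug"  # assumed location of the generated rule set


def pf_health(status_output, load_output):
    """Combine 'pfctl -s info' and a dry-run load into one verdict."""
    enabled = status_output.lstrip().startswith("Status: Enabled")
    # Every interface pfctl could not resolve an address for, e.g. a rule that
    # references the address or network of an interface that is disabled.
    missing = re.findall(r"no IP address found for (\S+)", load_output)
    rules_loaded = ("pf rules not loaded" not in load_output) and not missing
    return {"enabled": enabled, "rules_loaded": rules_loaded,
            "interfaces_without_address": missing}


def explain(health):
    """Turn the verdict into the lines an operator wants to read."""
    lines = []
    if not health["enabled"]:
        lines.append("pf is DISABLED: traffic is not being filtered by the rule set")
    if not health["rules_loaded"]:
        lines.append("rule set did not parse; the running rules are stale or absent")
    for ifname in health["interfaces_without_address"]:
        lines.append("rule references %s but it has no address: remove the rule "
                     "or give the interface an address" % ifname)
    return lines or ["pf enabled and rule set loads cleanly"]


def collect_live(rules_path=RULES_PATH):
    """Run the real pfctl commands where available; returns None on other systems."""
    if shutil.which("pfctl") is None:
        return None
    status = subprocess.run(["pfctl", "-s", "info"],
                            capture_output=True, text=True).stdout
    load = subprocess.run(["pfctl", "-n", "-f", rules_path],
                          capture_output=True, text=True)
    return pf_health(status, load.stdout + load.stderr)


if __name__ == "__main__":
    live = collect_live()
    if live is None:
        live = pf_health(SAMPLE_STATUS_ENABLED, SAMPLE_LOAD_FAILED)
    for line in explain(live):
        print(line)
```

Running the dry-run load (`-n`) after every upgrade, rather than trusting the status widget, is what would have surfaced the "no IP address found for vlan2" error immediately instead of after several days of green dashboards.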
Title: Re: 17.1.5 no DNS access for VLANs
Post by: roro on May 06, 2017, 11:59:11 am
Hello,
after upgrade to 17.1.6 DNS via VLAN works again for me.
Thanks.
Title: Re: 17.1.5 no DNS access for VLANs
Post by: franco on May 08, 2017, 06:49:49 am
There were errors loading the rules: no IP address found for vlan2

Do you have an IP address configuration on VLAN2? Do you have rules that select the address or network of the VLAN?


Cheers,
Franco