OPNsense Forum
Archive => 18.7 Legacy Series => Topic started by: Luna on August 03, 2018, 01:34:14 am
-
Hi all,
I have used OPNsense for quite some time now (actually since it forked), and it has always been stable. The updates especially were always perfect: nothing broke and everything kept working as intended. Unfortunately, since 18.7 there have been problems.
DNS didn't seem to work right after the upgrade, but we also can't use ping in the LAN anymore, and some Linux servers can't update anymore.
I used dnsmasq before, but disabled it since DNS didn't work at all with it. I have now switched to Unbound, which does seem to work. But the thing is: we still can't use ping (I had hoped both problems would be fixed). I can't ping private or public IP addresses, and to make it worse, it's also impossible to ping the router itself from a connected device.
I searched quite a bit on the internet, but couldn't find problems that looked exactly like this one. I see there are quite a few problems with 18.7, but I haven't found the same problem (though I could have missed it).
I am no networking or DNS specialist, so I would love to have some help with this problem. Any pointers or ideas on where I can start looking for the ping problem?
By the way: although DNS seems to work, I still don't feel that DNS is completely stable, but I need more time tomorrow to check whether that is true.
-
To fix dnsmasq after the upgrade from 18.1 to 18.7:
Services --> Dnsmasq DNS --> Settings. Change 'Interfaces' from 'ALL' to 'LAN'.
With 'ALL' you will see a message in the log about not being able to listen on 127.0.0.1, and DNS won't work. Local hosts won't resolve either because of the lack of DNS. Yes, it took me a long while to find. I suspect this could be a bug?
Unbound also worked for me. I think it uses the root DNS servers though, and I prefer to use my ISP's DNS servers, because they point to local caches for Netflix etc.
-
> To fix dnsmasq after the upgrade from 18.1 to 18.7:
> Services --> Dnsmasq DNS --> Settings. Change 'Interfaces' from 'ALL' to 'LAN'.
> With 'ALL' you will see a message in the log about not being able to listen on 127.0.0.1, and DNS won't work. Local hosts won't resolve either because of the lack of DNS. Yes, it took me a long while to find. I suspect this could be a bug?
> Unbound also worked for me. I think it uses the root DNS servers though, and I prefer to use my ISP's DNS servers, because they point to local caches for Netflix etc.
Hi, and thanks for your response. I already have Unbound DNS working. The problem that persists is that no device is able to ping, not even the router. Do you have any idea how I can troubleshoot that? I don't know if this problem is linked to the DNS issues from before; it might as well be a standalone issue.
-
Do you have any specific LAN firewall rule applied? I.e. the default LAN rule should look something like this...
Proto    Source    Port  Destination  Port  Gateway  Schedule  Description
IPv4 *   LAN net   *     *            *     *                  Default allow LAN to any rule
-
> Do you have any specific LAN firewall rule applied? I.e. the default LAN rule should look something like this...
> Proto    Source    Port  Destination  Port  Gateway  Schedule  Description
> IPv4 *   LAN net   *     *            *     *                  Default allow LAN to any rule
I do have that rule indeed, see the attachment. Can I provide other information that would be helpful in pinpointing this problem?
-
When you are pinging, have you monitored the firewall logs to see if anything is being blocked? Firewall / Log Files / Live View. Are you trying to ping by name or by IP address?
-
Actually, looking at your rule, you have TCP/UDP under Protocol instead of ANY. That doesn't allow ICMP; try setting it to ANY instead and see if that helps...
-
> When you are pinging, have you monitored the firewall logs to see if anything is being blocked? Firewall / Log Files / Live View. Are you trying to ping by name or by IP address?
That was an excellent suggestion! I couldn't imagine that it was the firewall, since it had always worked perfectly. But clearly that was a wrong assumption.
__timestamp__ Aug 3 14:13:34
action block
anchorname
dir in
dst 8.8.8.8
ecn
id 19016
interface igb1
ipflags none
label Default deny rule
length 60
offset 0
proto 1
protoname icmp
reason match
ridentifier 0
rulenr 9
src 10.0.255.1
subrulenr
tos 0x0
ttl 128
version 4
> Actually, looking at your rule, you have TCP/UDP under Protocol instead of ANY. That doesn't allow ICMP; try setting it to ANY instead and see if that helps...
I added 'any' and it works perfectly now. But then I still don't understand how this was changed. I was always able to ping; we did it daily here to troubleshoot systems and such.
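To make the cause concrete, here is an added example (not from this thread or from the OPNsense code base) that replays the blocked packet from the Live View entry above against a simplified, first-match model of the LAN rule set. It assumes the poster's LAN is 10.0.255.0/24 (only the source 10.0.255.1 appears in the log), and it models rules only by action, protocol and source network, which is all that matters for this case. With the protocol set to TCP/UDP the ICMP echo (proto 1) matches nothing and falls to the default deny; with the protocol set to any it is passed.

```python
import ipaddress

# Constructed sample, modelled on the Live View entry posted above: the same field
# names and values, trimmed to the ones the evaluation below needs.
SAMPLE_LOG = """\
__timestamp__ Aug 3 14:13:34
action block
dir in
dst 8.8.8.8
interface igb1
label Default deny rule
proto 1
protoname icmp
rulenr 9
src 10.0.255.1
version 4
"""

# Assumption: the poster's LAN is 10.0.255.0/24 (only the source 10.0.255.1 is in the log).
LAN_NET = ipaddress.ip_network("10.0.255.0/24")


def parse_entry(text):
    """Turn the 'key value' lines of a Live View entry into a dict; keys without a value are dropped."""
    entry = {}
    for line in text.splitlines():
        key, _, value = line.partition(" ")
        if value:
            entry[key] = value
    return entry


class Rule:
    """A simplified OPNsense LAN rule: action, allowed protocols, source network."""

    def __init__(self, action, protos, src, descr):
        self.action = action      # "pass" or "block"
        self.protos = protos      # set of protocol names, or {"any"}
        self.src = src            # ip_network, or None for "any source"
        self.descr = descr

    def matches(self, proto_name, src_ip):
        if "any" not in self.protos and proto_name not in self.protos:
            return False
        if self.src is not None and src_ip not in self.src:
            return False
        return True


def first_match(rules, proto_name, src, default=("block", "Default deny rule")):
    """OPNsense generates its rules with 'quick', so the first matching rule decides;
    a packet that matches nothing falls through to the built-in default deny."""
    src_ip = ipaddress.ip_address(src)
    for rule in rules:
        if rule.matches(proto_name, src_ip):
            return rule.action, rule.descr
    return default


def evaluate_log_entry(rules, text):
    """Replay a logged packet (protocol name and source) against a rule set."""
    entry = parse_entry(text)
    return first_match(rules, entry["protoname"], entry["src"])


# The rule as the poster found it after the upgrade: protocol TCP/UDP, source LAN net.
RULES_TCP_UDP = [Rule("pass", {"tcp", "udp"}, LAN_NET, "Default allow LAN to any rule")]
# The same rule with protocol set to any, which also covers ICMP (proto 1).
RULES_ANY = [Rule("pass", {"any"}, LAN_NET, "Default allow LAN to any rule")]

if __name__ == "__main__":
    for name, rules in (("TCP/UDP", RULES_TCP_UDP), ("any", RULES_ANY)):
        print(name, "->", evaluate_log_entry(rules, SAMPLE_LOG))
```

Running it prints a block under the TCP/UDP rule and a pass under the any rule, which is exactly the difference the Live View entry shows. The same check is worth applying to any rule whose description says "allow ... to any": a protocol column of TCP/UDP quietly excludes ICMP, and the block only shows up in the log with the default deny's label, not the rule you expected to match.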
-
Not sure how it would have changed in the upgrade, but something might not have transferred over properly. Yay for hiccups, glad it worked. :)
-
> Not sure how it would have changed in the upgrade, but something might not have transferred over properly. Yay for hiccups, glad it worked. :)
Thanks a lot for the help!
Cheers :D