Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - JeroenS

Pages: [1]

23.7 Legacy Series / Unbound DNS, Host Overrides, Aliases not showing in the interface

« on: February 14, 2024, 09:34:18 am »

Dear Forum Members,

I got a colleague at my desk telling me that things are working, but according to the configuration in OPNsense, it shouldn't.

In our office we have a server running multiple dockers hosting several services for the company. As these services are all available on the same IP address on the network we have given them names to access them easily.

In Unbound you can configure host overrides so for the server we have created the main entry with its IP address and created Aliases for all dockers running on the same machine. (This configuration is create years ago).

Software running currently:
OPNsense 23.7.12_5-amd64
FreeBSD 13.2-RELEASE-p7
OpenSSL 1.1.1w

Now when we look in the configuration web interface, we see that the Aliases list is empty.

We checked the /conf/config.xml file, we see the following configuration for Unbound. I have anonymized the configuration. I tried to leave the links between the servers and the aliases as clear as possible. I am human so i may have made a mistake.

Code: [Select]

 <unboundplus version="1.0.8">
      <general>
        <enabled>1</enabled>
        <port>53</port>
        <stats>1</stats>
        <active_interface/>
        <dnssec>0</dnssec>
        <dns64>0</dns64>
        <dns64prefix>64:ff9b::/96</dns64prefix>
        <noarecords>0</noarecords>
        <regdhcp>1</regdhcp>
        <regdhcpdomain/>
        <regdhcpstatic>0</regdhcpstatic>
        <noreglladdr6>0</noreglladdr6>
        <noregrecords>0</noregrecords>
        <txtsupport>0</txtsupport>
        <cacheflush>0</cacheflush>
        <local_zone_type>transparent</local_zone_type>
        <outgoing_interface/>
        <enable_wpad>0</enable_wpad>
      </general>
      <advanced>
        <hideidentity>0</hideidentity>
        <hideversion>0</hideversion>
        <prefetch>0</prefetch>
        <prefetchkey>0</prefetchkey>
        <dnssecstripped>0</dnssecstripped>
        <serveexpired>0</serveexpired>
        <serveexpiredreplyttl/>
        <serveexpiredttl/>
        <serveexpiredttlreset>0</serveexpiredttlreset>
        <serveexpiredclienttimeout/>
        <qnameminstrict>0</qnameminstrict>
        <extendedstatistics>0</extendedstatistics>
        <logqueries>0</logqueries>
        <logreplies>0</logreplies>
        <logtagqueryreply>0</logtagqueryreply>
        <logservfail>0</logservfail>
        <loglocalactions>0</loglocalactions>
        <logverbosity>1</logverbosity>
        <valloglevel>0</valloglevel>
        <privatedomain/>
        <privateaddress>0.0.0.0/8,10.0.0.0/8,100.64.0.0/10,169.254.0.0/16,172.16.0.0/12,192.0.2.0/24,192.168.0.0/16,198.18.0.0/15,198.51.100.0/24,203.0.113.0/24,233.252.0.0/24,::1/128,2001:db8::/32,fc00::/8,fd00::/8,fe80::/10</privateaddress>
        <insecuredomain/>
        <msgcachesize/>
        <rrsetcachesize/>
        <outgoingnumtcp/>
        <incomingnumtcp/>
        <numqueriesperthread/>
        <outgoingrange/>
        <jostletimeout/>
        <cachemaxttl/>
        <cachemaxnegativettl/>
        <cacheminttl/>
        <infrahostttl/>
        <infrakeepprobing>0</infrakeepprobing>
        <infracachenumhosts/>
        <unwantedreplythreshold/>
      </advanced>
      <acls>
        <default_action>allow</default_action>
        <acl uuid="68592565-3f29-4495-a72a-3f0a7bd96df6">
          <enabled>1</enabled>
          <name>VPN</name>
          <action>allow</action>
          <networks>xxx.xx.xx.0/29</networks>
          <description>xxx.xx.xx.0/29</description>
        </acl>
      </acls>
      <dnsbl>
        <enabled>0</enabled>
        <safesearch>0</safesearch>
        <type/>
        <lists/>
        <whitelists/>
        <blocklists/>
        <wildcards/>
        <address/>
        <nxdomain>0</nxdomain>
      </dnsbl>
      <forwarding>
        <enabled>0</enabled>
      </forwarding>
      <dots/>
      <hosts>
        <host uuid="8da0b498-2c6b-4346-83be-bdf2c33a7c4a">
          <enabled>1</enabled>
          <hostname>Server1</hostname>
          <domain>xyz</domain>
          <rr>A</rr>
          <mxprio/>
          <mx/>
          <server>xxx.xxx.xxx.6</server>
          <description>Server number 1</description>
        </host>
        <host uuid="3b33854b-b603-46f0-89c3-675ad92f53e9">
          <enabled>1</enabled>
          <hostname>Server2</hostname>
          <domain>xyz</domain>
          <rr>A</rr>
          <mxprio/>
          <mx/>
          <server>xxx.xxx.xxx.7</server>
          <description>Server number 2</description>
        </host>
        <host uuid="37446fd9-d446-45e5-8915-6c0928de4f30">
          <enabled>1</enabled>
          <hostname>Server3</hostname>
          <domain>xyz</domain>
          <rr>A</rr>
          <mxprio/>
          <mx/>
          <server>xxx.xxx.xxx.8</server>
          <description>Server number 3</description>
        </host>
        <host uuid="86f9388b-4012-412d-b975-22184b6782e6">
          <enabled>1</enabled>
          <hostname>Server4</hostname>
          <domain>xyz</domain>
          <rr>A</rr>
          <mxprio/>
          <mx/>
          <server>xxx.xxx.xxx.9</server>
          <description>Server number 4</description>
        </host>
        <host uuid="3ce5fc46-9524-46e9-9ccc-2af6e8e3d21e">
          <enabled>1</enabled>
          <hostname>Server5</hostname>
          <domain>xyz</domain>
          <rr>A</rr>
          <mxprio/>
          <mx/>
          <server>xxx.xx.x.4</server>
          <description>Server number 5</description>
        </host>
        <host uuid="2809c99f-6d65-48a6-ac8d-ebe98e9d6faa">
          <enabled>1</enabled>
          <hostname>Server 6</hostname>
          <domain>xyz</domain>
          <rr>A</rr>
          <mxprio/>
          <mx/>
          <server>xxx.xxx.xxx.10</server>
          <description>Server number 6</description>
        </host>
        <host uuid="c9b41479-e080-4a15-ad00-1d221fcd06ee">
          <enabled>1</enabled>
          <hostname>Server7</hostname>
          <domain>xyz</domain>
          <rr>A</rr>
          <mxprio/>
          <mx/>
          <server>xxx.xxx.xxx.11</server>
          <description>Server number 7</description>
        </host>
      </hosts>
      <aliases>
        <alias uuid="a6d376d7-ea98-4974-9223-eb28595e0238">
          <enabled>1</enabled>
          <host>3b33854b-b603-46f0-89c3-675ad92f53e9</host>
          <hostname>Ohtername1Server2</hostname>
          <domain>xyz</domain>
          <description/>
        </alias>
        <alias uuid="425ac57f-d4c8-4455-a5ae-3b68f5e05c63">
          <enabled>1</enabled>
          <host>3b33854b-b603-46f0-89c3-675ad92f53e9</host>
          <hostname>Ohtername2Server2</hostname>
          <domain>xyz</domain>
          <description/>
        </alias>
        <alias uuid="805de89c-4009-48ad-a43b-87883bef6ef0">
          <enabled>1</enabled>
          <host>37446fd9-d446-45e5-8915-6c0928de4f30</host>
          <hostname>Othername1Server3</hostname>
          <domain>xyz</domain>
          <description/>
        </alias>
        <alias uuid="c3e606f0-c52b-409e-855a-18857e2a1112">
          <enabled>1</enabled>
          <host>c9b41479-e080-4a15-ad00-1d221fcd06ee</host>
          <hostname>Othername1Server7</hostname>
          <domain>xyz</domain>
          <description/>
        </alias>
        <alias uuid="c28c91af-26cc-4c4f-aa23-4bec97a0cc62">
          <enabled>1</enabled>
          <host>c9b41479-e080-4a15-ad00-1d221fcd06ee</host>
          <hostname>Othername2Server7</hostname>
          <domain>xyz</domain>
          <description/>
        </alias>
        <alias uuid="8dce8e47-3286-4cf2-adb2-e953cb8a0d6e">
          <enabled>1</enabled>
          <host>c9b41479-e080-4a15-ad00-1d221fcd06ee</host>
          <hostname>Othername3Server7</hostname>
          <domain>xyz</domain>
          <description/>
        </alias>
        <alias uuid="c8cf1015-d7ed-4ff1-947c-6ef01d159b91">
          <enabled>1</enabled>
          <host>c9b41479-e080-4a15-ad00-1d221fcd06ee</host>
          <hostname>Othername4Server7</hostname>
          <domain>xyz</domain>
          <description/>
        </alias>
        <alias uuid="ad039ccd-8b0b-4bef-b2c0-7166bc2bb573">
          <enabled>1</enabled>
          <host>c9b41479-e080-4a15-ad00-1d221fcd06ee</host>
          <hostname>Othername5Server7</hostname>
          <domain>xyz</domain>
          <description/>
        </alias>
        <alias uuid="f4776e15-bb9a-4bdf-be5e-73d95e1c56da">
          <enabled>1</enabled>
          <host>c9b41479-e080-4a15-ad00-1d221fcd06ee</host>
          <hostname>Othername6Server7</hostname>
          <domain>xyz</domain>
          <description/>
        </alias>
        <alias uuid="bd23ecae-924b-4045-93d7-79377e144d32">
          <enabled>1</enabled>
          <host>c9b41479-e080-4a15-ad00-1d221fcd06ee</host>
          <hostname>Othername7Server7</hostname>
          <domain>xyz</domain>
          <description/>
        </alias>
        <alias uuid="a7f0d6ab-7704-42ad-9d33-54651a0e32a7">
          <enabled>1</enabled>
          <host>c9b41479-e080-4a15-ad00-1d221fcd06ee</host>
          <hostname>Othername8Server7</hostname>
          <domain>xyz</domain>
          <description/>
        </alias>
        <alias uuid="0edc5d41-c7cd-43d9-ac29-d3ec247f8fed">
          <enabled>1</enabled>
          <host>c9b41479-e080-4a15-ad00-1d221fcd06ee</host>
          <hostname>Othername9Server7</hostname>
          <domain>xyz</domain>
          <description/>
        </alias>
        <alias uuid="12769bf8-6da2-459a-8b07-58562acd9853">
          <enabled>1</enabled>
          <host>c9b41479-e080-4a15-ad00-1d221fcd06ee</host>
          <hostname>Othername10Server7</hostname>
          <domain>xyz</domain>
          <description/>
        </alias>
        <alias uuid="67db3a27-c4c9-49d7-965a-b2058cb760a9">
          <enabled>1</enabled>
          <host>c9b41479-e080-4a15-ad00-1d221fcd06ee</host>
          <hostname>Othername11Server7</hostname>
          <domain>xyz</domain>
          <description/>
        </alias>
      </aliases>
      <domains>
        <domain uuid="d2af4c71-4c90-4864-92d7-85e3d2a30031">
          <enabled>1</enabled>
          <domain>xyz.local</domain>
          <server>xxx.xxx.xxx.2</server>
          <forward_tcp_upstream>0</forward_tcp_upstream>
          <description>xyz domain</description>
        </domain>
      </domains>
    </unboundplus>

In the Log File of Unbound DNS a lot of entries are shown for all the aliases. Below on of the entries.

Code: [Select]

2024-01-19T22:31:03 Warning unbound PTR record already exists for othername6server7.xyz(xxx.xxx.xxx.11)
What could be the issue that it is not shown? Also, if we create a new alias, will we loose the other aliases?

Looking forward to elaborate on this issue.

Jeroen

22.7 Legacy Series / Re: The Intel network card cannot work in full-duplex mode. In half-duplex mode

« on: November 14, 2022, 01:35:04 pm »

This weekend i have updated the firewalls to 2.7.7 including the kernel. It seems to work normally now.
However a reboot is required to get from 100Mbit to auto negotiation again. I am not sure if this was the case beforehand, but every thing seems to be back to normal again.
Thank you for the support!

22.7 Legacy Series / Re: The Intel network card cannot work in full-duplex mode. In half-duplex mode

« on: October 12, 2022, 04:00:01 pm »

Hey Franco,

I see that they have reverted the changes today. So hopefully it will not be in 13.2 /14.

Does this mean we have to stick with the 22.7.5-e1000 kernel till 22.7.7 is released?
(I am not really into the release schedules.... still a bit new here and trying to learn)

22.7 Legacy Series / Re: The Intel network card cannot work in full-duplex mode. In half-duplex mode

« on: October 11, 2022, 11:28:00 am »

I have updated the kernel to the 22.7.5-e1000 version. Now the link is immediately up and solves the problem with the intel network cards. Thank you Franco and csutcliff for pointing in the right direction.

Looking through the diff here https://reviews.freebsd.org/D34449 it seems that something is implemented to comply with a standard, which has changed after millions of network switches and devices are not doing auto negotiation when they are set fixed to 10 or 100 Mbit, half or full duplex.

The problem with changing this is that the device on the other side must be changed as well. Often this is outside of the control of the person implementing this change.

In our case the ISP has configured a network switch to 100Mbit Full duplex and will not change there procedures as it is identical for all their customers. And this is difficult to change as it will require actual negotiation between people to reconfigure both devices at the same time to auto negotiation in order to keep the connection up with minimum downtime as possible.

I will keep an eye on the reddit threats and the freeBSD diff to see when it will be fixed in the next mainstream release.

I have suggested to the ISP that instead they set their interfaces to 100Mbit Full duplex to enable auto negotiation but only advertise 100Mbit full duplex. This is much easier for their customers as they do not have to configure their device and if the customer upgrades to 1Gbit in the future, they just advertise the 1Gbit as well.

But it is difficult to migrate to this solution, as it will require al their current customers to switch from fixed 100Mbit Full Duplex to auto negotiation. So i doubt they will implement this.

22.7 Legacy Series / Re: The Intel network card cannot work in full-duplex mode. In half-duplex mode

« on: October 10, 2022, 10:44:34 am »

That is great news franco.

Do you need the test kernel to be tested on our platform? Is this something i can help with? as i assume it may take some time for the new kernel to be released?

I found the answers in the Reddit page.
https://www.reddit.com/r/opnsense/comments/xw4oiz/comment/ir4qdc8/

This week i will try the update at my firewall at home. If it works i will patch the firewall in the office. and remove the network switch, which is currently converting 100Mbit full duplex fixed to auto negotiation.

22.7 Legacy Series / Re: The Intel network card cannot work in full-duplex mode. In half-duplex mode

« on: October 10, 2022, 08:40:08 am »

@lilsense, if both interfaces are set to auto then it works fine.

I have been out of the office for work, but i will check if they are genuine Intel cards as well as have a look at the bug.
If it is the case I will join Reddit as well to get some more attention to this problem.

Many thanks for the support so far.

22.7 Legacy Series / Re: The Intel network card cannot work in full-duplex mode. In half-duplex mode

« on: October 03, 2022, 02:16:19 am »

Hi lilsense,

Thank you for helping.
While doing the tests I had both sides configured the same way. Otherwise one of the devices will drop packets.

The thing is when both network switch and firewall to 100Mbit Full Duplex the link does not come up. If I configure my laptop interface to 100Mbit full duplex and connect to the switch the link works. But if I connect the laptop to the interface of the firewall the link is down.

I did not have this problem with 21.1 but occurred while upgrading to 21.7. did it from home at a time no body was in the office. Afterwards I had to go to the office because internet was down.

22.7 Legacy Series / Re: The Intel network card cannot work in full-duplex mode. In half-duplex mode

« on: September 30, 2022, 09:09:19 am »

I have done some tests connecting an interface to an unused network switch.
When the switch and firewall are set to auto negotiation everything is fine.
As soon as you set the interface to fixed to 100 Mbit for the switch and firewall the interface stays down.
When you leave the equipment set to auto, and only advertise 10Mbit on the network switch the firewall works.
However changing the network switch to allow voor 100Mbit the interface on the firewall stays on 10Mbit.

It looks like something is not working correctly in the driver, which was not a problem in the 22.1 version.

Can somebody from the OPNsense project give more insight on the changes regarding the Intel network interfaces? Or is it something that is a problem in FreeBSD itself?

22.7 Legacy Series / Re: The Intel network card cannot work in full-duplex mode. In half-duplex mode

« on: September 19, 2022, 10:25:29 am »

Hello Wuwzy and other OPNsense forum members,

In our office we have been running 22.1 for over a year connected to our ISP.
The ISP has fixed the internet connection to 100Mbit Full Duplex and auto negotiation is disabled.
So we had the WAN Intel NIC set to 100Mbit Full Duplex.

After upgrading to 22.7.4 the WAN connection is lost.

I changed the configuration of the WAN interface to default, the internet connection is up again, but with packet loss. As the OPNsense box will try to auto negotiate but fails and will fall back to 100Mbit Half Duplex, while the ISP is configured to 100Mbit Full Duplex.

Clearly this is something that is broken in the upgrade between 22.1 and 22.7.1. And upgrading to 22.7.4 did not solve the issue.

The devices used in this firewall are:

igb0@pci0:1:0:0: class=0x020000 rev=0x03 hdr=0x00 vendor=0x8086 device=0x1539 subvendor=0x8086 subdevice=0x0000
vendor = 'Intel Corporation'
device = 'I211 Gigabit Network Connection'
class = network
subclass = ethernet
igb1@pci0:2:0:0: class=0x020000 rev=0x03 hdr=0x00 vendor=0x8086 device=0x1539 subvendor=0x8086 subdevice=0x0000
vendor = 'Intel Corporation'
device = 'I211 Gigabit Network Connection'
class = network
subclass = ethernet
igb2@pci0:3:0:0: class=0x020000 rev=0x03 hdr=0x00 vendor=0x8086 device=0x1539 subvendor=0x8086 subdevice=0x0000
vendor = 'Intel Corporation'
device = 'I211 Gigabit Network Connection'
class = network
subclass = ethernet
igb3@pci0:4:0:0: class=0x020000 rev=0x03 hdr=0x00 vendor=0x8086 device=0x1539 subvendor=0x8086 subdevice=0x0000
vendor = 'Intel Corporation'
device = 'I211 Gigabit Network Connection'
class = network
subclass = ethernet
igb4@pci0:5:0:0: class=0x020000 rev=0x03 hdr=0x00 vendor=0x8086 device=0x1539 subvendor=0x8086 subdevice=0x0000
vendor = 'Intel Corporation'
device = 'I211 Gigabit Network Connection'
class = network
subclass = ethernet
igb5@pci0:6:0:0: class=0x020000 rev=0x03 hdr=0x00 vendor=0x8086 device=0x1539 subvendor=0x8086 subdevice=0x0000
vendor = 'Intel Corporation'
device = 'I211 Gigabit Network Connection'
class = network
subclass = ethernet

These devices are onboard and cannot be swapped.

Please let me know if you need more information. Currently i do not know what more useful information to share, but please let me know.

To wuwzy, you can check the network interface type via the commandline when you ssh into the device.
pciconf -lv

Pages: [1]