OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of Senten »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - Senten

Pages: [1]
1
24.1 Legacy Series / Re: Firewall IP Aliases sporadically not being resolved
« on: February 05, 2024, 07:17:52 am »
Hi and thanks for sharing your experience!

Was your problem with local dns resolving, too?
Sounds like you are using external dns servers:

Quote from: karlkrnl on February 04, 2024, 03:40:01 pm
I have the same issue with a free duckdns.org domain (the nameservers have high latency)

If so, you likely had a different issue, as my problem only exists with locally hosted RRs in my xyz.local domain.

I tried your suggested setting though but the same error logs are still appearing with every ip alias resolving period.

2
24.1 Legacy Series / Firewall IP Aliases sporadically not being resolved
« on: January 29, 2024, 01:40:54 pm »
Hi there,

I already posted about this issue in the german sub forum but didn't get any response there, so I am reposting in the international section.

Translated from original post:
Quote
Hello dear community,

I recently set up a logging server and through this i stumbled upon the following problem:

The pf firewall randomly does not resolve FQDN firewall aliases. Milliseconds later the same name is resolved correctly:

Code: [Select]
2024-01-18 08:25:06.560 resolving 1 hostnames (1 addresses) for ##### took 0.02 seconds
2024-01-18 08:19:08.284 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 08:18:32.324 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 08:18:05.878 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 08:12:08.150 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 08:12:07.930 resolving 1 hostnames (0 addresses) for ##### took 2.03 seconds
2024-01-18 08:12:07.910 The DNS query name does not exist: ##### [for #####]
2024-01-18 08:07:03.941 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 08:01:07.082 resolving 1 hostnames (1 addresses) for ##### took 0.02 seconds
2024-01-18 08:01:06.983 resolving 1 hostnames (0 addresses) for ##### took 2.03 seconds
2024-01-18 08:01:06.973 The DNS query name does not exist: ##### [for #####]
2024-01-18 07:55:09.124 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 07:50:04.179 resolving 1 hostnames (1 addresses) for ##### took 0.02 seconds
2024-01-18 07:44:08.971 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 07:44:08.300 resolving 1 hostnames (0 addresses) for ##### took 2.03 seconds
2024-01-18 07:44:08.284 The DNS query name does not exist: ##### [for #####]
2024-01-18 07:38:06.104 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 07:38:06.002 resolving 1 hostnames (0 addresses) for ##### took 2.04 seconds
2024-01-18 07:38:05.982 The DNS query name does not exist: ##### [for #####]
2024-01-18 07:32:06.035 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 07:26:06.578 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
The above logs are filtered for the same Alias (even though others are affected too). The FQDN can be resolved using dig or nslookup just fine without any errors or timeouts or whatsoever.

My system is running OPNsense 23.7.12 24.1_1, the error existed already with 23.7.10 and likely even before that.

The dns server used is the local unbound service.

At System>Settings>General the following settings are *not* checked:
Code: [Select]
DNS server options
[ ] Allow DNS server list to be overridden by DHCP/PPP on WAN
[ ] Do not use the local DNS service as a nameserver for this system

Does anybody here have an idea what the cause could possibly be or what I could take a more detailed look at?

Thank you in advance!

Regards,
Senten

3
23.7 Legacy Series / Re: dns name in alias resolution issues
« on: January 22, 2024, 01:15:22 pm »
Hi there,

I think I have the same issue and posted in the german sub forum about it (unfortunately no anwers yet):

Translated from original post:
Quote
Hello dear community,

I recently set up a logging server and through this i stumbled upon the following problem:

The pf firewall does not resolve FQDN firewall aliases once every ~6 Minutes. Milliseconds later the same name is resolved correctly:

Code: [Select]
2024-01-18 08:25:06.560 resolving 1 hostnames (1 addresses) for ##### took 0.02 seconds
2024-01-18 08:19:08.284 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 08:18:32.324 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 08:18:05.878 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 08:12:08.150 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 08:12:07.930 resolving 1 hostnames (0 addresses) for ##### took 2.03 seconds
2024-01-18 08:12:07.910 The DNS query name does not exist: ##### [for #####]
2024-01-18 08:07:03.941 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 08:01:07.082 resolving 1 hostnames (1 addresses) for ##### took 0.02 seconds
2024-01-18 08:01:06.983 resolving 1 hostnames (0 addresses) for ##### took 2.03 seconds
2024-01-18 08:01:06.973 The DNS query name does not exist: ##### [for #####]
2024-01-18 07:55:09.124 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 07:50:04.179 resolving 1 hostnames (1 addresses) for ##### took 0.02 seconds
2024-01-18 07:44:08.971 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 07:44:08.300 resolving 1 hostnames (0 addresses) for ##### took 2.03 seconds
2024-01-18 07:44:08.284 The DNS query name does not exist: ##### [for #####]
2024-01-18 07:38:06.104 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 07:38:06.002 resolving 1 hostnames (0 addresses) for ##### took 2.04 seconds
2024-01-18 07:38:05.982 The DNS query name does not exist: ##### [for #####]
2024-01-18 07:32:06.035 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 07:26:06.578 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
The above logs are filtered for the same Alias (even though others are affected too). The FQDN can be resolved using dig or nslookup just fine without any errors or timeouts or whatsoever.

My system is running OPNsense 23.7.12, the error existed already with 23.7.10 and likely even before that.

The dns server used is the local unbound service.

At System>Settings>General the following settings are *not* checked:
Code: [Select]
DNS server options
[ ] Allow DNS server list to be overridden by DHCP/PPP on WAN
[ ] Do not use the local DNS service as a nameserver for this system

In my case I am talking about A/AAAA records and not necessarily CNAMEs.

Is this the same issue as yours? If not so, please tell me so I can open a new thread in the English forum :-)

Regards,
Senten

4
German - Deutsch / Re: Verkabelungshilfe ProxMox/OPNsense
« on: January 18, 2024, 09:49:21 am »
Hallo zusammen,

ich möchte hier einen Vorschlag anbieten, da ich selber eine sehr ähnliche Hardware einsetze.
Meine 4 physischen Ports sind so verschaltet:

Code: [Select]
Port1 [x] -> Trunk, dient als Bridge-Port für vmbr0; Hierüber werden PVE, als auch alle anderen VMs und CTs erreicht
Port2 [ ] -> leer
Port3 [x] -> PCI-Passthrough an OPNsense-VM (WAN)
Port4 [x] -> PCI-Passthrough an OPNsense-VM (LAN | Trunk)

Port1 und Port4 sind mit dem selben Switch verbunden.

Der Zugriff von einem Client zu Proxmox verläuft dann in etwa so:
Code: [Select]
Client(VLAN100) -> Untagged Port -> Switch -> Trunk (OPNsense) -> OPNsense_eth0.100 -> OPNsense_eth0.200 -> Trunk (OPNsense) -> Switch -> Trunk (Proxmox) -> Proxmox_enp2s0 -> Proxmox_vmbr0.200 (Mgmt-IP-Adresse)Ich hoffe ich hab mich da jetzt nicht verhaspelt :D

Durch den PCI-Passthrough sind die Ports3 und 4 exklusiv der OPNsense vorbehalten und mir persönlich gefiel die Idee der Trennung vom Hypervisor und angeblich soll es so auch performanter sein (das habe ich nicht getestet, sondern einfach darauf vertraut).

Grüße,
Senten

5
German - Deutsch / Firewall Aliase mit DNS-Namen werden sporadisch nicht aufgelöst
« on: January 18, 2024, 09:10:35 am »
Hallo liebe Community,

ich habe mir kürzlich einen Logging-Server aufgesetzt und bin dadurch auf folgendes Phänomen gestoßen:

Die pf-Firewall löst sporadisch keine FW-Aliase auf Basis von FQDNs auf. Bruchteile einer Sekunde später funktioniert die Auflösung dann jedoch:

Code: [Select]
2024-01-18 08:25:06.560 resolving 1 hostnames (1 addresses) for ##### took 0.02 seconds
2024-01-18 08:19:08.284 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 08:18:32.324 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 08:18:05.878 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 08:12:08.150 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 08:12:07.930 resolving 1 hostnames (0 addresses) for ##### took 2.03 seconds
2024-01-18 08:12:07.910 The DNS query name does not exist: ##### [for #####]
2024-01-18 08:07:03.941 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 08:01:07.082 resolving 1 hostnames (1 addresses) for ##### took 0.02 seconds
2024-01-18 08:01:06.983 resolving 1 hostnames (0 addresses) for ##### took 2.03 seconds
2024-01-18 08:01:06.973 The DNS query name does not exist: ##### [for #####]
2024-01-18 07:55:09.124 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 07:50:04.179 resolving 1 hostnames (1 addresses) for ##### took 0.02 seconds
2024-01-18 07:44:08.971 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 07:44:08.300 resolving 1 hostnames (0 addresses) for ##### took 2.03 seconds
2024-01-18 07:44:08.284 The DNS query name does not exist: ##### [for #####]
2024-01-18 07:38:06.104 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 07:38:06.002 resolving 1 hostnames (0 addresses) for ##### took 2.04 seconds
2024-01-18 07:38:05.982 The DNS query name does not exist: ##### [for #####]
2024-01-18 07:32:06.035 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 07:26:06.578 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
Die obigen Log-Zeilen beziehen sich alle auf den selben FW-Alias und der angefragte FQDN ist korrekt.
Wenn ich betroffene Namen per dig manuell auflöse, kommt es niemals zu einem Timeout oder sonstigen Fehler.

Mein System läuft auf OPNsense 23.7.12, der Fehler bestand aber definitiv bereits mit 23.7.10 und vermutlich auch davor schon.

Zur DNS-Auflösung wird der lokale Unbound-Dienst verwendet.

Unter System>Settings>General sind die folgenden Optionen *nicht* aktiv:
Code: [Select]
DNS server options
[ ] Allow DNS server list to be overridden by DHCP/PPP on WAN
[ ] Do not use the local DNS service as a nameserver for this system
Hat jemand eine Idee woran das liegen kann oder was ich mir genauer ansehen könnte?

Vielen Dank!

Grüße,
Senten

Edit: Rechtschreibkorrektur

6
23.1 Legacy Series / Re: DNS server advertisemenet via DHCP not using interface ip address anymor
« on: May 03, 2023, 02:36:30 pm »
Quote from: Animosity on May 03, 2023, 02:07:43 pm
It has to do something with AdGuard.

I retried AdGuard on a fresh install on port 53 and checked the box.

DHCP DNS for IPV6 stopped working.

Reinstalled fresh, no AdGuard. DNC DNS for IPV6 worked.

Seems easy to reproduce and test but I really have no use for AdGuard as I just use the same 2 blocklists for Unbound.

That's interesting, because I think I found the issue on my end:

Turned out my client was not using the DHCP lease reserved for it because its' MAC-address changed due to the local Hyper-V service kidnapping the adapter ... .

For some reason my client did not pick up a different DHCP lease with its' now virtual MAC-address but was served only through SLAAC instead.

The RD daemon was not restarted yet though and this might have been the reason, why it still propagated the global system default dns servers.

After deleting the Hyper-V-virtual-switch and regaining the original MAC-address, my client accepted the reserved DHCP lease and was told to use the correct dns servers for IPv4 and v6.

After restarting the RD daemon android clients received the correct dns configuration, too.

Regards,
Senten

7
23.1 Legacy Series / Re: DNS server advertisemenet via DHCP not using interface ip address anymor
« on: May 03, 2023, 11:42:40 am »
I noticed with AdGuardHome 1.9 as primary DNS only the IPv4 address is advertised correctly but IPv6 still falls back to the system default servers:

   DNS-Server  . . . . . . . . . . . : 2620:fe::fe (quad9)
                                       2620:fe::9 (quad9)
                                       10.10.0.1 (AdGuardHome)

Is that a config error on my side or was it maybe overlooked in the 1.9 release?

8
23.1 Legacy Series / SOLVED: DNS server advertisemenet via DHCP not using interface ip address anymor
« on: May 02, 2023, 06:35:45 pm »
Quote from: jp0469 on May 02, 2023, 04:43:42 pm
Did you enable the new checkbox in the Services > Adguard Home page?

Good call! Of course I did'nt   ::)

Problem solved - thanks a lot  ;D

9
23.1 Legacy Series / Re: DNS server advertisemenet via DHCP not using interface ip address anymore
« on: May 02, 2023, 09:42:38 am »
A fix is mentioned in the current change log but the behaviour hasn't changed for my case.

Plugin Changelog
================

1.9

* Fix DNS settings introduced with 23.1.6
* Update to latest version

10
23.1 Legacy Series / Re: DNS server advertisemenet via DHCP not using interface ip address anymore
« on: April 26, 2023, 09:45:54 am »
There already is a github issue for this: https://github.com/mimugmail/opn-repo/issues/153

11
23.1 Legacy Series / Re: DNS server advertisemenet via DHCP not using interface ip address anymore
« on: April 26, 2023, 09:35:40 am »
Hi and thanks for the link.

If I understand correctly the issue is with the AdGuard plugin from the mimugmail repository not being ready for opnsense 23.1.6 and the problem only exists with AdGuard being configured with Port 53.

Setting the advertised dns server ip addresses statically is one workaround.

Usind a different port for AdGuard and forwarding from Unbound/Bind to AdGuard being another one.

A third workaround seems to be using port 53 on both AdGuard and Unbound/Bind and making AdGuard listen to a dedicated virtual IP address with NAT port forward.

Let's hope the AdGuard plugin will get an update addressing this soon :-)


12
23.1 Legacy Series / DNS server advertisemenet via DHCP not using interface ip address anymor
« on: April 24, 2023, 11:27:31 am »
Hi there,

I have updated my opnsense from 23.1.5 to 23.1.6(-amd64) yesterday and after that the DHCP service advertised the globally configured system dns-servers (public ones) instead of the interface ip addresses, as it used to be.

I am running AdGuardHome as the main DNS service and unbound as forwarder with a few local overrides. That means  after the update clients can resolve public names but not the ones i only use locally.

As a result I now have to manually set the interface ip addresses as the dns servers in the DHCP configuration, which i used to leave blank. In order to be able to do that for IPv6 I now have to additionally configure virtual fd00 IP aliases, which I do not need for anything else an actually would like to deconfigure again as soon as possible.

I tried rolling back a snapshot of 23.1.5 and this version does not have the problem.

Is this a bug or expected behavior? I read about some changes regarding bind hooks in the changelog but as I am not running bind I suppose that does not affect me?

Regards and thanks in advance,
Senten

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2