Messages

I think this was all hampered by old entries in ARP cache, as the new printer used the same IP address as the old, but obviously has a different MAC. Clearing it made things work again. The weird part is it that it kept happening after it got an IP address and things would work for a while, which suggests that the ARP entries were corrected, then became corrupt again. Very odd since the old printer was no longer on the premises, so couldn't be replying and poisoning ARP.

It has also happened since with at least two other machines. A static IP was assigned in Dnsmasq, the machine would receive its assignment via DHCP but then had no IPv4 connectivity to the Internet, though communicating with other machines on the LAN was okay. The OPNsense ARP table contained an entry for that IP but with a MAC address of a machine that had that address months ago. Clearing the ARP table did not fix it permanently, it came back. The other machine was on the network, but using a different ethernet port with a different MAC, and there was no record on that other machine that it thought it was still assigned that address; all diagnostics show only its expected addresses. I doubt it was responding to ARP queries for its disconnected port with an IP address it no longer knew about.

Similar thing again on the second machine, IP assigned in Dnsmasq statically, DNS leases and ARP table all showing the correct entries, machine itself showing the right addresses. Rebooted OPNsense box after an update, and the ARP table contained the previous entry again. I think it was OPNsense, not the machine, because the machine was wiped and had a new OS install. The previous ARP responses for that IP and the bad MAC would have come from Windows, but the ARP responses with that IP and the good MAC would have come from Linux. Linux could never have known that the other MAC would have been assigned that address.

I got around to switching to Unbound, with query forwarding to Dnsmasq only for the local domain. It seems to work, and packet captures now contain the expected replies. I changed that before making any changes to firewall rules (as per my other issue), so I thought the blame lay with Dnsmasq. I don't know any more because I think ARP was corrupt.

I was not referring to the auto-generated rules

My mistake, I meant the automatically provided ones, not the auto-generated ones. I followed the guide for WAN failover, which said to edit those rules and assign to them a gateway. I have since added another rule after those, without a gateway:

statetype

state-policy

sequence

action

quick

interfacenot

interface

direction

ipprotocol

protocol

icmptype

icmp6type

source_net

source_not

source_port

destination_net

destination_not

destination_port

divert-to

gateway

keep

51

pass

1

0

lan

in

inet

any

lan

0

any

0

v4

keep

61

pass

1

0

lan

in

inet6

any

lan

0

any

0

v6

keep

71

pass

1

0

lan

in

inet46

any

lan

0

any

0

Though this has improved the LAN stability, the Printer still misbehaves, and not in a consistent manner. Sometimes it'll work as desired, but usually stops, so I have to leave it configured with IP addresses rather than names, and accept the degradation.

I'm still inclined to believe it is at least partially caused by the router because it has other odd behaviours like near total failure of IPv6 after a random amount of uptime. Restarting the router, without changing any config, will 'fix' that.

Thanks for replying.

We're not using VLANs and everything is on the v4 same subnet, and v6 prefix, so any firewall rule that blocked only the printer would have to contain address-specific parameters, right? There's nothing like that.

Further tests:

• I gave my own PC static IPs by cloning the printer's reservation in Dnsmasq's Hosts page, one off of the printer's IPs, outside the normal DHCP offer ranges, and my PC still got replies from the OPNsense device.
• Set the resolver address on the printer and PC to a separate server, on the LAN, running BIND9. Both received usable DNS responses.

I can't take Dnsmasq down for any extended period until I have a decent maintenance window, but everything I've seen points to it, so far.

I always create an "allow DNS on this firewall" as a floating rule.

Doesn't 'floating' allow DNS requests from the WAN side? I don't want that, it would obviate the point of having overrides for private addresses on our domain. I already have a similar rule to immediately allow all DNS on the LAN interface, as recommended by the WAN failover guide, because we have a 5G backup connection.

Can you see anything in the packet captures? They're very small.

I have a printer that makes DNS queries like any other device, mainly to reach machines on the LAN, but also to 3rd party services on the Internet. From what I can tell, Dnsmasq on OPNsense flat-out refuses to answer its DNS queries. I've done packet captures on the OPNsense device, to compare requests from my own machine with those of the printer's, and I don't know why they go unanswered. It waits and asks again with the search domain appended again, defensive-programming-style. I don't see anything blocking them when I watch the live view of the firewall when triggering queries from the printer.

Does anyone have any ideas about the cause, or what else I can do to diagnose it?

As a band-aid solution, I've had to configure it to use static IP addresses instead of names to get basic functionality, but that isn't sustainable.

Ah, Ta. I'm aware of the auto-generated rules, and I'm not using VLANs. I added it out of frustration, really.

...which by default allow any to any for any IP protocols on LAN? ;-)

Can you elaborate? I don't understand what you're referring to, specifically.

so doesn't need / shouldn't have a gateway.

It's a big office printer with a support contract, we don't own it. It uses WAN for emailing and FTP upload of scanned documents, NTP, and firmware updates. It probably could be made to function well enough without WAN but, regardless, it has difficulty communicating with other machines on the LAN.

I'm having trouble with it again and have had to configure it to use IP addresses instead of names, e.g. for SMTP. Dnsmasq on OPNsense flat-out refuses to answer its DNS queries. I've done (redacted) packet captures on the OPNsense device, to compare requests from my own machine with those of the printer's, and I don't know why they go unanswered. I don't see anything blocking them when I watch the live view of the firewall.

[everything]

I'm posting this in the hope others benefit from our pain. After a large Toshiba printer/MFC was replaced on our network with a newer model (an e-STUDIO3525AC), it had a great deal of trouble. The previous model had worked fine, and there were no changes to the OPNsense box's config between the two. Despite trying both dynamic and static network configs, IPv4-only, IPv6-only, etc., the new one could not get DNS resolution of any address, could not ping public IP addresses (even directly, like 8.8.8.8), and was generally poor at obtaining and holding onto its network config. It even complained at various points that the network cable wasn't connected. I used OPNsense's Interfaces > Diagnostics > Packet Capture, limited to the printer's MAC, and saw it was fairly chatty. I tested the new printer on a secondary physical network and all was okay, so it was something about the main network.

When I realised I could ping public addresses from my own PC, but not the firewall's, I found this thread about it. I enabled ICMP with this rule on the LAN interface, in order to test ping from the printer again:

Protocol	Source	Port	Destination	Port	Gateway	Schedule
IPv4+6 ICMP	*	*	This Firewall	*	*	*

To my surprise, everything started behaving. I'm not blaming OPNsense; I think the printer was deciding it wouldn't or couldn't do basic communication without the router responding to certain queries, or something. If you're experiencing such issues, they may be being triggered by default firewall policies.

The last two responses are not at all helpful.

Look for:
DHCP Static Mappings

We're all already using those, which is why we'd like to be able to specify aliases for them.

You may use Dnsmasq DNS instead of Unbound. It allows easier configuration of aliases.

It has the exact same issue (I mentioned it in my first reply). The hosts that are already mapped to an IP in DHCP are not present in the Unbound or Dnsmasq lists, so one cannot assign aliases to them. An IP address must be double-specified (once in DHCP and once in the chosen DNS override service) for each host you require aliases for.

This is still a problem. The workaround is adding explicit A/AAAA overrides, which is double-specification, when the entire point of registering the DHCP hosts in Unbound/Dnsmasq is to avoid that. It would be nice to be able to create arbitrary Aliases, but I'm forced to attach them to an existing override.

What if the lists that show overrides in Unbound and Dnsmasq could, in addition to showing regular overrides, show the DHCP hosts as non-editable pseudo-entries so that relevant aliases could be added?