Messages - Remington

#1
I think this is related to https://forum.opnsense.org/index.php?topic=27861.0.
If you restart unbound manually, it loads its legacy config.
21.1.5 brought a new UI for unbound. I found that at least overwrites were not migrated correctly.
Have you checked the config of unbound?
Btw., if you click Apply in the UI, it loads the config the new way and you should see the issues again.
#2
I found the logic behind it.

The aliases are only displayed for the host selected above.
In the same manner you can create an alias: by selecting the host and clicking the + button down in Aliases, the right entry gets preselected and the alias is created as expected.

I am unsure if this works as designed, because it is very hard to keep an overview of which aliases are configured at all.
#3
A `configctl unbound restart` or a restart of unbound from the WebUI seems to trigger some old code and generates the config from the old entries.

While `opnsense-shell reload` and "Apply" from the UI create it in the right manner.
#4
Just found that a restore from backup limited to "Unbound DNS" is not writing the <unboundplus> part.
The docs already tell that a partial restore is something that may get dropped.
Maybe this needs to be removed from the list then to avoid confusion.
#5
Dug a little bit deeper and compared the config backups before the update and after.

Seems that the config for the overwrites has been moved from <opnsense><unbound> to <opnsense><OPNsense><unboundplus>

My tries to create an alias did make it into the config backup:

      <aliases>
        <alias uuid="be93fc19-0ae6-43ae-b43c-2e8bb2627f68">
          <enabled>1</enabled>
          <host>73272ebc-54a3-47cf-8ce0-a7a81c8a2a1c</host>
          <hostname>signalcli-api</hostname>
          <domain>wupp</domain>
        </alias>
        <alias uuid="19a41d16-d2a5-4b8f-814b-f39a995fe6c1">
          <enabled>1</enabled>
          <host>9f748e34-fd1a-44a0-a0f7-4357d31c6b1e</host>
          <hostname>signalcli-api</hostname>
          <domain>wupp</domain>
        </alias>
        [...]


But they don't show up in the UI. The uuids for the hosts exist as host entries.
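A quick way to check a backup for exactly this situation (aliases that exist in the XML but reference a host uuid that no host entry carries, or a backup that never got an <unboundplus> section at all) is to parse the config.xml offline. The script below is an added example, not OPNsense code: the <OPNsense><unboundplus> location and the <alias> children follow the backup fragment quoted above, while the <host> children (hostname, domain, server) are an assumed layout, and the sample backup is constructed for the example.

```python
"""Cross-check Unbound host overrides and their aliases in an OPNsense config.xml backup.

Added example, not OPNsense code. The <OPNsense><unboundplus> location and the
<alias> children come from the backup fragment in the post; the <host> children
(hostname, domain, server) are an ASSUMED layout for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed sample backup: two hosts, two aliases pointing at them, and one
# alias whose <host> uuid matches no host entry (the kind of entry that is in
# the XML but can never be reached through the per-host alias view).
SAMPLE_BACKUP = """<?xml version="1.0"?>
<opnsense>
  <unbound>
    <enable>1</enable>
  </unbound>
  <OPNsense>
    <unboundplus>
      <hosts>
        <host uuid="73272ebc-54a3-47cf-8ce0-a7a81c8a2a1c">
          <enabled>1</enabled>
          <hostname>srv01</hostname>
          <domain>wupp</domain>
          <server>192.168.2.21</server>
        </host>
        <host uuid="9f748e34-fd1a-44a0-a0f7-4357d31c6b1e">
          <enabled>1</enabled>
          <hostname>srv02</hostname>
          <domain>wupp</domain>
          <server>192.168.2.22</server>
        </host>
      </hosts>
      <aliases>
        <alias uuid="be93fc19-0ae6-43ae-b43c-2e8bb2627f68">
          <enabled>1</enabled>
          <host>73272ebc-54a3-47cf-8ce0-a7a81c8a2a1c</host>
          <hostname>signalcli-api</hostname>
          <domain>wupp</domain>
        </alias>
        <alias uuid="19a41d16-d2a5-4b8f-814b-f39a995fe6c1">
          <enabled>1</enabled>
          <host>9f748e34-fd1a-44a0-a0f7-4357d31c6b1e</host>
          <hostname>signalcli-api</hostname>
          <domain>wupp</domain>
        </alias>
        <alias uuid="0f0f0f0f-0000-4000-8000-000000000001">
          <enabled>1</enabled>
          <host>deadbeef-0000-4000-8000-000000000000</host>
          <hostname>orphan</hostname>
          <domain>wupp</domain>
        </alias>
      </aliases>
    </unboundplus>
  </OPNsense>
</opnsense>
"""


def _text(el, name, default=""):
    child = el.find(name)
    return child.text.strip() if child is not None and child.text else default


def load_unboundplus(xml_text):
    """Return ({host_uuid: fqdn}, [alias dicts]) from the <OPNsense><unboundplus> section."""
    root = ET.fromstring(xml_text)
    section = root.find("./OPNsense/unboundplus")  # note the case: outer <opnsense>, inner <OPNsense>
    if section is None:
        raise ValueError("no <OPNsense><unboundplus> section: legacy layout or not migrated")
    hosts = {}
    for h in section.findall("./hosts/host"):
        hosts[h.get("uuid")] = f"{_text(h, 'hostname')}.{_text(h, 'domain')}"
    aliases = []
    for a in section.findall("./aliases/alias"):
        aliases.append({
            "uuid": a.get("uuid"),
            "enabled": _text(a, "enabled") == "1",
            "host": _text(a, "host"),
            "fqdn": f"{_text(a, 'hostname')}.{_text(a, 'domain')}",
        })
    return hosts, aliases


def alias_report(xml_text):
    """One (alias fqdn, target host fqdn or None, enabled) tuple per alias."""
    hosts, aliases = load_unboundplus(xml_text)
    return [(a["fqdn"], hosts.get(a["host"]), a["enabled"]) for a in aliases]


def orphan_aliases(xml_text):
    """Aliases whose <host> uuid has no matching <host> entry."""
    return [fqdn for fqdn, target, _ in alias_report(xml_text) if target is None]


if __name__ == "__main__":
    for fqdn, target, enabled in alias_report(SAMPLE_BACKUP):
        print(f"{fqdn:25} -> {target or 'MISSING HOST'}  enabled={enabled}")
```

Run it against a real backup by reading the file into `alias_report`; a `ValueError` means the backup has no <unboundplus> section, which matches what a partial "Unbound DNS" restore or an unmigrated config would look like.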
#6
Hi,

updated from 22.1.4 to 22.2.5 with the Unbound MVC rework.

First the existing overwrites got lost and the new overwrites dialogue was completely empty.

Recreating the overwrites manually, I found that I can't add aliases.
See attached screenshot.
The list of hosts is not filled correctly; instead of the hostname or FQDN only the domain is shown, which doesn't help a lot to pick the right one.

But even if I fill the dialogue and click save, no alias is shown in the overview. Unfortunately there is also no error message or such.

Not sure how to troubleshoot further, which logs I should look at.

Bye
  Thomas
#7
Have you tried to reduce the logsize for this specific log:

`clog -s 500000 -i /var/log/dhcpd.log`

Should make it fast again. And it should stay until you change the logsize via UI again.
#8
Check the size of `/var/log/dhcpd.log`; if it is too large the script will take too much CPU, as the script is parsing this file.
#9
General Discussion / Re: MDNS Repeater IPv6
April 14, 2020, 10:20:33 PM
Hi,
no new news from my side. Found that my printer won't on IPv6 in any case.

But how is pfSense handling this? Maybe this can be used here too.

Bye
Thomas
#10
Sorry, I have missed a few parts to explain.


The packet from 81.169.177.200 is coming in via a Wireguard tunnel.
192.168.70.1 is the local ip of the wg0 interface.

I haven't used the routing from the WireGuard plugin, but created a dedicated gateway for this wg0 interface with 192.168.70.1 as gateway IP.
This was working well for traffic in the opposite direction. I was able to reach 81.169.177.200 from 192.168.2.21, but not the other way round as described above.

The WireGuard interface on the far end has 192.168.70.2 as IP. This was only reachable if I had configured a route for this IP to the local wg0 interface using the gateway 192.168.70.1.

The solution was to change the destination IP for the wg0 interface from the local IP 192.168.70.1 to the IP of the far end 192.168.70.2.

Now the traffic is passing regardless of the side it was initiated.
The only address I can't make reachable is 192.168.70.2, which doesn't hurt in my case.

Bye
  Thomas
#11
I try to ping host 192.168.2.21 from 81.169.177.200

I see the echo-request (234) with tcpdump on the inbound interface. I see the request and response on the outbound interface.
The session table shows the same. The inbound session shows 234 packets in and out, but the out session shows twice as many packets for the out counter.

all icmp 192.168.2.21:3290 <- 81.169.177.200:3290       0:0
   age 00:03:54, expires in 00:00:09, 234:468 pkts, 19656:39312 bytes, rule 507
   id: 030000005e2df8c8 creatorid: 8368a371
all icmp 81.169.177.200:3290 -> 192.168.2.21:3290       0:0
   age 00:03:54, expires in 00:00:09, 234:234 pkts, 19656:19656 bytes, rule 127
   id: 030000005e2df8c9 creatorid: 8368a371


How can I find out why the echo-response is dropped?


@127 pass out log all flags S/SA keep state allow-opts label "fae559338f65e11c53669fc3642c93c2"
  [ Evaluations: 2132      Packets: 4173      Bytes: 1021132     States: 80    ]
  [ Inserted: uid 0 pid 82969 State Creations: 776   ]
@507 pass in log quick on wg0 reply-to (wg0 192.168.70.1) inet proto icmp from <schmu_srv03:4> to <wupp_schapp:3> keep state label "501718afceb1c0ed891df29dd33b09bf"
  [ Evaluations: 67        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 82969 State Creations: 0     ]


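When a flow shows up as two pf states with mismatched packet counters, as in the `pfctl -ss` output quoted above, it helps to parse the state dump rather than eyeball it: pair the states that belong to one endpoint pair and flag any state whose two packet counters disagree. The script below is an added example, not OPNsense or pf code; the sample input is the two states from the post, and the regular expressions assume the `pfctl -vss` line layout shown there (header line, then an `age ... pkts ... bytes, rule N` line).

```python
"""Flag pf states with asymmetric packet counters from `pfctl -vss` output.

Added example, not OPNsense or pf code. Assumes the three-line state layout
seen in the post: header, "age ... pkts, ... bytes, rule N", "id: ... creatorid: ...".
"""
import re
from dataclasses import dataclass

# Constructed sample: the two states quoted in the post.
SAMPLE_STATES = """\
all icmp 192.168.2.21:3290 <- 81.169.177.200:3290       0:0
   age 00:03:54, expires in 00:00:09, 234:468 pkts, 19656:39312 bytes, rule 507
   id: 030000005e2df8c8 creatorid: 8368a371
all icmp 81.169.177.200:3290 -> 192.168.2.21:3290       0:0
   age 00:03:54, expires in 00:00:09, 234:234 pkts, 19656:19656 bytes, rule 127
   id: 030000005e2df8c9 creatorid: 8368a371
"""

# Header: "<iface> <proto> <addr:port> <arrow> <addr:port> <state>" (no leading whitespace).
HEAD = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(<-|->|<->)\s+(\S+)\s+(\S+)$")
# Counter line: "a:b pkts, c:d bytes, rule N" (both counters kept as-is, in pf's order).
PKTS = re.compile(r"(\d+):(\d+) pkts, (\d+):(\d+) bytes, rule (\d+)")


@dataclass
class State:
    iface: str
    proto: str
    left: str
    arrow: str
    right: str
    status: str
    pkts: tuple
    nbytes: tuple
    rule: int

    @property
    def asymmetric(self):
        """True when the two packet counters of this state differ."""
        return self.pkts[0] != self.pkts[1]

    @property
    def endpoints(self):
        """Direction-independent key: the same flow seen from either side."""
        return frozenset((self.left, self.right))


def parse_states(text):
    states, cur = [], None
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            cur = {"iface": m.group(1), "proto": m.group(2), "left": m.group(3),
                   "arrow": m.group(4), "right": m.group(5), "status": m.group(6)}
            continue
        m = PKTS.search(line)
        if m and cur is not None:
            states.append(State(pkts=(int(m.group(1)), int(m.group(2))),
                                nbytes=(int(m.group(3)), int(m.group(4))),
                                rule=int(m.group(5)), **cur))
            cur = None  # the "id:" line carries nothing we need
    return states


def flag_asymmetric(text):
    """(rule, pkts) for every state whose packet counters disagree."""
    return [(s.rule, s.pkts) for s in parse_states(text) if s.asymmetric]


def pair_states(text):
    """Group the states of one flow (same proto and endpoint pair) by rule number."""
    groups = {}
    for s in parse_states(text):
        groups.setdefault((s.proto, s.endpoints), []).append(s.rule)
    return groups


if __name__ == "__main__":
    for rule, pkts in flag_asymmetric(SAMPLE_STATES):
        print(f"rule {rule}: counters {pkts[0]}:{pkts[1]} differ")
    for (proto, eps), rules in pair_states(SAMPLE_STATES).items():
        print(proto, sorted(eps), "-> rules", rules)
```

On a live box, feed it `pfctl -vss` output; a flow that appears under two rules with only one of the states asymmetric is the pattern to start from when a reply is forwarded but never reaches the requester.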
#12
General Discussion / MDNS Repeater IPv6
June 17, 2019, 10:50:10 PM
Hi,

mdns repeater is pretty old and doesn't support IPv6.
Found that at least iPhones won't find their printer, if they are connected via dual stack.
Had to disable IPv6 on my printer to get it working again.

Is IGMP Proxy an option to forward mdns over IPv6?

Bye
  Thomas
#13
Hi,

I have the same issue here but running 18.7.10 with unbound 1.8.3.

Did you make any other change while troubleshooting?

Thanks
  Thomas.
#14
Hi,

I didn't find a way to add custom networks to the acl localnet in the squid.conf.
Looks like that only networks of directly attached interfaces get added if they are added to "Proxy interfaces".
But adding e.g. an OpenVPN interface doesn't add the network to localnet.

Is there a way to add networks to localnet manually?

Thanks
  Thomas
#15
General Discussion / ICMP type logging
March 26, 2018, 10:27:10 PM
Hi,

is it only me, or is it that in version 18.1 there is no ICMP type logging any more?

my log looks like this:
filterlog: 34,,,0,vmx0,match,pass,in,6,0x00,0x00000,255,ICMPv6,58,112,fe80::1:1,ff02::1,
filterlog: 92,,,0,vmx1,match,pass,in,4,0x0,,32,12590,0,none,1,icmp,60,172.20.XX.42,192.168.XX.231,datalength=40


I expect something like request|reply|unreachproto|unreachport|unreach|timeexceed|paramprob|redirect|maskreply|needfrag|tstamp|tstampreply at the end.
Not sure if it was there in the past or I have seen it in a pfsense install. Had to look into ICMP details recently and missed this information.

Can someone confirm that this is the standard behavior or was it different in former versions or is it configurable?

Thanks
Thomas
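To see what a filterlog line actually carries after the address fields, it is easier to split it by the documented field layout than to count commas by hand. The parser below is an added example, not OPNsense code: it uses the pf filterlog CSV layout (common fields, then the IPv4 or IPv6 header fields, then protocol-specific fields) and treats whatever follows the destination address as the protocol-specific trailer. The two sample lines are the ones from the post; the third is a constructed line in the `request,id,sequence` form the post expects for an ICMP echo, and that form is an assumption for the example.

```python
"""Parse pf filterlog CSV lines and report the ICMP type field when one is present.

Added example, not OPNsense code. Field order follows the pf filterlog layout:
common fields, then IPv4 or IPv6 header fields, then protocol-specific fields.
"""

# Constructed sample: the two lines from the post (XX kept as posted) plus one
# ASSUMED echo-request line in the "request,id,sequence" shape the post asks about.
SAMPLE_LOG = [
    "filterlog: 34,,,0,vmx0,match,pass,in,6,0x00,0x00000,255,ICMPv6,58,112,fe80::1:1,ff02::1,",
    "filterlog: 92,,,0,vmx1,match,pass,in,4,0x0,,32,12590,0,none,1,icmp,60,172.20.XX.42,192.168.XX.231,datalength=40",
    "filterlog: 92,,,0,vmx1,match,pass,in,4,0x0,,64,4711,0,none,1,icmp,84,192.168.2.21,192.168.2.1,request,26467,0",
]

COMMON = ["rule", "subrule", "anchor", "tracker", "iface", "reason", "action", "direction", "ipver"]
V4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto", "length", "src", "dst"]
V6 = ["class", "flowlabel", "hoplimit", "proto", "proto_id", "length", "src", "dst"]

# The ICMP type keywords the post lists as the expected trailer.
ICMP_TYPES = {
    "request", "reply", "unreachproto", "unreachport", "unreach", "timeexceed",
    "paramprob", "redirect", "maskreply", "needfrag", "tstamp", "tstampreply",
}


def parse_filterlog(line):
    """Return a dict of named fields; 'extra' holds the protocol-specific trailer."""
    body = line.split("filterlog: ", 1)[1] if "filterlog: " in line else line
    fields = body.split(",")
    rec = dict(zip(COMMON, fields[:len(COMMON)]))
    rest = fields[len(COMMON):]
    layout = V4 if rec.get("ipver") == "4" else V6
    rec.update(zip(layout, rest[:len(layout)]))
    rec["proto"] = rec.get("proto", "").lower()
    rec["extra"] = [f for f in rest[len(layout):] if f]  # drop the empty trailing field
    rec["icmp_type"] = None
    if rec["proto"].startswith("icmp") and rec["extra"] and rec["extra"][0] in ICMP_TYPES:
        rec["icmp_type"] = rec["extra"][0]
    return rec


def icmp_summary(lines):
    """(iface, proto, src, dst, icmp_type or None) for each ICMP/ICMPv6 line."""
    out = []
    for line in lines:
        rec = parse_filterlog(line)
        if rec["proto"].startswith("icmp"):
            out.append((rec["iface"], rec["proto"], rec["src"], rec["dst"], rec["icmp_type"]))
    return out


if __name__ == "__main__":
    for row in icmp_summary(SAMPLE_LOG):
        print(row)
```

Running it over a real `/var/log/filter.log` shows at once whether the trailer is a type keyword or only `datalength=`; an entry with `icmp_type` of `None` is a line that logged no ICMP type.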