Topics - Dean E. Weimer

#1
I am back checking in again on OPNsense. I have one feature that I have never been able to get to work correctly, and that has kept me from making the transition: DNS conditional forwarding to multiple servers. I support multiple remote tunnels with various internal DNS suffixes. Most of these DNS suffixes are managed by multiple redundant servers, for example Active Directory Domain Controllers and a few Samba servers running Samba domains. I have been unable to get Unbound or Dnsmasq to handle a secondary server. So if the remote end reboots a domain controller, the lookups start failing even though I have a secondary path available, and even after the primary DNS name server is back up it appears to cache the negative lookup result for a while until the service is restarted.
The only successful solution I have found that handles this correctly is using forward-only DNS zones (conditional forwarders) in BIND DNS. Though the OPNsense BIND DNS plugin has made a lot of improvements since I last checked in, it still lacks the option to create forward-only zones.
Am I missing some way to do this with Dnsmasq or Unbound?
In the case of the Samba DNS there is no support for slave zones so a forward zone is the only possibility, and I don't always get permissions granted to slave some zones even if I wanted to use extra overhead to run a slave zone instead of a forward only zone.
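As an added example (not configuration from the original post or from OPNsense itself), this is the stock unbound.conf form of a conditional forwarder with more than one upstream per zone: a forward-zone stanza takes any number of forward-addr lines, and forward-first: no keeps it forward-only so a miss is never retried against the public roots. The zone names, addresses and the 120-second infra-host-ttl are placeholder assumptions; whether this behaves any differently from what the poster saw on OPNsense is not something the page records.

```conf
# Added example: Unbound conditional forwarding to redundant upstreams.
# Zone names and addresses below are placeholders, not from the post.

# Active Directory domain served by two domain controllers. With only one
# forward-addr there is no fallback when that controller reboots; listing
# every controller lets Unbound move on to the next one.
forward-zone:
    name: "corp.example."
    forward-addr: 10.10.0.1
    forward-addr: 10.10.0.2
    forward-first: no        # forward only: never fall back to the roots

# Samba-backed domain reached over another tunnel; same pattern.
forward-zone:
    name: "samba.example."
    forward-addr: 10.20.0.5
    forward-addr: 10.20.0.6
    forward-first: no

server:
    # If private-address rebinding protection is configured, answers that
    # point at RFC 1918 space are discarded unless the zone is whitelisted.
    private-domain: "corp.example."
    private-domain: "samba.example."
    # How long Unbound remembers that an upstream timed out before it is
    # tried again (the default is 900 seconds); 120 is an assumed value.
    infra-host-ttl: 120
```

After a reload, `unbound-control dump_infra` shows which upstreams Unbound currently considers unresponsive, and `unbound-control flush_infra all` clears that state without restarting the daemon. The equivalent in Dnsmasq is one `server=/corp.example/10.10.0.1` line per upstream for the same suffix, and in BIND the forward-only zone the post describes is `zone "corp.example" { type forward; forward only; forwarders { 10.10.0.1; 10.10.0.2; }; };`.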
#2
17.1 Legacy Series / 17.1.r1 Kernel Panic
January 22, 2017, 02:40:37 PM
I updated my system on Friday from 16.7.13 to 17.1.r1; so far on both Saturday and Sunday it has had a kernel panic just after 7:00 am local time. I was able to capture the console output on today's crash.


Fatal trap 12: page fault while in kernel mode
cpuid = 2; apic id = 04
fault virtual address   = 0x30
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff80bfcd0c
stack pointer           = 0x28:0xfffffe0119c09430
frame pointer           = 0x28:0xfffffe0119c09460
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = resume, IOPL = 0
current process         = 87062 (sh)
[ thread pid 87062 tid 100087 ]
Stopped at      turnstile_broadcast+0x9c:       movq    0x20(%rbx,%rax,1),%rcx
db>


I looked through the crontab -l output and the /etc/crontab file, and I can't see anything set to run at about that time. But the fact that it apparently crashed at the same time makes me really suspicious, and of course since the process was sh, it could be any shell script. I haven't been able to find a log message on the system indicating what happened.
Unfortunately, later today I am going to have to roll it back until next weekend. This is installed at my house for my home network and mail server; on weekdays I am in the office by 7, so if the system crashes just afterwards my mail server will be offline all day.
Does anyone have any ideas on what I could do today to try to narrow down the cause?
#3
16.7 Legacy Series / NAT Reflection & LACP
September 19, 2016, 08:50:32 PM
I switched my server over from a single port to a 3-port LACP aggregation on the switch. I can talk to all the local IPs and ports just fine, but NAT reflection isn't working at all. External IP to internal NAT appears to be hit or miss; however, this could be a result of certain services talking to other services through NAT reflection.

The server is running FreeBSD; the applications are all running from within jails on the system. When I look at the firewall's ARP table through the interfaces diagnostic page, it only shows the base system's ARP entry. However, when I ssh to the internal IP of the firewall and list ARP entries using arp -a, it properly shows the individual jails' ARP entries as well.

Looking at tcpdump on the server, it appears to show the traffic coming from the firewall and being replied to, but the reply never makes it to the client.

Has anyone seen this before?

I am running OPNsense 16.7.3-amd64
#4
Hardware and Performance / APU1D4, Performance Tuning
November 13, 2015, 11:45:16 PM
Does anyone have an APU1D4 that's able to pull greater than 30 Mbit/s throughput? I have a 60 Mbit/s download speed, but can't get over 30 Mbit/s no matter what settings I change. I am currently running on a VirtualBox installation, so I can do some significant testing. I rebuilt the install with fresh settings, and I have verified that cabling is not an issue; ports are negotiating 1000 Mbit/s with flow control. Both interfaces are tied to a Dell PowerConnect 2724 switch, using VLANs to segregate traffic.
#5
I have 3 VLANs set up on my LAN interface: native VLAN 1 for normal LAN traffic, VLAN 2 for a GUEST interface, and VLAN 3 for another, limited interface (same as guest minus captive portal). When I enable the Captive Portal service on the GUEST interface, OPNsense stops forwarding traffic from the OpenVPN tunnel to the LAN interface. I have to disable the Captive Portal and reboot the OPNsense firewall before it begins forwarding traffic again.
It appears as if the captive portal settings are getting applied to the OpenVPN tunnel interface in addition to the GUEST interface, but of course I don't get an authentication prompt.
The OpenVPN tunnel is a client to another OPNsense firewall which is functioning as the server. I can use the packet capture utility in diagnostics to verify that traffic is passing through the tunnel from the remote end and hitting the OpenVPN interface of the local OPNsense firewall, but it is never forwarded outbound on the LAN interface.
Has anyone else tried to use a captive portal on an OPNsense firewall that also had an OpenVPN client tunnel connection and/or VLANs on the LAN interface, to verify whether or not they have seen this issue as well?