Topics - soko

1
22.1 Legacy Series / Connectivity Check: Non-recoverable resolver failure
« on: August 01, 2022, 11:48:57 am »
Hi guys,

While trying to identify the issues I've been having with v22.7 for the last couple of hours, I found a strange message when my VM is back on v22.1.10_4:

Health Check is sound:
Code:
***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 22.1.10_4 (amd64/OpenSSL) at Mon Aug  1 10:35:02 CEST 2022
>>> Check installed kernel version
Version 22.1.9 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 22.1.9 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense
>>> Check installed plugins
No plugins found.
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" has 66 dependencies to check.
Checking packages: .................................................................... done
***DONE***

Connectivity Check reports "Non-recoverable resolver failure"
Code:
***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 22.1.10_4 (amd64/OpenSSL) at Mon Aug  1 10:36:10 CEST 2022
Checking connectivity for host: pkg.opnsense.org -> 89.149.211.205
PING 89.149.211.205 (89.149.211.205): 1500 data bytes
1508 bytes from 89.149.211.205: icmp_seq=0 ttl=53 time=188.715 ms
1508 bytes from 89.149.211.205: icmp_seq=1 ttl=53 time=51.155 ms
1508 bytes from 89.149.211.205: icmp_seq=2 ttl=53 time=69.108 ms
1508 bytes from 89.149.211.205: icmp_seq=3 ttl=53 time=68.161 ms

--- 89.149.211.205 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 51.155/94.285/188.715/54.985 ms
Checking connectivity for repository (IPv4): https://pkg.opnsense.org/FreeBSD:13:amd64/22.1
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 799 packages processed.
All repositories are up to date.
Checking connectivity for host: pkg.opnsense.org -> 2001:1af8:4f00:a005:5::
ping6: UDP connect: No route to host
Checking connectivity for repository (IPv6): https://pkg.opnsense.org/FreeBSD:13:amd64/22.1
Updating OPNsense repository catalogue...
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/latest/meta.txz: Non-recoverable resolver failure
repository OPNsense has no meta file, using default settings
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/latest/packagesite.pkg: Non-recoverable resolver failure
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/latest/packagesite.txz: Non-recoverable resolver failure
Unable to update repository OPNsense
Error updating repositories!
***DONE***

Which I don't quite understand, as the ping to pkg.opnsense.org is OK and I can download https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/latest/meta.txz from my clients with no problem.

The upgrade to v22.7 works. But afterwards I have several issues there:
  • "Dnsmasq DNS" does not work anymore (clients don't get DNS resolved). I have to disable it and enable Unbound.
  • The /ui/core/firmware#status page takes 5 minutes to show values after a reboot.
  • Health Audit is stuck at "Core package "opnsense" has 63 dependencies to check." with 1 dot of progress for 30 mins.

Are the issues on v22.7 caused by the "Non-recoverable resolver failure" in v22.1?

thx
Soko
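The audit transcript above is easier to read when its checks are grouped by address family: both IPv4 checks pass, while the IPv6 host check reports "No route to host" and the IPv6 repository check reports the resolver failure. The parser below does that grouping. It is an added example, not part of soko's post or of OPNsense's own code; the line patterns it matches are taken from the transcript above, and the sample text is that transcript embedded inline (trimmed to the lines that matter).

```python
"""Parse an OPNsense "audit connectivity" transcript and report per address family."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: the connectivity-audit output quoted in the post above,
# shortened to the lines the parser needs.
SAMPLE_AUDIT = """\
***GOT REQUEST TO AUDIT CONNECTIVITY***
Checking connectivity for host: pkg.opnsense.org -> 89.149.211.205
PING 89.149.211.205 (89.149.211.205): 1500 data bytes
1508 bytes from 89.149.211.205: icmp_seq=0 ttl=53 time=188.715 ms
--- 89.149.211.205 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
Checking connectivity for repository (IPv4): https://pkg.opnsense.org/FreeBSD:13:amd64/22.1
Updating OPNsense repository catalogue...
OPNsense repository update completed. 799 packages processed.
All repositories are up to date.
Checking connectivity for host: pkg.opnsense.org -> 2001:1af8:4f00:a005:5::
ping6: UDP connect: No route to host
Checking connectivity for repository (IPv6): https://pkg.opnsense.org/FreeBSD:13:amd64/22.1
Updating OPNsense repository catalogue...
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/latest/meta.txz: Non-recoverable resolver failure
repository OPNsense has no meta file, using default settings
Unable to update repository OPNsense
Error updating repositories!
***DONE***
"""

HOST_RE = re.compile(r"^Checking connectivity for host: (\S+) -> (\S+)$")
REPO_RE = re.compile(r"^Checking connectivity for repository \((IPv[46])\): (\S+)$")
PING_STATS_RE = re.compile(r"(\d+) packets transmitted, (\d+) packets received")
FAILURE_MARKERS = (
    "no route to host",
    "resolver failure",
    "unable to update repository",
    "error updating repositories",
)


@dataclass
class Check:
    kind: str            # "host" or "repository"
    family: str          # "IPv4" or "IPv6"
    target: str          # address or repository URL
    ok: Optional[bool] = None
    errors: List[str] = field(default_factory=list)


def address_family(addr: str) -> str:
    """Host checks print the resolved address; a colon means IPv6."""
    return "IPv6" if ":" in addr else "IPv4"


def parse_audit(text: str) -> List[Check]:
    """Split the transcript into checks and decide pass/fail for each."""
    checks: List[Check] = []
    current: Optional[Check] = None
    for line in text.splitlines():
        line = line.rstrip()
        m = HOST_RE.match(line)
        if m:
            current = Check("host", address_family(m.group(2)), m.group(2))
            checks.append(current)
            continue
        m = REPO_RE.match(line)
        if m:
            current = Check("repository", m.group(1), m.group(2))
            checks.append(current)
            continue
        if current is None:
            continue                      # banner lines before the first check
        m = PING_STATS_RE.search(line)
        if m and current.kind == "host":
            current.ok = int(m.group(2)) > 0   # at least one echo reply
            continue
        if current.kind == "repository" and "All repositories are up to date" in line:
            current.ok = True
            continue
        lowered = line.lower()
        if any(marker in lowered for marker in FAILURE_MARKERS):
            current.ok = False
            current.errors.append(line)
    return checks


def per_family_status(checks: List[Check]) -> Dict[str, bool]:
    """A family passes only if every check in that family passed."""
    status: Dict[str, bool] = {}
    for c in checks:
        status[c.family] = status.get(c.family, True) and bool(c.ok)
    return status


if __name__ == "__main__":
    for c in parse_audit(SAMPLE_AUDIT):
        print(f"{c.family:4} {c.kind:10} {'OK' if c.ok else 'FAIL':4} {c.target}")
    print(per_family_status(parse_audit(SAMPLE_AUDIT)))
```

Run against the sample, the IPv4 host and repository checks come out OK and both IPv6 checks FAIL, with the ping6 and pkg error lines attached to the failing checks so they can be read side by side.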

2
20.7 Legacy Series / Single WAN, but Multi Gateway not working
« on: January 23, 2021, 04:12:54 pm »
Hi guys,

I was running OPNsense successfully with one LAN and two WANs (one gateway each) with a Gateway Group for failover according to https://docs.opnsense.org/manual/how-tos/multiwan.html.

Now, after a change in my network, the failover gateway is in the same WAN network as the main gateway.

So I thought "No biggy!" and
  • Added the new gateway to System-Gateway-Single
  • Swapped in the Gateway-Group the old failover (tier 2) for the new failover gateway
  • Adjusted the DNS servers in System-Settings-General
  • Deleted the old failover gateway and the 2nd WAN

But now, once my main gateway fails, the failover gateway is marked "active" but I have no internet on my LAN side.

Does anybody know why?

Here are a few more details....

Original/old/working config:
LAN: 192.168.254.0/24 (OPNsense static 192.168.254.253)
WAN: 192.168.179.0/24 (OPNsense static 192.168.179.253, Gateway 192.168.179.254)
WANFailover: 192.168.253.0/30 (OPNsense static 192.168.253.1, GatewayFailover 192.168.253.2)

New/not-working config:
LAN: 192.168.254.0/24 (OPNsense static 192.168.254.253)
WAN: 192.168.179.0/24 (OPNsense static 192.168.179.253, Gateway 192.168.179.254, GatewayFailover 192.168.179.1)

thanks
Soko

3
General Discussion / With VLAN I need to manually set MSS. Why?
« on: January 23, 2021, 02:38:17 pm »
Hi guys,

It took me days to figure this out, but I'm also curious if one of you has a hypothesis or can even explain this to me. I usually like very much to understand why something is happening :)

First my - I admit - a little exotic network configuration:
  • Switch-GBit-Eth-Port (tagged VLAN 1 + 99) <=> Win10 with Realtek NIC
  • With Realtek Diagnostic Tool I have installed 2 separate VLAN NICs in Win10. One for VLAN1, one for VLAN99. So everything that uses one of the two NICs gets the corresponding VLAN-ID
  • OPNsense runs in a VM (VMware) with two virtual NICs. VIRT1 is bridged to NIC-VLAN1, VIRT2 to NIC-VLAN99
  • In OPNsense VIRT1/VLAN1 is LAN. VIRT2/VLAN99 is WAN.

So far so good and everything worked perfectly... at the first glance at least.

From a LAN PC I was able to:
  • Resolve DNS names
  • Ping (ICMP) into the internet via IP or dns name

But no internet page (browser) was working. Even the one I was able to ping successfully.

Once I set MTU=1500 and MSS=1456 in Interfaces->WAN, everything worked perfectly.

So I somehow have to manually accommodate the 4 bytes of VLAN tagging. Just changing the MTU to a smaller number (even 1000) didn't help.

Now, for someone who knows a lot about these things: I'm happy to learn and also have the following questions:
  • Why do I have to do this only on the WAN interface and not on LAN?
  • Why am I still able to browse to the OPNsense website from a LAN PC if the issue seems to be somewhere between the OPNsense and the switch port?
  • Or in other words: Why does this issue only occur on internet TCP traffic and not local TCP traffic?

Thanks in advance
Soko
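What the MSS field on the WAN interface does mechanically is clamp the MSS option carried in TCP SYN segments, which OPNsense applies through a pf scrub rule (max-mss). The Python below is an added example of that clamp, written here rather than taken from soko's post or from OPNsense/pf: it builds a SYN with the usual Ethernet MSS of 1460, rewrites it to the post's value of 1456, leaves smaller values and non-SYN segments alone, and rejects malformed option lists instead of walking off the end. The mss_for_mtu helper shows where 1456 comes from (1500 minus 20-byte IPv4 and TCP headers minus the 4-byte VLAN tag the post mentions). The port numbers and sequence number in the constructed segment are arbitrary, and the TCP checksum is left at zero; a real clamp must also recompute it.

```python
"""MSS clamping on a TCP SYN, the mechanism behind an interface MSS setting."""
import struct
from typing import Iterator, Optional, Tuple

TCP_HEADER_MIN = 20
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2
FLAG_SYN = 0x002


def mss_for_mtu(mtu: int, ip_header: int = 20, tcp_header: int = 20, extra: int = 0) -> int:
    """MSS that fits an MTU once headers (and any extra encapsulation) are subtracted."""
    return mtu - ip_header - tcp_header - extra


def build_syn(mss: int, options_extra: bytes = b"") -> bytes:
    """Constructed SYN: arbitrary ports/seq, checksum left at 0, MSS option first."""
    opts = struct.pack("!BBH", OPT_MSS, 4, mss) + options_extra
    while len(opts) % 4:
        opts += bytes([OPT_NOP])              # pad the option list to 32-bit words
    data_offset = (TCP_HEADER_MIN + len(opts)) // 4
    offset_flags = (data_offset << 12) | FLAG_SYN
    header = struct.pack("!HHIIHHHH", 40000, 443, 1, 0, offset_flags, 65535, 0, 0)
    return header + opts


def iter_options(opts: bytes) -> Iterator[Tuple[int, int, int]]:
    """Yield (position, kind, length) for each option; stop at EOL; reject bad lengths."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            return
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option kind without length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed option length")
        yield i, kind, length
        i += length


def _header_length(segment: bytes) -> Tuple[int, int]:
    if len(segment) < TCP_HEADER_MIN:
        raise ValueError("segment shorter than a TCP header")
    offset_flags = struct.unpack_from("!H", segment, 12)[0]
    hdr_len = (offset_flags >> 12) * 4
    if hdr_len < TCP_HEADER_MIN or hdr_len > len(segment):
        raise ValueError("data offset outside the segment")
    return offset_flags, hdr_len


def get_mss(segment: bytes) -> Optional[int]:
    """Read the MSS option value, or None if the segment carries none."""
    _, hdr_len = _header_length(segment)
    opts = segment[TCP_HEADER_MIN:hdr_len]
    for pos, kind, length in iter_options(opts):
        if kind == OPT_MSS and length == 4:
            return struct.unpack_from("!H", opts, pos + 2)[0]
    return None


def clamp_mss(segment: bytes, max_mss: int) -> Tuple[bytes, Optional[int]]:
    """Rewrite an oversized MSS option in a SYN; return (segment, original MSS or None)."""
    offset_flags, hdr_len = _header_length(segment)
    if not offset_flags & FLAG_SYN:
        return segment, None                  # MSS is only negotiated on SYNs
    opts = bytearray(segment[TCP_HEADER_MIN:hdr_len])
    original = None
    for pos, kind, length in iter_options(bytes(opts)):
        if kind == OPT_MSS and length == 4:
            original = struct.unpack_from("!H", opts, pos + 2)[0]
            if original > max_mss:
                struct.pack_into("!H", opts, pos + 2, max_mss)
            break
    # A real clamp recomputes the TCP checksum here; omitted in this example.
    return segment[:TCP_HEADER_MIN] + bytes(opts) + segment[hdr_len:], original


if __name__ == "__main__":
    syn = build_syn(1460)
    clamped, before = clamp_mss(syn, mss_for_mtu(1500, extra=4))
    print(f"MSS {before} -> {get_mss(clamped)}")
```

Clamping the SYN lowers the peer's segment size for the whole connection, which is why the single interface setting fixes the stalled page loads while small ICMP and DNS packets were never affected.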

4
20.7 Legacy Series / Exclusive DNS server for each WAN possible?
« on: December 29, 2020, 03:56:00 pm »
Hi guys,

In short: Can I define a single DNS server for each gateway/WAN which gets exclusively/solely used when the gateway/WAN is the active one in a failover gateway group?

In long:
I'm running a multi WAN setup successfully at the moment. The gateway group uses gateway/WAN=AT111 when available and gateway/WAN=BACKUP when AT111 fails.

This failover works as it should.

In System->Settings->General->DNS-Server I've entered 2 DNS servers. One for each gateway.

www.dnsleaktest.com revealed to me, that both DNS servers are used by Unbound DNS (forwarding mode is enabled).

After reading the help to each setting carefully I'm kinda shocked that this is how it should be?!?

At General->DNS-Server the column header for the gateway says "Use gateway", which may mean something like "Packets to this DNS server are sent using this gateway".
But not, as I thought, "When this gateway is active, use solely this DNS server".

Also at Unbound-DNS->General it reads: "If forwarding is enabled, Unbound will use the DNS servers entered in System: General setup".
So this also doesn't say something like "I will use only the entry from there that fits the current gateway".

thanks
Soko

PS: The DNS server for AT111 is only reachable through AT111. That's why I need this feature.

5
20.7 Legacy Series / Different route for streaming (Netflix) possible?
« on: December 26, 2020, 05:42:11 pm »
Hi guys,

I know it's possible to set up different rules (based on alias/host/IPs) to route a device through a different WAN than the rest of the network.

What I like to do though is to route Netflix traffic to a different WAN. Is this possible?
So I would like to browse on a computer through the WAN1 and just the Netflix app on it should use WAN2.

Thanks
Soko

PS: I've posted basically the same in the Sensei forum (https://forum.opnsense.org/index.php?topic=20628.0) as I thought this is the way to go... but I can't find out how. So maybe there is a way without Sensei.

6
Zenarmor (Sensei) / Different route for streaming/Netflix
« on: December 26, 2020, 05:37:16 pm »
Hi guys,

I've just installed Sensei on my OPNsense and understand how I can block different apps like Netflix etc...

What I would like to do though is to route just the Netflix traffic through my WAN2, while all other traffic goes through WAN1. I cannot do it IP/host based, as the same host should use WAN1 for standard traffic and WAN2 just for Netflix.

Is this even possible?

Thanks
Soko
