

Messages - ggzengel

Pages: [1] 2 3 4 5 ... 18
1
After activating IPv6 on one more interface and touching the WAN config, the NAT error is gone.
Even after reverting the changes.

I think pfSense should boot twice after upgrading.

2
I restarted my pfSense and got only one filterdns, and it's working.
Now I will have a look at how long it stays stable.

3
I think you should open a bug in Redmine.

4
If I understand it right:

You have local DNS entries which appear in /etc/hosts?
And now the first of the external DNS servers is not responding, and local IPs (from /etc/hosts) are not resolved in the alias table?

Normally nsswitch.conf looks like:
hosts: files dns

What does yours show?

5
I still had these two filterdns processes running.
I killed both. For the older one a plain kill was enough; the second one needed kill -9 to stop.

I removed the test entry with a FQDN inside, and pfSense started a new filterdns.
Now it's not spamming any more. Only on changes (adding/deleting entries or changing IPs) do I see filterdns entries in the log.

6
I have messages from filterdns in there. It's not dnsmasq and not unbound.

Even with unbound on another pfSense I get this:
Code:
Oct 13 01:59:09 filterdns adding entry 79.1.2.3 to ipfw table for host dummy.dyndns.org
Oct 13 00:59:06 filterdns failed to resolve host dummy.dyndns.org will retry later again.
Oct 12 22:24:47 filterdns adding entry 87.1.2.3 to ipfw table for dummy.dyndns.org
Oct 12 22:24:45 unbound 74165:0 info: start of service (unbound 1.6.6).
Oct 12 22:24:45 unbound 74165:0 notice: init module 0: iterator

7

Quote
edit:  This is the forwarder, going to have to forward somewhere ;)  I have not used the forwarder since they enabled unbound.. Well, really before that, when unbound was just a package.  A resolver is just so much better than a forwarder.  Not sure why anyone still uses it, to be honest ;)

I tried to migrate to unbound last year but had some problems: https://redmine.pfsense.org/issues/6065
Because I have more than 40 overrides, I don't want to try it again on this pfSense.
And there are still some unwanted effects with unbound: https://redmine.pfsense.org/issues/7884

8
Sep 22 22:18:56 dnsmasq 43335 using nameserver 8.8.4.4#53
Sep 22 22:18:56 dnsmasq 43335 using nameserver 8.8.8.8#53
Sep 22 22:18:56 dnsmasq 43335 ignoring nameserver 127.0.0.1 - local interface

What you see here is dnsmasq and not filterdns.
dnsmasq works on localhost, so it could not add itself; this would give a loop.

If filterdns is running, it works fine:
Code:
Oct 13 10:29:32 filterdns adding entry 10.19.4.250 to pf table smtp_server for host smtp.domain.local
Oct 13 10:29:32 filterdns clearing entry 10.19.4.250 from pf table smtp_server on host smtp.domain.local
Oct 13 10:15:01 filterdns adding entry 10.19.4.250 to pf table smtp_server for host smtp.domain.local
Oct 13 10:15:01 filterdns clearing entry 10.19.4.250 from pf table smtp_server on host smtp.domain.local
Oct 13 10:00:01 filterdns adding entry 10.19.4.250 to pf table smtp_server for host smtp.domain.local
Oct 13 10:00:01 filterdns clearing entry 10.19.4.250 from pf table smtp_server on host smtp.domain.local

But since the update it talks too much:
Code:
Oct 10 01:47:52 filterdns failed to resolve host smtp.domain.local will retry later again.
Sep 22 22:47:42 filterdns adding entry 10.19.4.250 to table smtp_server on host smtp.domain.local
Sep 22 22:42:48 filterdns failed to resolve host smtp.domain.local will retry later again.
Sep 22 22:18:56 dnsmasq 43335 using nameserver 8.8.4.4#53
Sep 22 22:18:56 dnsmasq 43335 using nameserver 8.8.8.8#53
Sep 22 22:18:56 dnsmasq 43335 ignoring nameserver 127.0.0.1 - local interface
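The posts above and below compare filterdns log runs by eye to decide whether a host's pf table entry is current. Below is an added example (not from this thread or from pfSense itself) that does that check over log text: it reads lines in the filterdns format shown in the thread and reports every host whose most recent message is a "failed to resolve", which is exactly the state in which the table may be left stale. The log lines in FILTERDNS_LOG are constructed for the demo from the formats posted here; mail.example.net is a made-up host added to show the failing case.

```shell
#!/bin/sh
# Added example, not pfSense code. Constructed sample in the filterdns log
# format seen in the thread (one real-looking host plus a made-up failing one).
FILTERDNS_LOG='Oct 12 20:41:45 filterdns failed to resolve host smtp.domain.local will retry later again.
Oct 12 20:41:45 filterdns adding entry 10.19.4.250 to pf table smtp_server for host smtp.domain.local
Oct 14 06:45:01 filterdns clearing entry 10.19.4.250 from pf table smtp_server on host smtp.domain.local
Oct 17 13:30:37 filterdns failed to resolve host mail.example.net will retry later again.
Oct 17 13:30:37 filterdns adding entry 216.58.210.3 to pf table Host for host www.google.de'

# unresolved_hosts: read log lines on stdin (e.g. clog /var/log/resolver.log
# on pfSense, or a pasted excerpt) and print, one per line, every host whose
# latest filterdns message is a failed resolution. Lines must be in
# chronological order; "clearing entry" lines are ignored because filterdns
# normally follows them with a fresh "adding entry".
unresolved_hosts() {
    grep ' filterdns ' | awk '
        / failed to resolve host / {
            # "... failed to resolve host NAME will retry later again."
            for (i = 1; i <= NF; i++) if ($i == "host") { state[$(i+1)] = "failed"; break }
            next
        }
        / adding entry / {
            # "... adding entry IP to pf table T for host NAME" (or the older
            # "... to ipfw table for NAME"): the host is always the last field.
            state[$NF] = "ok"
            next
        }
        END { for (h in state) if (state[h] == "failed") print h }
    ' | sort
}

# Stand-alone demo: prints "mail.example.net" for the constructed log above.
printf '%s\n' "$FILTERDNS_LOG" | unresolved_hosts
```

On a live box the output is the list of aliases to cross-check with `pfctl -t <table> -T show`; a host reported here whose table still contains an old address is the symptom described in the thread.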

9
What does Status/System Logs/System/DNS Resolver say?

Before the update it was working:
Code:
Sep 22 22:47:42 filterdns adding entry 10.19.4.250 to table smtp_server on host smtp.domain.local
Sep 22 22:42:48 filterdns failed to resolve host smtp.domain.local will retry later again.
Sep 22 22:18:56 dnsmasq 43335 using nameserver 8.8.4.4#53
Sep 22 22:18:56 dnsmasq 43335 using nameserver 8.8.8.8#53
Sep 22 22:18:56 dnsmasq 43335 ignoring nameserver 127.0.0.1 - local interface

After the update it was working too:
Code:
Oct 12 20:41:53 filterdns adding entry 10.19.4.250 to pf table smtp_server for host smtp.domain.local
Oct 12 20:41:53 filterdns clearing entry 10.19.4.250 from pf table smtp_server on host smtp.domain.local
Oct 12 20:41:46 filterdns adding entry 10.19.4.250 to pf table smtp_server for host smtp.domain.local
Oct 12 20:41:46 filterdns clearing entry 10.19.4.250 from pf table smtp_server on host smtp.domain.local
Oct 12 20:41:45 filterdns adding entry 10.19.4.250 to pf table smtp_server for host smtp.domain.local
Oct 12 20:41:45 filterdns failed to resolve host smtp.domain.local will retry later again.
Oct 12 20:26:06 dnsmasq 860 using nameserver 8.8.4.4#53
Oct 12 20:26:06 dnsmasq 860 using nameserver 8.8.8.8#53
Oct 12 20:26:06 dnsmasq 860 ignoring nameserver 127.0.0.1 - local interface

Suddenly, on Saturday, it didn't update this entry any more:
Code:
Oct 17 13:30:37 filterdns adding entry 216.58.210.3 to pf table Host for host www.google.de
Oct 17 13:30:37 filterdns adding entry 10.19.4.250 to pf table Host for host smtp.domain.local
Oct 14 06:45:01 filterdns clearing entry 10.19.4.250 from pf table smtp_server on host smtp.domain.local
Oct 14 06:30:01 filterdns adding entry 10.19.4.250 to pf table smtp_server for host smtp.domain.local
Oct 14 06:30:01 filterdns clearing entry 10.19.4.250 from pf table smtp_server on host smtp.domain.local
Oct 14 06:15:01 filterdns adding entry 10.19.4.250 to pf table smtp_server for host smtp.domain.local
Oct 14 06:15:01 filterdns clearing entry 10.19.4.250 from pf table smtp_server on host smtp.domain.local
Oct 14 06:00:01 filterdns adding entry 10.19.4.250 to pf table smtp_server for host smtp.domain.local

It only worked today because I added google too.
Yesterday, on Oct 16, I successfully pinged smtp.domain.local. So why didn't it update? Did the job crash?

I think filterdns has a problem. I have two running, and since the second one has been running I have a fresh alias table:
Code:
ps aux | grep filterdns
root   19719   0.0  0.3  21492  3184  -  Is   13:30       0:00.03 /usr/local/sbin/filterdns -p /var/run/filterdns.pid -i 300 -c /var/etc/filterdns.conf -d 1
root   58949   0.0  0.3  12784  2616  -  Is   Thu20       0:00.35 /usr/local/sbin/filterdns -p /var/run/filterdns.pid -i 300 -c /var/etc/filterdns.conf -d 1
root   44060   0.0  0.2  14728  2444  0  S+   15:03       0:00.00 grep filterdns
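The ps listing above shows two filterdns daemons started with the same -p pid file, which the poster later had to kill by hand. As an added example (not from this thread or from pfSense), the following shell functions turn that check into something scriptable: one reports pid files claimed by more than one filterdns process, the other lists the processes that are not the pid recorded in the pid file, i.e. the orphans. PS_OUTPUT is the thread's own listing, embedded so the script runs offline; on a pfSense box you would feed it `ps aux` instead.

```shell
#!/bin/sh
# Added example, not pfSense code. PS_OUTPUT is the listing from the post
# above, embedded so this runs offline; live use: ps aux | duplicate_pidfiles
PS_OUTPUT='root   19719   0.0  0.3  21492  3184  -  Is   13:30       0:00.03 /usr/local/sbin/filterdns -p /var/run/filterdns.pid -i 300 -c /var/etc/filterdns.conf -d 1
root   58949   0.0  0.3  12784  2616  -  Is   Thu20       0:00.35 /usr/local/sbin/filterdns -p /var/run/filterdns.pid -i 300 -c /var/etc/filterdns.conf -d 1
root   44060   0.0  0.2  14728  2444  0  S+   15:03       0:00.00 grep filterdns'

# duplicate_pidfiles: read "ps aux" lines on stdin and print "<pidfile> <count>"
# for every pid file claimed by more than one filterdns process. In BSD ps
# output the command is field 11, so the "grep filterdns" line is skipped.
duplicate_pidfiles() {
    awk '
        $11 ~ /\/filterdns$/ {
            pidfile = "(none)"
            for (i = 12; i <= NF; i++) if ($i == "-p") { pidfile = $(i+1); break }
            n[pidfile]++
        }
        END { for (p in n) if (n[p] > 1) print p, n[p] }
    ' | sort
}

# orphan_filterdns_pids RECORDED_PID: read "ps aux" lines on stdin and print
# the pids of filterdns processes other than RECORDED_PID. On pfSense,
# RECORDED_PID comes from: cat /var/run/filterdns.pid
orphan_filterdns_pids() {
    awk -v keep="$1" '$11 ~ /\/filterdns$/ && $2 != keep { print $2 }'
}

# Stand-alone demo against the embedded listing:
# prints "/var/run/filterdns.pid 2", then "58949" (assuming the pid file
# names 19719, the newer instance).
printf '%s\n' "$PS_OUTPUT" | duplicate_pidfiles
printf '%s\n' "$PS_OUTPUT" | orphan_filterdns_pids 19719
```

Only the pid recorded in the pid file is the instance pfSense will signal on a filter reload; any other copy keeps running with whatever config it loaded, which matches the thread's observation that one copy needed kill -9 and that the table only refreshed once a second instance appeared.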

10
Can you test a FQDN you have never used before?
Just to see if it's a caching problem.

11
This is an outside-located perimeter firewall and is connected to the core network over OpenVPN.
The SMTP and DNS servers are in the core network. The domain.local TLD is forwarded with a Domain Override.
This solution (OpenVPN, DNS forward, FQDN alias) has been working for years.

I don't know what happened after the update that disturbed this solution so much.
Normally the tables should be reloaded on interface changes and everything should be alright.

1st guess: It didn't refresh the alias table, even when saving old entries.
2nd guess: It looks like there was a negative DNS cache entry for the alias tables which didn't expire as long as it was always in use. While booting, the FQDN couldn't be resolved.

Perhaps tonight I can reboot the pfSense and will see what happens.

12
Strange:
From the update on Friday until yesterday the firewall was blocking the SMTP port.
Yesterday I saved this table entry again in the hope it would work, but it still blocked the port.
Only changing to an IP resolved this problem.
Today, after trying multiple entries with google, it's working again.
Now I have a FQDN entry and the firewall is open again. WTF?

13
Are you using Domain Overrides and querying them in your alias table?

14
Can you read?

> Diagnostics -> Ping is working.

And it worked before the update!
