Netgate Store

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Messages - farrina

Pages: [1]
1
I have updated my pfsense installation from 2.4.2-1 to 2.4.3 (these have all been incremental updates from earlier versions) and pfsense now has a problem retrieving package information within Package Manager

I should at this stage advise that I run multiple outbound VPN clients and DNS traffic is forced exclusively down one of the VPN Client (I appreciate its a bit of a chicken/egg situation but I have configured the client to connect by IP rather than DNS resolution).

I am running unbound fully resolving with DNSSEC enabled

The update proceeded normally (something like 97 packages being updated) but on rebooting and logging in via the GUI I was advised to make no configuration changes until the previously installed packages (eg Snort/pfblockerNG) were downloaded and reinstalled.

This eventually timed out without downloading with a notice (under Available Packages) showing "Unable to retrieve package information".

Logging in via the console and running option (13) "Update from Console" reported the following error message

>>> Updating repositories metadata...
Updating pfSense-core repository catalogue...
pkg-static: Repository pfSense-core load error: access repo file(/var/db/pkg/repo-pfSense-core.sqlite) failed: No such file or directory
pkg-static: https://pkg.pfsense.org/pfSense_v2_4_3_amd64-core/meta.txz: Network is unreachable
repository pfSense-core has no meta file, using default settings
pkg-static: https://pkg.pfsense.org/pfSense_v2_4_3_amd64-core/packagesite.txz: Network is unreachable
Unable to update repository pfSense-core
Updating pfSense repository catalogue...
pkg-static: Repository pfSense load error: access repo file(/var/db/pkg/repo-pfSense.sqlite) failed: No such file or directory
pkg-static: https://pkg.pfsense.org/pfSense_v2_4_3_amd64-pfSense_v2_4_3/meta.txz: Network is unreachable
repository pfSense has no meta file, using default settings
pkg-static: https://pkg.pfsense.org/pfSense_v2_4_3_amd64-pfSense_v2_4_3/packagesite.txz: Network is unreachable
Unable to update repository pfSense
Error updating repositories!

DNS appears to be resolving fine for pfsense.org (but not for https://pkg.pfsense.org)

casper@ghost ~ $ nslookup
> pfsense.org
Server:      127.0.1.1
Address:   127.0.1.1#53

Non-authoritative answer:
Name:   pfsense.org
Address: 208.123.73.69


In attempting to resolve this issue I have tried restoring the configuration backup (taking immediately prior to commencing the upgrade) over the top of the update and when this did not work, undertook a vanilla install of 2.4.3 again with the configuration backup over the top again. I have also tried a vanilla install of 2.4.2 without success.

My problem looks to be very similar to an earlier posting on this forum here

https://forum.pfsense.org/index.php?topic=139276.0

But the solutions suggested do not work for me

I wonder if anyone can assist (or if mods consider appropriate) perhaps move this topic to the DNS forum ?

Cheers

2
DHCP and DNS / Re: Unbound DNS key error
« on: January 13, 2018, 09:13:41 am »
In case anyone else comes across this query I thought I would post an update.

Since posting my original message I have continued to experience intermittent key errors lasting for minutes at a time (with consequent loss of DNS resolution).

Now it may be mere coincidence, but since I enabled Pre-fetch DSN Key Support (Services/DNS Resolver/Advanced Settings I have not experience a repetition of these key error message.

I don't profess to know the reason why this might have resolved my issue.



3
DHCP and DNS / Unbound DNS key error
« on: January 01, 2018, 10:13:23 am »
Hello

I am running 2.4.2-RELEASE-p1 (amd64) and am having periodic failures with DNS (unbound running in I believe resolver mode with DNSSEC enabled).

Looking in the status / system logs / DNS resolver I am seeing at the time of DNS failure the following entries (snipped to avoid repetition)

Jan 1 15:57:42    unbound    80204:3    info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Jan 1 15:57:26    unbound    80204:2    info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN

I am also running pfblockerNG and this updates once a day. The above error seems to commonly occur on the restart of unbound post pflockerNG update, but it can also occur randomly (whilst undound is running).

Usually the error seems to disappear after a short period of time (say 5 minutes) and dsn resolution recommences

I wonder if anyone can assist with any troubleshooting suggestions ?

Cheers

4
DHCP and DNS / Re: DNS Routing issue - pfblockerNG and OpenVPN Client
« on: December 15, 2017, 06:13:05 am »
Hello

Thanks for the link to the German DNSSEC testing website. It confirms that Unbound on my pfsense box is operating in secure mode. Strangely when undertaking a dnslookup all my responses are still qualified as “non-authoritative”.

I have noted your various other tips (for which many thanks) and I shall bear these in mind.

Once again many thanks for your interest

5
DHCP and DNS / Re: DNS Routing issue - pfblockerNG and OpenVPN Client
« on: December 14, 2017, 11:19:48 am »
Thank you very much for taking the time to respond to my plea for help and providing the various links.

if I understand it correctly (albeit it at a very basic level!), by operating Unbound in resolver mode, this would result in it (ie my pfsense box) querying DNS root and authoritative servers directly for secure name resolution.

I believe I am presently forwarding DNS queries via Unbound to my VPN providers DNS servers who then undertake the resolution for me. Whilst I am happy that they are not logging my actual queries (unlike my ISP!) unless their DNS servers are operating in DNSSEC mode I presume they (and I) are vulnerable to DNS cache poisoning. So for maximum security, DNSSEC would appear to be the way to proceed.

Turning to some of your specific “starting” questions.

My LAN is presently just a single subnet for all my devices.

I have configured pfblockerNG with a number of DNSBL feeds to block both malicious/advert servers, along with specific “bad” IP addresses. In configuring I found this guide quite helpful

https://forum.it-monkey.net/index.php?topic=22.0

Whilst it is only early days. it appears to be operating well and I am already seeing a lot of entries in the Alert/Log files. Most of these appear to be generated when using my iOS devices (I use NoScript on my desktop computers so that might explain the dearth of alerts from this source). To be honest I am quite shocked at the volume of outbound connections to usage monitoring sites etc. from the various applications installed on my Apple devices.

My VPN provider did instruct me to setup a VPN interface with NAT outgoing (this has been done under the Manual Outbound NAT rule generation mode.

In case it is of any interest. the VPN setup guide can be viewed here https://www.ivpn.net/setup/router-pfsense.html

In Manual Outbound NAT rule generation mode I have two rules for the VPN interface and two for the WAN thus

Interface      VPN
Source         <single internal subnet>
Source Port      Any
Destination      Any
NAT Address      VPN addresses
NAT Port      Any
Static Port      Randomised source

There is also a rule described as “auto created rule for ISAKMP LAN to VPN” configured thus

Interface      VPN
Source         <single internal subnet>
Source Port      Any
Destination      500
NAT Address      VPN addresses
NAT Port      Any
Static Port      Yes

The WAN rules are similar to the above but with the exception the interface is WAN, source is 127.0.0.0/8 and NAT address is the WAN interface.

To be frank, presently the above is somewhat  “over my head”  – I presume it is allowing traffic on the LAN to exit via the VPN and WAN interfaces respectively on a NAT basis.

I have attempted to switch Unbound into resolver mode by making the changes suggested ie

Services -> DNS Resolver -> General settings
-Network Interfaces - I have only my internal interfaces selected (i.e. LAN and VLANs in my case)...you also need to select "Localhost"
-Outgoing Network Interfaces - I only have my VPN interface selected

System -> General Setup
- DNS Server Override and Disable DNS Forwarder are NOT checked
- No DNS Servers are selected

Services -> DHCP Server -> LAN
- No DNS Servers assigned

Whilst following these changes, DNS resolution is occurring, I have run into two issues.

The first one is that responses to external DNS queries appear to be returned lame (ie Non-authoritative) suggesting DNSSEC is not working – see below from a network client.

casper@ghost ~ $ nslookup
> kodi
Server:      127.0.1.1
Address:   127.0.1.1#53

Name:   kodi.Wobble
Address: 192.168.123.122
> hsbc.co.uk   
Server:      127.0.1.1
Address:   127.0.1.1#53

Non-authoritative answer:
Name:   hsbc.co.uk
Address: 193.108.75.106
Name:   hsbc.co.uk
Address: 91.214.6.117
>

Secondly, as soon as my VPN drops, it is unable to reconnect as it cannot resolve the external IP address of its gateway. Presently the only solution to this is to temporarily add Google 8.8.8.8 back in (System General Setting DNS servers) and then remove once the VPN is back up.

Presently I am feeling somewhat overwhelmed and very much like the new kid on his first day of school. I obviously need to undertake some further reading, reflection and tickering.

Once again many thanks for your interest and help.

6
DHCP and DNS / DNS Routing issue - pfblockerNG and OpenVPN Client
« on: December 13, 2017, 06:01:15 am »
Earlier this year having decided to route all external traffic from my home network via a permanent router based OpenVPN client to an external VPN provider I switched to using pfsense.

I am based in the UK and have an external VDSL FTTC  WAN residential connection using a Draytek 130 modem. Whilst reasonably technically proficient, this is a big step up from the average consumer gateway product and I am acutely conscious of my ignorance!

My pfsense box also operates as the DHCP server for my single subnet.

When connecting to my OpenVPN provider I am allocated a dynamic internal IP address on their network and my Status/System Logs/Open/VPN log shows the internal DNS server address to be used (typically x.x.x.1 on the same subnet as my dynamically allocated internal VPN IP address).

In configuring my OpenVPN client setup (and following the providers instructions) I  added this internal DNS server IP to the DNS server field 1 in Services/DHCP/Servers

Under System/General Setup/DNS Server Settings (again following provider instructions) I added the standard Google DNS servers

8.8.8.8         WAN_PPPOE WAN
8.8.4.4         WAN_PPPOE WAN   

Testing from client subnet devices showed no DNS leaks (although my pfsense box is able to use the standard Google DNS servers from within Diagnostics/DNS Lookup)

This setup has operated reliably for the last 6 months.

Latterly (fed up of battling constant adverts) I have installed a pfsense package pfblockerNG and this is where all the fun commenced (and is the reason for my visit to these forums).

What I am attempting to achieve is the following

1. Continue to route all external network traffic via the VPN connection

2. No DNS leaks outside of the VPN

3. Using the pfsense DNS Resolver service to utilise the blocking functionality provided by pfblockerNG for all local DNS queries and forward upstream queries to my VPN providers DNS.

Currently I have a working solution, albeit DNS resolution is relatively slow (up to 3 seconds) achieved by:

A.  Selecting only Open VPN Interface within  Services/DNS Resolver/General Settings/Outgoing Network Interfaces

B.  Enabling Services/DNS Resolver/General Settings/DNS Query Forwarding

C. Removing external VPN DNS server details from  Services/DHCP Server/Servers

D. Adding external VPN DNS server details with relevant VPN interface gateway selected to System/ General Setup/DNS Server Settings

However on testing there are external DNS leaks. This puzzled me as I thought that in specifying only OpenVPN interface, as in step (A) above, this would prevent any forwarded queries from DNS Resolver routing outside of the VPN interface gateway.

To negate the leak I have had to remove the Google DNS entries from System/ General Setup/DNS Server Settings leaving the VPN server as the sole external DNS provider.

Obviously in doing this I will have an immediate problem if the VPN drops as external DNS resolution will fail and a reconnect will be problematical (chicken and egg!).

To try and negate this scenario (and as my VPN provider allows multiple connections) I have configured a second always on VPN interface to an alternative gateway in another country and added the associated VPN internal DNS to the System General DNS Settings field.

DNS Leak testing shows that no further DNS leaks with only the two VPN providers DNS being used.

Whilst working, this is undoubtedly a “botched” solution and in my ignorance I wonder if anyone could assist with a more elegant solution (or point out my “newbie” configuration mistakes).

I have summarised below the various current settings which I believe may be relevant to my query.

Pfsense 2.4.2 (running on a Quad core Intel Celeron CPU N3160 @ 1.60GHz with 8GB RAM)

Services/DNS Resolver

Network Interfaces   → All
Outgoing Network Interfaces      → vpn1 & vpn2

DNSSEC support         Enabled (ticked)
Forwarding Mode         Enabled (ticked)
DHCP Registration         Disabled (unticked)

System/ General Setup

DNS Server Settings

Internal IP Address of vpn1      Gateway for vpn1 Interface selected
Internal IP Address of vpn2      Gateway for vpn2 Interface selected

DNS Server Override   DHCP/PPP   Disabled (unticked)
Disable DNS Forwarder      Enabled (ticked)

Services/DHCP Server

Enable DHCP server on LAN    enabled (ticked)
Servers            all blank (WINS & DNS)

Other Options
Gateway       

Pages: [1]