Topic: Upgrade 2.4.0: firewall rule with alias and FQDN not working anymore

Offline ggzengel

Re: Upgrade 2.4.0: firewall rule with alias and FQDN not working anymore
« Reply #30 on: October 17, 2017, 03:26:36 pm »
I restarted my pfsense and got only one filterdns and it's working.
Now I will have a look how long it will be stable.

Offline ChrisCCC

Re: Upgrade 2.4.0: firewall rule with alias and FQDN not working anymore
« Reply #31 on: February 06, 2018, 08:55:20 am »
Hi All,

I know this is an old topic, but I, too, have noticed this issue occurring since an upgrade to 2.4.2. This definitely wasn't an issue previously, and very few config changes have been made since the upgrade.

I don't fully understand the process used to build these FQDN aliases, but I'll provide as much info as possible, in the hope it helps narrow down the root cause.

I've created a test Alias, called Host_Test, containing the FQDN 'www.test.com'.

- Viewing the table entry for this alias shows an empty table.

- DNS servers for the firewall are set to 8.8.8.8 and 8.8.4.4. DNS forwarders or resolver are not in use.

- DNS resolution for this hostname is working fine for both DNS servers under Status -> DNS Lookup.

- Running 'ps -A | grep filterdns' shows there is a process running called filterdns.

- If I view the log under System -> DNS Resolver, I can see that on the date of the upgrade (I assume on first boot after) there are entries such as the below, for almost all FQDN aliases configured on the firewall. There have since been no events logged in this log.

filterdns      failed to resolve host s186.fmp12-hosting.co.uk will retry later again.

This firewall has an HA partner, which doesn't seem to be experiencing the problem. Based on the total lack of logs since the primary firewall's initial boot, I'm wondering if the root cause is the process hanging (I assume 'filterdns' is the relevant process). Is it possible to safely kill and restart this process, or are there other considerations when doing this?
Offline ChrisCCC

Re: Upgrade 2.4.0: firewall rule with alias and FQDN not working anymore
« Reply #32 on: February 06, 2018, 09:10:23 am »
Quick followup. It looks like the process was hung. It's currently working after running "killall -9 filterdns" then saving and applying an Alias to restart the process.

What's potentially concerning is how soon after bootup this process seems to have stopped responding. Not sure if this is a one off for me, or something peculiar that's happening since the upgrade. I'll update this post if I notice the issue reoccur, especially after the next reboot.
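
The symptom reported in the two posts above (filterdns running, the name resolving, but the alias table empty) can be checked in one pass. This is an added example, not part of the original posts and not pfSense code; it assumes the pf table carries the alias name and that `pgrep` and `getent` are available on the firewall, and the function names and `CHECK_*` variables are hypothetical.

```shell
#!/bin/sh
# Added example: classify the state of one FQDN alias.
# Assumptions: the pf table is named after the alias; pgrep and getent exist.

# Count address lines (IPv4 or IPv6) in text read from stdin,
# e.g. the output of `pfctl -t <alias> -T show`.
count_entries() {
    grep -c '[0-9a-fA-F][.:]' || true
}

# classify <filterdns_running 0|1> <table_entries> <dns_answers>
classify() {
    running=$1; entries=$2; answers=$3
    if [ "$running" -eq 0 ]; then
        echo "filterdns-not-running"
    elif [ "$answers" -eq 0 ]; then
        echo "name-does-not-resolve"
    elif [ "$entries" -eq 0 ]; then
        # The state described in the thread: process present, DNS fine, table empty.
        echo "table-empty-while-name-resolves"
    else
        echo "ok"
    fi
}

# Gather the three facts on the firewall itself and classify them.
check_alias() {
    alias_name=$1; fqdn=$2
    if pgrep -x filterdns >/dev/null 2>&1; then up=1; else up=0; fi
    in_table=$(pfctl -t "$alias_name" -T show 2>/dev/null | count_entries)
    resolved=$(getent hosts "$fqdn" 2>/dev/null | count_entries)
    classify "$up" "$in_table" "$resolved"
}

# Runs only when both variables are set, for example:
#   CHECK_ALIAS=Host_Test CHECK_FQDN=www.test.com sh check_alias.sh
if [ -n "${CHECK_ALIAS:-}" ] && [ -n "${CHECK_FQDN:-}" ]; then
    check_alias "$CHECK_ALIAS" "$CHECK_FQDN"
fi
```

The script only reports; a rule that depends on an empty table matches nothing, so the `table-empty-while-name-resolves` result is the one worth alerting on.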

Offline Valeriy

Re: Upgrade 2.4.0: firewall rule with alias and FQDN not working anymore
« Reply #33 on: February 08, 2018, 05:34:34 pm »
I can confirm the issue and workaround by ChrisCCC
(Filter DNS service hangs, killall -9 filterdns and then Filter reload (in pfSense GUI) solves the issue.)

I got the same problem after upgrade to 2.4

Currently running snapshot [2.4.3-DEVELOPMENT (amd64) built on Sun Jan 07 20:44:55 CST 2018]

Things to consider (in no particular order), that might be causing it:

- I have a substantial amount of hostname records in different Firewall aliases (hundreds)

- After a while some hosts become obsolete (i.e. hostname does not resolve to IP address)

- Sometimes DNS servers might not be responding quickly (for such a big volume of DNS queries, perhaps)

I guess something is broken in the filterdns algorithm after release 2.4: either an incorrect response from the DNS server or the absence of a response causes it to hang.

Offline snarfattack

Re: Upgrade 2.4.0: firewall rule with alias and FQDN not working anymore
« Reply #34 on: February 09, 2018, 07:26:01 am »
Thanks for the workaround... this bug is driving me nuts too. Killing filterdns fixed the issue, at least temporarily for me. After a couple updates, it'll fail again.

Offline Valeriy

Re: Upgrade 2.4.0: firewall rule with alias and FQDN not working anymore
« Reply #35 on: February 16, 2018, 02:49:04 pm »
It drove me crazy too. I wish I could have read this thread before I spent a few hours looking for what is wrong.

Also,
https://forum.pfsense.org/index.php?topic=141441.15 is the same topic.
Maybe Moderators can merge it?