Netgate Discussion Forum

DHCP lease screen not loading

DHCP and DNS
  • G
    Gertjan @skitapa
    last edited by Sep 22, 2021, 8:23 AM

    @skitapa said in DHCP lease screen not loading:

    I get the access control errors when connecting, with a browser, to my PfSense device, removing my router from my network surely will make the errors go away

    Not pfSense. pfSense works, as you and me use the same version.
    Remove the device you use that hits pfSense. For example, use your 'phone' instead to visit the pfSense GUI.
    Or use another browser.
    Or tell the browser that you use to accept 'Java'/'ajax' stuff. You're using some addon in your browser that blocks something ?

    Also : is your connection to pfSense wired ? Wifi ? The IP LAN isn't changing ?
    If the connection gets killed, your device isn't considered connected ( == authenticated as 'admin' ) any more and subsequent dashboard updates/refreshes fail. Normally, the browser should get redirected to the login page, and ajax calls from your browser should stop.

    No "help me" PM's please. Use the forum, the community will thank you.
    Edit : and where are the logs ??

    • S
      skitapa @Gertjan
      last edited by Sep 24, 2021, 6:25 AM

      @gertjan said in DHCP lease screen not loading:

      @skitapa said in DHCP lease screen not loading:

      I get the access control errors when connecting, with a browser, to my PfSense device, removing my router from my network surely will make the errors go away

      Not pfSense. pfSense works, as you and me use the same version.
      Remove the device you use that hits pfSense. For example, use your 'phone' instead to visit the pfSense GUI.
      Or use another browser.
      Or tell the browser that you use to accept 'Java'/'ajax' stuff. You're using some addon in your browser that blocks something ?

      Also : is your connection to pfSense wired ? Wifi ? The IP LAN isn't changing ?
      If the connection gets killed, your device isn't considered connected ( == authenticated as 'admin' ) any more and subsequent dashboard updates/refreshes fail. Normally, the browser should get redirected to the login page, and ajax calls from your browser should stop.

      Hi!

      The problem has sorted itself right now. I do not know why it started working all of a sudden. I have done a lot of changes to the domain, IPs and so on.
      Because the problem stems from an issue where the webpage is addressing another domain it is very hard to implement a website, or an admin web interface, that is resilient to this as the very idea of PfSense is to be able to change this thing on the fly.

      I saw this on a laptop so the errors were over a wireless connection, did not test it from a wired one. If it happens again I will test it from a wired connection.

      • V
        viktor_g Netgate
        last edited by Sep 24, 2021, 1:35 PM

        Could you test this patch: 401.diff ?

        See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

        • S
          skitapa @viktor_g
          last edited by Sep 24, 2021, 1:50 PM

          @viktor_g I can indeed, but I will wait until I experience the problems again.

          That way I can verify that it is the patch that solves the problem and not something else 👍

          • O
            onzippy @viktor_g
            last edited by Sep 25, 2021, 9:28 AM

            @viktor_g The patch resolved the issue for me.
            Status / DHCP Leases page now loads immediately. (had been taking ~40 seconds since the 2.5.2 upgrade).
            Thanks.

            • G
              Gertjan @viktor_g
              last edited by Sep 27, 2021, 7:19 AM

              @viktor_g said in DHCP lease screen not loading:

              Could you test this patch: 401.diff ?

              Hard coded 8.8.8.8 and 8.8.4.4 😢
              So these are now needed because the (local) DNS is 'unavailable' for pfSense ?

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

              • C
                chance @Gertjan
                last edited by Sep 27, 2021, 5:44 PM

                Someone please tell me this is just a testing patch and nobody realistically expects us to have 8.8.8.8 and 8.8.4.4 hard coded and allowed to be contacted by the pfsense box?

                • H
                  hazarjast @viktor_g
                  last edited by Sep 28, 2021, 4:48 AM

                  @viktor_g Applied the patch but no joy. DHCP Leases page tries to load for over 2 minutes before ending in a 504.

                  • G
                    Gertjan @chance
                    last edited by Sep 28, 2021, 8:26 AM

                    @chance said in DHCP lease screen not loading:

                    Someone please tell me this is just a testing patch and nobody realistically expects us to have 8.8.8.8 and 8.8.4.4 hard coded and allowed to be contacted by the pfsense box?

                    I installed the patch - it installs just fine on 2.5.2 CE.
                    The good news : the patch is just a safety net, and not actually using "8.8.8.8" to resolve.
                    8.8.8.8 and 8.8.4.4 are just two (world's most) known IPs used to 'test' if pfSense itself can resolve.
                    If it can't, the call to the following PHP function "gethostbyaddr()" is bypassed. This happens in several places in the GUI code.

                    The test determines if it can get the reverse PTR of 8.8.8.8 and/or 8.8.4.4.
                    If it can't, local DNS seems to be not available, and calls to "gethostbyaddr()" will get skipped.

                    @hazarjast said in DHCP lease screen not loading:

                    Applied the patch but no joy. DHCP Leases page tries to load for over 2 minutes before ending in a 504.

                    The patch works.
                    When NOT installed, everything works fine for me.
                    When I stop the resolver, and I visit, for example, Status> DHCP Leases, it takes forever to load that page.
                    When I install the patch, Status> DHCP Leases shows up immediately, with or without the resolver running.

                    Actually : @viktor_g : 👍

                    What about adding a global pfSense notification, the one that shows up on the top of the main dashboard page, that tells the admin that local DNS is not working ?

                    No "help me" PM's please. Use the forum, the community will thank you.
                    Edit : and where are the logs ??

                    • H
                      hazarjast @Gertjan
                      last edited by Sep 28, 2021, 12:22 PM

                      @gertjan I have neither the forwarder nor resolver enabled (I use NextDNS daemon DNS). With the patch applied 'DHCP Leases' still loads for an eternity before finally returning a 504. Screenshots attached below. Perhaps there is something additional required for the patch to work which I am missing?
                      🔒 Log in to view
                      🔒 Log in to view
                      🔒 Log in to view

                        • H
                          hazarjast
                          last edited by Sep 28, 2021, 5:14 PM

                          UPDATE
                          It seems this issue exists when using DNS Resolver (Unbound) or when using an external DNS server like NextDNS CLI daemon. In my case I reverted the patch provided in this thread and switched back to using DNS Forwarder for local lookups with NextDNS for external lookups. This allowed the DHCP Leases page to load more consistently without 504s although randomly it still takes longer to load than before I upgraded to 2.5.2. Really hoping the root issue is found and remediated in the next release. Until then at least this is no longer a showstopper for me.

                          For anyone using something like NextDNS wanting a reference configuration, I am using the configuration at the end of the thread here. Below are my DNS Forwarder (dnsmasq) settings in pfSense for reference (do not use strict binding if IPv6 is required):
                          🔒 Log in to view

                          • H
                            hazarjast
                            last edited by hazarjast Sep 28, 2021, 8:13 PM Sep 28, 2021, 8:06 PM

                            Forgot to include that under General Settings I selected 'Use local DNS (127.0.0.1), ignore remote DNS Servers' in conjunction with the DNS Forwarder selections:
                            🔒 Log in to view

                            This is probably implied but, for transparency, DHCP DNS server is set to the LAN IP of pfSense which is running the NextDNS CLI daemon:
                            🔒 Log in to view

                            • S
                              ssp
                              last edited by Apr 15, 2022, 5:31 AM

                              In CE 2.6.0, I get the 504 time out. I comment out this line in /etc/inc/system.inc, and it loads instantly even with a few thousand IPs leased:
                              $hostname = gethostbyaddr($item['ip']);

                              Yes using a DNS forwarder because of many internal systems that we need hostnames mapped to. Everything is on one device with our gateway firewall functions, dhcp, dns forwarding.

                              In the status screen at /status_dhcp_leases.php, the "Hostname" column seems to be indicating something against most leases, corresponding to their device's internal name (computer name, etc.).

                              Could someone kindly explain why a DNS lookup would even be happening for DHCP leases? Aren't all the devices internal?

                              • G
                                Gertjan @ssp
                                last edited by Apr 15, 2022, 8:05 AM

                                @ssp said in DHCP lease screen not loading:

                                Could someone kindly explain why a DNS lookup would even be happening for DHCP leases? Aren't all the devices internal?

                                These are your leases : /var/dhcpd/var/db/dhcpd.leases
                                As you can see, the client host name is present. This is the name that the device gave to pfSense, and isn't necessarily the name pfSense gave it. That is, the name you gave it when you created a static DHCP lease.

                                gethostbyaddr() is used to get the registered DNS host name using the IP, found in the lease.

                                The (your) issue is : the DNS isn't working.
                                What gethostbyaddr() does : it uses /etc/resolv.conf to get the address of the 'nameserver', normally 127.0.0.1. Then it connects to 127.0.0.1 port 53 and does the DNS request.

                                So, does your DNS forwarder listen on 127.0.0.1 - or whatever IP you found in /etc/resolv.conf ?

                                No "help me" PM's please. Use the forum, the community will thank you.
                                Edit : and where are the logs ??

                                • A
                                  ahsunh @ssp
                                  last edited by Apr 16, 2022, 6:31 PM

                                  @ssp As far as I observed, PfblockerNG python mode causes an issue for DHCP lease page loading. Please test if you use python mode in the PfblockerNG devel version.
                                  Without Python mode it works fine as expected.

                                  • S
                                    ssp @Gertjan
                                    last edited by Apr 17, 2022, 4:00 AM

                                    @gertjan Thank you for explaining that!

                                    I use DNS Forwarder in pfSense. It listens on LAN port 53. I have the "Do not forward private reverse lookups" checked. I have a few host overrides which map to a few of our internal hosts. That's it. System - General Setup - DNS Servers list the OpenDNS servers that we use (these are reflected in /etc/resolv.conf). I suppose those would not respond to reverse IP lookups anyway.

                                    Not sure what I would do differently. The getaddrbyhost is not a functionality I would need. Have not changed settings for years but DHCP leases page stopped loading last few CE versions.

                                    • G
                                      Gertjan @ssp
                                      last edited by Apr 18, 2022, 6:55 AM

                                      @all :

                                      See here :

                                      https://www.php.net/manual/fr/function.gethostbyaddr.php

                                      If you create a file called dns.php here /usr/local/www/

                                      <?php
                                      $hostname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
                                      
                                      echo $hostname;
                                      ?>
                                      

                                      you will be able to access pfSense, login first, and then you visit
                                      https://your-pfsense.tld/dns.php

                                      This should show the fully qualified host name on the page, like :

                                      🔒 Log in to view

                                      Btw : the function gethostbyaddr() isn't a PHP thing. It's a core Windows/Linux/MacOS/FreeBSD/OpenBSD system function and should work.

                                      There are exceptions, but read : https://www.php.net/manual/fr/function.gethostbyaddr.php again : it won't work if DNS on the device ( pfSense ) is 'broken'. This function is capable of returning 'nothing' after a long wait time. The GUI ( web server, that uses PHP to execute the function ) seems to hang, or even time out with a "503".

                                      When you visit the command line, option 8, and type :

                                      host 192.168.1.6
                                      where 192.168.1.6 is the IP of the device you use to visit pfSense :

                                      [2.6.0-RELEASE][admin@pfsense.yourpfsense.tld]/usr/local/www: host 192.168.1.6
                                      6.1.168.192.in-addr.arpa domain name pointer Gauche2.yourpfsense.tld.
                                      

                                      @ahsunh said in DHCP lease screen not loading:

                                      Without Python mode it works fine as expected

                                      This mode asks for something special :

                                      🔒 Log in to view

                                      which means you have to remove the check from :

                                      🔒 Log in to view

                                      which means that, when your LAN devices ask for a lease, their known hosts names will not get written in the "local DNS device list".
                                      There is a very old issue with this option. It works fine on a small network, but deselect it when you have many DHCP client devices on your network. See the 'thousands' of other forum posts about the 'why' part.

                                      When you ask for the reverse of an IP that isn't known in the local DNS cache/list :

                                      [2.6.0-RELEASE][admin@pfsense.yourpfsense.tld]/usr/local/www: host 192.168.1.100
                                      Host 100.1.168.192.in-addr.arpa not found: 3(NXDOMAIN)
                                      

                                      This NXDOMAIN should be given immediately, without any delay.

                                      Btw :
                                      Make an entry for every device that you want to know by host name and IP under
                                      Services > DHCP Server > LAN > DHCP Static Mappings for this Interface

                                      and keep this option selected :

                                      🔒 Log in to view

                                      ( by default, it is ).

                                      @ssp said in DHCP lease screen not loading:

                                      I use DNS Forwarder in pfSense. It listens on LAN port 53.

                                      and 127.0.0.1 I hope ^^

                                      @ssp said in DHCP lease screen not loading:

                                      (these are reflected in /etc/resolv.conf)

                                      What's in it ?

                                      @ssp said in DHCP lease screen not loading:

                                      I suppose those would not respond to reverse IP lookups anyway.

                                      I hope not.
                                      If you would ask : who is 192.168.1.1 to them they ( upstream resolver ) would know that your system has a huge issue. As it boils down to asking a stranger " can you tell me what my name is ? ".
                                      It makes no sense to reverse resolve an RFC1918 ( local IPs ) address using an upstream resolver.

                                      @ssp said in DHCP lease screen not loading:

                                      Could someone kindly explain why a DNS lookup would even be happening for DHCP leases? Aren't all the devices internal?

                                      When a device asks for a lease, it will communicate some confirmation about itself.
                                      One of them is the name your device thinks it's called.
                                      It could be an empty ( non ) text.
                                      Or something like "android-d90b45910562a5e0" (for those who never bothered setting a 'name' for their device).
                                      Or iPhone-X-Gertjan if you've set one.

                                      But, you can use a "static MAC DHCP" entry, and name the device differently. This way, whatever the device was telling about its host name isn't used for DNS. It's you, the admin, that decides how the device is called in the network.
                                      Take note that for some devices you can't set the host name anyway. For example, I've multiple credit card terminals here, and their host name is hard coded.
                                      So I created a static MAC DHCP lease : "TPE-Restaurant", "TPE-Bar" and "TPE-Hotel".

                                      What you also need to know :
                                      The DNS resolver doesn't know about DHCP, doesn't know what DHCP is.
                                      On the other hand, the DHCP server maintains and hands out DHCP leases : it knows what device with what MAC address uses what IP for which duration.

                                      So, some "glue code" was written that converts the local leases, stored here /var/dhcpd/var/db/dhcpd.leases (see the file for yourself ) into another file that the local dns resolver (or forwarder) understands. For the resolver, that will be /var/unbound/dhcpleases_entries.conf
                                      For every new incoming lease handed out by the DHCP server, the "glue code" is started, leases are converted, and the local dns (resolver or forwarder) is signalled : "hey, there is new info available, please re read the files on disk as I changed one of them".
                                      For the resolver, this boils down to : restarting it.
                                      DNSMasq : the forwarder, I don't know.

                                      That's why I prefer to stop this "restarting", as during the restart of the resolver, DNS is temporarily unavailable to the entire network, pfSense and all connected devices on all LANs.
                                      It's not an issue if you have one or two devices that are wired up to pfSense, and ask a new lease every day or so.
                                      But if you have many devices, and many radio based ( known as Wifi ) devices, the DHCP requests are really accelerating.
                                      Having DNS restarted ( again : the resolver, the forwarder, I don't know ) this becomes noticeable.
                                      And then came pfBlockerNG-devel. People start to add huge lists of DNSBL's. These lists have to be re read also by the resolver on every (re) start up. Restarting of the resolver becomes slooooow.
                                      Slow, and very frequent means : DNS is often ko.
                                      And that's not good at all, connected people really start to notice this.

                                      No "help me" PM's please. Use the forum, the community will thank you.
                                      Edit : and where are the logs ??

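The checks walked through in the post above (which server /etc/resolv.conf points at, the in-addr.arpa name a reverse lookup asks for, and why a private address should not be sent upstream), as an added shell example that is not part of the thread or of pfSense. The function names, the 203.0.113.x nameservers and the sample lease file are constructed for illustration; `time_ptr` is the only function that touches the network and the demo does not call it.

```shell
#!/bin/sh
# Added example (not pfSense code): where would a reverse lookup for a lease IP go?

# Nameserver addresses from a resolv.conf-style file, one per line.
nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# IPv4 addresses that have a lease block in an ISC dhcpd.leases-style file.
lease_ips() {
    awk '$1 == "lease" && $3 == "{" { print $2 }' "$1" | sort -u
}

# The name a PTR query asks for: 192.168.1.6 -> 6.1.168.192.in-addr.arpa
# Fails (non-zero status, no output) when the argument is not dotted IPv4.
ptr_name() {
    echo "$1" | awk -F. '
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $4 "." $3 "." $2 "." $1 ".in-addr.arpa"; ok = 1 }
        END { exit !ok }'
}

# True for RFC 1918 space (10/8, 172.16/12, 192.168/16).
is_rfc1918() {
    echo "$1" | awk -F. '{ exit !($1 == 10 || ($1 == 172 && $2 >= 16 && $2 <= 31) || ($1 == 192 && $2 == 168)) }'
}

# Classify the first server the system resolver would ask about IP ($2),
# given a resolv.conf-style file ($1):
#   local             loopback resolver or forwarder on the box itself
#   upstream-private  a private address would be asked of a remote server
#   upstream          public address, remote server
classify() {
    first=$(nameservers "$1" | head -n 1)
    case "$first" in
        127.*|::1) echo local ;;
        "")        echo no-nameserver ;;
        *) if is_rfc1918 "$2"; then echo upstream-private; else echo upstream; fi ;;
    esac
}

# Live check, needs the `host` tool: whole seconds one reverse lookup takes.
# -W 2 bounds each wait so a dead resolver cannot stall the check itself.
time_ptr() {
    t0=$(date +%s)
    host -W 2 "$1" ${2:+"$2"} >/dev/null 2>&1 || true
    echo $(( $(date +%s) - t0 ))
}

# Constructed sample input, embedded so the example runs offline.
demo() {
    d=$(mktemp -d)
    printf 'nameserver 203.0.113.53\nnameserver 203.0.113.54\n' > "$d/resolv.remote"
    printf 'nameserver 127.0.0.1\n' > "$d/resolv.local"
    printf 'lease 192.168.1.6 {\n  client-hostname "Gauche2";\n}\nlease 192.168.1.100 {\n}\n' > "$d/leases"
    for ip in $(lease_ips "$d/leases"); do
        echo "$ip $(ptr_name "$ip") remote-only=$(classify "$d/resolv.remote" "$ip") loopback=$(classify "$d/resolv.local" "$ip")"
    done
    rm -rf "$d"
}
demo
```

On the firewall itself, `classify /etc/resolv.conf <lease-ip>` followed by `time_ptr <lease-ip>` shows whether the lookup leaves the box and how long it blocks.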
                                      • A
                                        ahsunh @ssp
                                        last edited by Apr 20, 2022, 5:54 AM

                                        @Gertjan Hello dear, please let us know the simplest solution for handling this issue of the DHCP lease page status.
                                        And yes, you are right, the issue comes on the WIFI channel where huge blocks of IPs are available.
                                        Working with the DNS resolver, not the forwarder.

                                        • G
                                          Gertjan @ahsunh
                                          last edited by Apr 20, 2022, 7:40 AM

                                          @ahsunh
                                          Start by un-checking :

                                          🔒 Log in to view

                                          This will make unbound restart far less frequently.
                                          You can check this for yourself : count the word "start" at the Status > System Logs > System > DNS Resolver page :

                                          🔒 Log in to view

                                          Yours must be restarting a lot, like many times per hour.

                                          No "help me" PM's please. Use the forum, the community will thank you.
                                          Edit : and where are the logs ??

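One way to do the count suggested above from a shell, as an added example that is not part of the thread or of pfSense: it buckets unbound "start of service" lines and dhcpd DHCPACK lines per hour, so restart bursts can be set beside lease activity. The log lines are constructed, and their plain-text syslog layout, the file names and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not pfSense code): unbound restarts per hour next to DHCP activity.

# $1 = resolver log, $2 = dhcpd log. One line per hour seen in either file:
#   "Apr 20 07:00 starts=3 acks=3"
# Output is sorted as text, which is chronological within a single month.
hourly_report() {
    awk '
        { hour = $1 " " $2 " " substr($3, 1, 2) }
        FILENAME == ARGV[1] && /unbound\[[0-9]+\]/ && /start of service/ { starts[hour]++; seen[hour] = 1 }
        FILENAME == ARGV[2] && / DHCPACK / { acks[hour]++; seen[hour] = 1 }
        END { for (h in seen) printf "%s:00 starts=%d acks=%d\n", h, starts[h], acks[h] }
    ' "$1" "$2" | sort
}

# Hours in which unbound started at least $3 times (default 6).
busy_hours() {
    hourly_report "$1" "$2" | awk -v min="${3:-6}" '
        { split($4, s, "="); if (s[2] + 0 >= min) print }'
}

# Constructed sample logs written into directory $1.
sample_logs() {
    cat > "$1/resolver.log" <<'EOF'
Apr 20 07:02:10 pfsense unbound[40112]: [40112:0] info: service stopped (unbound 1.13.2).
Apr 20 07:02:11 pfsense unbound[41230]: [41230:0] info: start of service (unbound 1.13.2).
Apr 20 07:19:41 pfsense unbound[41877]: [41877:0] info: start of service (unbound 1.13.2).
Apr 20 07:48:03 pfsense unbound[42310]: [42310:0] info: start of service (unbound 1.13.2).
Apr 20 08:30:27 pfsense unbound[43002]: [43002:0] info: start of service (unbound 1.13.2).
EOF
    cat > "$1/dhcpd.log" <<'EOF'
Apr 20 07:02:09 pfsense dhcpd[5121]: DHCPACK on 192.168.1.23 to 00:00:5e:00:53:01 via igb1
Apr 20 07:19:40 pfsense dhcpd[5121]: DHCPACK on 192.168.1.24 to 00:00:5e:00:53:02 via igb1
Apr 20 07:48:02 pfsense dhcpd[5121]: DHCPACK on 192.168.1.25 to 00:00:5e:00:53:03 via igb1
Apr 20 08:30:26 pfsense dhcpd[5121]: DHCPREQUEST for 192.168.1.23 from 00:00:5e:00:53:01 via igb1
Apr 20 08:30:26 pfsense dhcpd[5121]: DHCPACK on 192.168.1.23 to 00:00:5e:00:53:01 via igb1
EOF
}

demo() {
    d=$(mktemp -d)
    sample_logs "$d"
    hourly_report "$d/resolver.log" "$d/dhcpd.log"
    echo "hours with 3 or more restarts:"
    busy_hours "$d/resolver.log" "$d/dhcpd.log" 3
    rm -rf "$d"
}
demo
```

Starts that track the DHCPACK count hour by hour point at the lease registration option discussed above; starts with no matching lease activity point elsewhere.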