DHCP leases status timeout

eangel

Hi,

We run a couple of pfSense instances in HA and are having problems with the DHCP leases page. I have seen here that this is not uncommon, but have yet to see a fix for it.
Our setup has a captive portal serving around 2000 devices. The DHCP addresses are from a /16 subnet. The DHCP leases status page always gives a '504 Gateway Time-out'. I have seen that the dhcp.leases file is huge. Around 4MB. I thought initially that this was because of the sites traffic volume, but it turns out the this is also its initial size. From what I understand the dhcp.leases file is somehow populated when the service is started. Possibly something to do with the load sharing DHCP? This also happens in my lab, which has almost no clients.

My question is really if it is possible to fix the DHCP leases status page somehow?

johnpoz

@eangel what version are you running - sounds like this

https://redmine.pfsense.org/issues/11512

eangel

@johnpoz I think you may be right, but I don't quite understand how to fix it. I see mention of a patch, but the bug 2 years old. Shouldn't the fix be included by now?

I'm running 2.6

johnpoz

@eangel I never ran into this because I point to dns that can resolve my clients via PTR, etc. I believe the root of the problem is time out because just can not resolve the IPs via PTR, or huge delays trying to when your using external dns and timeouts for say rfc1918 IPs, etc.

I think there was mention of regression. What version are you using?

eangel

I'm on 2.6

I do see that there may be a problem with DNS as the whole network is behind a rather slow link. I just wish it would work the way it used to. I saw a mention of commenting out the line that does the resolving in the php script. Maybe I'll try that.

Thanks for helping by the way!

johnpoz

@eangel said in DHCP leases status timeout:

behind a rather slow link

Not sure why that should matter lookup a ptr for say 192.168.1.42 ? That should be your local dns, so be it your internet connection is 128k or 1gig that wouldn't matter.

Your never going to resolve rfc1918 IPs via say googledns.. Do you not have pfsense pointing to 127.0.0.1 first for dns? What can resolve your local IPs?

Gertjan

@eangel said in DHCP leases status timeout:

I saw a mention of commenting out the line that does the resolving in the php script. Maybe I'll try that.

Try this first : Repair your DNS

Run a test like this :

[23.01-RELEASE][admin@pfsense.mylocalnetwork.net]/etc: host 192.168.1.2
2.1.168.192.in-addr.arpa domain name pointer bureau2.mylocalnetwork.net.

192.168.1.2 is a known device on my network. It has a (static) DHCP lease, so it's know to the local DNS.

I can see it :
[23.01-RELEASE][admin@pfSense.mylocalnetwork.net]/root: cat /etc/hosts
127.0.0.1 localhost localhost.mylocalnetwork.net
::1 localhost localhost.mylocalnetwork.net
192.168.1.1 pfSense.mylocalnetwork.net pfSense
2a01:cb:dead:19:907:a6dc::1 pfSense.mylocalnetwork.net pfSense
192.168.1.2 bureau2.mylocalnetwork.net bureau2
.....

Another test :

[23.01-RELEASE][admin@pfSense.mylocalnetwork.net]/root: dig @127.0.0.1 -x 192.168.1.2 +short
bureau2.mylocalnetwork.net.

'dig' is using localhost or 127.0.0.1, on port 53, and it asks : what is the host name of the device using "192.168.1.2".
This is a so called DNS reverse request : with a given IP, get the host name.
Normally, a host name is given, , like "facebook.com" and the IP is requested.
There should be an answer.

If I was asking for a device with an unused IP on my network :

[23.01-RELEASE][admin@pfSense.mylocalnetwork.net.]/root: dig @127.0.0.1 -x 192.168.1.200 +short

then I'll receive an answer in micro seconds : no host name known so nothing is shown.

If the resolver (unbound, or for that matter : the forwarder if you used that one) wasn't listening on 127.0.0.1 port 53 (UDP and/or TCP) then the requests will take ages before it times out.

So : is there some one at 127.0.0.1 port 53 ?
By any change, isn't is, for example, restarting all the time (another very known subject) ?

Btw :

This PHP function :

is a wrapper around the identical command line command :

host X

where X is an IP address.
It winds up talking to 127.0.0.1 port 53.
If no one is there, then, yeap, you'll be facing big time outs.
If you have many leases, the entire web page (DHCP leases page) will eventually time out = web server gateway error.

eangel

@gertjan Dam! You are correct!
I had not selected 'localhost' in the list of interfaces to serve with the DNS forwarder. Once I did that and told it not to forward private addresses, the leases status page appears quickly.

Thank you very much for the excellent reply!

rvjr

Wow, thanks guys! This helped me get my DHCP leases page working again. I also had reverse lookups redirected to the domain controller DNS via 'Domain Overrides' on the DNS resolver page. Somehow that did time out. I remove the overrides, and now everything works smoothly. Now I just have to figure out how to repair the overrides, or whether I need the reverse lookups for Active Directory at all. Because they obviously didn't work for a while now, and I didn't see any issues so far...