Netgate Discussion Forum

PFSENSE + 23.01

General pfSense Questions
    Jimbohello
    last edited by Apr 7, 2023, 2:24 PM

    Since the 23.01 upgrade,
    all my alias rules do not work on port forwards using dynamic DNS authorisation.
    e.g. alias: "PASS" (xxxxxxx.dyndns.org)

    PORT FORWARD from "PASS" on port 443.
    If I change to an IP instead of the dynamic DNS name, traffic goes through.

    Before this upgrade everything was working as expected!

    I have multiple pfSense+ appliances, same problem.

    THANKS!

      Gertjan @Jimbohello
      last edited by Apr 7, 2023, 3:07 PM

      Where

      @jimbohello said in PFSENSE + 23.01:

      xxxxxxx.dyndns.org

      stands for your WAN IP?

      So you have a firewall where the "source" is your WAN IP?
      Or do you use the alias in the destination?

      Oh wait: "xxxxxxx.dyndns.org" is the host name of the device that wants to connect to your pfSense? Right?

      I created an alias called 'home' with the DynDNS host name of my WAN IP.
      I checked the Status > System Logs > System > DNS Resolver logs, and saw it was resolved to my (WAN) IP.
      But I could have used any host name (don't use fakebook.com or so, that will not work).

      Also: Diagnostics > Tables, and I selected the name of my alias, 'home': I saw the IP, so it was resolved.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

          Jimbohello @Gertjan
          last edited by Jimbohello Apr 7, 2023, 3:47 PM Apr 7, 2023, 3:46 PM

          @gertjan
          failed to resolve host
          more than 200 failed to resolve host

          https://www.reddit.com/r/PFSENSE/comments/105dbm9/issues_with_dynamic_dns_on_2301dev/

            Gertjan @Jimbohello
            last edited by Gertjan Apr 7, 2023, 4:16 PM Apr 7, 2023, 4:12 PM

            @jimbohello said in PFSENSE + 23.01:

            https://www.reddit.com/r/PFSENSE/comments/105dbm9/issues_with_dynamic_dns_on_2301dev/

            Jan 6 21:25:26php-fpm844/services_dyndns_edit.php: Dynamic DNS (pfsense.xxxxxxx.us) There was an error trying to determine the public IP for interface - wan (ix3 ).

            That's not a DynDNS problem.
            It's worse.

            Here : http://checkip.dyndns.org/ and click on that link ( it's safe 😊 ).

            For everybody, it should indicate your WAN IP.

            I can do the same thing on the console / SSH access of my pfSense:

            [23.01-RELEASE][admin@pfSense.my4100.tld]/root: curl http://checkip.dyndns.org/
            <html><head><title>Current IP Check</title></head><body>Current IP Address: 82.127.62.108</body></html>
            

            And that's correct: that's my WAN IPv4!

            Your issue is probably : the same command doesn't work for you.
            A possible reason is : your pfSense can't do DNS for itself.

            Check that out with :

            nslookup checkip.dyndns.org
            

            on your PC.

            And do the same command on pfSense :

            [23.01-RELEASE][admin@pfSense.my4100.net]/root: nslookup checkip.dyndns.org
            Server:         127.0.0.1
            Address:        127.0.0.1#53
            
            Non-authoritative answer:
            checkip.dyndns.org      canonical name = checkip.dyndns.com.
            Name:   checkip.dyndns.com
            Address: 193.122.6.168
            Name:   checkip.dyndns.com
            Address: 132.226.247.73
            Name:   checkip.dyndns.com
            Address: 193.122.130.0
            Name:   checkip.dyndns.com
            Address: 132.226.8.169
            Name:   checkip.dyndns.com
            Address: 158.101.44.242
            

            I don't say that 'this' is your issue.
            Just that if pfSense can't access "checkip.dyndns.com" you've 'done' something, because it works out of the box.

            Massive issues upgrading to 23.01

            You got a 4100 recently, so what did it have in the beginning, 22.05?
            Going from 22.05 to 23.01 wasn't that hard if I recall; I thought it was a mouse click thing.
            For me it was.

            Didn't even know people were also talking pfSense on reddit.
            Actually, I never check / use reddit. It's too ... noisy. I like this place: no ads ^^

            Dev versions are for those who want to live on the bleeding edge.
            It's normal to see some blood ;)

              Jimbohello @Gertjan
              last edited by Apr 7, 2023, 4:29 PM

              @gertjan

              Server: 127.0.0.1
              Address: 127.0.0.1#53

              Non-authoritative answer:
              Name: checkip.dyndns.com
              Address: 132.226.8.169
              Name: checkip.dyndns.com
              Address: 193.122.130.0
              Name: checkip.dyndns.com
              Address: 158.101.44.242
              Name: checkip.dyndns.com
              Address: 193.122.6.168
              Name: checkip.dyndns.com
              Address: 132.226.247.73

                Jimbohello @Gertjan
                last edited by Apr 7, 2023, 4:33 PM

                @gertjan

                Hmm, strange!
                I tested something:
                disabling DNS over TLS in the DNS Resolver
                and putting it back to standard port 53 seems to have resolved the issue!
                Pretty strange!

                  Cylosoft @Jimbohello
                  last edited by Apr 7, 2023, 5:01 PM

                  @jimbohello at this point every issue we have with v23 seems to come back to some unbound DNS issue. You might check the other threads about getting DNS with TLS working.

                    SteveITS Galactic Empire @Jimbohello
                    last edited by Apr 7, 2023, 5:16 PM

                    @jimbohello said in PFSENSE + 23.01:

                    disable dns over TLS in the dns resolver

                    As Cylosoft indicates there are a few threads about DNS not working. Disabling DNSSEC while forwarding seems to be required now (and reportedly all along was known to sometimes cause failures when forwarding), but several have said they also need to disable DNS over TLS. See for instance:

                    https://forum.netgate.com/topic/178413/major-dns-bug-23-01-with-quad9-on-ssl/

                    Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                    When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                    Upvote 👍 helpful posts!

                      Jimbohello @SteveITS
                      last edited by Jimbohello Apr 7, 2023, 5:34 PM Apr 7, 2023, 5:25 PM

                      @steveits

                      DNSSEC was already disabled!
                      I do not use Quad9;
                      OpenDNS,
                      Cloudflare,
                      Google.

                      I'll just turn off TLS for now :)

                        Jimbohello @SteveITS
                        last edited by Jimbohello Apr 7, 2023, 10:39 PM Apr 7, 2023, 10:38 PM

                        @steveits

                        I don't know if this helps, but I did some testing.

                        If, in the System > General tab, I select
                        "use remote DNS server, ignore local DNS",

                        the problem is solved using DNS over TLS.

                        When I put back "use local DNS, ignore remote DNS", the problem occurs.

                          SteveITS Galactic Empire @Jimbohello
                          last edited by Apr 7, 2023, 11:13 PM

                          @jimbohello said in PFSENSE + 23.01:

                          when i put back "use local dns, ignore remote dns " problem occur

                          This setting affects how pfSense itself does DNS. So again it sounds like DNS is not working on your router, for some reason.
                          https://docs.netgate.com/pfsense/en/latest/config/general.html#dns-resolution-behavior

                          Is the DNS Resolver service running? If you try to start it, or restart it, are there errors shown in the system log or DNS Resolver log? Test DNS using Diagnostics/DNS Lookup.

                            Jimbohello @SteveITS
                            last edited by Jimbohello Apr 7, 2023, 11:35 PM Apr 7, 2023, 11:22 PM

                            @steveits

                            Listen my friend, yesterday, before my upgrade to 23.01, my setup had been the same for several years.

                            Never had an issue.

                            23.01 is the issue in DoT.
                            I have zero problems with DNS resolution for my local LAN clients.
                            The problem is only in the alias fetching the xxxx.dyndns.org IP.

                            Same issue on all my appliances.

                            LOG / DNS Resolver: FAILED TO RESOLVE HOST

                            If I go back to standard DNS (53), it works like a lucky charm. :)

                            It's exactly this problem:

                            https://forum.netgate.com/topic/178413/major-dns-bug-23-01-with-quad9-on-ssl

                            Quad9, Google, OpenDNS, Cloudflare or whatever: the issue is there.

                            All my 23.01 appliances are having this issue.
                            All my 22.05 appliances are doing fine.

                            They have the same setup everywhere.

                              Jimbohello @SteveITS
                              last edited by Apr 8, 2023, 1:41 AM

                              @steveits

                              Here is log level 3
                              from pfSense's own resolution:
                              Apr 7 21:33:30 unbound 88702 [88702:0] info: finishing processing for vrac-nicolas.dyndns.org.jimbohello.arpa. AAAA IN
                              Apr 7 21:33:30 unbound 88702 [88702:0] info: query response was NXDOMAIN ANSWER
                              Apr 7 21:33:30 unbound 88702 [88702:0] info: reply from <.> 1.1.1.1#853
                              Apr 7 21:33:30 unbound 88702 [88702:0] info: response for vrac-nicolas.dyndns.org.jimbohello.arpa. AAAA IN
                              Apr 7 21:33:30 unbound 88702 [88702:0] info: iterator operate: query vrac-nicolas.dyndns.org.jimbohello.arpa. AAAA IN
                              Apr 7 21:33:30 unbound 88702 [88702:0] debug: iterator[module 0] operate: extstate:module_wait_reply event:module_event_reply

                              From the client side (LAN):

                              Apr 7 21:38:42 unbound 88702 [88702:0] info: finishing processing for vrac-nicolas.dyndns.org. A IN
                              Apr 7 21:38:42 unbound 88702 [88702:0] info: query response was ANSWER
                              Apr 7 21:38:42 unbound 88702 [88702:0] info: reply from <.> 8.8.8.8#853
                              Apr 7 21:38:42 unbound 88702 [88702:0] info: response for vrac-nicolas.dyndns.org. A IN
                              Apr 7 21:38:42 unbound 88702 [88702:0] info: iterator operate: query vrac-nicolas.dyndns.org. A IN

                              JESUS, I FOUND THE ISSUE, I GUESS:
                              WHY IS PFSENSE ITSELF TRYING TO RESOLVE
                              vrac-nicolas.dyndns.org.jimbohello.arpa
                              when it is supposed to be vrac-nicolas.dyndns.org?

                              pfSense is adding its own domain part! No wonder it can't resolve.

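A small parser, added here as an example and not taken from this thread or from pfSense, that walks unbound log lines like the ones posted above and flags lookups where the firewall's own domain was appended to an alias FQDN, reporting the upstream that answered, whether it was reached over DoT (port 853) and the response code. The log lines are constructed to mirror the post (oldest first); the alias name and the domain jimbohello.arpa come from the post.

```python
import re

# Constructed sample log modelled on the unbound log-level-3 lines posted in this thread,
# ordered oldest first: the firewall's own lookup (domain appended, NXDOMAIN over port 853),
# then a LAN client's lookup of the bare name, which succeeds.
SAMPLE_LOG = """\
Apr 7 21:33:30 unbound 88702 [88702:0] info: iterator operate: query vrac-nicolas.dyndns.org.jimbohello.arpa. AAAA IN
Apr 7 21:33:30 unbound 88702 [88702:0] info: reply from <.> 1.1.1.1#853
Apr 7 21:33:30 unbound 88702 [88702:0] info: query response was NXDOMAIN ANSWER
Apr 7 21:33:30 unbound 88702 [88702:0] info: finishing processing for vrac-nicolas.dyndns.org.jimbohello.arpa. AAAA IN
Apr 7 21:38:42 unbound 88702 [88702:0] info: iterator operate: query vrac-nicolas.dyndns.org. A IN
Apr 7 21:38:42 unbound 88702 [88702:0] info: reply from <.> 8.8.8.8#853
Apr 7 21:38:42 unbound 88702 [88702:0] info: query response was ANSWER
Apr 7 21:38:42 unbound 88702 [88702:0] info: finishing processing for vrac-nicolas.dyndns.org. A IN
"""
QUERY_RE = re.compile(r"info: iterator operate: query (\S+) (\S+) IN")
UPSTREAM_RE = re.compile(r"info: reply from <\.> (\S+)")
RESULT_RE = re.compile(r"info: query response was (\S+)")


def find_domain_appended_lookups(log_text, local_domain):
    """Walk the log oldest-first: each 'iterator operate: query' line opens a lookup and
    the 'reply from' / 'query response was' lines that follow belong to it. Return the
    lookups whose name is an alias FQDN with the firewall's own domain appended."""
    suffix = "." + local_domain.strip(".") + "."
    lookups, current = [], None
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            current = {"qname": m.group(1), "qtype": m.group(2), "upstream": None, "result": None}
            lookups.append(current)
            continue
        if current is None:
            continue
        m = UPSTREAM_RE.search(line)
        if m:
            current["upstream"] = m.group(1)
        m = RESULT_RE.search(line)
        if m:
            current["result"] = m.group(1)
    findings = []
    for lk in lookups:
        if not lk["qname"].endswith(suffix):
            continue
        findings.append({
            "intended": lk["qname"][:-len(suffix)] + ".",  # the name without the appended domain
            "queried": lk["qname"], "qtype": lk["qtype"], "upstream": lk["upstream"],
            "over_dot": bool(lk["upstream"]) and lk["upstream"].endswith("#853"),
            "result": lk["result"]})
    return findings
```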
                                stephenw10 Netgate Administrator
                                last edited by Apr 8, 2023, 1:12 PM

                                Hmm, I only expect to see that if it has already failed to resolve the FQDN without the domain appended.

                                  Jimbohello @stephenw10
                                  last edited by Jimbohello Apr 8, 2023, 8:38 PM Apr 8, 2023, 8:28 PM

                                  @stephenw10

                                  When following the DoT procedure based on Netgate's documentation:
                                  all aliases having a dynamic name to resolve get a response from dnsfilter, « failed to resolve host - will retry again later ». Some of them do resolve, but most fail completely and then, at some point, all fail.

                                  When changing the aliases to a URL IP table, no problem occurs.

                                  If I remove all DoT, everything works as expected.

                                  Note: I have around 140 dynamic names to resolve.

                                  Hope this helps.

                                  Behaviour appears on the SG-3100, SG-8200 pro max, and all other devices.

                                  Version 22.05 not affected.
                                  Version 23.01 affected.

                                  Thanks!

                                  Hope this helps.
