Netgate Discussion Forum
    OpenVPN Clients + pfblocker + DNSBL [+ suricata] + unbound == unusable

    2.4 Development Snapshots
    kpk:

      I don't think it is a 2.4-only problem, but let me tell you the story:
      Scenario: 3 subnets, 1 OpenVPN server, 4 OpenVPN clients, the mentioned services activated, GW groups and a bit of policy routing.

      To do all my filtering comfortably, I upgraded my pfSense from an APU1D4 to a J4205 CPU. Enough performance for what I needed.

      Still, there was no stable solution with 2.3; the DNS was down all the time or at least unusable for the clients, and the system was barely usable. So I also read the common RTL8111 error in the terminal and decided to take one error source out of the game and upped to a Supermicro E300-8D + ECC + M.2.
      So I read that, driver-wise, the 2.4 RC has better support for the board and it should be usable (according to what I read here and elsewhere), so I tried my luck.

      The result is IMHO devastating.
      As soon as I upped the game with pfBlocker and/or Suricata or some OpenVPN clients, the system became more and more unresponsive.
      I suspect unbound to have a great part in it; also it may have something to do with interface updates in general.
      I would like to think of a config error, but the behavior was problematic with 4 OpenVPN client interfaces alone.
      Sadly the debugging is a pain with a sluggish to not-responsive-at-all web interface.

      I'm intrigued to order official service, as this setup can be done within a short time, but I'll bet it won't run stably in this given time.

      Solution: I switched to OPNsense, even if I miss some features (especially pfBlockerNG) and settings, but at least it does its job.

      But as pfSense is more my style, I would like to hear if anyone has had similar experiences and/or workarounds with the services activated in the title.

      kpk:

        This issue did cost me quite some time and some expensive hardware, after long years of pfSense.
        As a result I didn't show any logs. But what I can tell you is that nearly the same setup with the same accounts didn't provoke the error on OPNsense. (Don't get me wrong, I don't care which sense it is... pf, open, common... but I find it very interesting, as I thought that it is very similar to pfSense.)

        If I may guess, the unbound problem had something to do with changing interfaces (or was a result of it).
        I would be really interested if someone has similar issues and, best of all, ones which are now resolved.

        luckman212 (LAYER 8):

          I got tired of fighting w/ unbound myself and switched to dnsmasq. For me it was a good move, although others will argue to the contrary. I know Unbound is "better" on paper and the purist in me wants to use it, but it just wasn't as stable for me.  Dnsmasq does everything I need it to and just never seems to have issues. The recent CVEs were fixed in record time. I think from wide disclosure to having the patched binary running on my system was <24 hours, which I consider amazing.

          To be fair, I didn't give Unbound much of a chance w/ recent 2.4 snaps and I hear it has improved, but for me there is no compelling reason to switch. Maybe worth it for you to give dnsmasq a try.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.