ACB host (acb.netgate.com) not reachable from pfSense
-
@stephenw10 said in ACB host (acb.netgate.com) not reachable from pfSense:
Interesting. The passed servers could not resolve acb is concerning.
Yeah... And I am not sure what I can do to fix this on my end, or if I would need Tailscale to do something...
-
If it's their own DNS servers they may be filtering something....
-
@stephenw10 so now my issue is that if I have the DNS option off, ACB works, but it does not show as an exit node when I connect to it from my phone or an off-site windows machine. I am going to reach out to Tailscale and ask about this.
-
Hmm, yeah I've no idea why they would not resolve it.
You could probably add a host override as a workaround. It would fail if the server ever changed IP address but that's fairly unlikely. Ugly hack though!
-
@stephenw10 the bigger problem is that I need my exit node so I can access stuff on my home network. I may just live with OpenVPN until I can get back to investigate this in-person. :(
-
This :
@RyanM said in ACB host (acb.netgate.com) not reachable from pfSense:
[2.8.1-RELEASE][admin@router.hidden.com]/cf/conf/backup: nslookup acb.netgate.com
;; communications error to 100.100.100.100#53: timed out
;; communications error to 100.100.100.100#53: timed out
;; communications error to 100.100.100.100#53: timed out
doesn't this mean that :
;; no servers could be reached
so no DNS can be reached == that DNS can't answer.
Is the WAN / uplink ok ?
If you need this 100.100.100.100, be aware that they don't want (requests from) you.
-
Hmm, maybe it's trying to use tailscale's dns server but not the tailscale address as source.

-
@Gertjan there is an option in pfSense to "Accept DNS" in the Tailscale settings. When that is checked, it seems to want to use that 100.100.100.100 address as the DNS server. Which is good for some things, but the problem is that it was not resolving acb.netgate.com. So I don't know that saying "they don't want (DNS) requests from you" is accurate, is it? Why would they provide that address as the DNS/lookup?
However, the consequence of turning off "Accept DNS" seems to be that by disabling that setting, now my pfSense router is not showing up as an "exit node" from other clients on the Tailscale VPN network. Additionally, because it is not an "exit node", I can now not resolve other hosts on my remote network.
EDIT: I forgot to answer your other question @Gertjan. Yes, the uplink is fine. Everything else seems to be working, and I can even reach acb.netgate.com from other hosts on my network, just not from the pfSense router itself. This has to have something to do with the DNS configuration in Tailscale. I want to enable the "Accept DNS" setting, I just need to figure out how to make it work while also being able to use ACB. And I am not sure how comfortable I feel making changes now as I will be remote from this router for another 5 or 6 months.
@stephenw10 can you elaborate on what you mean when you say to try "using tailscale's dns server but not the tailscale address as source"
-
I would check the port 53 states when it's trying and failing to resolve against tailscales servers. Are those queries actually going over the tunnel? Are they using the tunnel address as the source IP? Because I would expect their server to refuse connections from any other source IP.
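An added diagnostic for the check suggested above (example script written for this thread, not code from the forum, from Netgate or from Tailscale). It assumes a pfSense/FreeBSD shell with dig(1) and route(8), that the Tailscale interface is named tailscale0, and that the resolver is 100.100.100.100; it compares a query sent with the default source address against one bound to the tunnel address.

```shell
#!/bin/sh
# Added example, not from the thread. Interface name and resolver are assumptions.
RESOLVER="${RESOLVER:-100.100.100.100}"
TS_IF="${TS_IF:-tailscale0}"

# Classify dig output: "timeout" when no server answered, "ok" when an
# ANSWER section came back, "other" for everything else (SERVFAIL, NXDOMAIN...).
classify_dig() {
  case "$1" in
    *"no servers could be reached"*|*"communications error"*) echo timeout ;;
    *"ANSWER SECTION"*) echo ok ;;
    *) echo other ;;
  esac
}

# From `route -n get <ip>` output (FreeBSD format), print the egress interface.
route_iface() {
  printf '%s\n' "$1" | awk '$1 == "interface:" { print $2 }'
}

# Source address the tunnel would use: first IPv4 address on the tailscale interface.
ts_source_addr() {
  ifconfig "$TS_IF" 2>/dev/null | awk '$1 == "inet" { print $2; exit }'
}

# Run both probes: default source selection, then the tunnel address as source (-b).
probe() {
  name="$1"
  iface=$(route_iface "$(route -n get "$RESOLVER" 2>/dev/null)")
  echo "route to $RESOLVER leaves via: ${iface:-unknown} (tunnel is $TS_IF)"
  echo "default source: $(classify_dig "$(dig +time=2 +tries=1 @"$RESOLVER" "$name" 2>&1)")"
  src=$(ts_source_addr)
  if [ -n "$src" ]; then
    echo "source $src: $(classify_dig "$(dig +time=2 +tries=1 -b "$src" @"$RESOLVER" "$name" 2>&1)")"
  else
    echo "no IPv4 address on $TS_IF; is tailscale up?"
  fi
}

# Usage: sh probe.sh acb.netgate.com
if [ -n "${1:-}" ]; then probe "$1"; fi
```

If the default probe times out while the bound one answers, the queries were leaving via the WAN with the wrong source address, which matches the failure the thread describes.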
-
@RyanM said in ACB host (acb.netgate.com) not reachable from pfSense:
So I don't know that saying "they don't want (DNS) requests from you" is accurate is it?
It said
;; no servers could be reached
which means : no answer.
@stephenw10 has a point : I presume that "100.100.100.100" can only answer if approached over the tailscale connection. If the DNS request was sent over the other connection, the WAN interface, then "100.100.100.100" can't be reached and that makes sense (to me). That would explain the "no answer".
Btw : I'm not using tailscale : test :
[25.07.1-RELEASE][root@pfSense.bbhf.tld]/root: dig @100.100.100.100 google.com
;; communications error to 100.100.100.100#53: timed out
;; communications error to 100.100.100.100#53: timed out
Note : the return message is different - more 'dig' language for saying the same thing : can't connect to 100.100.100.100 - it doesn't answer.
@RyanM said in ACB host (acb.netgate.com) not reachable from pfSense:
EDIT: I forgot to answer your other question @Gertjan. Yes, the uplink is fine. Everything else seems to be working, and I can even reach acb.netgate.com from other hosts on my network, just not from the pfSense router itself. This has to have something to do with the DNS configuration in Tailscale. I want to enable the "Accept DNS" setting, I just need to figure out how to make it work while also being able to use ACB.
Exact. You use tailscale and want to use the provided (?) tailscale's DNS server 100.100.100.100.
What about forcing unbound's connection over the tailscale connection ?