Netgate Discussion Forum

    Unbound request: ACL

    pfSense Packages
    clarknova

      My pfsense network looks like this:

      WAN: pppoe
      LAN: 192.168.85.254/24
      OPT1: 192.168.172.254/24

      I have a single client device on the OPT1 network and it looks like this:

      WAN: 192.168.172.101
      LAN: 1.1.1.1/30 (public subnet)

      This device in turn has a router attached to it that has:

      WAN 1.1.1.2/30
      gw: 1.1.1.1

      So pfsense is not doing NAT on OPT1, and it has a static route for 1.1.1.0/30 with 192.168.172.101 as gateway.

      My understanding from one of your other posts is that unbound will service 192.168.85.0/24 and 192.168.172.0/24, but not 1.1.1.0/30. If I am correct, then this is a deal-breaker for me, as I need to be able to respond to DNS queries for 1.1.1.0/30. The built-in DNS forwarder (dnsmasq?) responds to all requests by default in pfsense, so it is working for me now. I would like to take unbound for a spin though. Thanks for your efforts.

      db

    wagonza
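Unbound's access-control semantics applied to the network described above, as an added example that is not part of the original post or of the pfSense package: it assumes the ACL page simply writes extra access-control lines into unbound.conf, and shows why the downstream router at 1.1.1.2 is refused until its /30 is listed.

```python
import ipaddress

# Constructed unbound.conf fragments modelled on the thread's network.
# These are assumptions about what the package writes, not its actual output.
DEFAULT_CONF = """\
server:
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.85.0/24 allow
    access-control: 192.168.172.0/24 allow
"""
# Same config with the routed public /30 added through the ACL page.
ACL_CONF = DEFAULT_CONF + "    access-control: 1.1.1.0/30 allow\n"


def parse_access_control(conf):
    """Return (network, action) pairs from the access-control lines of a config."""
    rules = []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "access-control:":
            rules.append((ipaddress.ip_network(parts[1], strict=False), parts[2]))
    return rules


def acl_action(rules, src):
    """Unbound picks the most specific matching netblock; no match means refuse."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, action in rules:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    return best[1] if best else "refuse"


def check_clients(conf):
    """Decide for the thread's hosts: LAN host, OPT1 client, downstream router, Internet."""
    rules = parse_access_control(conf)
    return {src: acl_action(rules, src)
            for src in ("192.168.85.10", "192.168.172.101", "1.1.1.2", "203.0.113.7")}


if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("with ACL", ACL_CONF)):
        print(name, check_clients(conf))
```

Listing only the routed /30 rather than an allow for 0.0.0.0/0 keeps the resolver closed to arbitrary Internet sources, which is the difference the thread draws between Unbound's default and dnsmasq answering everyone.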

        That's correct, Unbound currently only allows the networks that are physically configured on pfSense. DNSMasq doesn't provide this functionality (not that I know of) so it just listens and allows for any host to utilize the service. I will definitely add ACL functionality so a user can specify multiple 'non-local' networks. Hopefully will have it done by Friday, I will let you know.

        Thanks for the detailed info.

        Follow me on twitter http://twitter.com/wagonza
        http://www.thepackethub.co.za

          wagonza

          I have done the work for adding additional networks to a separate Unbound ACLs page. There are a few tests I just need to do to confirm all is working - otherwise I will commit tonight and update the package.

          Follow me on twitter http://twitter.com/wagonza
          http://www.thepackethub.co.za

            clarknova

            Let me know if you need a tester.

            db

              wagonza

              Ok I have committed the changes - reinstall and you should be good to go. Just remember to obviously add the necessary firewall rules (which I think you already have).

              I must add a note indicating this in that ACLs page.

              Follow me on twitter http://twitter.com/wagonza
              http://www.thepackethub.co.za

                clarknova

                On first visiting Services: Unbound

                Parse error: syntax error, unexpected $end in /usr/local/pkg/unbound.inc on line 63

                Line 63 appears to be the last line in the referenced file, and this is what it looks like in my installation:

                @unlink_if_exists("/usr/local/etc/unbound/unbound.con

                db

                  clarknova

                  2.0-BETA5 (amd64)
                  built on Sat Jan 8 00:47:04 EST 2011

                  Additionally, when I try to reinstall or uninstall the Unbound package, this is as far as I get:

                  Removing package…
                  Starting package deletion for unbound-1.4.7...done.
                  Starting package deletion for expat-2.0.1_1...done.
                  Starting package deletion for libevent-1.4.14b_1...done.
                  Removing Unbound components...
                  Tabs items... done.
                  Menu items... done.
                  Services... done.
                  Loading package instructions...

                  db

                    wagonza

                    Odd - I can't reproduce this. I have re-installed, uninstalled and installed and it works. I am on build 'Mon Jan 10 22:34:12 EST 2011'.

                    Follow me on twitter http://twitter.com/wagonza
                    http://www.thepackethub.co.za

                      wagonza

                      @clarknova:

                      On first visiting Services: Unbound

                      Parse error: syntax error, unexpected $end in /usr/local/pkg/unbound.inc on line 63

                      Line 63 appears to be the last line in the referenced file, and this is what it looks like in my installation:

                      @unlink_if_exists("/usr/local/etc/unbound/unbound.con

                      Looks like an incomplete download of unbound.inc ?

                      Follow me on twitter http://twitter.com/wagonza
                      http://www.thepackethub.co.za

                        clarknova

                        That's what I thought. Can you post the complete file, or tell me how to manually remove the package so I can try a new install?

                        db

                          clarknova

                          Success. Deleted two unbound directories and removed the package info from the config file. I was then able to install the package and start the service with my ACL active.

                          Looks great so far, thank you very much.

                          db

                            wagonza

                            Ok cool - glad you managed to help yourself out there. The incomplete download is a bit worrying; I will chat to the devs and see if we can possibly work around that.

                            Let me know if you have any problems.

                            Follow me on twitter http://twitter.com/wagonza
                            http://www.thepackethub.co.za

                              wagonza

                              I bumped the version number due to an old bug that's been around since the incarnation of the unbound package :-\

                              Follow me on twitter http://twitter.com/wagonza
                              http://www.thepackethub.co.za

                                clarknova

                                You can update the second bullet here: http://doc.pfsense.org/index.php/Unbound_package

                                What's the bug fix? Is there a changelog somewhere?

                                edit: I see it: http://forum.pfsense.org/index.php/topic,29771.msg165982.html#msg165982

                                Looks like it doesn't affect me if I am using ACL though.

                                db

                                  wagonza

                                  Unfortunately no change log online besides commit comments.
                                  There was a bug when reinstalling the package that an original configuration would be over-written with the default. However this wouldn't have happened to the new ACL section.

                                  Will update the doc site shortly.

                                  Follow me on twitter http://twitter.com/wagonza
                                  http://www.thepackethub.co.za
