Netgate Discussion Forum

    New pfSense KVM VM DNS Resolver (unbound) Issue…

    • reb00tz

      Hi everyone,

      Set up a new pfSense 2.4.2 VM under KVM/QEMU on Ubuntu LTS (64-bit) w/2 vCPUs, 2GB RAM, 10GB SATA disk and 1x e1000 NIC (i.e. no virtio devices).

      e1000 "WAN" gets IP via DHCP from local DHCP.

      Problem #1: System consistently hangs at "Starting DNS Resolver" when NIC is "connected" at boot

      • if plain, straight-forward install from ISO and reboot, WAN is configured, but system hangs at "Starting DNS Resolver"

      • if NIC is "disconnected" (at hypervisor), boot completes (after slight delay at bringing up WAN and "Starting DNS Resolver"), then system operates as normal (up to a point - read below) when NIC is reconnected (i.e. web configuration wizard although it also hangs at the last "redirect" step) - note that DNS Resolver service shows as "not started" after a forced reboot (while repeating the whole "NIC disconnect, reconnect dance")

      • renaming /usr/local/sbin/unbound* "solves" the hang, but then I cannot disable it via web UI (complains about missing unbound-checkconf)

      Problem #2: Attempting to disable "DNS Resolver" (i.e. unbound) via web UI consistently fails when "Save" button is clicked (nginx reports "504 Gateway Time-out")

      Any ideas?

      • reb00tz

        Hurdle after hurdle…

        So, I used the PHP and pfsense environment to disable unbound, so booting the VM no longer requires the "NIC disconnect, reconnect" song-and-dance routine.

        For those so inclined:

        • record a script to show the unbound config:
        record showunboundconfig
        parse_config(true);
        $temp = print_r($config['unbound'], true); // second argument makes print_r() return the text instead of printing it
        more($temp);
        stoprecording
        
        • record a script to disable unbound:
        record disableunbound
        parse_config(true);
        $config['unbound']['enable'] = false;
        write_config();
        stoprecording
        
        • display the "before", disable, then display the "after":
        playback showunboundconfig
        playback disableunbound
        playback showunboundconfig
        

        Unfortunately, I am stuck again; I can ping the gateway or any other host, but I cannot access the web UI, even if I were to disable the firewall via shell (pfctl -d).  :o

        I also tried with pfSense 2.3.5, with the exact same results.  :-[

        • A Former User

          Have you tried turning off/disabling hardware offload?

          I realise you're not using the virtio drivers (why not? better performance) but it would still be a first step:

          https://doc.pfsense.org/index.php/Tuning_and_Troubleshooting_Network_Cards
          https://doc.pfsense.org/index.php/VirtIO_Driver_Support#Disable_Hardware_Checksum_Offloading

          • reb00tz

            Hi @muppet,

            Thanks for the reply.

            I am not using virtio drivers for now because there is no way to turn it off from the guest side except through the web UI (as far as I am aware); the issues I face here (with e1000 emulation) mean I cannot even get to the web UI.

            Fact is, I originally tried with virtio but fell back to e1000 (recreating the entire VM also, just in case) trying to troubleshoot the pesky unbound "Starting DNS Resolver" hanging problem… For what it is worth, I have disabled every offload setting in all NICs on the hypervisor (/etc/network/interfaces snippet for every NIC, bond_n_ and br_n_ iface as follows) and I am still facing this issue (of web UI not being accessible).

            
                    # disable hardware offloading for virtio compatibility
                    offload-tx off
                    offload-rx off
                    offload-tso off
                    offload-ufo off
                    offload-lro off
                    offload-sg off
                    offload-gro off
                    offload-gso off
                    offload-rxvlan off
                    offload-txvlan off
                    offload-ntuple off
                    offload-rxhash off
            
            

            I will try with a complete rebuild (again) and see if I can establish a reliable step-by-step. What I do not understand is why unbound is causing so much grief - and considering it is the "default", why I do not see others having the same issue.

            Hoping someone can help point me towards debugging/logging the answer…

            • Kohji

              I've updated yesterday to

              2.4.2-RELEASE-p1 (amd64)
              built on Tue Dec 12 13:45:26 CST 2017
              FreeBSD 11.1-RELEASE-p7

              Now I have DNS problems.
              I've worked with backups and, now, I've set pfsense back to factory defaults - still DNS problems.
              If I do not use e.g. 192.168.1.1 in my devices but use a DNS Server like 8.8.8.8 - internet works.

              Please note: The problem exists directly after "factory defaults" - without any special settings…

              Should I consider installing an older version of pfsense?

              Thank you
              Kohji
