Issues after upgrade to 2.4.4 on all firewalls : Diagnostic ->Tables is empty
-
Hi,
sorry for the delay in my answer.
The table is made of alias or group of alias.
Each of those is an IP: no fqdn and no unresolvable addresses.
No mix between IP and FQDN. When the problem happens again, I will check Status -> Filter Reload.
I'm trying to install a 2.4.3 version from scratch, but what I see is that I cannot install some packages: openvpn client export, for example.
Are we forced to use 2.4.4?
Is there a way to install packages for 2.4.3?
-
Hi to all,
I can confirm that Status -> Filter Reload shows no errors when the problem arises,
and even after forcing a filter reload there are no errors, but the problem persists.
Any idea?
-
Can we see how these are defined? Which are failing?
Is it only those that are nested aliases? When we've seen errors like this before it has often been because something was being resolved as an FQDN that should not be, due to an odd character or a typo in an IP, for example. But I would expect that to show a DNS error.
Steve
-
Hi,
all tables are failing: completely empty.
The structure of the source_group is something like
address01
address02
sub_grp1
sub_grp2
...
where sub_grp1 is
address11
address12
...
All of the addressxx are static private IP addresses, 10.0.1.x for example.
The same configuration was working fine before the update to 2.4.4.
In effect I have no DNS errors.
-
@chriva said in Issues after upgrade to 2.4.4 on all firewalls : Diagnostic ->Tables is empty:
All of the addressxx are static private IP addresses, 10.0.1.x for example.
Then it shouldn't be that difficult to show actual screenshots of them.
-
Mmm, nothing special there. There must be something different about how they are configured.
You have other aliases that do populate? The sub groups still populate correctly?
Steve
-
@Grimson
Here you have the screenshot of how groups are made.
I can confirm that they are all made of static ip addresses.
@stephenw10
It is not easy to answer your question: in general some aliases were populated, some were not.
My access to https gui comes from a rule with an alias and it usually works, but not always since the upgrade.
In the same way, some of the subgroups were populated, some others not.
-
Hmm, it still looks exactly like the sort of issue we saw previously where it tries to resolve one of those things as an FQDN instead of using the alias. There are definitely no errors in the DNS log when it fails?
Steve
-
No, I noticed no error; just in case, how is the DNS log enabled?
Now I did a rollback of all of the installation except one.
I will try to keep an eye on it, but traffic through this device is very little. I don't even know if this firewall ever showed the problem.
-
It is enabled by default for errors and status information but you can turn up the logging level to see all dns requests if required. That's a setting in Services > DNS Resolver > Advanced Settings.
Steve
-
Hi,
should I set it to the maximum level? (I've just set it to level 5)
What should I look for in clog /var/log/resolver.log?
Can you give me an example?
Regards.
-
I wouldn't expect you to need to turn up the logging. For example here's what I see in the resolver logs if I add an IP to an alias but typo it:
Dec 4 12:53:14 filterdns Adding Action: pf table: Test_Alias_2 host: 192.16810.10
Dec 4 12:53:14 filterdns Adding host 192.16810.10
Dec 4 12:53:14 filterdns failed to resolve host 192.16810.10 will retry later again.
Steve
-
This post is deleted! -
Yes it should. I deliberately typo'd it to show what happens.
It sees it as an FQDN as it's not a valid IP address and tries to resolve it. And of course that fails, resulting in the errors shown.
Steve
Edit: Replying to a deleted post now.
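An added shell example, not code from the thread or from pfSense, that applies the point above: filterdns treats anything that is not a valid IP address or network as a hostname, so this script classifies alias members and flags the ones that would be handed to the resolver. The entries at the bottom are constructed samples, including the mistyped address from the log lines above.

```shell
# Added example, not code from the thread or pfSense: classify alias members
# the way filterdns effectively treats them. Anything that is not a valid IPv4
# host or network is handed to the resolver as a hostname, which is why a
# mistyped address such as 192.16810.10 ends up as "failed to resolve host".

# 0 if $1 is a dotted quad with four octets in 0-255 (subshell keeps IFS/-f local).
is_ipv4() (
    IFS=.
    set -f
    set -- $1
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
)
# 0 if $1 is a decimal prefix length between 0 and 32.
is_prefix_len() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 32 ]
}
# Print "host", "network" or "hostname" for one alias member.
classify_entry() {
    case $1 in
        */*) if is_ipv4 "${1%/*}" && is_prefix_len "${1##*/}"; then
                 echo network
             else
                 echo hostname
             fi ;;
        *)   if is_ipv4 "$1"; then echo host; else echo hostname; fi ;;
    esac
}
# Read alias members from stdin, one per line, and print each with its class;
# every "hostname" line is an entry filterdns will try to resolve via DNS.
audit_entries() {
    while IFS= read -r entry; do
        [ -n "$entry" ] && printf '%-20s %s\n' "$entry" "$(classify_entry "$entry")"
    done
}
# Constructed sample alias contents: valid members, the typo from the thread,
# a real hostname and an out-of-range octet.
audit_entries <<'EOF'
10.0.1.15
10.0.1.0/24
192.16810.10
hamal.intranet
10.0.1.256
EOF
```

Any member reported as "hostname" that was meant to be an address is a candidate for the "failed to resolve host" entries in /var/log/resolver.log.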
-
yeah, deleted my post as I overlooked the mention of 'not a valid IP address' in your original
-
Thanks for your support and suggestions.
I have no filterdns entries in the logs until now.
I will keep an eye on it. Remember that the same configuration on 2.4.3_p1 gives me no issues.
-
The most likely thing there is you're hitting something really obscure that passes in php 5.6 but not in php 7. I would have expected some error though but it may simply interpret it differently.
Steve
-
Hi to all,
I have an update: facing the same problem on 2.4.4_p1.
I have an alias like
FQDN_Hamal
corresponding to
hamal.intranet
The name is correctly resolved like
drill hamal.intranet @127.0.0.1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 9055
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; hamal.intranet.dynameeting.it. IN A
;; ANSWER SECTION:
hamal.intranet 16 IN A 192.168.212.135
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 0 msec
;; SERVER: 127.0.0.1
;; WHEN: Thu Dec 27 11:36:32 2018
;; MSG SIZE rcvd: 63
The corresponding table was empty, so the corresponding permit rule was never triggered (traffic dropped).
I tried adding via command line
pfctl -t FQDN_Hamal -T add hamal.intranet
It sometimes works, giving
1/1 addresses added
sometimes it doesn't work:
0/1 addresses added
The corresponding log in filterdns is always
filterdns: Adding Action: pf table: FQDN_Hamal host: hamal.intranet
I have no idea why this happens.
Can anyone help me?
-
First, you wouldn't inject an alias entry using pfctl that way for a hostname. The filterdns daemon manages that internally.
Second, if it works sometimes and not others, it could be either because the host can't be resolved, or that it's already in the table.
The "adding action" log entry means filterdns read that entry from the config, not that it successfully resolved the host.
-
Hi Jimp,
I know I should not add hostnames like this, I'm simply trying to make the problem clearer.
The table itself should hold only one entry (resolved to 192.168.212.135)
If I try to inject a non valid fqdn I get an error:
pfctl -t FQDN_Hamal -T add hamal2.intranet
no IP address found for hamal2.intranet
-
So this is an internal domain; how is your DNS on pfSense configured? Make sure pfSense only uses name servers that can resolve those internal domains.
-
Hi Grimson,
sorry for the delay (and Happy New Year to all).
The DNS is configured to point
2 internal DNS servers (reachable)
2 external DNS servers (google)
I've just removed the google ones and I will let you know.
Regards.
-
Hi,
Today the problem is back again: some tables are void, no traffic allowed, despite the DNS pointing only to internal servers.
-
And still no filterdns errors on the resolver log? Or system log?
Steve
-
No errors in system log.
No relevant errors in the resolver log (only a few "failed to resolve host: new_name.internal", due to devices that are already configured on the firewall but not on the DNS server. Those entries have nothing to do with the void tables.)
Regards