Pfsense 2.3.3 now allowing private DNS address



  • Hi,

    on pfsense 2.3.2_1 I had, under "System -> General Setup", used a private DNS IP for a specific segment.
    The DNS is 10.0.0.1, however, with the update to 2.3.3, I cannot set this up anymore. After clicking "Save" I get "A gateway can not be assigned to DNS '10.0.0.1' server which is on a directly connected network.".

    Am I missing something or what has changed?

    Thanks.


  • Banned

    Yeah, stop setting up gateways there for locally attached interfaces.



  • @doktornotor:

    Yeah, stop setting up gateways there for locally attached interfaces.

    What is the preferred way of setting it up?  If there is a better configuration I'd love to learn about it.

    My setup has one normal WAN, with two additional WANs connected to different OpenVPN servers.  I've always had DNS set to 10.4.0.1 on VPN_WAN_1 and 10.6.0.1 on VPN_WAN_2 and it worked great.  I'm living overseas in a country well known for filtering/censoring/etc so I route everything through VPNs.  My normal web traffic/email/surfing goes through one VPN server, while streaming goes through a different VPN server.

    After upgrading to 2.3.3 everything works fine, but only if I don't change anything on the General Settings page.  If I change anything it triggers the error message mentioned in the original post.


  • Banned

    The preferred way is - as said - none. Do NOT set gateway there since the route already exists.



  • @doktornotor:

    The preferred way is - as said - none. Do NOT set gateway there since the route already exists.

    The DNS Server Settings don't allow (since 2.3.3) a private IP range as DNS address. I do not see why this would be an issue at all.

    If I route specific traffic through a VPN, and want to use a DNS server on the other end of the tunnel, that should be possible … don't understand why it's not.

    And your comments do not offer a plausible explanation ...


  • Banned

    Let me try again for the last time. Set the gateway next to the DNS servers to NONE.



  • @doktornotor:

    Let me try again for the last time. Set the gateway next to the DNS servers to NONE.

    Setting to NONE breaks the connection, meaning, nothing works. The private address for a private DNS server NEEDS to be assigned for that gateway ONLY. With NONE, all Gateways try to get to the 10.0.0.1, and fail, since no route exists …


  • Banned

    OMG. I am talking about the settings in System - General Setup. Next to the DNS servers. The dropdown. Set the gateway from dropdown to NONE. Sure like hell breaks NO connection whatsoever.



  • @doktornotor:

    OMG. I am talking about the settings in System - General Setup. Next to the DNS servers. The dropdown. Set the gateway from dropdown to NONE. Sure like hell breaks NO connection whatsoever.

    That's exactly what I did. I have 2 OpenDNS servers entered and assigned them via drop down, to my regular WAN for all computers on the network. Then I entered as a 3rd item, the 10.0.0.1 as DNS with NONE on the drop down.

    After saving and applying the changes, DNS stops working for everybody, not just the connections using VPN, but also all connections using the regular WAN. Taking the 10.0.0.1 entry out, everything starts working again.

    The question here really is, it was working and possible to set up prior to 2.3.3, but not in 2.3.3. What is the reason for removing it? Or was it not intentional?

    I need to be able to dedicate a specific DNS server for my VPN, the only way of doing it, is, by assigning a Gateway to the DNS … unless you have a different suggestion than "NONE" ...


  • Banned

    Dude. All that message is telling you is that you are trying to set up another route to something that already exists. That's all what the gateway there does. The reason you are getting that message is that the route already exists. You do not set up the same route twice. Why the heck are you configuring a DNS server intended for VPN clients to be used by the firewall anyway.



  • @doktornotor:

    Dude. All that message is telling you is that you are trying to set up another route to something that already exists. That's all what the gateway there does. The reason you are getting that message is that the route already exists. You do not set up the same route twice. Why the heck are you configuring a DNS server intended for VPN clients to be used by the firewall anyway.

    So, my remote office can resolve addresses of main office servers and services instead of using IP addresses??? That would be a scenario …


  • Banned

    What does a remote office have to do with this? Those fields are for DNS resolution on the firewall ITSELF. (And recycled elsewhere if you are too lazy to configure DNS explicitly in DHCP server and whatnot.)



  • @doktornotor:

    What does a remote office have to do with this? Those fields are for DNS resolution on the firewall ITSELF. (And recycled elsewhere if you are too lazy to configure DNS explicitly in DHCP server and whatnot.)

    Don't feel like writing a book of my setup, but remote office using main office DNS to resolve addresses and use the main office as gateway to internet. See it as a big building, main floor is main office, second floor is remote office 1 etc. In one building, you only have one access point to internet, one DNS and DHCP, etc. That's what I do, site to site VPN, and the main office handles DNS and DHCP, and has main servers located.

    Setting it up everywhere is not possible, that's why I need it on pfSense, because if requests go to the offsite pfSense box, they are forwarded to the main office, if the offsite cannot resolve (forwarded).

    Makes sense?



  • @eddi1984:

    @doktornotor:

    What does a remote office have to do with this? Those fields are for DNS resolution on the firewall ITSELF. (And recycled elsewhere if you are too lazy to configure DNS explicitly in DHCP server and whatnot.)

    Don't feel like writing a book of my setup, but remote office using main office DNS to resolve addresses and use the main office as gateway to internet. See it as a big building, main floor is main office, second floor is remote office 1 etc. In one building, you only have one access point to internet, one DNS and DHCP, etc. That's what I do, site to site VPN, and the main office handles DNS and DHCP, and has main servers located.

    Setting it up everywhere is not possible, that's why I need it on pfSense, because if requests go to the offsite pfSense box, they are forwarded to the main office, if the offsite cannot resolve (forwarded).

    Makes sense?

    Thats why I need it to work …


  • Banned

    Sir, you only assign such DNS servers to clients that they are able to reach. No idea what kind of bug you relied upon until now, but you need to sanitize your setup. pfSense itself clearly already can reach 10.0.0.1 just fine since it's a local interface subnet. So, it won't let you configure any gateway/route there because it already exists.



  • @doktornotor:

    Sir, you only assign such DNS servers to clients that they are able to reach. No idea what kind of bug you relied upon until now, but you need to sanitize your setup. pfSense itself clearly already can reach 10.0.0.1 just fine since it's a local interface subnet. So, it won't let you configure any gateway/route there because it already exists.

    172.16.0.123 (Client) –- 172.16.0.1 (pfSense, VPN client, offsite) -----  10.0.0.0/16 tunnel ---- 10.0.0.1/16-VPN server & 172.20.0.1/24-pfSense (main office) -----  172.20.0.100 (server with DB)

    The DNS settings on the offsite client point to the local pfSense box, 172.16.0.1, and that pfSense box will query 10.0.0.1 ...

    In this case, DHCP and DNS servers will be 10.0.0.1 for the client connecting (not 172.20.0.1 since pfSense does the routing from 10.0.0.0 to 172.20.0.0).
    That's why I need to set up 10.0.0.1 on the offsite DNS settings. The route is not there, it needs to translate from 172.16.0.0 to 10.0.0.0 ... so adding it to the DNS settings and assigning the VPN gateway to the 10.0.0.1 makes sense, at least to me ...


  • Banned

    So, your pfSense (main office) WAN is 172.20.0.0/24 and your pfSense LAN is 172.20.0.0/24 as well, and you have a pfSense dangling somewhere between some god knows what VPN server and a DB server? WTF. And what should be translating what there?

    :o :o :o



  • @doktornotor:

    So, your pfSense (main office) WAN is 172.20.0.0/24 and your pfSense LAN is 172.20.0.0/24 as well, and you have a pfSense dangling somewhere between some god knows what VPN server and a DB server? WTF. And what should be translating what there?

    :o :o :o

    Dude, forget it …


  • Banned

    Yeah, sounds like this one is best forgotten, flushed down the drain and reconfigured from scratch. Looks like you wanted to set up a site-to-site VPN and ended up with a complete clusterfuck instead. BTW, this is the relevant code you are complaining about:

    https://github.com/pfsense/pfsense/blob/RELENG_2_3_3/src/usr/local/www/system.php#L269

    
    	$direct_networks_list = explode(" ", filter_get_direct_networks_list());
    	while (isset($_POST[$dnsname])) {
    		$dnsgwname = "dnsgw{$dnscounter}";
    		if ($_POST[$dnsgwname] && ($_POST[$dnsgwname] <> "none")) {
    			foreach ($direct_networks_list as $direct_network) {
    				if (ip_in_subnet($_POST[$dnsname], $direct_network)) {
    					$input_errors[] = sprintf(gettext("A gateway can not be assigned to DNS '%s' server which is on a directly connected network."), $_POST[$dnsname]);
    				}
    			}
    		}
    		$dnscounter++;
    		$dnsname = "dns{$dnscounter}";
    	}
    
    

    where filter_get_direct_networks_list() translates to this:

    https://github.com/pfsense/pfsense/blob/RELENG_2_3_3/src/etc/inc/filter.inc#L1032

    
    function filter_get_direct_networks_list($returnsubnetsonly = true) {
    	global $config, $FilterIflist, $GatewaysList;
    	/* build list of directly connected interfaces and networks */
    	$networks = "";
    	$networks_arr = array();
    	if (empty($FilterIflist)) {
    		filter_generate_optcfg_array();
    	}
    	foreach ($FilterIflist as $ifent => $ifcfg) {
    		$subnet = "{$ifcfg['sa']}/{$ifcfg['sn']}";
    		if (is_subnet($subnet)) {
    			if ($returnsubnetsonly) {
    				$networks_arr[] = $subnet;
    			} else {
    				$networks_arr[] = array(
    					'subnet' => $subnet,
    					'if' => $ifent,
    					'ip' => $ifcfg['ip']);
    			}
    		}
    	}
    	$viplist = get_configured_vip_list();
    	foreach ($viplist as $vid => $address) {
    		$vip = get_configured_vip($vid);
    		$subnet = "{$vip['subnet']}/{$vip['subnet_bits']}";
    		if (is_subnet($subnet) && !(is_subnetv4($subnet) && $vip['subnet_bits'] == 32) && !(is_subnetv6($subnet) && $vip['subnet_bits'] == 128)) {
    			if (is_subnetv4($subnet)) {
    				$subnet = gen_subnet($vip['subnet'], $vip['subnet_bits']) . "/{$vip['subnet_bits']}";
    			} else if (is_subnetv6($subnet)) {
    				$subnet = gen_subnetv6($vip['subnet'], $vip['subnet_bits']) . "/{$vip['subnet_bits']}";
    			}
    			if ($returnsubnetsonly) {
    				$networks_arr[] = $subnet;
    			} else {
    				$networks_arr[] = array(
    					'subnet' => $subnet,
    					'if' => $vip['interface'],
    					'ip' => $vip['subnet']);
    			}
    		}
    	}
    	// Add any enabled static routes
    	foreach (get_staticroutes(false, false, true) as $netent) {
    		if (is_subnet($netent['network'])) {
    			if ($returnsubnetsonly) {
    				$networks_arr[] = $netent['network'];
    			} else if (isset($GatewaysList[$netent['gateway']])) {
    				$networks_arr[] = array(
    					'subnet' => $netent['network'],
    					'if' => $GatewaysList[$netent['gateway']]['friendlyiface'],
    					'gateway' => $GatewaysList[$netent['gateway']]['gateway']);
    			}
    		}
    	}
    	if ($returnsubnetsonly) {
    		if (!empty($networks_arr)) {
    			$networks = implode(" ", $networks_arr);
    		}
    		return $networks;
    	} else {
    		return $networks_arr;
    	}
    }
    
    

    So, those are local interfaces (incl. virtual IPs) and static routes you configure. With that, you can go and figure out what in your whacky setup is the case.
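    The two pieces of pfSense code quoted above, re-implemented in Python as an added example (this is not pfSense's own code, and the interface subnets, virtual IPs, static routes and gateway names below are constructed for illustration, not taken from the thread). It builds the "directly connected" list the same way filter_get_direct_networks_list() does (interface subnets, non-host VIP subnets, enabled static routes) and then applies the system.php check: an entry is rejected only when a gateway is selected for a DNS server that already lies inside one of those networks; the same server with the gateway set to NONE passes.

```python
import ipaddress

# Constructed sample data, not taken from the thread or from pfSense: what
# filter_get_direct_networks_list() would gather on a hypothetical box with a
# LAN, a WAN, an OpenVPN client tunnel, a LAN virtual IP and one static route.
INTERFACE_SUBNETS = ["192.168.1.1/24", "203.0.113.10/29", "10.0.0.2/16"]
VIP_SUBNETS = ["192.168.1.200/24", "198.51.100.5/32"]
STATIC_ROUTES = ["172.20.0.0/24"]


def direct_networks_list(interfaces, vips, static_routes):
    """Mirror filter_get_direct_networks_list($returnsubnetsonly = true)."""
    nets = []
    for spec in interfaces:
        # interface address + mask -> the connected network (gen_subnet)
        nets.append(ipaddress.ip_interface(spec).network)
    for spec in vips:
        vip = ipaddress.ip_interface(spec)
        # pfSense skips host-only VIPs (/32 and /128): they add no network
        if vip.network.prefixlen == vip.network.max_prefixlen:
            continue
        nets.append(vip.network)
    for spec in static_routes:
        nets.append(ipaddress.ip_network(spec, strict=False))
    return nets


def validate_dns_servers(entries, direct_networks):
    """Mirror the validation loop in system.php.

    entries: list of (dns_ip, gateway) as the dnsN / dnsgwN form fields;
    gateway is a gateway name, or "none" / "" for the NONE dropdown choice.
    Returns the list of input errors pfSense would display.
    """
    errors = []
    for dns, gateway in entries:
        if not gateway or gateway == "none":
            continue  # no gateway selected: nothing to check, entry accepted
        dns_ip = ipaddress.ip_address(dns)
        for net in direct_networks:
            if dns_ip in net:  # ip_in_subnet()
                errors.append(
                    f"A gateway can not be assigned to DNS '{dns}' server "
                    f"which is on a directly connected network."
                )
                break  # pfSense does not break here; one message per entry suffices
    return errors


def explain(dns, direct_networks):
    """Why the gateway is redundant: a route for that network already exists."""
    dns_ip = ipaddress.ip_address(dns)
    matches = [n for n in direct_networks if dns_ip in n]
    if not matches:
        return f"{dns}: no connected/static route, a DNS gateway would add a host route"
    best = max(matches, key=lambda n: n.prefixlen)  # longest prefix wins
    return f"{dns}: already reachable via {best}, DNS gateway rejected"


if __name__ == "__main__":
    nets = direct_networks_list(INTERFACE_SUBNETS, VIP_SUBNETS, STATIC_ROUTES)
    form = [
        ("208.67.222.222", "WAN_DHCP"),  # public resolver via WAN: accepted
        ("10.0.0.1", "VPN_WAN_1"),       # inside the 10.0.0.0/16 tunnel subnet: rejected
        ("10.0.0.1", "none"),            # same server, gateway NONE: accepted
        ("172.20.0.1", "VPN_WAN_1"),     # covered by a static route: rejected
    ]
    for err in validate_dns_servers(form, nets):
        print(err)
    for dns, _ in form:
        print(explain(dns, nets))
```

    Run it as-is to see which of the four constructed entries the check rejects. The useful part for a practitioner is explain(): a DNS gateway in General Setup only ever adds a host route for that one address, so when the address is already inside an interface, VIP or static-route network the host route is redundant, which is exactly what the 2.3.3 check refuses.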


  • LAYER 8 Global Moderator

    "10.0.0.0/16 tunnel"

    WTF why would you need such a large tunnel for a site to site connection??  Why would you ever need such a tunnel??  For site to site /30 would be all you would need.

    "172.16.0.1, and that pfsense box will query 10.0.0.1 "

    Why would it do that???

    "needs to translate from 172.16.0.0 to 10.0.0."

    Why???

    This would be your typical setup.. See attached.

    So you want the main site DNS and DHCP to provide DNS for the remote site?  Then you would set up DHCP relay on the remote site to point to your DHCP server.  As for DNS.. You would either point your clients directly to the DNS server on 172.20.0/24 or you could have your clients ask the remote site pfSense for DNS.  And then use a domain override to ask the main site DNS for whatever domains it's authoritative for, or you could just have pfSense do a forward for all DNS to it.. Comes down to what exactly do clients want/need to resolve from there?

    Or you could just have the remote site pfsense hand out dhcp and not have to worry about the relay.

    I am at a loss to understand why you think you need to translate from rfc1918 to rfc1918 and why pfsense on your remote site would need to forward or use for dns the IP address in your tunnel?


