OpenVPN Clients + pfblocker + DNSBL [+ suricata] + unbound == unusable

  • I don't think it is a 2.4-only problem, but let me tell you the story:
    scenario: 3 subnets, 1 OpenVPN server, 4 OpenVPN clients, the mentioned services activated, GW groups and a bit of policy routing.

    To do all my filtering comfortably, I upgraded my pfSense from an Apu1d4 to a j4205 CPU. Enough performance for what I needed.

    Still, there was no stable solution with 2.3; the DNS was down all the time or at least unusable for the clients, and the system was barely usable. I also read the common RT8111 error in the terminal and decided to take one error source out of the game and upped to a Supermicro E300-8D + ECC + M.2.
    So I read that, driver-wise, the 2.4 RC has better support for the board and it should be usable (according to what I read here and elsewhere), so I tried my luck.

    The result is IMHO devastating.
    As soon as I upped the game with pfBlocker and/or Suricata or some OpenVPN clients, the system became more and more unresponsive.
    I suspect unbound to have a great part in it; it may also have something to do with interface updates in general.
    I would like to think of a config error, but the behavior was problematic with 4 OpenVPN client interfaces alone.
    Sadly, the debugging is a pain with a sluggish to not-responsive-at-all web interface.

    I'm intrigued to order official service, as this setup can be done within a short time, but I'll bet it won't run stable this given time.

    Solution: I switched to OPNsense, even if I miss some features (especially pfBlockerNG) and settings - but at least it does its job.

    But as pfSense is more my style, I would like to hear if anyone has made similar experiences and/or has workarounds with the services activated in the title?

  • This issue cost me quite some time and some expensive hardware - after long years of pfSense.
    As a result I didn't show any logs. But what I can tell you is that nearly the same setup with the same accounts didn't provoke the error on OPNsense. (Don't get me wrong, I don't care which sense it is… pf, opn, common... but I find it very interesting, as I thought that it is very similar to pfSense.)

    If I may guess, the unbound problem had something to do with changing interfaces (or was a result of it).
    I would be really interested if someone has similar issues and, best of all, which are now resolved.

  • I got tired of fighting w/ unbound myself and switched to dnsmasq. For me it was a good move, although others will argue to the contrary. I know Unbound is "better" on paper and the purist in me wants to use it, but it just wasn't as stable for me.  Dnsmasq does everything I need it to and just never seems to have issues. The recent CVEs were fixed in record time. I think from wide disclosure to having the patched binary running on my system was <24 hours, which I consider amazing.

    To be fair, I didn't give Unbound much of a chance w/ recent 2.4 snaps and I hear it has improved, but for me there is no compelling reason to switch. Maybe worth it for you to give dnsmasq a try.
