Upgrade 2.4.0: firewall rule with alias and FQDN not working anymore
-
After upgrade the ports are closed.
Diagnostic->Ping is working.
I saved the alias again to force dns lookup.
still unchecked (never enabled before): Do not use the DNS Forwarder/DNS Resolver as a DNS server for the firewall
I use DNS Forwarder.
After changing the alias to IP it's working but not preferred.<alias><name>smtp_server</name> <type>host</type> <address>smtp.domain.local</address> <detail></detail></alias><rule><type>pass</type> <interface>opt2</interface> <tag></tag> <tagged></tagged> <max></max> <max-src-nodes></max-src-nodes> <max-src-conn></max-src-conn> <max-src-states></max-src-states> <statetimeout></statetimeout> <statetype></statetype> <protocol>tcp</protocol> <source> <any></any> <destination><address>smtp_server</address> <port>25</port></destination> <tracker>1460899172</tracker></rule> -
I have EXACTLY the same issue although I'm using DNS Resolver and not DNS Forwarder. As many many of my rules rely on aliases (and names) it's broken the best part of my network.
-
I opened a bug for this: https://redmine.pfsense.org/issues/7958
-
You opened a bug report with ZERO info to suggest it is..
So you have an alias for smtp.domain.local as a fqdn in it..
Does this resolve? Simple query to pfsense for that fqdn should show you if pfsense can resolve it. Or simple dns lookup under diag.
What does the table for your alias show also under diag.. As the comment in the bug you created states.. They can not duplicate your problem, nor can I..
Where should smtp.domain.local resolve? Is this a host override on pfsense? reservation in dhcp that you have register in forwarder/resolver? Is it some downstream dns that should resolve that? If so do you have a domain override in place so pfsense knows where to go ask for smtp.domain.local?
-
Can you read?
Diagnostic->Ping is working.
And it worked before update!
-
Information requested below:
Alias: IP_Syncthing_Clients - Type: Hosts - Entries: (contains many local computer names all registered in DNS by pfSense DHCP Server) my-desktop IP_NAS - Type: Hosts - Entries: nas.fqdn.private Port_Syncthing_Server_TCP- Type: Ports - Entries: 22000Looking at the table alias for IP_Syncthing_Clients confirms that the IP address for my-desktop is in there.
The table alias for IP_NAS says there are no entries in the table. I have tried amending both the description and added a new host name to prompt it to refresh it but still it reports there are no entries in the table.
Port_Syncthing_Server_TCP doesn't appear in the tables list (I'm assuming only IP ones will?)DNS Resolver Settings: General: Enable: Ticked Port: Default (53) Network Interfaces: selected the correct interfaces (LAN and the network the NAS is on) Outgoing Interfaces: WAN System Domain Local Zone Type: Transparent (default) Enable Forwarding Mode: Ticked Register the DHCP Leases in the DNS Resolver: Ticked Register DHCP static mappings in the DNS Resolver: Ticked No Domain Overrides Advanced: Hide Identity: Ticked Hide Version: Ticked Everything else either unticked or left at defaults Access Lists: EmptyRule: Action: Pass Interface: LAN Address Family: IPv4 Protocol: TCP Source: Single Host or Alias: IP_Syncthing_Clients Destination: Single Host or Alias: IP_NAS Destination Port Range: (other): Port_Syncthing_Server_TCP: (other): Port_Syncthing_Server_TCP Log packets handled by this rule: Ticked Everything else left as defaultPackets destined to port 22000 on nas.fqdn.local from my-desktop are blocked. If I change the rule and replace IP_NAS with the IP address of NAS it works fine.
So it looks like if the table entries are missing it won't resolve. So it looks like the upgrade is hosing some of the Alias tables (as there are a lot of empty ones). Which begs the question how to recreate the alias tables without starting from scratch.
These rules have been in place since 19/2/16 without issue. There are also other rules I have with the same problems. This is just one.
-
Are you using Domain Overrides and query them in your alias table?
-
Are you using Domain Overrides and query them in your alias table?
No. As I said above there are no Domain Overrides in the DNS Resolver.
Just to be clear as well the nas.fqdn.private and my-desktop both resolve to the correct IP when using Diagnostics -> Ping.
-
Dude post up screenshots of your alias and your diagnostic table… How and the hell is pfsense going to resolve smtp.domain.local since that is not a public..
So your saying that is a reservation in your dhcp that your register in your forwarder? Or your just registering dhcp clients? If your not doing an override
If your saying pfsense can resolve it, then it would be in the TABLE.. If its not in the table then no your alias would not work.
Can not duplicate this.. Plain and simple.. If pfsense can resolve a fqdn, then it shows up in the table.. Be it a local entry or a public entry..
-
Dude post up screenshots of your alias and your diagnostic table… How and the hell is pfsense going to resolve smtp.domain.local since that is not a public..
As you're replying to ggzengel (as he has smtp.domain.local) I will let him answer. If you're referring to me then let me know.
-
Strange:
Since update on Friday until yesterday the firewall was blocking the smtp port.
Yesterday I saved this table entry again in the hope it would work, but it always blocked this port.
Only changing to IP resolved this problem.
Today after trying multiple entries with google it's working again.
Now I have a FQDN entry and the firewall is open again. WTF? -
Strange:
Since update on Friday until yesterday the firewall was blocking the smtp port.
Yesterday I saved this table entry again in the hope it would work, but it always blocked this port.
Only changing to IP resolved this problem.
Today after trying multiple entries with google it's working again.
Now I have a FQDN entry and the firewall is open again. WTF?Glad you got yours sorted. I only upgraded yesterday so hopefully I don't need to wait 4 days before it starts working again!
I have a mixture of internal and external addresses that are in the aliases. All resolve through Diagnostics -> Ping so pfSense knows how to resolve them. But their tables are empty.
-
This is a outside located perimeter firewall and is connected with the core network over openvpn.
In the core network are the smtp and the dns servers. The domain.local TLD is forwarded with Domain Override.
This solution (openvpn, dns forward, fqdn alias) is working since years.I don't know what happened after update that this solution was so much disturbed.
Normally the tables should be reloaded with interface changes and everything should be alright.1. guess: It didn't refresh the alias table even on saving old entries
2. guess: It look like there was a negative DNS cache entry for the alias tables which didn't expire if it's always used. While booting the FQDN couldn't be resolved.Perhaps tonight I can reboot the pfsense and will see what happen.
-
Can you test a FQDN you never used before?
Only to see if it's a caching problem. -
You mean just to ping?
I just tried to Diagnostics -> Ping 'hello.fqdn.private' and just 'hello' and both failed as you'd expect.
UPDATED: Also tried this from the console itself with the same error (again as you'd expect). I rebooted pfSense earlier today and also about 15 minutes ago (in case the aliases 'spring' to life after a reboot - I can but hope).
-
What says Status/System Logs/System/DNS Resolver?
Before update it was working:
Sep 22 22:47:42 filterdns adding entry 10.19.4.250 to table smtp_server on host smtp.domain.local Sep 22 22:42:48 filterdns failed to resolve host smtp.domain.local will retry later again. Sep 22 22:18:56 dnsmasq 43335 using nameserver 8.8.4.4#53 Sep 22 22:18:56 dnsmasq 43335 using nameserver 8.8.8.8#53 Sep 22 22:18:56 dnsmasq 43335 ignoring nameserver 127.0.0.1 - local interfaceAfter update it was working to:
Oct 12 20:41:53 filterdns adding entry 10.19.4.250 to pf table smtp_server for host smtp.domain.local Oct 12 20:41:53 filterdns clearing entry 10.19.4.250 from pf table smtp_server on host smtp.domain.local Oct 12 20:41:46 filterdns adding entry 10.19.4.250 to pf table smtp_server for host smtp.domain.local Oct 12 20:41:46 filterdns clearing entry 10.19.4.250 from pf table smtp_server on host smtp.domain.local Oct 12 20:41:45 filterdns adding entry 10.19.4.250 to pf table smtp_server for host smtp.domain.local Oct 12 20:41:45 filterdns failed to resolve host smtp.domain.local will retry later again. Oct 12 20:26:06 dnsmasq 860 using nameserver 8.8.4.4#53 Oct 12 20:26:06 dnsmasq 860 using nameserver 8.8.8.8#53 Oct 12 20:26:06 dnsmasq 860 ignoring nameserver 127.0.0.1 - local interfaceSuddently on Saturday it didn't update this entry any more:
Oct 17 13:30:37 filterdns adding entry 216.58.210.3 to pf table Host for host www.google.de Oct 17 13:30:37 filterdns adding entry 10.19.4.250 to pf table Host for host smtp.domain.local Oct 14 06:45:01 filterdns clearing entry 10.19.4.250 from pf table smtp_server on host smtp.domain.local Oct 14 06:30:01 filterdns adding entry 10.19.4.250 to pf table smtp_server for host smtp.domain.local Oct 14 06:30:01 filterdns clearing entry 10.19.4.250 from pf table smtp_server on host smtp.domain.local Oct 14 06:15:01 filterdns adding entry 10.19.4.250 to pf table smtp_server for host smtp.domain.local Oct 14 06:15:01 filterdns clearing entry 10.19.4.250 from pf table smtp_server on host smtp.domain.local Oct 14 06:00:01 filterdns adding entry 10.19.4.250 to pf table smtp_server for host smtp.domain.localIt only worked today as I added google too.
Yesterday on OCT 16 I tried successfully to ping at smtp.domain.local. So why didn't he update? Did the job crash?I think filterdns has a problem. I have 2 running and since the second one runs I have a fresh alias table:
ps aux | grep filterdns root 19719 0.0 0.3 21492 3184 - Is 13:30 0:00.03 /usr/local/sbin/filterdns -p /var/run/filterdns.pid -i 300 -c /var/etc/filterdns.conf -d 1 root 58949 0.0 0.3 12784 2616 - Is Thu20 0:00.35 /usr/local/sbin/filterdns -p /var/run/filterdns.pid -i 300 -c /var/etc/filterdns.conf -d 1 root 44060 0.0 0.2 14728 2444 0 S+ 15:03 0:00.00 grep filterdns -
Sep 22 22:47:42 filterdns adding entry 10.19.4.250 to table smtp_server on host smtp.domain.local Sep 22 22:42:48 filterdns failed to resolve host smtp.domain.local will retry later again. Sep 22 22:18:56 dnsmasq 43335 using nameserver 8.8.4.4#53 Sep 22 22:18:56 dnsmasq 43335 using nameserver 8.8.8.8#53 Sep 22 22:18:56 dnsmasq 43335 ignoring nameserver 127.0.0.1 - local interfaceWait …
You're asking 8.8.8.8 - 8.8.4.4 (Also known as Google) info about "smtp.domain.local" ?
Well, yes, that will fail ;DIf "smtp.domain.local" your has a static IP, add it to Services => DNS Forwarder => Host Overrides and you'll be fine.
-
yeah…
Why is it ignoring 127.0.0.1?
"Sep 22 22:18:56 dnsmasq 43335 ignoring nameserver 127.0.0.1 - local interface"
edit: This is forwarder, going to have to forward somewhere ;) I have not used the forwarder since they enabled unbound.. Well really before that when unbound was just a package. A resolver is just so much better than a forwarder. Not sure why anyone still uses it to be honest ;)
In a nutshell if you have an alias that is not working, you need to check the table. If entries not in the table then you need to figure out why the resolution of whatever FQDN is not working is not in the table. Pfsense needs to be able to resolve the FQDN you put in there for it to be able to put in the table..
So normally such problems just come down to name resolution troubleshooting.. Which doesn't look like any was done before bug report filed ;)
-
Sep 22 22:18:56 dnsmasq 43335 using nameserver 8.8.4.4#53
Sep 22 22:18:56 dnsmasq 43335 using nameserver 8.8.8.8#53
Sep 22 22:18:56 dnsmasq 43335 ignoring nameserver 127.0.0.1 - local interfaceWhat you see here is dnsmasq and not filterdns.
Dnsmasq works on localhost so it could not add itself. This would give a loop.If filterdns is running it makes it good.
Oct 13 10:29:32 filterdns adding entry 10.19.4.250 to pf table smtp_server for host smtp.domain.local Oct 13 10:29:32 filterdns clearing entry 10.19.4.250 from pf table smtp_server on host smtp.domain.local Oct 13 10:15:01 filterdns adding entry 10.19.4.250 to pf table smtp_server for host smtp.domain.local Oct 13 10:15:01 filterdns clearing entry 10.19.4.250 from pf table smtp_server on host smtp.domain.local Oct 13 10:00:01 filterdns adding entry 10.19.4.250 to pf table smtp_server for host smtp.domain.local Oct 13 10:00:01 filterdns clearing entry 10.19.4.250 from pf table smtp_server on host smtp.domain.localBut since update it talks too much:
Oct 10 01:47:52 filterdns failed to resolve host smtp.domain.local will retry later again. Sep 22 22:47:42 filterdns adding entry 10.19.4.250 to table smtp_server on host smtp.domain.local Sep 22 22:42:48 filterdns failed to resolve host smtp.domain.local will retry later again. Sep 22 22:18:56 dnsmasq 43335 using nameserver 8.8.4.4#53 Sep 22 22:18:56 dnsmasq 43335 using nameserver 8.8.8.8#53 Sep 22 22:18:56 dnsmasq 43335 ignoring nameserver 127.0.0.1 - local interface -
What says Status/System Logs/System/DNS Resolver?
DNS Resolver only has the 'unbound' process. There is nothing of filterdns or dnsmasq in there. There is also nothing in System|General either for either filterdns or dnsmasq.
Are you not using DNS Forwarder service rather than DNS Resolver? I'm assuming there are different 'process' entries.
I'm happy to check anything else out to try and resolve this.
