Netgate Discussion Forum

New pfSense KVM VM DNS Resolver (unbound) Issue…

  • R
    reb00tz
    last edited by Mar 1, 2018, 9:32 AM

    Hi everyone,

    Set up a new pfSense 2.4.2 VM under KVM/QEMU on Ubuntu LTS (64-bit) w/2 vCPUs, 2GB RAM, 10GB SATA disk and 1x e1000 NIC (i.e. no virtio devices).

    e1000 "WAN" gets IP via DHCP from local DHCP.

    Problem #1: System consistently hangs at "Starting DNS Resolver" when NIC is "connected" at boot

    • if plain, straight-forward install from ISO and reboot, WAN is configured, but system hangs at "Starting DNS Resolver"

    • if NIC is "disconnected" (at hypervisor), boot completes (after slight delay at bringing up WAN and "Starting DNS Resolver"), then system operates as normal (up to a point - read below) when NIC is reconnected (i.e. web configuration wizard although it also hangs at the last "redirect" step) - note that DNS Resolver service shows as "not started" after a forced reboot (while repeating the whole "NIC disconnect, reconnect dance")

    • renaming /usr/local/sbin/unbound* "solves" the hang, but then I cannot disable it via web UI (complains about missing unbound-checkconf)

    Problem #2: Attempting to disable "DNS Resolver" (i.e. unbound) via web UI consistently fails when "Save" button is clicked (nginx reports "504 Gateway Time-out")

    Any ideas?

    • R
      reb00tz
      last edited by Mar 1, 2018, 5:30 PM

      Hurdle after hurdle…

      So, I used the PHP and pfsense environment to disable unbound, so booting the VM no longer requires the "NIC disconnect, reconnect" song-and-dance routine.

      For those so inclined:

      • record a script to show the unbound config:
      record showunboundconfig
      parse_config(true);
      $temp = print_r($config['unbound'], true);
      more($temp);
      stoprecording
      
      • record a script to disable unbound:
      record disableunbound
      parse_config(true);
      $config['unbound']['enable'] = false;
      write_config();
      stoprecording
      
      • display the "before", disable, then display the "after":
      playback showunboundconfig
      playback disableunbound
      playback showunboundconfig
      

      Unfortunately, I am stuck again; I can ping the gateway or any other host, but I cannot access the web UI, even if I were to disable the firewall via shell (pfctl -d).  :o

      I also tried with pfSense 2.3.5, with the exact same results.  :-[

      • ?
        A Former User
        last edited by Mar 1, 2018, 10:34 PM

        Have you tried turning off/disabling hardware offload?

        I realise you're not using the virtio drivers (why not? better performance) but it would still be a first step:

        https://doc.pfsense.org/index.php/Tuning_and_Troubleshooting_Network_Cards
        https://doc.pfsense.org/index.php/VirtIO_Driver_Support#Disable_Hardware_Checksum_Offloading

        • R
          reb00tz
          last edited by Mar 2, 2018, 3:48 PM Mar 2, 2018, 3:12 PM

          Hi @muppet,

          Thanks for the reply.

          I am not using virtio drivers for now because there is no way to turn it off from the guest side except through the web UI (as far as I am aware); the issues I face here (with e1000 emulation) mean I cannot even get to the web UI.

          Fact is, I originally tried with virtio but fell back to e1000 (recreating the entire VM also, just in case) trying to troubleshoot the pesky unbound "Starting DNS Resolver" hanging problem… For what it is worth, I have disabled every offload setting in all NICs on the hypervisor (/etc/network/interfaces snippet for every NIC, bond_n_ and br_n_ iface as follows) and I am still facing this issue (of web UI not being accessible).

          
                  # disable hardware offloading for virtio compatibility
                  offload-tx off
                  offload-rx off
                  offload-tso off
                  offload-ufo off
                  offload-lro off
                  offload-sg off
                  offload-gro off
                  offload-gso off
                  offload-rxvlan off
                  offload-txvlan off
                  offload-ntuple off
                  offload-rxhash off
          
          

          I will try with a complete rebuild (again) and see if I can establish a reliable step-by-step. What I do not understand is why unbound is causing so much grief - and considering it is the "default", why I do not see others having the same issue.

          Hoping someone can help point me towards debugging/logging the answer…

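A check for the offload stanza in the post above, added here as an example and not part of the thread: it reads `ethtool -k` output and lists which of those offloads still report "on", including ones marked `[fixed]` that the stanza cannot change. The sample output, the interface name `br0` and the function names are constructed for illustration.

```shell
# Added example: map each offload-* option from the stanza to the feature
# name printed by `ethtool -k <iface>` and report the ones still enabled.

# Constructed sample of `ethtool -k br0` output (not from the poster's host).
sample_ethtool_k() {
cat <<'EOF'
Features for br0:
rx-checksumming: off
tx-checksumming: on
    tx-checksum-ipv4: off [fixed]
scatter-gather: off
tcp-segmentation-offload: off
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on [fixed]
tx-vlan-offload: off
ntuple-filters: off [fixed]
receive-hashing: off
EOF
}

# Reads `ethtool -k` output on stdin; prints one line per stanza option that
# still reports "on": "<stanza option> <ethtool feature> <state>".
# Indented sub-feature lines never match a key and are skipped.
still_enabled() {
    awk -F': ' '
        BEGIN {
            opt["rx-checksumming"] = "offload-rx"
            opt["tx-checksumming"] = "offload-tx"
            opt["scatter-gather"] = "offload-sg"
            opt["tcp-segmentation-offload"] = "offload-tso"
            opt["udp-fragmentation-offload"] = "offload-ufo"
            opt["generic-segmentation-offload"] = "offload-gso"
            opt["generic-receive-offload"] = "offload-gro"
            opt["large-receive-offload"] = "offload-lro"
            opt["rx-vlan-offload"] = "offload-rxvlan"
            opt["tx-vlan-offload"] = "offload-txvlan"
            opt["ntuple-filters"] = "offload-ntuple"
            opt["receive-hashing"] = "offload-rxhash"
        }
        ($1 in opt) && $2 ~ /^on/ { print opt[$1], $1, $2 }
    '
}

sample_ethtool_k | still_enabled   # real host: ethtool -k br0 | still_enabled
```

Run it once per physical NIC, bond and bridge, since each interface reports its own feature state.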
          • K
            Kohji
            last edited by Apr 9, 2018, 10:01 AM

            I've updated yesterday to

            2.4.2-RELEASE-p1 (amd64)
            built on Tue Dec 12 13:45:26 CST 2017
            FreeBSD 11.1-RELEASE-p7

            .
            Now I have DNS Problems.
            I've worked with backups and, now, I've set pfsense back to factory defaults - still DNS Problems.
            If I do not use e.g. 192.168.1.1 in my devices but use a DNS Server like 8.8.8.8 - internet works.

            Please note: The problem exists directly after "factory defaults" - without any special settings…

            Should I consider installing an older version of pfsense?

            Thank you
            Kohji
