SG-3100 VPN and Unbound Issues



  • I recently switched from a VMware VM running PfSense to the SG-3100. Since then, I've been experiencing a few issues.

    • Remote Access OpenVPN sessions will stop passing traffic intermittently.
    • Site-to-Site IPsec tunnel (partner is a PfSense VM) will stop passing traffic intermittently.
    • If any configuration changes are made to Unbound, DNS resolution fails with a "Query Refused" error.
    • All DNS Resolver domain overrides fail to return internal addresses.

    I initially deployed the firewall by restoring the configuration from my VM. There are several packages that appear to not be installed/uninstalled cleanly. I plan to redeploy the device from a factory image this evening and manually configure it.

    The only services I'm currently using are the OpenVPN Remote Access, IPsec Site-To-Site, and Unbound. I may add PfBlockerNG in the future, but I want to achieve stability first. I have a single gigabit internet connection to this device.

    I'm looking for input on the following:

    • Which cryptographic configurations provide the best results for this device (AES-NI vs cryptodev vs both)
    • Opinions on appropriate VPN algorithms for the device. I'm willing to do the work of testing, but I'd like some general guidelines on what I should test.
    • If there are any device-specific Unbound configuration options that I should be aware of.


  • Quick update. The firewall rebuild has been completed, but none of the VPN tunnels have been rebuilt. I'm on as close to a factory default configuration as possible.

    The Unbound issues are still unresolved. If I make any change to its configuration, I get a "Query refused" error on all attempted lookups until the firewall is rebooted. Once the firewall is rebooted, the changes take effect and Unbound behaves normally.

    In addition, my domain overrides don't appear to be working at all. I have domain overrides for 2 internal Active Directory domains pointing to their domain controllers. One is the domain assigned to the firewall. I have the "System Domain Local Zone Type" set to "Redirect" as my understanding is that causes Unbound to honor the override for that domain. I get a "No internal type for both IPv4 and IPv6 Addresses (A+AAAA) records available for X.X.X" for all of these lookups.

    I'll be working on the VPN tunnels next, but I'm no closer on the Unbound issues.



  • The IPsec VPN issues appear to be resolved and appear to have been unrelated to the hardware change. We had a bad phase 2 SA configuration. I'd still like recommendations for algorithm choice and crypto acceleration configuration for both OpenVPN and IPsec, if anyone has them for this device.


  • Netgate Administrator

    You should use cryptodev only in the crypto hardware setting.

    The CESA crypto hardware that is called by the framework supports AES-CBC (128, 192 and 256) only so use that, not AES-GCM.
    It also accelerates MD5 (but never use that!), sha1 and sha256:
    https://github.com/pfsense/FreeBSD-src/blob/ff7d4801f1b88de656e028209818ff005e8a1353/sys/dev/cesa/cesa.c#L1229

    It's significantly faster over IPsec when you use a supported algorithm.

    Steve
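
An added example, not part of the original thread and not pfSense or Netgate code: a small Python check that classifies the algorithms named in an OpenVPN config or a strongSwan-style ESP proposal against the set the reply above lists as CESA-accelerated. The function names and sample configs are constructed for illustration; the accelerated set comes only from that reply.

```python
import re

# From the reply above: CESA (reached through cryptodev) offloads AES-CBC with
# 128/192/256-bit keys plus MD5, SHA1 and SHA256. MD5 is flagged, never accepted.
OFFLOADED = {"AES-128-CBC", "AES-192-CBC", "AES-256-CBC", "SHA1", "SHA256"}

def classify(name):
    """Return 'avoid', 'offloaded' or 'software' for one normalized name."""
    name = name.upper()
    if name == "MD5":
        return "avoid"
    return "offloaded" if name in OFFLOADED else "software"

def audit_openvpn(conf_text):
    """Classify every algorithm named by cipher, auth and ncp-ciphers lines."""
    found = {}
    for line in conf_text.splitlines():
        m = re.match(r"\s*(cipher|auth|ncp-ciphers|data-ciphers)\s+(\S+)", line)
        if m:
            for alg in m.group(2).split(":"):
                found[alg.upper()] = classify(alg)
    return found

def audit_esp_proposal(proposal):
    """Classify a strongSwan-style proposal, e.g. 'aes256-sha256-modp2048'."""
    found = {}
    for token in proposal.lower().split("-"):
        cbc = re.fullmatch(r"aes(128|192|256)", token)
        aead = re.fullmatch(r"aes(128|192|256)(gcm|ccm)\d+", token)
        if cbc:
            name = f"AES-{cbc.group(1)}-CBC"
        elif aead:
            name = f"AES-{aead.group(1)}-{aead.group(2).upper()}"
        elif token in ("md5", "sha1", "sha256", "sha384", "sha512"):
            name = token.upper()
        else:
            continue  # DH groups (modp2048, ...) and tokens this sketch does not recognize
        found[name] = classify(name)
    return found

# Constructed sample inputs, not taken from the thread.
SAMPLE_OPENVPN = "dev ovpns1\ncipher AES-256-CBC\nncp-ciphers AES-256-GCM:AES-128-CBC\nauth SHA256\nauth-nocache\n"
SAMPLE_ESP = ["aes256-sha256-modp2048", "aes128gcm16-modp2048", "aes128-md5"]

if __name__ == "__main__":
    print(audit_openvpn(SAMPLE_OPENVPN))
    for p in SAMPLE_ESP:
        print(p, audit_esp_proposal(p))
```

Anything reported as `software` still works but runs on the CPU; a negotiated cipher list (`ncp-ciphers`) that includes AES-GCM can select it even when `cipher` names AES-CBC.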



  • Thanks for the clarification. I've configured the VPNs and everything seems stable and is performing well.

    I'm still dealing with the Unbound issue, where I get a "query refused" once any changes are applied until the firewall is rebooted. I found that using the DNS Lookup diagnostic in PfSense returns a lookup, but any lookups from other nodes on the network fail. Once I have a spare minute, I'm going to attempt to recreate the issues in a VMware VM to determine if it's a hardware-related issue or not.

    Should I open a new post in the appropriate forum regarding the Unbound issue?


  • Netgate Administrator

    Yes, please start a new thread there.

