LAN as a LAGG



  • I am testing the following setup in my lab:
    PC Engine APU2D4:
    WAN1 (wan) -> igb0 -> v4/DHCP4: 192.168.99.11/24
    WAN2 (opt2) -> igb1 ->
    BOND1 (LAN, opt1) -> lagg0 (igb2, igb3) -> v4: 192.168.101.1/24

    Raspberry Pi:
    Running dnsmasq to simulate a domain controller etc.

    The goal is to test a robust setup for a small office, branch etc. with a VPN connection to the main office. Main office running an Active Directory.

    I successfully set up a two-WAN scenario for failover. I also wanted to test a LAGG scenario for reliability, in case one of the two LAN interfaces goes down. I successfully configured igb2 (originally LAN) and igb4 to be lagg0. DHCP, routing and firewall all work fine, but I now have the following issues:

    • Traffic Shaper will not recognize LAGG as an interface ("This firewall does not have any LAN-type interfaces assigned that are capable of using ALTQ traffic shaping.")
    • Cannot get unbound to resolve the local domain in connection with pfBlockerNG (and / or Suricata). When I restart the unbound service, DNS lookups work for a brief time (about a minute) and then it stops working.

    Is there a way at the initial installation stage to configure a LAGG as LAN? Or what are any other options to overcome my issues? Thanks.


  • Netgate Administrator

    The lagg interface does not support altq as you found. However the vlan interface type does so one thing you can do is just put a VLAN on there and use that as LAN. Whatever it's connected to supports lagg so almost certainly supports vlans too.

    Steve



  • Thanks Steve. I set up a random (unused) VLAN and now the traffic shaper works like a charm. One problem solved. However, it had no effect on unbound; it still does not resolve the local domain.


  • Netgate Administrator

    More info needed.
    What exactly are you trying to resolve? Where from? How are you querying it?

    Steve



  • I cannot get Unbound to resolve a local domain, normal requests work fine. I entered the local DNS server (dnsmasq on a Pi) in the Domain Overrides section. It resolves successfully for maybe a minute and then stops. I am not sure but I suspect an issue with pfBlockerNG.

    Martin


  • Netgate Administrator

    It still resolves other addresses OK?

    Does it just show no response for that if you test in Diag > DNS Lookup?

    Do you see states open to the pi from pfSense when it fails?

    Anything logged on the pi?

    Anything in the pfSense resolver log?

    Steve



  • @stephenw10 said in LAN as a LAGG:

    It still resolves other addresses OK?

    Yes, all other addresses are resolved correctly.

    Does it just show no response for that if you test in Diag > DNS Lookup?

    No response! "Host "labap.local.lab" could not be resolved."

    Do you see states open to the pi from pfSense when it fails?

    No, no states when it fails.

    Anything logged on the pi?

    Nothing unusual

    Anything in the pfSense resolver log?

    Nothing unusual either (can't post the log, otherwise post is flagged as spam)

    Steve

    Thanks,
    Martin


  • Netgate Administrator

    Hmm, odd.
    If you run a pcap on WAN for port 53 traffic can you see it querying external DNS servers for that domain?

    Steve



  • Yes, it queries the external DNS for the local domain.

    After restarting the unbound service, the queries go to the Raspberry Pi, but after one minute at the latest, all queries go to the external DNS server.

    Martin


  • Netgate Administrator

    Hmm, something must be causing it to do that. Rejecting the config perhaps.

    That should be logged though. It would at least log Unbound restarting or reloading its config.

    Steve



  • Where can I find this kind of information? I checked the logs but I cannot find anything suspicious.

    Martin


  • Netgate Administrator

    If it was rejecting the config you would see entries in the resolver and system logs.

    Try increasing the logging level on Unbound on the Advanced Settings tab. I would start at 2 and go to 3 if you still don't see anything. At level 3 it logs a lot!

    Steve



  • I now get some strange results, after I increased the logging level.

    A lookup for "labserver.mgk.local" is logged in unbound:
    Feb 11 23:21:43 unbound 7870:0 info: validation success labserver.mgk.lab.mckusch.lab. CNAME IN

    mckusch.local is my production server AD domain....

    Martin


  • Netgate Administrator

    Is that correctly a CNAME for that other FQDN?

    Using .local for your domain can hit mDNS issues, using something else there would be preferable.

    Steve



  • Progress! After some setbacks and several reinstalls of pfSense, I narrowed down the issue. Dnsmasq on the Raspberry Pi cannot handle DNSSEC properly. After I unchecked "Enable DNSSEC Support" in Unbound, pfSense resolves the local domain successfully, every time. Now I just have to figure out how to fix the Pi....

    Thanks Steve for your support!

    Martin
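    A small probe for the failure mode found above, added here as an example and not code from the thread: a validating Unbound sends its forwarder queries carrying an EDNS0 OPT record with the DO bit, so sending the same name once without and once with DO shows whether the override server (dnsmasq on the Pi) answers both forms. The server address and query name are placeholders to be replaced with your own.

    ```python
    import socket
    import struct

    def build_query(qname: str, qtype: int = 1, dnssec_ok: bool = True, txid: int = 0x1234) -> bytes:
        """Build a wire-format DNS query. With dnssec_ok, append an EDNS0 OPT
        record (type 41, 4096-byte UDP size) with the DO bit set, which is what a
        DNSSEC-validating Unbound sends upstream."""
        arcount = 1 if dnssec_ok else 0
        header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
        labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
        question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
        # OPT RR: root name, type 41, CLASS = UDP payload size, TTL = ext-rcode/version/DO/Z
        opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0) if dnssec_ok else b""
        return header + question + opt

    def parse_response(data: bytes) -> dict:
        """Decode the 12-byte header: RCODE, AD (validated) and TC flags, RR counts."""
        txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
        return {
            "id": txid,
            "qr": bool(flags & 0x8000),
            "tc": bool(flags & 0x0200),
            "ad": bool(flags & 0x0020),
            "rcode": flags & 0x000F,
            "answers": an,
            "additional": ar,
        }

    def probe(server: str, qname: str, timeout: float = 2.0) -> dict:
        """Query the forwarder twice, plain and with DO, and return both decoded
        headers (None where no reply arrived within the timeout)."""
        results = {}
        for label, do in (("plain", False), ("dnssec_ok", True)):
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(build_query(qname, dnssec_ok=do), (server, 53))
                try:
                    data, _ = s.recvfrom(4096)
                    results[label] = parse_response(data)
                except socket.timeout:
                    results[label] = None  # silence on the DO query is the symptom to look for
        return results

    if __name__ == "__main__":
        # Placeholder values: the Pi running dnsmasq and a name in the overridden domain.
        print(probe("192.0.2.10", "labap.local.lab"))
    ```

    A forwarder that answers the plain query but times out or returns an error on the DO query is one Unbound will stop using once validation is enabled. Unbound's `domain-insecure:` option (placed in the Resolver's custom options on pfSense) exempts only that zone from validation, which is narrower than turning DNSSEC off for every lookup.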


  • Netgate Administrator

    Ah, nice catch!

