    LAN as a LAGG

    Installation and Upgrades
kuschi:

I am testing the following setup in my lab:
PC Engines APU2D4:
WAN1 (wan) -> igb0 -> v4/DHCP4: 192.168.99.11/24
WAN2 (opt2) -> igb1 ->
BOND1 (LAN, opt1) -> lagg0 (igb2, igb3) -> v4: 192.168.101.1/24

Raspberry Pi:
Running dnsmasq to simulate a domain controller etc.

The goal is to test a robust setup for a small office, branch etc. with a VPN connection to the main office. The main office is running Active Directory.

I successfully set up a two-WAN scenario for failover. I also wanted to test a LAGG scenario for reliability, in case one of the two LAN interfaces goes down. I successfully configured igb2 (originally LAN) and igb4 to be lagg0. DHCP, routing and firewall all work fine, but I have the following issues now:

• Traffic Shaper will not recognize LAGG as an interface ("This firewall does not have any LAN-type interfaces assigned that are capable of using ALTQ traffic shaping.")
• Cannot get unbound to resolve the local domain in connection with pfBlockerNG (and / or Suricata). When I restart the unbound service, DNS lookups work for a brief time (about a minute) and then it stops working.

Is there a way at the initial installation stage to configure a LAGG as LAN? Or what are any other options to overcome my issues? Thanks.
stephenw10 (Netgate Administrator):

The lagg interface does not support ALTQ, as you found. However, the VLAN interface type does, so one thing you can do is just put a VLAN on there and use that as LAN. Whatever it's connected to supports lagg, so it almost certainly supports VLANs too.

Steve
kuschi:

Thanks Steve. I set up a random (unused) VLAN and now the traffic shaper works like a charm. One problem solved. However, it had no effect on unbound; it still does not resolve the local domain.
stephenw10 (Netgate Administrator):

More info needed.
What exactly are you trying to resolve? Where from? How are you querying it?

Steve
kuschi:

I cannot get Unbound to resolve a local domain; normal requests work fine. I entered the local DNS server (dnsmasq on a Pi) in the Domain Overrides section. It resolves successfully for maybe a minute and then stops. I am not sure, but I suspect an issue with pfBlockerNG.

Martin
stephenw10 (Netgate Administrator):

It still resolves other addresses OK?

Does it just show no response for that if you test in Diag > DNS Lookup?

Do you see states open to the pi from pfSense when it fails?

Anything logged on the pi?

Anything in the pfSense resolver log?

Steve
kuschi (replying to @stephenw10):

@stephenw10 said in LAN as a LAGG:

It still resolves other addresses OK?

Yes, all other addresses are resolved correctly.

Does it just show no response for that if you test in Diag > DNS Lookup?

No response! "Host "labap.local.lab" could not be resolved."

Do you see states open to the pi from pfSense when it fails?

No, no states when it fails.

Anything logged on the pi?

Nothing unusual.

Anything in the pfSense resolver log?

Nothing unusual either (can't post the log, otherwise the post is flagged as spam).

Steve

Thanks,
Martin
stephenw10 (Netgate Administrator):

Hmm, odd.
If you run a pcap on WAN for port 53 traffic, can you see it querying external DNS servers for that domain?

Steve
kuschi:

Yes, it queries the external DNS for the local domain.

After restarting the unbound service, the queries go to the Raspberry Pi, but after one minute at the latest, all queries go to the external DNS server.

Martin
stephenw10 (Netgate Administrator):

Hmm, something must be causing it to do that. Rejecting the config perhaps.

That should be logged though. It would at least log Unbound restarting or reloading its config.

Steve
kuschi:

Where can I find this kind of information? I checked the logs but I cannot find anything suspicious.

Martin
stephenw10 (Netgate Administrator):

If it was rejecting the config you would see entries in the resolver and system logs.

Try increasing the logging level on Unbound on the Advanced Settings tab. I would start at 2 and go to 3 if you still don't see anything. At level 3 it logs a lot!

Steve
kuschi:

I now get some strange results after I increased the logging level.

A lookup for "labserver.mgk.local" is logged in unbound:
Feb 11 23:21:43 unbound 7870:0 info: validation success labserver.mgk.lab.mckusch.lab. CNAME IN

mckusch.local is my productive server AD domain....

Martin
stephenw10 (Netgate Administrator):

Is that correctly a CNAME for that other FQDN?

Using .local for your domain can hit mDNS issues; using something else there would be preferable.

Steve
kuschi:

Progress! After some setbacks and several re-installs of pfSense, I narrowed down the issue. Dnsmasq on the Raspberry Pi cannot handle DNSSEC properly. After I unchecked "Enable DNSSEC Support" in Unbound, pfSense resolves the local domain successfully, every time. Now I just have to figure out how to fix the Pi....

Thanks Steve for your support!

Martin
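The narrower fix that the resolution above points at, as an added Unbound configuration example that is not from the thread or from pfSense's generated config: instead of turning off DNSSEC validation for every domain, mark only the internally served override zone as insecure, so Unbound keeps validating Internet names while accepting unsigned answers from the dnsmasq forwarder. Assumed: the override zone is mgk.lab as in the log line quoted earlier, 192.168.101.10 is a constructed placeholder for the Pi, the server: lines go into Services > DNS Resolver > Custom Options on pfSense, and the forward-zone is shown only because it is what the Domain Override entry already generates (do not add it a second time).

```conf
# Added example; not the thread's or pfSense's own configuration.
# Goal: keep DNSSEC validation enabled globally, but exempt the one
# internal zone that dnsmasq on the Pi serves without DNSSEC.
server:
    # The lab zone has no chain of trust from the root. Without this line the
    # validator treats the unsigned answers from the forwarder as bogus and
    # Unbound falls back to asking upstream, which is the symptom in the thread.
    domain-insecure: "mgk.lab"

    # The override zone hands out RFC 1918 addresses; this keeps DNS rebinding
    # protection from discarding those answers for this zone only.
    private-domain: "mgk.lab"

    # Log the reason for any remaining validation failure (0 = off, 2 = verbose)
    # so a bogus answer shows up in the resolver log instead of silently failing.
    val-log-level: 2

# Equivalent of the GUI Domain Override; pfSense writes this for you.
forward-zone:
    name: "mgk.lab"
    forward-addr: 192.168.101.10    # placeholder for the Pi running dnsmasq
```

After applying, a Diag > DNS Lookup for a name under mgk.lab should succeed every time while DNSSEC validation stays in force for external names; with val-log-level set, any leftover validation failure appears in the resolver log together with its cause.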
stephenw10 (Netgate Administrator):

Ah, nice catch!