Firewall Stops routing Internet
-
Good Morning.
Almost every day my firewall stops routing to the internet. If I enable or disable pfBlocker, the internet works. If I change my PC to use Google DNS, it works. If I reboot the firewall, it works. If I just save the DNS Resolver settings and apply changes, even though I made no change, it works. I see nothing in the firewall that suggests I'm being blocked. It's driving me crazy and any assistance would be appreciated.
Thank you
-
Hi. What version of pfSense are you using?
-
@vjizzle Version 2.5.0
thanks
Dave -
@ddave I have pfSense 2.5.0 working here in production as well with pfBlockerNG running. The behaviour you describe looks like you hit a bug in version 2.5.0 where unbound just dies.
When you edit pfBlockerNG settings and apply them, pfBlockerNG restarts unbound. When you edit unbound properties and save, it restarts unbound. So that explains why it works again after you do those things.
On my pfSense I did experience this also, and I managed to resolve it by updating unbound. You can try it, but make sure you have a backup of everything beforehand and use at your own risk :).
The command for upgrading unbound is:
pkg upgrade -fy unbound; pfSsh.php playback svc restart unbound
-
@vjizzle Is this the bug you are indicating... Bug #11547 "DNS Resolver does not bind to an interface when it recovers from a down state"?
If I upgrade to 2.5.1, should that fix the issue?
Thanks
Dave -
@ddave Well, I would stay away from 2.5.1. I tried the upgrade but hit a port-forwarding bug with multiple WANs and an OpenVPN client, and also NAT stopped working eventually and only a reboot could fix that. The port-forwarding issue is an official bug in 2.5.1.
But others reported that 2.5.1 was stable for them and also that unbound was running fine. If you decide to go to 2.5.1 be prepared to roll-back.
-
@vjizzle Good morning,
I was thinking last night I was going to log on and say thank you, everything seems to be working. But it happened again this morning. Woke up, fired up the PC and no internet. Logged on to pfSense, internet showing online but not able to reach anything until I disabled pfBlockerNG, then the internet was back up.
Any other suggestions please. And of course thank you for helping out. :)
Dave
-
This is very frustrating not knowing when pfSense is going to stop routing to the internet, to the point I'm considering changing firewalls. Any assistance would be appreciated. Thanks
-
@ddave Hi. I suggest checking my post above about Unbound not running. If your internet stops on pfSense, what is the status of Unbound? Can you still ping internet IPs from your pfSense using WAN as the source? Can you troubleshoot using nslookup and dig from a computer on your LAN with pfSense set as the DNS server?
I mean, if you do not understand why the internet is not working anymore but pfSense is still running, it will be difficult to find the solution.
Like I said before, when you say your internet is not working but after you change settings on Unbound or pfBlockerNG it starts working again... I would suspect Unbound to be the problem. After applying changes to DNS Resolver or pfBlockerNG and saving, pfSense usually restarts Unbound, thus making your internet work again... until Unbound crashes.
-
@vjizzle Good morning,
I did complete your suggestion of updating the unbound (pkg upgrade -fy unbound; pfSsh.php playback svc restart unbound) and had no issues for 3 days and thought the issue was resolved.
As indicated in my first post, I can ping a DNS address if I change my PC to not use the firewall DNS when the issue is occurring. I can ping 8.8.8.8 from pfSense but not google.com.
I don't understand why pfSense is running yet stops routing to the internet, or why I can change the DNS of my PC to go around the pfSense DNS, and that is the reason I'm asking for assistance. What should I do to troubleshoot unbound when it's having this issue? Is there a log to see when and at what point unbound crashes and why it is crashing?
Thank you again for reaching out
Here is a sample of the DNS Resolver log; notice the first line, "service stopped".
May 5 09:07:46 unbound 92037 [92037:0] info: service stopped (unbound 1.13.1).
May 5 09:07:46 unbound 92037 [92037:0] info: server stats for thread 0: 13 queries, 3 answers from cache, 10 recursions, 0 prefetch, 0 rejected by ip ratelimiting
May 5 09:07:46 unbound 92037 [92037:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0
May 5 09:07:46 unbound 92037 [92037:0] info: average recursion processing time 0.152821 sec
May 5 09:07:46 unbound 92037 [92037:0] info: histogram of recursion processing times
May 5 09:07:46 unbound 92037 [92037:0] info: [25%]=0.0851968 median[50%]=0.117965 [75%]=0.196608
May 5 09:07:46 unbound 92037 [92037:0] info: lower(secs) upper(secs) recursions
May 5 09:07:46 unbound 92037 [92037:0] info: 0.032768 0.065536 1
May 5 09:07:46 unbound 92037 [92037:0] info: 0.065536 0.131072 5
May 5 09:07:46 unbound 92037 [92037:0] info: 0.131072 0.262144 3
May 5 09:07:46 unbound 92037 [92037:0] info: 0.262144 0.524288 1
May 5 09:07:46 unbound 92037 [92037:0] info: server stats for thread 1: 6 queries, 2 answers from cache, 4 recursions, 0 prefetch, 0 rejected by ip ratelimiting
May 5 09:07:46 unbound 92037 [92037:0] info: server stats for thread 1: requestlist max 0 avg 0 exceeded 0 jostled 0
May 5 09:07:46 unbound 92037 [92037:0] info: average recursion processing time 0.360414 sec
May 5 09:07:46 unbound 92037 [92037:0] info: histogram of recursion processing times
May 5 09:07:46 unbound 92037 [92037:0] info: [25%]=0 median[50%]=0 [75%]=0
May 5 09:07:46 unbound 92037 [92037:0] info: lower(secs) upper(secs) recursions
May 5 09:07:46 unbound 92037 [92037:0] info: 0.032768 0.065536 1
May 5 09:07:46 unbound 92037 [92037:0] info: 0.262144 0.524288 1
May 5 09:07:46 unbound 92037 [92037:0] info: 0.524288 1.000000 1
May 5 09:07:46 unbound 92037 [92037:0] info: server stats for thread 2: 15 queries, 1 answers from cache, 14 recursions, 0 prefetch, 0 rejected by ip ratelimiting -
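The question earlier in this thread was whether there is a log that shows when unbound stops, and the DNS Resolver log above answers it: the "service stopped" line is the marker. The following is an added example, not code from the thread or from pfSense/unbound, that parses the pfSense DNS Resolver log format shown above, records every stop/start event, collects the per-thread "server stats" lines unbound prints on shutdown, and reports whether the last event seen was a stop with no restart after it (i.e. the resolver is presumably still down). The sample log embedded in it is a subset of the lines quoted in the post plus one constructed "start of service" line for a later restart with a made-up PID; the "start of service" message text and the regexes are assumptions based on unbound's usual log wording.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Matches the pfSense "DNS Resolver" log format quoted in the thread:
# "May 5 09:07:46 unbound 92037 [92037:0] info: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) unbound (?P<pid>\d+) "
    r"\[(?P<tid>\d+):(?P<thread>\d+)\] (?P<level>\w+): (?P<msg>.*)$"
)
STOP_RE = re.compile(r"service stopped \(unbound (?P<ver>[\d.]+)\)")
# Assumed wording of unbound's startup message (not shown on the page)
START_RE = re.compile(r"start of service \(unbound (?P<ver>[\d.]+)\)")
STATS_RE = re.compile(
    r"server stats for thread (?P<thread>\d+): (?P<queries>\d+) queries, "
    r"(?P<cache>\d+) answers from cache, (?P<recursions>\d+) recursions"
)

# Subset of the log lines quoted in the post, plus one CONSTRUCTED restart line
# (last entry, PID 93114 is made up) so the "down vs. restarted" logic can be shown.
SAMPLE_LOG = [
    "May 5 09:07:46 unbound 92037 [92037:0] info: service stopped (unbound 1.13.1).",
    "May 5 09:07:46 unbound 92037 [92037:0] info: server stats for thread 0: 13 queries, 3 answers from cache, 10 recursions, 0 prefetch, 0 rejected by ip ratelimiting",
    "May 5 09:07:46 unbound 92037 [92037:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0",
    "May 5 09:07:46 unbound 92037 [92037:0] info: histogram of recursion processing times",
    "May 5 09:07:46 unbound 92037 [92037:0] info: 0.032768 0.065536 1",
    "May 5 09:07:46 unbound 92037 [92037:0] info: server stats for thread 1: 6 queries, 2 answers from cache, 4 recursions, 0 prefetch, 0 rejected by ip ratelimiting",
    "May 5 09:07:46 unbound 92037 [92037:0] info: server stats for thread 2: 15 queries, 1 answers from cache, 14 recursions, 0 prefetch, 0 rejected by ip ratelimiting",
    "May 5 09:10:02 unbound 93114 [93114:0] info: start of service (unbound 1.13.1).",  # constructed
]


@dataclass
class Report:
    # Each entry: (timestamp, "stop" | "start", unbound version, pid)
    lifecycle: list = field(default_factory=list)
    # thread id -> {"queries", "cache", "recursions"} from the shutdown stats lines
    thread_stats: dict = field(default_factory=dict)

    @property
    def stops(self) -> list:
        return [e for e in self.lifecycle if e[1] == "stop"]

    @property
    def resolver_down(self) -> bool:
        # True when the most recent lifecycle event is a stop with no later start.
        return bool(self.lifecycle) and self.lifecycle[-1][1] == "stop"

    @property
    def total_queries(self) -> int:
        return sum(s["queries"] for s in self.thread_stats.values())


def parse_line(line: str) -> Optional[dict]:
    """Split one DNS Resolver log line into its fields, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines) -> Report:
    """Walk the log once, recording stop/start events and per-thread shutdown stats."""
    report = Report()
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if (m := STOP_RE.search(msg)):
            report.lifecycle.append((rec["ts"], "stop", m["ver"], int(rec["pid"])))
        elif (m := START_RE.search(msg)):
            report.lifecycle.append((rec["ts"], "start", m["ver"], int(rec["pid"])))
        elif (m := STATS_RE.search(msg)):
            # Printed once per thread at shutdown; keep the latest set seen per thread.
            report.thread_stats[int(m["thread"])] = {
                "queries": int(m["queries"]),
                "cache": int(m["cache"]),
                "recursions": int(m["recursions"]),
            }
    return report


def summarize(report: Report) -> str:
    """Human-readable one-liner per event plus the current state."""
    lines = [f"{ts}: unbound {kind} (pid {pid}, version {ver})" for ts, kind, ver, pid in report.lifecycle]
    lines.append(f"queries served before last stop: {report.total_queries}")
    lines.append("STATE: resolver appears DOWN" if report.resolver_down else "STATE: resolver restarted")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(analyze(SAMPLE_LOG)))
```

On a pfSense box the same parser can be pointed at the resolver log file (or at the output of the Status > System Logs > DNS Resolver view copied to a file) to get a timeline of every silent stop, which is the evidence needed before opening a bug report or deciding whether a restart watchdog is worth adding.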
@ddave So the internet is working, I mean you can access it, but DNS is not working. If you go around the DNS of pfSense (for example, use 8.8.8.8 directly on your computer), the internet then works fine.
At the point where unbound is not responding anymore, can you check what the status of unbound is? Go to Status -> Services and check if unbound is running. If it is not, then I would try disabling pfBlockerNG (even better, removing it), reboot pfSense and see if it stays stable. If not, then it is time to start enabling unbound logging / debug and try to figure out what is crashing it.
I remember unbound being unstable on my 2.5.0 install, and from what I read on the internet a lot of people reported that. I then decided to move on to AdGuard Home (or Pi-hole) for my DNS and DNSBL needs and just hoped that Netgate would fix that. Then I found the link about updating unbound, and since then my install has been running fine. BUT I do keep my AdGuard Home server running in case unbound decides to quit again, because I cannot be bothered to troubleshoot something that basically was running fine in 2.4.5-p1.