DNS Resolver not listening on LAN CARP VIP after update to 2.5.1

rle

If I apply the CARP mode to pfBlockerNG I get:

Status / System Logs / System / General

May 28 01:46:44	dhcpleases	63735	Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) cannot be read, No such file or directory.
May 28 01:46:44	dhcpleases	63735	Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) cannot be read, No such file or directory.
May 28 01:46:29	dhcpleases	63735	Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) cannot be read, No such file or directory.
May 28 01:46:29	dhcpleases	63735	Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) cannot be read, No such file or directory.
May 28 01:46:27	dhcpleases	63735	Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) cannot be read, No such file or directory.
May 28 01:46:20	dhcpleases	36267	Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) cannot be read, No such file or directory.

and Unbound + pfb_dnsbl service will not start at all regardless of DNSBL Mode.

Only the DNSBL VIP Type = IP Alias works for me.

In other words: I cannot properly test the patch unfortunately.

Luke_71

@viktor_g I confirm the patch works properly, the skew is no longer overwritten with a force reload on both nodes and if the resulting added value (100) is over 254 it reverts to max 254.

One additional observation: per the pfSense HA CARP guide, the CARP VIPs should have the same subnet as the main interface:

https://docs.netgate.com/pfsense/en/latest/troubleshooting/high-availability.html
Incorrect Subnet Mask
The real subnet mask must be used for a CARP VIP, not /32. This must match the subnet mask for the IP address on the interface to which the CARP IP is assigned.

I am certain that for "local" ifaces /32 is ok for pfBlocker, but shouldn't the subnet be something else (=matching the assigned iface subnet) other than /32 when pfBlocker is configured in CARP VIP mode based on the above assumption or am I reading this incorrectly?

Thanks for the patch.

Luke_71

@rle can you check the logs and see what the issues are with unbound? I only select LAN, localhost and CARP VIP for listening ifaces (don't select ALL) and WAN on outbound interface (plus LAN CARP VIP for local domain overrides). Remember to Force reload all first primary then secondary in pfBlocker Update after changing to CARP mode in DNSBL.

rle

@luke_71 @viktor_g It seems that I had a (huge) misconfiguration with unbound. My knowledge is not up to par...

Apologies for my rant a couple of posts back. Can't seem to change/edit it however.

Only issue now is that pfb_dnsbl/pfBlockerNG DNSBL service is not starting at all. CARP issues are gone.

Huge thanks to both of you for your help and quick release of the patch!

Tested it on pfSense 2.6.0.a.20210527.0100

Luke_71

@rle I have no issues with pfBlockerNG but I'm on 2.5.1 / 3.0.0_16 + patch. I can only suggest you check the logs after having run a full reload on both nodes. Be sure that the unbound service is running without issues and that the DNSBL webserver config has no conflicting ports on the LAN interface.