List of DHCP Leases: Gateway Time-out (504)
-
Hi,
I have a strange issue with my up-to-date pfSense (2.5.2-RELEASE).
Everything works fine except I can not get my current state of DHCP leases.
I click on "Status -> DHCP Leases" and nothing happens. After a while I am getting a "504 Gateway Time-out" from nginx.
I already rebooted the firewall with no change in behaviour.
Everything else seems to work - I am getting IP addresses through DHCP. Log files show DHCPACKs and DHCP itself runs fine - just as all other services (bind, OpenVPN, ...)
What I can see in the log is the following:
2022/01/20 13:44:20 [error] 4674#100190: *4418 upstream timed out (60: Operation timed out) while reading response header from upstream, client: 192.168.9.50, server: , request: "GET /status_dhcp_leases.php HTTP/2.0", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "pfsense.dom.intern:8443", referrer: "https://pfsense.dom.intern:8443/status_logs.php?logfile=dhcpd"
It's just I can not see the list of current leases which is a bit annoying.
And no, last update was six months ago and I really did not change any settings related to DHCP or its logs.
[EDIT] The issue seems not to be related to DNS/name resolution. When I am connected through IP-address I am getting same error and the above error message replaces the hostname with the IP.
Anyone having a clue what is wrong here?
Thanks!
/KNEBB
-
@knebb said in List of DHCP Leases: Gateway Time-out (504):
Fixed in 22.01/2.6:
https://redmine.pfsense.org/issues/11512
-
[EDIT] Just as I wrote the below the page displayed fine. Looks like it took a while...
So I am back again to a working pfSense. Thanks!
Thanks for pointing this out. Assuming the release of 2.6 will currently not be published I am obviously looking for a workaround.
Even though I thought it is not related to DNS, it looks like I was wrong. So which setting is recommended for DNS? I played a while but was not able to get the page loading fine back again.
pfSense has configured some external DNS servers and my bind is configured to forward queries to these (external) DNS servers. Additionally, pfSense is configured to query 127.0.0.1 and then the configured external DNS servers.
So how should I configure this to get the page loading fine? I do not mind editing a file, but I have no clue which....
Greetings
/KNEBB
-
@knebb said in List of DHCP Leases: Gateway Time-out (504):
[EDIT] The issue seems not to be related to DNS/name resolution. When I am connected through IP-address I am getting same error and the above error message replaces the hostname with the IP.
It is DNS related.
When building the list: the IP addresses are reverse PTRd.
Normally, the DNS request reaches the resolver, unbound, and unbound should know all about the devices that exist locally.
Now entering those who think they have to 'change' DNS settings, because the default ones are not good.
For example : the local resolver isn't trusted, everything has to get forwarded to some "fortune 500" company.
If the "fortune 500" doesn't reply, or is unreachable for whatever reason : no reply, even after a long delay - PHP will bail out earlier.
Note that known 'local' devices shouldn't be sent to be resolved @500. But, depending on the settings, this can be done (totally not ok of course - as @500 wouldn't be able to answer the question "who is nas.here.local." anyway).
I've tried to reproduce the error "no dhcp leases shown - and bails out with an error".
I never managed to do so.
edit : not correct.
When I break DNS, like this :
the DHCP lease file status page won't show.
So I unbreak it, and all is well.
@knebb : all that matters to me is, how come that some have this DHCP lease status page doesn't show. A "not working DNS" is a reason. Are there other reasons - that's my question ?
-
@gertjan said in List of DHCP Leases: Gateway Time-out (504):
@knebb : all that matters to me is, how come that some have this DHCP lease status page doesn't show. A "not working DNS" is a reason. Are there other reasons - that's my question ?
Hi,
as far as I can see it was related to DNS for me as well - even though I did not think so.
Unfortunately I can only guess about other possible issues. On my site two things happened:
First, I reconfigured my bind a couple of days ago and switched from "forwarding" to "do your own". I guess it took then too long to resolve.... just a guess.
Then it happened my GREEN interface got disconnected due to a cable issue. After a couple of minutes it was back - and shortly afterwards I noticed the issue. I enabled forwarding mode again and it worked - even though with a noticeable short delay.
I have not configured any reverse zones here - possibly related?
/KNEBB
-
For what it's worth, I had the same issue and this fixed it for me:
- pfSense General Setup page was configured to use NextDNS
- I changed it to use my local AD Domain Controllers instead.
- Suddenly DHCP Leases loads instantly.
-
@aaronssh said in List of DHCP Leases: Gateway Time-out (504):
Suddenly DHCP Leases loads instantly.
Because your local DNS server knows about the devices you have attached to your local LAN.
"NextDNS" or Google DNS, or everybody else on the internet, do not know that your printer on your LAN, called "printer.yourlan.local" with IP 192.168.1.x, exists.
After all, a domain like "yourlan.local" isn't registered and can not be resolved on the Internet - do not believe my words, test this :
root@ns311465:~# host yourlan.local
Host yourlan.local not found: 3(NXDOMAIN)
What happens when you look at the pfSense page Status DHCP Leases ?
Every line is also resolved. Info like "Hostname" is present in the DNS, on in the lease info. If you have these DNS questions sent to NextDNS, it will take some time, and this is normal, you're asking NextDNS to walk through their entire xxxxx million line DNS database to finally find ... nothing.
Then the next line is asked ... same result.
A couple of minutes later people are posting here to ask why showing the page Status DHCP Leases is so slow ....
Now you know.
This is me inventing something
If you were a huge multi billion public DNS supplier : what would you do if 'someone' starts to ask DNS requests that can't be resolved ?
You wait before you send an answer NXDOMAIN back. Because you know, there are chances that the next request from the same device will also be NXDOMAIN. So you add an extra wait time on the next request. And even more on the next request.
This way, the local admin (you) will start to understand that something is wrong ;)
Again, maybe this is pure BS .....
-
@gertjan I totally get all that but I do feel this is a poor design decision by pfSense. The reason being:
Many of us have local DNS via AD. This is great for our private network, but we don't want our local servers resolvable for users of more restricted VLANs (Guest WiFi or a web server DMZ for example). Because of this security concern, we configure our local LAN to use the local AD DNS, but we always have pfSense configured to use NextDNS so that all queries made to DNS Resolver (via restricted Guest wifi for example) use external DNS and so have no way to resolve internal server IPs.
The other reason is that it is quite possible that local DNS via AD goes down but we still want pfSense DNS to continue functioning.
Both of these reasons are legit reasons to use external DNS only for pfSense and DNS Resolver. My only gripe is that the DHCP Leases page isn't smart enough to handle resolution timeouts and just move on. If a name can't be resolved it should just move on to the next hostname and still provide me the results. As designed, it is totally unusable with external DNS.
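The behaviour asked for above (skip a name that does not resolve in time and still list the lease), sketched in Python as an added example that is not part of the original thread and is not pfSense's code. The lease tuples, `slow_upstream` and the timeout values are constructed assumptions.

```python
import socket
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout

# Constructed sample leases (IP, hostname stored in the lease); not real data.
SAMPLE_LEASES = [("192.168.1.10", "printer"), ("192.168.1.11", "nas"), ("192.168.1.12", "")]


def system_ptr(ip):
    """PTR lookup via the system resolver; raises OSError when there is no answer."""
    return socket.gethostbyaddr(ip)[0]


def slow_upstream(ip):
    """Constructed stand-in for a forwarder that answers one query, stalls on
    another and returns NXDOMAIN for the rest."""
    if ip == "192.168.1.10":
        return "printer.yourlan.local"
    if ip == "192.168.1.11":
        time.sleep(1.5)
        return "nas.yourlan.local"
    raise OSError("NXDOMAIN")


def annotate_leases(leases, resolver=system_ptr, per_lookup=0.5, budget=5.0, workers=16):
    """Return (ip, name, source) rows, waiting at most `budget` seconds in total.

    source: "ptr" = DNS answered in time, "lease" = fell back to the lease's
    own hostname, "none" = no name available.
    """
    deadline = time.monotonic() + budget
    pool = ThreadPoolExecutor(max_workers=workers)
    pending = [(ip, name, pool.submit(resolver, ip)) for ip, name in leases]
    rows = []
    for ip, lease_name, fut in pending:
        # Wait at most per_lookup for this row, and never past the deadline.
        wait = max(0.0, min(per_lookup, deadline - time.monotonic()))
        try:
            rows.append((ip, fut.result(timeout=wait), "ptr"))
        except (FutureTimeout, OSError):
            # Slow or failed lookup: keep going with what the lease says.
            rows.append((ip, lease_name, "lease" if lease_name else "none"))
    # Return now; lookups still running are left to finish in the background.
    pool.shutdown(wait=False, cancel_futures=True)
    return rows


if __name__ == "__main__":
    for row in annotate_leases(SAMPLE_LEASES, resolver=slow_upstream, per_lookup=0.2):
        print(row)
```

Because the lookups are submitted together, one stalled PTR query costs the page at most `per_lookup` seconds instead of stacking up toward the 60-second upstream timeout seen in the nginx log.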
-
@aaronssh I just want to add that I came across a bug report for this from a prior version. They fixed it, so that it could handle timeouts correctly. This issue in 21.05 appears to be a regression.
-
I've been having this problem for some time, and I'm using version 22.05. I thought I'd just have a little play with the DNS Resolver: in the Network Interfaces and Outgoing Network Interfaces, instead of ALL interfaces, I unclicked the pfblocker interface, 10.10.10.1... and now everything seems to be working fine.
-
I have the same problem in version 2.6. Any solution?
-
@charlesiapp said in List of DHCP Leases: Gateway Time-out (504):
Any solution?
Yeah.
Don't stop reading after you've seen the subject.
Read the rest.
Use default "out of the box" DNS settings ? I mean : no DNS settings changed or added, nothing, no exception.
And one thing not added yet : upgrade.
-
@slim2016 thank you