Netgate Discussion Forum

    ACB host (acb.netgate.com) not reachable from pfSense

    General pfSense Questions
    • RyanMR Offline
      RyanM
      last edited by RyanM

      I am having issues w/ Auto-Config Backup (ACB) not backing up. It seems the host acb.netgate.com is not reachable from my router, but is from hosts on my network.

      From my Windows machine:

      C:\Users\me>ping acb.netgate.com
      
      Pinging acb.netgate.com [208.123.73.69] with 32 bytes of data:
      Reply from 208.123.73.69: bytes=32 time=65ms TTL=51
      Reply from 208.123.73.69: bytes=32 time=65ms TTL=51
      
      Ping statistics for 208.123.73.69:
          Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
      Approximate round trip times in milli-seconds:
          Minimum = 65ms, Maximum = 65ms, Average = 65ms
      Control-C
      

      But when I try to use the DNS Lookup or Ping diagnostic tools in the pfSense UI it returns a 503 bad gateway. And if I do it from shell on the machine, both ping and nslookup do not return:

      [2.8.1-RELEASE][admin@router.hidden.com]/cf/conf/backup: ping acb.netgate.com
      ^C
      [2.8.1-RELEASE][admin@router.hidden.com]/cf/conf/backup: nslookup acb.netgate.com
      ;; communications error to 100.100.100.100#53: timed out
      ;; communications error to 100.100.100.100#53: timed out
      ;; communications error to 100.100.100.100#53: timed out
      ;; no servers could be reached
      

      I wonder if this is something going on w/ Tailscale? My Tailscale network seems to be on a '100' IP network.

      Or I set up HAProxy about a month or 2 ago, but I thought ACB had been working. I may try turning it off to see what happens.

      The '100' in the nslookup leads me to believe this is something w/ Tailscale. Will disable that and see if it fixes this.

      • RyanMR Offline
        RyanM
        last edited by

        Ok, so turning off Tailscale seems to have fixed it. Any ideas in my config what I need to change so I can have this enabled but not break ACB?

        • RyanMR Offline
          RyanM
          last edited by

          For anyone finding this later, it was the Accept DNS option in the Tailscale settings. After turning this off, ACB is working again.

          • stephenw10S Offline
            stephenw10 Netgate Administrator
            last edited by

            Interesting. That the passed servers could not resolve acb is concerning.

            • RyanMR Offline
              RyanM @stephenw10
              last edited by

              @stephenw10 said in ACB host (acb.netgate.com) not reachable from pfSense:

              Interesting. That the passed servers could not resolve acb is concerning.

              Yeah... And I am not sure what I can do to fix this on my end, or if I would need Tailscale to do something...

              • stephenw10S Offline
                stephenw10 Netgate Administrator
                last edited by

                If it's their own DNS servers they may be filtering something....

                • RyanMR Offline
                  RyanM @stephenw10
                  last edited by

                  @stephenw10 so now my issue is that if I have the DNS option off, ACB works, but it does not show as an exit node when I connect to it from my phone or an off-site Windows machine. I am going to reach out to Tailscale and ask about this.

                  • stephenw10S Offline
                    stephenw10 Netgate Administrator
                    last edited by

                    Hmm, yeah I've no idea why they would not resolve it.

                    You could probably add a host override as a workaround. It would fail if the server ever changed IP address but that's fairly unlikely. Ugly hack though!

                    • RyanMR Offline
                      RyanM @stephenw10
                      last edited by

                      @stephenw10 the bigger problem is that I need my exit node so I can access stuff on my home network. I may just live with OpenVPN until I can get back to investigate this in-person. :(

                      • GertjanG Offline
                        Gertjan @RyanM
                        last edited by

                        This :

                        @RyanM said in ACB host (acb.netgate.com) not reachable from pfSense:

                        [2.8.1-RELEASE][admin@router.hidden.com]/cf/conf/backup: nslookup acb.netgate.com
                        ;; communications error to 100.100.100.100#53: timed out
                        ;; communications error to 100.100.100.100#53: timed out
                        ;; communications error to 100.100.100.100#53: timed out

                        doesn't this mean that :

                        ;; no servers could be reached

                        so no DNS can be reached == that DNS can't answer.
                        Is the WAN / uplink ok ?

                        If you need this 100.100.100.100, be aware that they don't want (requests from) you.

                        No "help me" PM's please. Use the forum, the community will thank you.
                        Edit : and where are the logs ??

                        • stephenw10S Offline
                          stephenw10 Netgate Administrator
                          last edited by

                          Hmm, maybe it's trying to use tailscale's dns server but not the tailscale address as source. 🤔

                          • RyanMR Offline
                            RyanM @Gertjan
                            last edited by RyanM

                            @Gertjan there is an option in pfSense to "Accept DNS" in the Tailscale settings. When that is checked, it seems to want to use that 100.100.100.100 address as the DNS server. Which is good for some things, but the problem is that it was not resolving acb.netgate.com. So I don't know that saying "they don't want (DNS) requests from you" is accurate, is it? Why would they provide that address as the DNS/lookup?

                            However, the consequence of turning off "Accept DNS" seems to be that by disabling that setting, now my pfSense router is not showing up as an "exit node" from other clients on the Tailscale VPN network. Additionally, because it is not an "exit node", I can now not resolve other hosts on my remote network.

                            EDIT: I forgot to answer your other question @Gertjan. Yes, the uplink is fine. Everything else seems to be working, and I can even reach acb.netgate.com from other hosts on my network, just not from the pfSense router itself. This has to have something to do with the DNS configuration in Tailscale. I want to enable the "Accept DNS" setting, I just need to figure out how to make it work while also being able to use ACB.

                            And I am not sure how comfortable I feel making changes now as I will be remote from this router for another 5 or 6 months.

                            @stephenw10 can you elaborate on what you mean when you say to try

                            using tailscale's dns server but not the tailscale address as source

                            • stephenw10S Offline
                              stephenw10 Netgate Administrator
                              last edited by

                              I would check the port 53 states when it's trying and failing to resolve against Tailscale's servers. Are those queries actually going over the tunnel? Are they using the tunnel address as the source IP? Because I would expect their server to refuse connections from any other source IP.

                              1 Reply Last reply Reply Quote 0
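
One way to run the check described in the post above: read the pf state table and classify every DNS state toward 100.100.100.100 by the interface it left on and its source address. This is an added example, not something posted in the thread; the `pfctl -ss` line layout, the interface name `tailscale0`, the 100.64.0.0/10 tunnel range and the sample states are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Assumed `pfctl -ss` layout: IFACE PROTO SRC:PORT -> DST:PORT STATE
RESOLVER="100.100.100.100"   # DNS server seen in the thread's nslookup output
TS_IFACE="tailscale0"        # assumed tunnel interface name

# Constructed sample states (not captured from a real firewall).
sample_states() {
cat <<'EOF'
igb0 udp 203.0.113.7:41022 -> 100.100.100.100:53       SINGLE:NO_TRAFFIC
tailscale0 udp 100.101.102.103:18233 -> 100.100.100.100:53       MULTIPLE:MULTIPLE
tailscale0 udp 192.168.1.1:5011 -> 100.100.100.100:53       SINGLE:NO_TRAFFIC
igb0 udp 203.0.113.7:33120 -> 9.9.9.9:53       MULTIPLE:MULTIPLE
igb1 tcp 192.168.1.1:443 <- 192.168.1.50:50122       ESTABLISHED:ESTABLISHED
EOF
}

# Reads state lines on stdin; prints "VERDICT IFACE SRC STATE" for each
# outbound state whose destination is the resolver on port 53.
classify_dns_states() {
    awk -v resolver="$RESOLVER" -v tsif="$TS_IFACE" '
    # True when ip falls inside 100.64.0.0/10 (assumed tunnel address range).
    function in_tunnel_range(ip,    o) {
        if (split(ip, o, ".") != 4) return 0
        return (o[1] + 0 == 100 && o[2] + 0 >= 64 && o[2] + 0 <= 127)
    }
    NF >= 6 && $4 == "->" && $5 == (resolver ":53") {
        src = $3
        sub(/:[0-9]+$/, "", src)             # drop the source port
        if ($1 != tsif)                 verdict = "WRONG-IFACE"
        else if (!in_tunnel_range(src)) verdict = "WRONG-SOURCE"
        else                            verdict = "OK"
        print verdict, $1, src, $NF
    }'
}

sample_states | classify_dns_states
```

On the firewall, `pfctl -ss | classify_dns_states` gives the same report for live states while a lookup is failing; a `NO_TRAFFIC` state on a non-tunnel interface matches the timeouts shown earlier in the thread.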
                              • GertjanG Offline
                                Gertjan @RyanM
                                last edited by

                                @RyanM said in ACB host (acb.netgate.com) not reachable from pfSense:

                                So I don't know that saying "they don't want (DNS) requests from you" is accurate, is it?

                                It said

                                ;; no servers could be reached

                                which means : no answer.
                                @stephenw10 has a point : I presume that "100.100.100.100" only can answer if approached over the tailscale connection. If the DNS request was sent over the other connection, the WAN interface, then "100.100.100.100" can't be reached and that makes sense (to me). That would explain the "no answer".

                                Btw : I'm not using tailscale : test :

                                [25.07.1-RELEASE][root@pfSense.bbhf.tld]/root: dig @100.100.100.100 google.com
                                ;; communications error to 100.100.100.100#53: timed out
                                ;; communications error to 100.100.100.100#53: timed out

                                Note : the return message is different - more 'dig' language for saying the same thing : can't connect to 100.100.100.100 - it doesn't answer.

                                @RyanM said in ACB host (acb.netgate.com) not reachable from pfSense:

                                EDIT: I forgot to answer your other question @Gertjan. Yes, the uplink is fine. Everything else seems to be working, and I can even reach acb.netgate.com from other hosts on my network, just not from the pfSense router itself. This has to have something to do with the DNS configuration in Tailscale. I want to enable the "Accept DNS" setting, I just need to figure out how to make it work while also being able to use ACB.

                                Exactly. You use tailscale and want to use the provided (?) tailscale's DNS server 100.100.100.100.
                                What about forcing unbound's connection over the tailscale connection ?

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.