Mountroot issues after 2.2 upgrade
-
What are you using for web filtering, squidguard not able to install
-
Nope - I sort of wish it was. Its no big deal to switch though. 1 minute? Maybe 2?
-
Nope - I sort of wish it was. Its no big deal to switch though. 1 minute? Maybe 2?
Sorry for the newbie question but could you please explain the steps? Thanks!
-
1. update to pfsense 2.2
2. go to services > DNS forwarder - un-check " Enable DNS forwarder" then save
3. go to services > DNS Resolver - check "enable dns resolver" then saveI also enabled DNSSEC, Register DHCP leases in the DNS Resolver, Register DHCP static mappings in the DNS Resolver (all optional)
and in the advanced settings TAB I enabled Prefetch Support, Prefetch DNS Key Support (these should make DNS abit zippier) (also optional)
I considering enabling Harden Glue and Harden DNSSEC data but I'm no sure. Maybe someone else will chime in. The POSSIBLE issue I see is that once I turn those on any site on the web that hasn't configured DNS 100% perfectly might just disappear and become unavailable to me even though they aren't spoofing or being spoofed? Not sure how this will impact my network if I turn them on basically.
Also, I went to system > general setup and deleted all my DNS server IPs from that list. (seems optional)
Then I un-checked "Allow DNS server list to be overridden by DHCP/PPP on WAN" (seems optional)
and I checked "Do not use the DNS Forwarder as a DNS server for the firewall" (seems required)
And clicked save - always click save when you change things.
These changes should take you off the ISP DNS, any public DNS servers and put you on the Internets main root DNS servers with DNSSEC.
At this point, the only issue (not really an issue) is that large well organized very good ISPs may cache alot of content and may also direct you to the very nearest content servers if you are using their DNS, which you will not be. I'm not too sure how big a performance hit you may take, if any. Maybe someone else can chime in on that subject?
I haven't noticed anything bad myself. I have noticed less issues on the physical LAN with windows machines. They seem to be resolving much faster and more reliably now.
Here in my location, I'm VPNing in and using pfsense DNS over the tunnel and its resolving both IPv4 and IPV6 just fine.
Hope that helps.
-
If pictures help, this is my home config, just set your interfaces and turn off Forwarder and Turn on Resolver. :)
Edited to include: Wpad.dat, and the Advanced options is specific to my setup.
-
Last question (For now LOL), what is/are the advantages/disadvantages of unbound vs the current DNS Forwarder.
Thanks! -
Its just generally better, more robust and feature rich. (also more secure)
Unbound is a validating, recursive and caching DNS server.
Dnsmasq is a lightweight, easy to configure DNS forwarder.
So, one is a DNS server and the other in merely a forwarder for other DNS servers.
-
I am only running a home network should I still make the change in your opinion?
Cheers!
-
I like it better so far. Its up you you.
Be safe. Back up your current config then give it a try. If you don't like it, restore your old config.
-
how did you backup the package? or just import the anything after autoupgraded?
No need to backup the package. All packages that does not have explicit option to remove config options will be there after package reinstall.
-
Waited for the wife to go out shopping and completed the task as per kejianshi instructions. I have noticed a snappier response and I am quite happy with the performance.The only step I didn't follow was to delete the DNS servers from the general setup.
One other bonus that I wasn't expecting is that I no longer have DNS leaks connecting as a VPN client ;D
Thanks kejianshi and all others who responded.
Cheers!
-
how did you backup the package? or just import the anything after autoupgraded?
No need to backup the package. All packages that does not have explicit option to remove config options will be there after package reinstall.
so the procedure is
- make a backup config
- uninstall all package
- run auto upgrade
- import the backup config
right? thanks :D
-
- reinstall and test each package.
-
-
all package need to be config again?
No. Only those that needs this wipe on upgrades(like snort).
-
all package need to be config again?
No. Only those that needs this wipe on upgrades(like snort).
the package config file will remain in the upgraded system?
-
the package config file will remain in the upgraded system?
Yes. It's on xml config file, not on package dirs.
-
-
i had to do a fresh install as well. no big deal.
-
Same issue here, full upgrade running pfsense 2.15 AMD 64. The auto upgrade made the system dysfunctional.
Basically the way to perfectly upgrade the system is to make a full config backup. Fresh install and restore the config.
It was no biggie for me as I needed to replace the HD anyway. But half a day was gone in getting it running again.
Note: After restoring the config, need to clear the packages lock and reinstall packages.
