Re: [pfSense] DNS-forwarder through OpenVPN "stopped working" with 2.3.2
Hi Knut,

thanks for the hint, this is what I found (I use DNS forwarder, not resolver):

WEB GUI page "Services" -> "DNS Forwarder", field "Interfaces": when I select the first option "All", DNS does not work via OpenVPN. When I unselect "All" and instead select each of the interfaces in the list, including "Localhost", DNS works via OpenVPN just like it worked before 2.3.2.

- Lars Wuerfel

On 08/09/2016 03:13 PM, kpolb...@olberg.name wrote:
> Hi,
>
> We had to add all our subnets to the access lists in unbound to get resolving working between our sites.
>
> Knut Petter
>
> On 08/09/2016 08:53 AM, Philipp Tölke wrote:
> > [...]

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] DNS-forwarder through OpenVPN "stopped working" with 2.3.2
Hi,

We had to add all our subnets to the access lists in unbound to get resolving working between our sites.

Knut Petter

On 08/09/2016 08:53 AM, Philipp Tölke wrote:
> Hi Lars, hi all,
>
> I spooled up a Linux-VM, installed DJB's dnscache on it and have the pfSense NAT incoming DNS-Queries on the VPN-Interface to this machine. Queries for internal names (DHCP!) are handed back to the pfSense...
>
> I do not find this solution very elegant but what can you do? :-)
>
> Regards,
> Philipp
>
> [...]
Re: [pfSense] DNS-forwarder through OpenVPN "stopped working" with 2.3.2
Hi Lars, hi all,

I spooled up a Linux-VM, installed DJB's dnscache on it and have the pfSense NAT incoming DNS-Queries on the VPN-Interface to this machine. Queries for internal names (DHCP!) are handed back to the pfSense...

I do not find this solution very elegant but what can you do? :-)

Regards,
Philipp

> -----Original Message-----
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Lars Wuerfel
> Sent: 9 August, 2016 7:26
> To: list@lists.pfsense.org
> Subject: Re: [pfSense] DNS-forwarder through OpenVPN "stopped working" with 2.3.2
>
> Philipp,
>
> I am facing the same problem here since the Upgrade to 2.3.2
> DNS resolution through the OpenVPN tunnel works with site2site VPN.
> But it does not work with remote login from my laptop.
> This worked up to version 2.3.1_p5
>
> Do you have a solution meanwhile?
>
> Thanks and Regards
> Lars
>
> On 07/28/2016 10:04 AM, Philipp Tölke wrote:
> > [...]
Re: [pfSense] DNS-forwarder through OpenVPN "stopped working" with 2.3.2
Philipp,

I am facing the same problem here since the Upgrade to 2.3.2
DNS resolution through the OpenVPN tunnel works with site2site VPN.
But it does not work with remote login from my laptop.
This worked up to version 2.3.1_p5

Do you have a solution meanwhile?

Thanks and Regards
Lars

On 07/28/2016 10:04 AM, Philipp Tölke wrote:
> Hi again,
>
> [...]
Re: [pfSense] DNS-forwarder through OpenVPN "stopped working" with 2.3.2
Hi again,

> From: Philipp Tölke [mailto:philipp.toe...@fos4x.de]
> Sent: 27 July, 2016 16:01
>
>> Check the system routing table. From the sound of the errors, it would
>> appear that the firewall routing table does not include a route back to
>> the VPN client subnet.
>
> Interesting: The routing table has an entry for the VPN network:
>
>     Destination        Gateway            Flags     Netif Expire
>     [...]
>     10.1.2.0/24        10.1.2.2           UGS       ovpns2
>     10.1.2.2           link#16            UH        ovpns2
>
> But since the OpenVPN is configured as "net30" the gateway 10.1.2.2 is
> not on the same network as most of the querying systems...
>
> Why has this worked until yesterday?

So I dug into this issue some more; the other VPN-Servers all use "subnet" and not "net30" and DNS works.

The other VPN-Servers all have routes looking like this:

    10.1.0.0/24        10.1.0.1           UGS       ovpns1
    10.1.0.1           link#15            UHS       lo0
    10.1.0.2           link#15            UH        ovpns1

Changing the route of the net30-VPN to be like the routes of my other VPN-Servers:

    10.1.2.0/24        10.1.2.1           UGS       ovpns2
    10.1.2.1           link#16            UHS       lo0
    10.1.2.2           link#16            UH        ovpns2

does not help with my issue.

Even adding the peer-to-peer configuration of a host to the interface:

    ifconfig ovpns2 10.1.2.181 10.1.2.182 netmask 255.255.255.255 alias

has not enabled DNS resolving. Resolving using another DNS-Server in my internal net works so this is not a firewall-issue.

Is there anything I can do short of rolling out another DNS-Server?

Thanks for the help!

Philipp
Re: [pfSense] DNS-forwarder through OpenVPN "stopped working" with 2.3.2
Hi all, Hi Jim,

Thanks for your fast reply!

> From: Jim Pingle
> Sent: 27 July, 2016 15:37
>
> On 07/27/2016 08:45 AM, Philipp Tölke wrote:
>> since the update to 2.3.2 yesterday our external devices do not get
>> DNS-Replies anymore.
>
> What version was this firewall running previously?

2.3.1 or 2.3.0.

>> We have configured the DNS-Forwarder to listen on the interface and
>> sockstat shows it's listening on *:53. We have a rule allowing
>> everything to pass to "self" on port 53.
>>
>> With tcpdump I can see that the queries reach the firewall but no
>> responses get sent out.
>>
>> The log of the DNS-Forwarder shows many entries like "Jul 27 14:36:22
>> dnsmasq 83840 failed to send packet: Host is down".
>>
>> Is this a known problem? Is there anything I can do?
>
> Check the system routing table. From the sound of the errors, it would
> appear that the firewall routing table does not include a route back to
> the VPN client subnet.

Interesting: The routing table has an entry for the VPN network:

    Destination        Gateway            Flags     Netif Expire
    [...]
    10.1.2.0/24        10.1.2.2           UGS       ovpns2
    10.1.2.2           link#16            UH        ovpns2

But since the OpenVPN is configured as "net30" the gateway 10.1.2.2 is not on the same network as most of the querying systems...

Why has this worked until yesterday?

Cheers,
Philipp
Re: [pfSense] DNS-forwarder through OpenVPN "stopped working" with 2.3.2
On 07/27/2016 08:45 AM, Philipp Tölke wrote:
> since the update to 2.3.2 yesterday our external devices do not get
> DNS-Replies anymore.

What version was this firewall running previously?

> We have configured the DNS-Forwarder to listen on the interface and
> sockstat shows it's listening on *:53. We have a rule allowing everything
> to pass to "self" on port 53.
>
> With tcpdump I can see that the queries reach the firewall but no
> responses get sent out.
>
> The log of the DNS-Forwarder shows many entries like "Jul 27 14:36:22
> dnsmasq 83840 failed to send packet: Host is down".
>
> Is this a known problem? Is there anything I can do?

Check the system routing table. From the sound of the errors, it would appear that the firewall routing table does not include a route back to the VPN client subnet.

Jim
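Jim's "is there a route back to the VPN client subnet?" check, done in code as an added example that is not from the list thread or the pfSense project. It parses FreeBSD `netstat -rn` style lines like the ovpns1/ovpns2 entries Philipp posted earlier in the thread (embedded here as a constructed sample, with an invented LAN route on em1 for contrast) and reports which route the firewall would use to send a DNS reply back to a given client address.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed sample in FreeBSD `netstat -rn` layout: the ovpns1 (subnet
# topology) and ovpns2 (net30) entries quoted in the thread, plus an
# invented LAN route (em1) so a non-VPN address has somewhere to go.
SAMPLE_ROUTES = """\
Destination        Gateway            Flags     Netif Expire
192.168.1.0/24     link#2             U         em1
10.1.0.0/24        10.1.0.1           UGS       ovpns1
10.1.0.1           link#15            UHS       lo0
10.1.0.2           link#15            UH        ovpns1
10.1.2.0/24        10.1.2.2           UGS       ovpns2
10.1.2.2           link#16            UH        ovpns2
"""

class Route(NamedTuple):
    dest: ipaddress.IPv4Network
    gateway: str
    flags: str
    netif: str

def parse_routes(text: str) -> list[Route]:
    """Turn route table lines into Route records; the header is skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Destination":
            continue
        dest, gateway, flags, netif = parts[:4]
        # A destination without a prefix length is a host (/32) route.
        net = ipaddress.ip_network(dest if "/" in dest else dest + "/32", strict=False)
        routes.append(Route(net, gateway, flags, netif))
    return routes

def lookup(routes: list[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match: the route the kernel uses to reach addr."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in routes if ip in r.dest]
    return max(matches, key=lambda r: r.dest.prefixlen, default=None)

def reply_path(routes: list[Route], addr: str) -> str:
    """Describe how a DNS reply to addr would leave the firewall."""
    r = lookup(routes, addr)
    if r is None:
        return "no route back"          # reply cannot be sent at all
    if "G" in r.flags:                  # indirect route, via a gateway
        return f"via gateway {r.gateway} on {r.netif}"
    return f"directly on {r.netif}"
```

Feeding it the output of `netstat -rn` from a pfSense box and the address a failing client actually uses shows whether the "Host is down" errors coincide with a missing route or with a gateway (such as the net30 peer 10.1.2.2) that the reply has to go through.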
[pfSense] DNS-forwarder through OpenVPN "stopped working" with 2.3.2
Hi all,

since the update to 2.3.2 yesterday our external devices do not get DNS-Replies anymore.

We have configured the DNS-Forwarder to listen on the interface and sockstat shows it's listening on *:53. We have a rule allowing everything to pass to "self" on port 53.

With tcpdump I can see that the queries reach the firewall but no responses get sent out.

The log of the DNS-Forwarder shows many entries like "Jul 27 14:36:22 dnsmasq 83840 failed to send packet: Host is down".

Is this a known problem? Is there anything I can do?

Regards,
Philipp