Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[Buckers365]

Thanks for the reply. I'm using Pfblocker so would prefer to use Dns Resolver/Unbound rather than Forwarder/DNSmasq. I might have a choice to make if I can't get the Resolver working though! I'll take a look at DNSsec.

Would appreciate resolver config details from someone who has this working so I can troubleshoot any differences.

[Alex Atkin UK]

Are you using pfBlockerNG-devel?  Confusingly this is the supported version, they're just waiting on pfSense 2.5 to rename it back from -devel.

Also do you use the DNS blocking?  I only use it for firewall rules not the DNS functionality, so no idea if it might cause issues there.

[Buckers365]

Hi, I'm using regular PFBlockerNG (as far as I can tell - I can't see any dev reference in the menus). I am blocking malicious domains.

I've switched DNS Resolver back on with DNSSec disabled as you suggested.  I've also allowed DNS records with a TTL=0 under Advanced settings, which I think was mentioned earlier in the thread.

There's no immediate packet loss showing, but it can take a while to develop. I'll keep monitoring.

Would be good to understand the cause of this problem and what Resolver setting is implicated.

Thanks...

[Alex Atkin UK]

You have to remove PFBlockerNG in packages and install the PFBlockerNG-devel package.  Its the only one that supports all blocklists due to needing a free subscription for MaxMind now.

[Buckers365]

Thanks Alex, I'm still monitoring the WAN link after the earlier changes.  No packet loss (which is good) but I am seeing occasional latency spikes. Having re-read the thread, and looked at your comment above, I've disabled PFBlocker for the moment because I realise it forces Unbound to reload and may impact latency.  I will now monitor again but the Virgin line behaviour seems to vary a fair bit so it's difficult to be definitive about the effect of the changes.

Do you know if the newer version of PFBlocker avoids a need to reload UnBound?

[Alex Atkin UK]

Do you know if the newer version of PFBlocker avoids a need to reload UnBound?

Good question, I'm not sure, I do think its supposed to open up some new options thanks to the Unbound Python support but I haven't looked into it as it works fine for my needs as it is.

Unbound restarting shouldn't really be relevant to the TBB monitor though, that would only be noticeable from actual use of the network.  It would be the firewall reloading that would show packet loss from the outside as for a second or so ping packets will be rejected.  It shouldn't happen often though, just however often you have it set to refresh the blocklists, which shouldn't be THAT often.

[underzone]

This pfBlockerNG-devel (ver:3.0.0_3) option is present (which I use):


Resolver Live Sync
Enable When enabled, updates to the DNS Resolver DNSBL database will be performed Live without reloading the Resolver.
This will allow for more frequent DNSBL Updates (ie: Hourly) without losing DNS Resolution.
This option is not required when DNSBL python blocking mode is enabled.
Note: A Force Reload will run a full Reload of Unbound

[Alex Atkin UK]

Ah yes, that's right, but its still the firewall restarting that may cause momentary loss of ping responses but I do not believe it impacts active connections.  I've certainly never noticed anything but then my ping chart doesn't show those spikes either.

[Buckers365]

This pfblockerNG option is present (which I use):


Resolver Live Sync
Enable When enabled, updates to the DNS Resolver DNSBL database will be performed Live without reloading the Resolver.
This will allow for more frequent DNSBL Updates (ie: Hourly) without losing DNS Resolution.
This option is not required when DNSBL python blocking mode is enabled.
Note: A Force Reload will run a full Reload of Unbound

Thanks for this, I appreciate the help. I can't find this option in my PfBlockerNG install - is it only available in the Dev version?

More generally I've seen some sixeable latency spikes on the Monitor today with some minor packet loss (better than over Xmas, but worse than in recent days). Difficult to tell whether this is the Virgin Media link failing (again) to cope with lockdown, or some underlying issue with PFSense config. I'll continue to monitor in the next day or so to see if there is a pattern, and may disable DNS Resolver again to try to do a performance comparison. I'll report back.

 

[underzone]

Added: pfBlockerNG-devel (ver:3.0.0_3)

to my post...

[Alex Atkin UK]

The current version is 3.0.0_7.

[Chrysalis]

Hi, I'm using regular PFBlockerNG (as far as I can tell - I can't see any dev reference in the menus). I am blocking malicious domains.

I've switched DNS Resolver back on with DNSSec disabled as you suggested.  I've also allowed DNS records with a TTL=0 under Advanced settings, which I think was mentioned earlier in the thread.

There's no immediate packet loss showing, but it can take a while to develop. I'll keep monitoring.

Would be good to understand the cause of this problem and what Resolver setting is implicated.

Thanks...

Hi just to make sure I understand, what do you mean by allow records with a ttl of 0, I am guessing the serve expired option, which is good if you turned it on, but I just want to be sure thats what you meant.

[adhawkins]

Coming back to this, as I've noticed a few firmware upgrade on the SH3 since originally getting this issue.

I've just turned off DNS Forwarding mode in the DNS resolver, will monitor by BQM graphs to see if anything has improved.

Andy

[adhawkins]

Ok, made the change (turning off DNS forwarding mode in the DNS resolver) yesterday afternoon. Doesn't look to have been too bad since:



Anyone else fancy making the same change to see if they've fixed the issue?

Andy

[Ronski]

Just turned off forwarding mode.