Access from blue stopped working - Core-Update 183?

Hi there!

I have very little knowledge about networking but have used IPFire for quite some time without problems. However, last week I ran some updates to get the most recent version of IPFire.
Turns out all clients on blue lost access to red / the internet.
Here’s the setup in more details:

  • green - standard LAN DHCP 192.168.0.0/24 255.255.255.0
  • blue - LAN to WLAN AP DHCP 172.17.2.0/24 255.255.255.0
  • PiHole DNS Server in Green at 192.168.0.253 for green and blue
  • Firewall Rule to access the PiHole DNS from blue:
    TCP / UDP port 53: open from blue to green
  • Access to Blue: 172.17.2.0/24 / MAC filter off

I have run this setup without problems for a couple of years actually, but I have no clue how to find the error. Maybe someone with a lot of patience can help me dig through the fog step by step?

Any comments are appreciated!
Chris

Hello Chris,
Welcome to the IPFire Community!

From the blue network can you ping addresses like 8.8.8.8 or any IP addresses?

If you go to menu Logs > Firewall Logs are there BLUE zone items that are dropped? Please post some of the log.

On the PiHole device, what are the Upstream DNS Servers you have added?

Maybe check this post to see if you have the same problem.

https://community.ipfire.org/t/after-to-upgrade-to-release-183-blue-no-exist/11072


Hello Jon!
Thanks for picking up my topic!
I can reach the WebGUI of my AP and there is a ping tool. Tried it and,

  • yes, I can ping 8.8.8.8 or other IPs outside on red.

  • But I can’t ping 192.168.0.253, which would be my DNS (PiHole Machine)

  • In the Logs I can find several entries for the blue interface
    FORWARDFW blue0 UDP from [172.17.2.253] to [192.168.0.253]
    DROP_FORWARD blue0 ICMP from [172.17.2.253] to [192.168.0.253] (which might be the ping?)
    But a lot of
    DROP_CTINVALID for the IP of my phone:
    DROP_CTINVALID IN=blue0 OUT=green0 SRC=172.17.2.12 DST=192.168.0.253 LEN=576 TOS=0x00 PREC=0xC0 TTL=63
    I guess that means that my phone (and other clients) can’t access the DNS service?

  • My upstream DNS server on the PiHole is - of course - the IPFire machine, which then gets its information from outside DNS machines. This works flawlessly … at least on green.

Thanks Adolf!
If I understand correctly the issue there is a missing / broken hardware driver / module. In my case it’s a simple LAN card that is connected to the AP only. I can access my AP and therefore I don’t think my problem is similar.
Thanks for having a look anyway!
Chris
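As an added example (not part of this thread or of IPFire), a small Python parser for the raw netfilter log format quoted above. It separates drops that would actually block blue-to-PiHole DNS traffic from the DROP_CTINVALID entries that were described as harmless, so you can tell whether the firewall is the culprit before looking elsewhere. The log lines, subnet and PiHole address are constructed from the values in the thread.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the raw format IPFire writes to /var/log/messages;
# the WebGUI shows the same events in a friendlier layout.
SAMPLE_LOG = """\
Jan 01 10:00:01 ipfire kernel: DROP_FORWARD IN=blue0 OUT=green0 SRC=172.17.2.12 DST=192.168.0.253 LEN=60 PROTO=UDP SPT=41000 DPT=53
Jan 01 10:00:02 ipfire kernel: DROP_FORWARD IN=blue0 OUT=green0 SRC=172.17.2.253 DST=192.168.0.253 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Jan 01 10:00:03 ipfire kernel: DROP_CTINVALID IN=blue0 OUT=green0 SRC=172.17.2.12 DST=192.168.0.253 LEN=576 TOS=0x00 PREC=0xC0 TTL=63 PROTO=UDP SPT=53 DPT=51000
Jan 01 10:00:04 ipfire kernel: FORWARDFW IN=blue0 OUT=green0 SRC=172.17.2.12 DST=192.168.0.253 LEN=60 PROTO=UDP SPT=41001 DPT=53
Jan 01 10:00:05 ipfire kernel: DROP_FORWARD IN=green0 OUT=red0 SRC=192.168.0.10 DST=8.8.8.8 LEN=60 PROTO=TCP SPT=5000 DPT=443
"""

# chain prefix (DROP_FORWARD, DROP_CTINVALID, FORWARDFW, ...) followed by KEY=VALUE fields
LINE_RE = re.compile(r"kernel:\s+(?P<chain>[A-Z_]+)\s+(?P<fields>.*)$")


def parse_line(line):
    """Return a dict of the chain plus KEY=VALUE fields, or None for non-firewall lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    event = {"chain": m.group("chain")}
    for key, value in re.findall(r"(\w+)=(\S+)", m.group("fields")):
        event.setdefault(key, value)  # keep the first occurrence if a key repeats
    return event


def blocked_dns_events(log_text, blue_net="172.17.2.0/24", dns_server="192.168.0.253"):
    """Events where a rule really dropped blue -> PiHole port 53 traffic.

    DROP_CTINVALID is skipped on purpose: those are conntrack-state drops that
    the thread treats as normal noise, not as a blocked DNS query.
    """
    net = ipaddress.ip_network(blue_net)
    hits = []
    for ev in map(parse_line, log_text.splitlines()):
        if ev is None or "SRC" not in ev or ev["chain"] == "DROP_CTINVALID":
            continue
        if not ev["chain"].startswith("DROP"):
            continue  # FORWARDFW lines are accepted packets
        if ipaddress.ip_address(ev["SRC"]) in net and ev.get("DST") == dns_server and ev.get("DPT") == "53":
            hits.append((ev["SRC"], ev.get("PROTO"), ev["chain"]))
    return hits


def chain_summary(log_text):
    """Count events per chain prefix, handy for a first look at a noisy log."""
    return Counter(ev["chain"] for ev in map(parse_line, log_text.splitlines()) if ev)
```

Running `blocked_dns_events(SAMPLE_LOG)` on the constructed log reports only the UDP port 53 drop from 172.17.2.12; the ICMP ping drop and the DROP_CTINVALID line are not counted.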

Do not worry about these. They are OK. There are other posts about these:
https://community.ipfire.org/search?q=DROP_CTINVALID%20order%3Alatest

Can you post your Firewall Rule? Click on the Edit pencil for the long page and post that.

Are there other firewall rules?

Here we go.
The forum software tells me to only embed one image per post.
DNS Rule Blue to PiHole DNS in green


There is one more rule for a squeezebox music server service I run on green and want to access from blue. This also worked until the recent update.

groups for dns and the squeezebox server

The web group I used a time ago to access a server in the DMZ. But at the moment I don’t have a DMZ setup.


Hmmm. Let’s check one more thing.

Please post the DHCP Config WebGUI page:

Is the Primary DNS for BLUE (and really for GREEN) set to the PiHole address?

yes

I have a wild guess… Can you try setting port 53 to UDP only (as a test)? And set it as a destination port?

Like this:


EDIT:
I have my PiHole device set up slightly differently. Maybe your issue is why I originally changed it…

Sometimes it needs a little walk to get the head right… Thank God I own a dog!
IPFire was not the problem! On the same day I upgraded PiHole also, and changed a small setting
The red circle was activated!
That basically prevented PiHole from responding to clients on the blue network, because they need to make at least two hops to reach PiHole.
Now everything works again.
My bad, sorry for wasting your time. Thanks for your help!
Chris


Glad you got it figured out!

For what it is worth, I set my pihole differently with two network interfaces. The on-board Ethernet talks to green and a USB-to-Ethernet adapter talks to blue.

And I set the Potentially dangerous options to Permit all origins.

There is no need to change your set-up. This is just an FYI.
