No connection on red

barny · 28 April 2024 19:55

I have installed ipfire core 185. With network red-green-orange, all IP’s are manually, The ipfire is running on a proxmox server standing in the internet.
I could not reach the WebGui, and I can ping the 8.8.8.8 from the ipfire and the green and orange IP’s from another server, and from the other sever to the ipfire. So the internal networks are working. But if I try to ping url from the ipfire I get: “name or service not known”. It seems, the DNS Service is not correct. How can I check and fix that over console. If I had opend port 444 in the firewall it must work?

Regards
Bernd

ms · 29 April 2024 08:49

Hello,

No you don’t have to open any ports for DNS to work in the default configuration but it looks like something around DNS has not been set up right.

barny · 29 April 2024 12:35

Hello Michael,

I made a new install, and after the reboot I got these errors:

grafik

barny · 29 April 2024 18:02

If I try with dig with the server:

dig 8.8.8.8 google.com
DiG 9.16.48 <<>> 8.8.8.8 google.com
;; global options: +cmd
;; connection timed out; no servers could be reached

;; connection timed out; no servers could be reached

Why couldn’t be reached no server, where could be the problem

Regards
Bernd

bbitsch · 29 April 2024 18:15

If you want 8.8.8.8 as DNS server the command should be
dig @8.8.8.8 google.com

If this succeeds try with 8.8.8.8 as DNS server in the DNS page of the WUI.

hvacguy · 29 April 2024 21:30

I would look at your proxmox configuration.
My knowledge of virtual ipfire is zero.

barny · 30 April 2024 18:12

@bbitsch
If I call: dig @8.8.8.8 google.com I got the same answer:
grafik
If I ping one homepage with the IP it works, with the url it doesn’t work.
The must be a Problem with DNS
I fond in the message log:

Could that be the problem that DNS is not working?

@hvacguy
The proxmox configuration must be OK, every connection is working from the outside
ping google.com

So the problem must be at DNS from the ipfire.
My problem is, I cann’t reach the WebGui from the ipfire to check everything.
Is there a possibility to check fron the console if everything is working?

Regards
Bernd

nickh · 30 April 2024 19:13

I’ve been getting this a few times recently when testing IPF on my LAN. To get round it I had to disable DNSSEC.

Create a file, /etc/unbound/local.d/anything_you_like.conf, and in it put:

server:
    module-config: "iterator"

Then restart unbound /etc/init.d/unbound restart or change something in the DNS menu and save it.

hvacguy · 30 April 2024 21:50

Normally you connect to WUI from your Green network.
https:// ipfire green intreface ip :444
if you have a console or SSH connection.
You can use “elinks” to setup DNS page in IPfire.

barny · 1 May 2024 14:54

@nickh
Hi nick,
I tried your version, but without success, it’s the same like before. Do I need e second network card, especially for the red interface from the ipfire.
In the past I worked with VMware esxi, and there it was working with one network card.

@hvacguy
My problem is, the other device is not reachable, because the connection goes over the ipfire and thats not working.

pike_it · 1 May 2024 15:23

Ok. Back to basics.
Which ip address should IPFire receive from the… internet connection on RED? If it’s a public one, do not share it but state that’s public.
Which ip address IPFire have on green adapter?

barny · 1 May 2024 15:43

@pike_it
The red is a public address, and the green one is 192.168.1.1

ms · 1 May 2024 16:26

Why would you have to reconfigure Unbound?

Either you have no connectivity to the configured DNS servers or there is something on the way that filters it.

Simple tests are to check if you can ping your default gateway, ping the DNS servers.

The posted log suggests that there is something that filters it. Changing DNS settings to use TCP or even TLS might be a good workaround.

nickh · 1 May 2024 16:31

When I had the issue, it was with IPF on my LAN for testing. I had to disable DNSSEC because upstream there is an intercepting DNS resolver which was not able to give back a valid response and I saw a lot of SERVFAIL messages. There was nothing I could do on the UI to get unbound working. The only thing that did was disabling DNSSEC.

ms · 1 May 2024 19:35

Generally we don’t like that, because well… where would I even start?

nickh · 1 May 2024 19:42

Agreed, but it was the only way to get a testing IPF working on my LAN…

hvacguy · 1 May 2024 19:42

Did you try DNS over TLS?
Some else solved a similar problem that way.

nickh · 1 May 2024 19:44

I tried enabling the flag but it didn’t work. Don’t I have to do something else as well? If it is still on port 53, the upstream DNS server will intercept or block it.

hvacguy · 1 May 2024 19:55

DNS over TLS is on port 853 if I remember correctly. It is encrypted DNS.

bbitsch · 1 May 2024 20:06

That isn’t true!
I suppose you used the red interface as true WAN connection. Then you can use a DNS server that speaks DNSSEC.