No connection on red

I have installed ipfire core 185. With network red-green-orange, all IP’s are manually, The ipfire is running on a proxmox server standing in the internet.
I could not reach the WebGui, and I can ping the from the ipfire and the green and orange IP’s from another server, and from the other sever to the ipfire. So the internal networks are working. But if I try to ping url from the ipfire I get: “name or service not known”. It seems, the DNS Service is not correct. How can I check and fix that over console. If I had opend port 444 in the firewall it must work?



No you don’t have to open any ports for DNS to work in the default configuration but it looks like something around DNS has not been set up right.

1 Like

Hello Michael,

I made a new install, and after the reboot I got these errors:


If I try with dig with the server:

DiG 9.16.48 <<>>
;; global options: +cmd
;; connection timed out; no servers could be reached

;; connection timed out; no servers could be reached

Why couldn’t be reached no server, where could be the problem


If you want as DNS server the command should be
dig @

If this succeeds try with as DNS server in the DNS page of the WUI.

I would look at your proxmox configuration.
My knowledge of virtual ipfire is zero.

1 Like

If I call: dig @ I got the same answer:
If I ping one homepage with the IP it works, with the url it doesn’t work.
The must be a Problem with DNS
I fond in the message log:

Could that be the problem that DNS is not working?

The proxmox configuration must be OK, every connection is working from the outside

So the problem must be at DNS from the ipfire.
My problem is, I cann’t reach the WebGui from the ipfire to check everything.
Is there a possibility to check fron the console if everything is working?


I’ve been getting this a few times recently when testing IPF on my LAN. To get round it I had to disable DNSSEC.

Create a file, /etc/unbound/local.d/anything_you_like.conf, and in it put:

    module-config: "iterator"

Then restart unbound /etc/init.d/unbound restart or change something in the DNS menu and save it.

Normally you connect to WUI from your Green network.
https:// ipfire green intreface ip :444
if you have a console or SSH connection.
You can use “elinks” to setup DNS page in IPfire.

1 Like

Hi nick,
I tried your version, but without success, it’s the same like before. Do I need e second network card, especially for the red interface from the ipfire.
In the past I worked with VMware esxi, and there it was working with one network card.

My problem is, the other device is not reachable, because the connection goes over the ipfire and thats not working.

Ok. Back to basics.
Which ip address should IPFire receive from the… internet connection on RED? If it’s a public one, do not share it but state that’s public.
Which ip address IPFire have on green adapter?

1 Like

The red is a public address, and the green one is

Why would you have to reconfigure Unbound?

Either you have no connectivity to the configured DNS servers or there is something on the way that filters it.

Simple tests are to check if you can ping your default gateway, ping the DNS servers.

The posted log suggests that there is something that filters it. Changing DNS settings to use TCP or even TLS might be a good workaround.

1 Like

When I had the issue, it was with IPF on my LAN for testing. I had to disable DNSSEC because upstream there is an intercepting DNS resolver which was not able to give back a valid response and I saw a lot of SERVFAIL messages. There was nothing I could do on the UI to get unbound working. The only thing that did was disabling DNSSEC.

Generally we don’t like that, because well… where would I even start?

1 Like

Agreed, but it was the only way to get a testing IPF working on my LAN…

Did you try DNS over TLS?
Some else solved a similar problem that way.

1 Like

I tried enabling the flag but it didn’t work. Don’t I have to do something else as well? If it is still on port 53, the upstream DNS server will intercept or block it.

DNS over TLS is on port 853 if I remember correctly. It is encrypted DNS.


That isn’t true!
I suppose you used the red interface as true WAN connection. Then you can use a DNS server that speaks DNSSEC.