No internet on GREEN network

Hi there,

I just made a new install of IPFire and I can’t get internet on GREEN interface.

My setup is:
RED + GREEN

RED - Static IP (Fiber Internet - all configured as specified, client, gateway, dns IP addresses)
GREEN - DHCP Enabled

I can ping everything from IPFire command line terminal, e.g. ping 8.8.8.8 or my ISP’s gateway and they are just response fine without any loss, but can’t open/navigate to any internet page “page cannot be displayed”.

Same config on the low cost TP-Link Wireless Router working from the box.

Is there any internal setting that need to be enabled to get internet on the GREEN interface?

Thank you for the answer,

Kind regards,
Viktor

Hi,

first, welcome to the IPFire community. :slight_smile:

I can ping everything from IPFire command line terminal, e.g. ping 8.8.8.8 or my ISP’s gateway and they are just response fine without any loss, but can’t open/navigate to any internet page “page cannot be displayed”.

This sounds like your client queries IPFire for resolving DNS, and it fails to do so. A common root cause for this are broken or misconfigured upstream resolvers breaking DNSSEC. Could you please post a screenshot of your DNS configuration and the assigned DNS servers here?

Thanks, and best regards,
Peter Müller

Dear Peter,

I can’t post you right now any screenshots, because the IPFire box is in the office and I can’t access it from home.

I tough for the same about upstream and DNSSEC, but the IPFire resolves the given DNS addresses as: resolver3.stcable.net and resolver4.stcable.net without any issue and the DNS configuration is same as on the picture shown on the WIKI link.

I used IPCop for maybe 8-10 years and I didn’t had any similar issues with it.

Any other suggestions maybe?

Kind regards,
Viktor

Hi,

Any other suggestions maybe?

not really, and since you do not have access to the machine, the following questions/suggestions won’t be helpful, but anyway:

  • Could you please search /var/log/messages for lines containing unbound and SERVFAIL and post the results here?
  • What happens if you run dig soa ipfire.org on a client behind IPFire?
  • Do the clients even use IPFire as a DNS resolver or are they trying to reach something else for DNS queries?
  • Are the system clocks of both IPFire and the clients set correctly?

Thanks, and best regards,
Peter Müller

Dear Peter,

I will give you answers and screenshots tomorrow from the office!

Thank you for helping me out!

Kind regards,
Viktor

Hi @beicnet.

First of all, I would advise you to do this to rule out physical problems in the connection:

In IPFire SSH, put “ethtool green0” and check that it is linked and if it auto-negotiates well.

imagen

This has happened to me several times and with this command I have solved the physical problems.

Tell Us something.

Regards.

1 Like

Hi @roberto

I tested it over Terminal “ethtool green0”, and it’s the same output as yours!

Thanks for the suggestion!

Kind regards,
Viktor

Hi @pmueller

As I promised you, here is the screenshot:

What I figured out, if I put the Googles DNS addresses into the DHCP Servers DNS addresses it will work.

But, I don’t understand, before in IPCop or any other low cost Router DHCP Servers DNS addresses can be left empty and it will work normally.

What is my (what was) issue here? Why can’t be left empty the DHCP Servers DNS addresses?

Kind regards,
Viktor

Did you check the DNS servers, yet?
I get a time-out error.

The rDNS you are using are not recommended in https://wiki.ipfire.org/dns/public-servers

If you untick the servers in the top half of your screenshot, then save, the default settings in the lower half should still provide a working DNS.

Hi Viktor,

first, I’d like to apologise for replying that late. :expressionless:

Second, I get a timeout error while querying those DNS servers as well, so I cannot determine whether they support DNSSEC or strip out signature information needed by IPFire in order to validate DNSSEC.

But, I don’t understand, before in IPCop or any other low cost Router DHCP Servers DNS addresses can be left empty and it will work normally.

As far as I am aware, IPCop did not enforce DNSSEC validation (I am not sure whether it was even supported), and low-cost routers usually do not know anything about that technique. However, with IPFire, DNSSEC becomes mandatory: If you are running an IPFire machine, you will be validating DNSSEC. :slight_smile:

Could you please try removing the tick at “use ISP-assigned DNS servers”, select some (two to four should be sufficient) DNS servers from the list here and try again?

Further recommendations regarding DNS configuration is available here:

Thanks, and best regards,
Peter Müller

1 Like

Hi Rodney,

The rDNS you are using are not recommended in https://wiki.ipfire.org/dns/public-servers

while I suspect those DNS servers being broken as well, not being listed as a recommended DNS resolver in the wiki does not necessarily mean an IPFire setup is broken. :slight_smile:

Unfortunately, the rDNS/PTR is not that telling either, as it can be omitted.

If you untick the servers in the top half of your screenshot, then save, the default settings in the lower half should still provide a working DNS.

If I understood @beicnet correctly, he is using the DNS resolvers assigned by his ISP. In this case, I do not think disabling them will make any difference, but we will see…

Thanks, and best regards,
Peter Müller