Set up freebsd as a home router, and can't get dns to work properly

I set up the system to function as a router using isc-dhcpd and pf, and was going to use unbound to send encrypted DNS requests to Cloudflare's 1.1.1.1, but I can't even get it to work without that yet.

As it is, when I access a website from my pc connected to the router, the websites don't completely load properly. Some search engines work, and some will not.
At first I thought it was 1.1.1.1 (not encrypted for now) that was wrong, but this happens no matter which dns servers I choose. (And they all work fine on my old Linksys router.)
Other than these programs and their configuration files below, this should be a completely vanilla install of FreeBSD 11.2.

Code:
##resolv.conf
# Generated by resolvconf
# nameserver 192.168.1.1

nameserver 1.1.1.1 1.0.0.1
#options edns0


Code:
##dhcpd.conf
#There is a "sleep 10" at the start of /usr/local/etc/rc.d/isc-dhcpd
#to make sure other things are loaded first.
option domain-name-servers 1.1.1.1, 1.0.0.1;
default-lease-time 600;
max-lease-time 7200;

authoritative;

subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.100 192.168.0.200;
    option routers 192.168.0.1;
    option subnet-mask 255.255.255.0;
}


Code:
##rc.conf
clear_tmp_enable="YES"
syslogd_flags="-ss"
sendmail_enable="NONE"
hostname="squared"
ifconfig_re0="DHCP"
ifconfig_re1="inet 192.168.0.1 netmask 255.255.255.0"
gateway_enable="YES"
#unbound_enable="YES"
sshd_enable="YES"
powerd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
dhcpd_enable="YES"
dhcpd_ifaces="re1"
pf_enable="YES"
pf_rules="/etc/pf.conf"


Code:
##pf.conf
int_if = "re1"
ext_if = "re0"

#Ping requests
icmp_types = "echoreq"

#Block traffic from these addresses
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

set block-policy drop
set loginterface $ext_if
set skip on lo0

scrub in all

nat on $ext_if from $int_if:network to any -> ($ext_if)

#Filter rules
block all

block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

My problem may have nothing to do with DNS, I don't know, so any insight or troubleshooting methods would be appreciated. It should be noted that I am completely new to *BSD, as well as building a router.
 
Have you read the FreeBSD handbook yet about gateways & routers? That would be a good place to start though it's not too extensive.

Anyway, your problem description is a bit vague (it could be anything, for all I know it could be a bad connection between the clients and the FreeBSD box) but I did notice one thing: your pf nat rules lack the inet keyword to specify the used address family. See also pf.conf(5).

Now, I doubt that this will make a huge difference, but because it is generally used throughout all the examples I also think it might be better to do the same.

What happens if you try to contact websites from the FreeBSD host? If you don't have X installed just use a console browser such as www/lynx.

Also: do your logfiles mention anything specific?
 
I know it's not my connection between my computer and router because I plug the FreeBSD box into the same two Ethernet ports my old router uses, and whenever I switch back to that router it works fine.

I added in the inet keyword where appropriate, and everything acts the same.

I installed www/lynx on the host and it works just fine. https://www.startpage.com is one site that doesn't work properly from my PC (I can load the page, but when I search something it does nothing and eventually times out. It does this in both Firefox and lynx), but it worked just fine on the host in www/lynx.

The only log I really knew to check was pf, which I accessed with pfctl -s info, and it seemed normal. I've read that there is supposed to be a log file in /var/log/, but it is not there, I'm guessing because I don't have logging set up properly.

Please let me know if there is some way I can alter the logging settings in pf, or specifically what other logs I should be looking at to help solve this problem.
 
This is an error:
Code:
nameserver 1.1.1.1 1.0.0.1
You can have up to three DNS servers but only one per keyword.
Code:
nameserver 1.1.1.1
nameserver 1.0.0.1

Code:
     nameserver  Internet address (in dot notation) of a name server that the
                 resolver should query.  Up to MAXNS (currently 3) name
                 servers may be listed, one per keyword.
From resolv.conf(5).
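The one-address-per-keyword rule quoted above can be checked mechanically. The script below is an added example, not something posted in the thread; BROKEN and FIXED are constructed copies of the two resolv.conf variants discussed, and the "first token wins, extras ignored" behaviour it mirrors is the one the poster observed, not a claim about every resolver implementation.

```python
"""Check a resolv.conf against the resolv.conf(5) rule quoted in the thread:
one address per `nameserver` keyword, at most MAXNS (3) servers. Added example,
not from the thread; BROKEN/FIXED are constructed copies of the two variants."""
import ipaddress

MAXNS = 3

def effective_nameservers(text):
    """Return (servers the resolver will actually use, warnings).

    Mirrors the behaviour observed in the thread: only the first token after
    `nameserver` counts, extra tokens are ignored, servers past MAXNS drop."""
    servers, warnings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":        # blank or comment line
            continue
        parts = line.split()
        if parts[0] != "nameserver":            # search, domain, options ... not checked here
            continue
        if len(parts) < 2:
            warnings.append(f"line {lineno}: 'nameserver' without an address")
            continue
        addr = parts[1]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            warnings.append(f"line {lineno}: {addr!r} is not an IP address")
            continue
        if len(parts) > 2:
            warnings.append(f"line {lineno}: extra tokens {parts[2:]} are ignored; "
                            "write one 'nameserver' line per server")
        if len(servers) >= MAXNS:
            warnings.append(f"line {lineno}: {addr} is beyond MAXNS={MAXNS} and is ignored")
            continue
        servers.append(addr)
    return servers, warnings

BROKEN = "# Generated by resolvconf\nnameserver 1.1.1.1 1.0.0.1\n#options edns0\n"
FIXED = "nameserver 1.1.1.1\nnameserver 1.0.0.1\n"

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        servers, warnings = effective_nameservers(text)
        print(f"{name}: resolver uses {servers}")
        for w in warnings:
            print("  warning:", w)
```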
 
I went ahead and fixed that, but it still acts the same. I guess with it written the way it was it used 1.1.1.1 and just ignored the 1.0.0.1.
 
You should try to use another public DNS (8.8.8.8, 8.8.4.4) or your ISP's DNS servers to see if that makes a difference. If it works, it's likely your attempts to use the CloudFlare DNS are being refused for some reason.

You can also try using host google.com to see if it even resolves. If it doesn't, then confirm you have an IP from your ISP (ifconfig re0). If you don't, then that's your first issue. If you do, then something is wonky with your DNS configuration (via DHCPD), or your connection isn't being forwarded properly (NAT).

I had an issue where my router would work intermittently. Some things would work, and some wouldn't. Some would partially load, while others not at all. It turned out something was/is switching sysctl net.inet.ip.forwarding to 0. So, to fix this, I set up a crontab that automatically toggles it. First, make sure sysctl net.inet.ip.forwarding is 1. Then, next time you're unable to access a website/it partially loads: try toggling this flag to 0 with sysctl net.inet.ip.forwarding=0 and then to 1 again with sysctl net.inet.ip.forwarding=1, and see if it works after. If it does, this means your forwarding is being disabled - set up a crontab to toggle this back on automatically. There are a number of things that could be wrong, but it might be worth a try.

Additionally, if you're using your original router as a switch by connecting it to your second NIC, be sure to disable any DHCP server it has (it can cause a problem if more than one server is running on the same network), put it into bridge mode, and manually give it an IP on your subnet that's outside the range of the DHCP server you're using on FreeBSD.
 
If you configure your pf.conf rules to log, enable pflog in rc.conf and then use tcpdump to view the logs, you will be able to find your problem. Without logs to use for troubleshooting, this problem will take a long time to solve.
 
This occurs no matter which DNS servers I use, and I do get an IP from my ISP. sysctl net.inet.ip.forwarding=1 is enabled, and it makes no difference when I turn it off and back on again. I'm not using my old router in any way when using this new setup.

I enabled pf logging in rc.conf and changed block all in pf.conf to block log all.

I then did a test where I started it up, and from my PC connected to a few sites. Some would load, some wouldn't, and some only partially loaded. The same sites act the same way every time. For example, Google search works fine. The YouTube home page half loads, Startpage will load but won't perform a search, and forums.freebsd.org loads in basic HTML. I say again, every site loads differently, but the way each one loads is consistent every time.

I then stopped it and analyzed the log file with tcpdump -r /var/log/pflog, but I'm not really sure how to use this information (there's not really that much anyway.)

Could anyone help me out with reading this log file (Or how to generate a better one), and what I might look for in said file? I tried to upload the raw /var/log/pflog logfile, but it said it wasn't a supported extension.
 
This is the script I have to send pflog0 to syslog local0.info:

Code:
#!/bin/sh
/usr/bin/nohup /usr/sbin/tcpdump -lneti pflog0 | /usr/bin/logger -t pf -i -p local0.info &
 
Turn off the firewall; pfctl -d. Check if the host itself can resolve anything first. Run a ping 8.8.8.8 to verify you're actually able to contact the outside world. Then try drill @1.1.1.1 www.google.com to see if the 1.1.1.1 address is usable. Try drill @8.8.8.8 www.google.com too.

If the first ping doesn't work you're not connected to the internet (or your routing isn't set up correctly). If there's no IP connectivity DNS isn't going to work either. If you're not connected verify the outputs of ifconfig re0 and netstat -4rn. Make sure the IP address, subnet masks and default routes are correct.
 
I haven't checked this but it should work to simplify your firewall:

Code:
ext_if="re0"
int_if="re1"
int_net="192.168.0.0/24"

set block-policy drop
set loginterface $ext_if
set skip on lo0

nat on $ext_if from $int_net to !$int_net -> ($ext_if)

block log all
pass in on $int_if from any to any
pass out on $int_if from any to any
pass out on $ext_if inet proto tcp from ($ext_if) to any
pass out on $ext_if inet proto udp from ($ext_if) to any
pass out on $ext_if inet proto icmp from ($ext_if) to any
 
For now I have switched to the simpler pf rules provided by alexseitsinger.
I performed the checks suggested by SirDice, and I can connect and resolve dns requests from the host just fine.
I used the script suggested by Datapanic and then set up syslog.conf to output the pf logs to file.

This was from a test where I booted it up and tried to connect to a few sites from my PC. (Again, some working, some half working, and some not at all.)

Code:
Dec  6 11:10:20 squared pf[673]: tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
Dec  6 11:10:20 squared pf[673]: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 262144 bytes
Dec  6 11:11:03 squared pf[673]: rule 0/0(match): block in on re0: 176.119.7.10.57916 > 47.13.121.189.29889: Flags [S], seq 2555527867, win 1024, length 0
Dec  6 11:11:15 squared pf[673]: rule 0/0(match): block in on re0: 176.119.7.90.43769 > 47.13.121.189.14658: Flags [S], seq 1719436551, win 1024, length 0
Dec  6 11:11:33 squared pf[673]: rule 0/0(match): block in on re0: 109.248.9.4.45535 > 47.13.121.189.58880: Flags [S], seq 3975860816, win 1024, length 0
Dec  6 11:11:36 squared pf[673]: rule 0/0(match): block in on re0: 185.176.26.39.42814 > 47.13.121.189.43231: Flags [S], seq 119017512, win 1024, length 0
Dec  6 11:11:38 squared pf[673]: rule 0/0(match): block in on re0: 5.188.206.14.56511 > 47.13.121.189.8222: Flags [S], seq 2549116329, win 1024, length 0
Dec  6 11:12:04 squared pf[673]: rule 0/0(match): block in on re0: 199.19.225.65.49195 > 47.13.121.189.22: Flags [S], seq 3496440368, win 65535, options [mss 536], length 0
Dec  6 11:12:15 squared pf[673]: rule 0/0(match): block in on re0: 176.119.7.26.41036 > 47.13.121.189.4450: Flags [S], seq 22664890, win 1024, length 0
Dec  6 11:12:23 squared pf[673]: rule 0/0(match): block in on re0: 29.91.128.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 339
Dec  6 11:12:25 squared pf[673]: rule 0/0(match): block in on re0: 29.91.128.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 339
Dec  6 11:12:43 squared pf[673]: rule 0/0(match): block in on re0: 10.214.134.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
Dec  6 11:13:00 squared pf[673]: rule 0/0(match): block in on re0: 10.214.134.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 353
Dec  6 11:13:00 squared pf[673]: rule 0/0(match): block in on re0: 10.214.134.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 353
Dec  6 11:13:22 squared pf[673]: rule 0/0(match): block in on re0: 22.11.164.129.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 349
Dec  6 11:13:22 squared pf[673]: rule 0/0(match): block in on re0: 22.11.164.129.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 349
Dec  6 11:13:25 squared pf[673]: rule 0/0(match): block in on re0: 5.188.206.14.56511 > 47.13.121.189.6554: Flags [S], seq 1861027917, win 1024, length 0

If it would help to up the verbosity, please let me know.
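One way to make sense of a pflog dump like the one above is to sort the entries by what they mean for a home router: unsolicited SYNs arriving on the external interface and DHCP broadcasts from the ISP segment are expected to be blocked, whereas anything blocked on the internal interface, blocked outbound, or involving the LAN subnet is what could actually explain a client's page failing to load. The script below is an added example, not from the thread; SAMPLE is constructed in the same syslog/tcpdump format as the posted log but with RFC 5737 documentation addresses, plus one made-up re1 entry to show what a relevant hit would look like, and the interface names and LAN subnet default to the ones in the poster's configuration.

```python
"""Triage pflog lines as forwarded to syslog by the thread's tcpdump | logger
script. Added example, not from the thread; SAMPLE is constructed in the same
format as the posted log but with RFC 5737 documentation addresses."""
import ipaddress
import re

LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(\w+\): (?P<action>\w+) (?P<dir>in|out) on (?P<ifc>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)")

def classify(e, ext_if, int_if, lan):
    """Label one parsed entry for a router whose LAN is `lan` (an ip_network)."""
    src, dst = ipaddress.ip_address(e["src"]), ipaddress.ip_address(e["dst"])
    if e["ifc"] == int_if or e["dir"] == "out" or src in lan or dst in lan:
        return "lan-affecting"            # blocked client traffic: could explain failing page loads
    if e["dst"] == "255.255.255.255" and e["dport"] == "68":
        return "upstream-dhcp-broadcast"  # ISP segment chatter, harmless
    if e["ifc"] == ext_if and e["dir"] == "in" and "Flags [S]" in e["rest"]:
        return "unsolicited-inbound-syn"  # Internet background scanning, expected to be blocked
    return "other"

def triage(lines, ext_if="re0", int_if="re1", lan="192.168.0.0/24"):
    """Return (category counts, human-readable list of lan-affecting entries)."""
    lan_net = ipaddress.ip_network(lan)
    counts, relevant = {}, []
    for line in lines:
        m = LINE_RE.search(line)
        cat = classify(m.groupdict(), ext_if, int_if, lan_net) if m else "unparsed"
        counts[cat] = counts.get(cat, 0) + 1
        if cat == "lan-affecting":
            e = m.groupdict()
            relevant.append(f"{e['action']} {e['dir']} on {e['ifc']}: "
                            f"{e['src']}:{e['sport']} -> {e['dst']}:{e['dport']} (rule {e['rule']})")
    return counts, relevant

SAMPLE = """\
Dec  6 11:10:20 squared pf[673]: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 262144 bytes
Dec  6 11:11:03 squared pf[673]: rule 0/0(match): block in on re0: 198.51.100.7.57916 > 203.0.113.189.29889: Flags [S], seq 2555527867, win 1024, length 0
Dec  6 11:12:04 squared pf[673]: rule 0/0(match): block in on re0: 198.51.100.65.49195 > 203.0.113.189.22: Flags [S], seq 3496440368, win 65535, options [mss 536], length 0
Dec  6 11:12:23 squared pf[673]: rule 0/0(match): block in on re0: 10.214.134.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
Dec  6 11:12:30 squared pf[673]: rule 0/0(match): block in on re1: 192.168.0.105.50321 > 203.0.113.10.443: Flags [S], seq 1, win 65535, length 0
""".splitlines()

if __name__ == "__main__":
    counts, relevant = triage(SAMPLE)
    print(counts)   # {'unparsed': 1, 'unsolicited-inbound-syn': 2, 'upstream-dhcp-broadcast': 1, 'lan-affecting': 1}
    for r in relevant:
        print("look here:", r)
```

Run against the real file with `triage(open("/var/log/pf.log").read().splitlines())` (or whatever path syslog.conf writes local0.info to); if every entry lands in the first two categories, as in the log posted above, pf is not the component dropping the client's traffic.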
 
Maybe you need to tweak some settings in your unbound.conf file. I honestly don't know, and would have to admit that I gave up on getting unbound to work after several tries, partly because I was running out of time, and partly because it seemed like overkill for my limited purposes, even though it also seemed like a really cool program. But when I was working on it I found this to be an interesting read on the subject, best I was able to find: https://calomel.org/unbound_dns.html - It has an example of the unbound.conf file and talks about the inner workings of the unbound program.
 
I use dns/dnsmasq and it is very easy to set up. I highly recommend it. It handles DHCP and DNS.
My APU2 router's dnsmasq.conf:
Code:
server=8.8.8.8
server=8.8.4.4
dhcp-range=set:wlan0,192.168.100.10,192.168.100.25,255.255.255.0,24h
dhcp-range=set:igb1,192.168.101.10,192.168.101.25,255.255.255.0,24h
dhcp-range=set:igb2,192.168.102.10,192.168.102.25,255.255.255.0,24h
dhcp-option=wlan0,option:router,192.168.100.1
dhcp-option=igb1,option:router,192.168.101.1
dhcp-option=igb2,option:router,192.168.102.1
 