Bug #16906

closed

Unbound configuration may be generated with duplicate interface bindings

Added by Marc Goldburg 4 days ago. Updated 2 days ago.

Status: Resolved
Priority: Normal
Assignee:
Category: DNS Resolver
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 26.07
Release Notes: Default
Affected Version:
Affected Architecture: All

Description

unbound.conf can contain duplicate interface entries in a specific VIP/RA/Multi-WAN scenario. The duplicate interface entries prevent unbound from starting. Problem occurs with 26.03.1 but not 24.11.

pfSense is configured as follows.

  • Two WAN interfaces. First (igc0) is v4+v6. Second (igc1.95) is v4 only.
  • The v4 part of the first interface and the second interface are configured as an IPv4 failover gateway group (igc0 is tier 1, igc1.95 is tier 2).
  • Three internal interfaces -- igc1.{15,20,40} -- are configured for Track Interface to get respective GUA prefixes from the ISP on the first WAN interface.
  • Each of those internal interfaces has a corresponding ULA VIP of the form fd04:f95f:5a7f:{15,20,40}::1/64.
  • The RA for each of those interfaces advertises the v6 prefix from the ISP and the respective ULA VIP prefix as an "RA Subnet."

If the configured VIP (Firewall>VIP) and the configured RA (Services>Router Advertisements>[interface]>RA Subnet(s)) for an interface are literally identical, in the failover scenario unbound.conf will contain repeated entries for that interface and fail to start. In a non-failover situation, literally identical addresses do not result in a corrupt unbound.conf. For example, fd04:f95f:5a7f:20::1 and fd04:f95f:5a7f:0020::1 are not literally identical even though they refer to the same address. One contains :20: while the other contains :0020:.

Four example snippets from unbound.conf are below; "(A,B)" denotes a VIP address of A and an advertised prefix of B.

Non-Identical Addresses (works in failover and non-failover situations)

(fd04:f95f:5a7f:20::1, fd04:f95f:5a7f:0020::1) non-failover, no repeated addresses

# Interface IP addresses to bind to
interface: 192.168.15.1
interface: 2600:1700:xxxx:xxxx:e63a:6eff:fe61:c5ee
interface: 192.168.20.1
interface: 2600:1700:xxxx:xxxx:e63a:6eff:fe61:c5ee
interface: 192.168.40.1
interface: 2600:1700:xxxx:xxxx:e63a:6eff:fe61:c5ee
interface: 192.168.10.2
interface: 192.168.99.1
interface: 192.168.50.1
interface: 192.168.51.1
interface: fe80::e63a:6eff:fe61:c5ee%igc1.15
interface: fe80::e63a:6eff:fe61:c5ee%igc1.20
interface: fe80::e63a:6eff:fe61:c5ee%igc1.40
interface: fe80::e63a:6eff:fe61:c5ee%igc1.95
interface: fe80::e63a:6eff:fe61:c5ee%igc1
interface: fe80::e63a:6eff:fe61:c5ef%igc2
interface: fe80::e63a:6eff:fe61:c5f0%igc3
interface: fd04:f95f:5a7f:15::1
interface: fd04:f95f:5a7f:40::1
interface: fd04:f95f:5a7f:20::1
interface: 127.0.0.1
interface: ::1

(fd04:f95f:5a7f:20::1, fd04:f95f:5a7f:0020::1) failover, no repeated addresses

# Interface IP addresses to bind to
interface: 192.168.15.1
interface: 192.168.20.1
interface: 192.168.40.1
interface: 192.168.10.2
interface: 192.168.99.1
interface: 192.168.50.1
interface: 192.168.51.1
interface: fe80::e63a:6eff:fe61:c5ee%igc1.15
interface: fe80::e63a:6eff:fe61:c5ee%igc1.20
interface: fe80::e63a:6eff:fe61:c5ee%igc1.40
interface: fe80::e63a:6eff:fe61:c5ee%igc1.95
interface: fe80::e63a:6eff:fe61:c5ee%igc1
interface: fe80::e63a:6eff:fe61:c5ef%igc2
interface: fe80::e63a:6eff:fe61:c5f0%igc3
interface: fd04:f95f:5a7f:15::1
interface: fd04:f95f:5a7f:40::1
interface: fd04:f95f:5a7f:20::1
interface: 127.0.0.1
interface: ::1

Identical Addresses (non-failover works, but failover does not)

(fd04:f95f:5a7f:0020::1, fd04:f95f:5a7f:0020::1) non-failover, no repeated addresses

# Interface IP addresses to bind to
interface: 192.168.15.1
interface: 2600:1700:xxxx:xxxx:e63a:6eff:fe61:c5ee
interface: 192.168.20.1
interface: 2600:1700:xxxx:xxxx:e63a:6eff:fe61:c5ee
interface: 192.168.40.1
interface: 2600:1700:xxxx:xxxx:e63a:6eff:fe61:c5ee
interface: 192.168.10.2
interface: 192.168.99.1
interface: 192.168.50.1
interface: 192.168.51.1
interface: fe80::e63a:6eff:fe61:c5ee%igc1.15
interface: fe80::e63a:6eff:fe61:c5ee%igc1.20
interface: fe80::e63a:6eff:fe61:c5ee%igc1.40
interface: fe80::e63a:6eff:fe61:c5ee%igc1.95
interface: fe80::e63a:6eff:fe61:c5ee%igc1
interface: fe80::e63a:6eff:fe61:c5ef%igc2
interface: fe80::e63a:6eff:fe61:c5f0%igc3
interface: fd04:f95f:5a7f:15::1
interface: fd04:f95f:5a7f:40::1
interface: fd04:f95f:5a7f:20::1
interface: 127.0.0.1
interface: ::1

(fd04:f95f:5a7f:0020::1, fd04:f95f:5a7f:0020::1) failover, repeated addresses

# Interface IP addresses to bind to
interface: 192.168.15.1
interface: 192.168.20.1
interface: fd04:f95f:5a7f:20::1
interface: 192.168.40.1
interface: 192.168.10.2
interface: 192.168.99.1
interface: 192.168.50.1
interface: 192.168.51.1
interface: fe80::e63a:6eff:fe61:c5ee%igc1.15
interface: fe80::e63a:6eff:fe61:c5ee%igc1.20
interface: fe80::e63a:6eff:fe61:c5ee%igc1.40
interface: fe80::e63a:6eff:fe61:c5ee%igc1.95
interface: fe80::e63a:6eff:fe61:c5ee%igc1
interface: fe80::e63a:6eff:fe61:c5ef%igc2
interface: fe80::e63a:6eff:fe61:c5f0%igc3
interface: fd04:f95f:5a7f:15::1
interface: fd04:f95f:5a7f:40::1
interface: fd04:f95f:5a7f:0020::1
interface: 127.0.0.1
interface: ::1

In this situation, unbound fails to start because of the repeated fd04:f95f:5a7f:20::1.

[26.03.1-RELEASE][admin@pfSense.home.arpa]/root: /usr/local/sbin/unbound -d -vvv -c /var/unbound/unbound.conf
[1781721749] unbound[19248:0] notice: Start of unbound 1.25.1.
[1781721749] unbound[19248:0] debug: setting ip-ratelimit-slabs: 4
[1781721749] unbound[19248:0] debug: setting ratelimit-slabs: 4
[1781721749] unbound[19248:0] debug: setting dnscrypt-shared-secret-cache-slabs: 4
[1781721749] unbound[19248:0] debug: setting dnscrypt-nonce-cache-slabs: 4
[1781721749] unbound[19248:0] debug: creating udp4 socket 192.168.15.1 53
[1781721749] unbound[19248:0] debug: creating tcp4 socket 192.168.15.1 53
[1781721749] unbound[19248:0] debug: creating udp4 socket 192.168.20.1 53
[1781721749] unbound[19248:0] debug: creating tcp4 socket 192.168.20.1 53
[1781721749] unbound[19248:0] debug: creating udp6 socket fd04:f95f:5a7f:20::1 53
[1781721749] unbound[19248:0] debug: creating tcp6 socket fd04:f95f:5a7f:20::1 53
[1781721749] unbound[19248:0] debug: creating udp4 socket 192.168.40.1 53
[1781721749] unbound[19248:0] debug: creating tcp4 socket 192.168.40.1 53
[1781721749] unbound[19248:0] debug: creating udp4 socket 192.168.10.2 53
[1781721749] unbound[19248:0] debug: creating tcp4 socket 192.168.10.2 53
[1781721749] unbound[19248:0] debug: creating udp4 socket 192.168.99.1 53
[1781721749] unbound[19248:0] debug: creating tcp4 socket 192.168.99.1 53
[1781721749] unbound[19248:0] debug: creating udp4 socket 192.168.50.1 53
[1781721749] unbound[19248:0] debug: creating tcp4 socket 192.168.50.1 53
[1781721749] unbound[19248:0] debug: creating udp4 socket 192.168.51.1 53
[1781721749] unbound[19248:0] debug: creating tcp4 socket 192.168.51.1 53
[1781721749] unbound[19248:0] debug: creating udp6 socket fe80::e63a:6eff:fe61:c5ee 53
[1781721749] unbound[19248:0] debug: creating tcp6 socket fe80::e63a:6eff:fe61:c5ee 53
[1781721749] unbound[19248:0] debug: creating udp6 socket fe80::e63a:6eff:fe61:c5ee 53
[1781721749] unbound[19248:0] debug: creating tcp6 socket fe80::e63a:6eff:fe61:c5ee 53
[1781721749] unbound[19248:0] debug: creating udp6 socket fe80::e63a:6eff:fe61:c5ee 53
[1781721749] unbound[19248:0] debug: creating tcp6 socket fe80::e63a:6eff:fe61:c5ee 53
[1781721749] unbound[19248:0] debug: creating udp6 socket fe80::e63a:6eff:fe61:c5ee 53
[1781721749] unbound[19248:0] debug: creating tcp6 socket fe80::e63a:6eff:fe61:c5ee 53
[1781721749] unbound[19248:0] debug: creating udp6 socket fe80::e63a:6eff:fe61:c5ee 53
[1781721749] unbound[19248:0] debug: creating tcp6 socket fe80::e63a:6eff:fe61:c5ee 53
[1781721749] unbound[19248:0] debug: creating udp6 socket fe80::e63a:6eff:fe61:c5ef 53
[1781721749] unbound[19248:0] debug: creating tcp6 socket fe80::e63a:6eff:fe61:c5ef 53
[1781721749] unbound[19248:0] debug: creating udp6 socket fe80::e63a:6eff:fe61:c5f0 53
[1781721749] unbound[19248:0] debug: creating tcp6 socket fe80::e63a:6eff:fe61:c5f0 53
[1781721749] unbound[19248:0] debug: creating udp6 socket fd04:f95f:5a7f:15::1 53
[1781721749] unbound[19248:0] debug: creating tcp6 socket fd04:f95f:5a7f:15::1 53
[1781721749] unbound[19248:0] debug: creating udp6 socket fd04:f95f:5a7f:40::1 53
[1781721749] unbound[19248:0] debug: creating tcp6 socket fd04:f95f:5a7f:40::1 53
[1781721749] unbound[19248:0] debug: creating udp6 socket fd04:f95f:5a7f:20::1 53
[1781721749] unbound[19248:0] error: bind: address already in use
[1781721749] unbound[19248:0] fatal error: could not open ports
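
The failure above comes down to the config generator comparing the VIP and RA Subnet strings textually while unbound compares the parsed addresses. The following check, added here as an example and not part of the ticket or of pfSense, parses the `interface:` lines of an unbound.conf, canonicalises each address with Python's `ipaddress` module (zone and `@port` kept separate, since `fe80::…%igc1.20` and `fe80::…%igc1.40` are legitimately distinct bindings) and reports any binding that would be attempted twice; the embedded sample config is constructed to mirror the "failover, repeated addresses" snippet.

```python
import ipaddress
from collections import OrderedDict

# Constructed sample modelled on the failing "failover, repeated addresses"
# snippet in the report: the ULA VIP appears once as typed in the VIP form
# (fd04:f95f:5a7f:20::1) and once as typed in the RA Subnet field
# (fd04:f95f:5a7f:0020::1). The link-local entries share an address but
# differ in zone, so they are distinct bindings and must not be flagged.
SAMPLE_CONF = """\
server:
# Interface IP addresses to bind to
interface: 192.168.20.1
interface: fd04:f95f:5a7f:20::1
interface: fe80::e63a:6eff:fe61:c5ee%igc1.20
interface: fe80::e63a:6eff:fe61:c5ee%igc1.40
interface: fd04:f95f:5a7f:0020::1
interface: 127.0.0.1
interface: ::1
"""

def canonical_bind(literal, default_port=53):
    """Split one 'interface:' value into (canonical address, zone, port).

    unbound accepts ADDR, ADDR%zone and ADDR@port (and both together); the
    address part goes through ipaddress so that textual variants of the same
    address (leading zeros, upper case, different '::' placement) compare equal.
    """
    addr, _, port = literal.partition("@")
    addr, _, zone = addr.partition("%")
    ip = ipaddress.ip_address(addr)          # raises ValueError on garbage
    return (str(ip), zone, int(port) if port else default_port)

def find_duplicate_bindings(conf_text):
    """Map each canonical binding listed more than once to the literal forms
    unbound would try to bind, in file order (empty dict means the file is clean)."""
    seen = OrderedDict()
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line.startswith("interface:"):
            continue
        literal = line[len("interface:"):].strip()
        seen.setdefault(canonical_bind(literal), []).append(literal)
    return {key: forms for key, forms in seen.items() if len(forms) > 1}

if __name__ == "__main__":
    # On a pfSense box, pass the real file instead: open("/var/unbound/unbound.conf").read()
    for (ip, zone, port), forms in find_duplicate_bindings(SAMPLE_CONF).items():
        print(f"duplicate bind {ip}{'%' + zone if zone else ''}@{port}: {forms}")
```

Run against /var/unbound/unbound.conf before restarting the resolver; a non-empty result is exactly the condition that produced "bind: address already in use" above.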


Files

clipboard-202606180928-e7mza.png (67 KB) - Marc Goldburg, 06/18/2026 04:28 PM
clipboard-202606180933-rfc0w.png (122 KB) - Marc Goldburg, 06/18/2026 04:33 PM
clipboard-202606180957-tplnd.png (22.2 KB) - Marc Goldburg, 06/18/2026 04:57 PM

Actions #1

Updated by Marc Goldburg 4 days ago

Correction: Problem occurs with 26.03.1 but not 25.11.1 (or previous releases before that, dating back to at least 24.03).

Actions #2

Updated by Marcos M 3 days ago

  • Status changed from New to Incomplete

Presumably both fd04:f95f:5a7f:20::1 and fd04:f95f:5a7f:0020::1 are VIPs since you mentioned the interfaces are set to "Track Interface". If so then I'm not sure how those addresses would have been added since the input validation for adding VIPs prevents adding a duplicate address. If there's a bug then it seems to me that it will be whatever allowed the entry of the duplicate address. I suggest taking this discussion to the forum (feel free to reference the post here).

Actions #3

Updated by Marc Goldburg 3 days ago

Only fd04:f95f:5a7f:20::1 is specified as a VIP (first screenshot). fd04:f95f:5a7f:0020::1 is included in the RA Subnets field for the corresponding interface so that the (ULA) VIP prefix is advertised along with the dynamic GUA prefix obtained from the ISP (second screenshot).

If an interface has a prefix obtained through DHCPv6 and a VIP prefix defined through the GUI, are both prefixes automatically advertised via RA or does the VIP prefix need to be explicitly added in the RA config? I didn't find this addressed in the documentation or GUI help.

I previously posted this in the forum. No takers yet, but happy to move the discussion back.

Actions #4

Updated by Marc Goldburg 3 days ago

Here's the entire VIP configuration.

Actions #5

Updated by Marc Goldburg 3 days ago

With the VIP definition for fd04:f95f:5a7f:20::1 in place but no corresponding RA Subnet entry, only the ISP-delegated prefix appears in the RA (first RA below, 2600:1700:xxxx:xxxx). With the VIP definition in place and fd04:f95f:5a7f:0020::1 as the corresponding RA Subnet entry, as above, both prefixes appear in the RA (second RA below). It appears that the RA Subnet entry is required to get the VIP prefix advertised.

As mentioned, if literally identical strings are used in the VIP and RA Subnet definitions, unbound.conf is fine in the non-failover case but has duplicate entries in the failover case.

[26.03.1-RELEASE][admin@pfSense.home.arpa]/root: tcpdump -i igc1.20 -n -vv 'icmp6 and ip6[40] == 134'
tcpdump: listening on igc1.20, link-type EN10MB (Ethernet), snapshot length 2xxxx4 bytes
10:04:34.157135 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 120) fe80::e63a:6eff:fe61:c5ee > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 120
        hop limit 64, Flags [other stateful], pref high, router lifetime 1800s, reachable time 0ms, retrans timer 0ms
          prefix info option (3), length 32 (4): 2600:1700:xxxx:xxxx::/64, Flags [onlink, auto], valid time 86400s, pref. time 14400s
            0x0000:  40c0 0001 5180 0000 3840 0000 0000 2600
            0x0010:  1700 xxxx xxxx 0000 0000 0000 0000
          route info option (24), length 8 (1):  ::/0, pref=high, lifetime=1800s
            0x0000:  0008 0000 0708
          rdnss option (25), length 24 (3):  lifetime 1800s, addr: 2600:1700:xxxx:xxxx:e63a:6eff:fe61:c5ee
            0x0000:  0000 0000 0708 2600 1700 xxxx xxxx e63a
            0x0010:  6eff fe61 c5ee
          dnssl option (31), length 24 (3):  lifetime 1800s, domain(s): home.arpa.
            0x0000:  0000 0000 0708 0468 6f6d 6504 6172 7061
            0x0010:  0000 0000 0000
          mtu option (5), length 8 (1):  1500
            0x0000:  0000 0000 05dc
          source link-address option (1), length 8 (1): e4:3a:6e:61:c5:ee
            0x0000:  e43a 6e61 c5ee
10:06:09.405997 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 152) fe80::e63a:6eff:fe61:c5ee > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 152
        hop limit 64, Flags [other stateful], pref high, router lifetime 1800s, reachable time 0ms, retrans timer 0ms
          prefix info option (3), length 32 (4): 2600:1700:xxxx:xxxx::/64, Flags [onlink, auto], valid time 86400s, pref. time 14400s
            0x0000:  40c0 0001 5180 0000 3840 0000 0000 2600
            0x0010:  1700 xxxx xxxx 0000 0000 0000 0000
          prefix info option (3), length 32 (4): fd04:f95f:5a7f:20::1/64, Flags [onlink, auto], valid time 86400s, pref. time 14400s
            0x0000:  40c0 0001 5180 0000 3840 0000 0000 fd04
            0x0010:  f95f 5a7f 0020 0000 0000 0000 0001
          route info option (24), length 8 (1):  ::/0, pref=high, lifetime=1800s
            0x0000:  0008 0000 0708
          rdnss option (25), length 24 (3):  lifetime 1800s, addr: 2600:1700:xxxx:xxxx:e63a:6eff:fe61:c5ee
            0x0000:  0000 0000 0708 2600 1700 xxxx xxxx e63a
            0x0010:  6eff fe61 c5ee
          dnssl option (31), length 24 (3):  lifetime 1800s, domain(s): home.arpa.
            0x0000:  0000 0000 0708 0468 6f6d 6504 6172 7061
            0x0010:  0000 0000 0000
          mtu option (5), length 8 (1):  1500
            0x0000:  0000 0000 05dc
          source link-address option (1), length 8 (1): e4:3a:6e:61:c5:ee
            0x0000:  e43a 6e61 c5ee

Actions #6

Updated by Marcos M 2 days ago

  • Project changed from pfSense Plus to pfSense
  • Subject changed from Unbound fails to start because of duplicate interface entries in config file, specific VIP/RA/Multi-WAN scenario to Unbound configuration may be generated with duplicate interface bindings
  • Category changed from Multi-WAN to DNS Resolver
  • Status changed from Incomplete to Feedback
  • Assignee set to Marcos M
  • Target version set to 2.9.0
  • % Done changed from 0 to 100
  • Affected Plus Version deleted (26.03.1)
  • Plus Target Version set to 26.07
  • Affected Architecture All added
  • Affected Architecture deleted (amd64)

Applied with e930a491f254ec359502565218e3e1851b960f0d.

Actions #7

Updated by Marcos M 2 days ago

  • Status changed from Feedback to Resolved