Bug #2392
closed
Adding outgoing, floating rule for DNS on the WAN interface breaks DNS lookups.
Description
Hi,
when adding a floating rule that allows outgoing traffic on the wan interface from the wan address to any tcp/udp with destport 53, the dnsmasq resolver stops working.
It's a pass rule and I'm NOT using the quick option. But I assign the traffic to an HFSC queue on the wan interface so that it gets preferred over other traffic. The queue is part of HFSC queues with a default traffic of 5% and a realtime of 5% (m2).
I can run dig on the pfsense box and it's working without any problems. Only the dnsmasq service stops working. A restart of the service doesn't solve the problem.
A dig to localhost (127.0.0.1) stops working as well.
KR,
Oliver
Updated by Jim Pingle over 12 years ago
Does it break without the QoS parts on the rule?
QoS on floating rules should be using the "match" action, not "pass", though I am unsure why a pass rule would cause this (it may be worth investigating). What you are doing isn't how things are intended to work on floating rules.
Updated by Oliver Loch over 12 years ago
Hi,
yes it's also breaking if I don't assign the traffic to a queue.
The default queue is used anyway, which is also the case if I just delete the whole rule.
What am I missing when it comes to floating rules?
KR,
Oliver
Updated by Jim Pingle over 12 years ago
That's really a question for the forum, not the ticket system. Such discussion doesn't belong on here.
Updated by Oliver Loch over 12 years ago
Yeah, you're right, but when I try to differentiate between a bug and pebcak, one should be able to ask the question.
I'm using the floating rules on the wan interface to be able to prefer ack/small packets and ssh stuff over smtp/ftp uploads.
As I can only assign the traffic to a queue the moment it creates state, I have to use the outgoing floating rules on wan.
KR,
Oliver
Updated by Jim Pingle over 12 years ago
Well, not meaning to be pedantic about it, but the bug/pebkac question should be solved on the forum before opening a ticket. The ticket system is meant for confirmed bugs, and discussing on the forum, mailing list, or IRC to determine that status is a prerequisite.
Updated by Oliver Loch over 12 years ago
When I do what I wrote in the first post, the DNS lookup via dnsmasq stops working -> bug.
Oliver
Updated by Chris Buechler about 9 years ago
- Status changed from New to Feedback
This is probably something that's been fixed in a newer base OS version in the meantime.
Oliver, is this still something you can replicate on 2.2.4?
Updated by Chris Buechler almost 9 years ago
- Status changed from Feedback to Closed
No replicable issues here in current versions and no feedback.