Jails Unable to Resolve Domain Names

Vertigo 7

Explorer
Joined
May 8, 2021
Messages
78
Well, have you tried just shutting down that VM and see what happens on your network? I'd start walking back things one at a time, as much as you can, and see what changes have an impact, if any. It would at least narrow down the culprit, a bit.
 

aiden21c

Dabbler
Joined
Sep 6, 2021
Messages
29
> Well, have you tried just shutting down that VM and see what happens on your network? I'd start walking back things one at a time, as much as you can, and see what changes have an impact, if any. It would at least narrow down the culprit, a bit.

I HAVE FOUND THE CULPRIT! I rolled back the update which disabled my OpenVPN server, and it turns out that as soon as I set a specific tunable in the OpenVPN server setup, the jails and VM can no longer access the internet. I have attached a screenshot of the culprit. Essentially, my problem now is that without this tunable, when connected to the VPN I am only able to access the NAS webUI and nothing else on the network (or public internet); however, my desired outcome is to be able to use the VPN to have access to my entire home network where the NAS resides. The em0 interface specified in the tunable is the Ethernet connection between my NAS and the modem, so that is what appears to be causing the problems. I'm unfortunately not sure where to go from here, as the tutorial I followed above specified that adding this tunable is a necessary step for the VPN to work.
 

Attachment: tunable.PNG (11.6 KB)

Vertigo 7

Explorer
Joined
May 8, 2021
Messages
78
I'm no expert in tunables but that doesn't look right. Based on some info I gleaned around the web, your tunable variables for rc.conf should be set to the following:

firewall_enable="YES"
firewall_type="open"
gateway_enable="YES"
natd_enable="YES"
natd_interface="em0"
natd_flags="-dynamic -m"

Copy and paste that in and give that a shot and see what that does.
 

aiden21c

Dabbler
Joined
Sep 6, 2021
Messages
29
> I'm no expert in tunables but that doesn't look right. Based on some info I gleaned around the web, your tunable variables for rc.conf should be set to the following:
>
> firewall_enable="YES"
> firewall_type="open"
> gateway_enable="YES"
> natd_enable="YES"
> natd_interface="em0"
> natd_flags="-dynamic -m"
>
> Copy and paste that in and give that a shot and see what that does.

I just double-checked what I already have set in my tunables, and it appears that I have already set what you have specified. This is exactly what was outlined in the tutorial I watched as well. For some reason, as soon as I enable the natd_interface, the jails and VM can no longer resolve host names. It's like a seesaw: for full VPN access, the jails and VMs break, and for jails and VMs to work, I have to sacrifice some VPN functionality.

With the natd_interface disabled, I can access VMs on the NAS through VNC Viewer remotely, so what I am thinking of doing for a temporary fix is to set up a Linux VM (maybe crunchbang++) that I can start remotely, and then VNC into that and use that as a computer on my local network for troubleshooting. At least until I've fixed this.
tunables.PNG
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,740
Why are you enabling NAT and firewalling on the NAS itself? Generally one should not do that.
You can run OpenVPN in a VNET jail with its own IP address and no NAT ... I used to do that a couple of years ago so I know it works.
 

aiden21c

Dabbler
Joined
Sep 6, 2021
Messages
29
> Why are you enabling NAT and firewalling on the NAS itself? Generally one should not do that.
> You can run OpenVPN in a VNET jail with its own IP address and no NAT ... I used to do that a couple of years ago so I know it works.

I guess the few tutorials online that I have seen that go through using the inbuilt OpenVPN server function on TrueNAS (I think it was introduced with TrueNAS 12) do it this way. I see your point as to the reasoning behind not handling NAT and the firewall on the NAS itself, but I guess I'd rather do it through the inbuilt OpenVPN server function rather than setting up a whole separate jail for this. Is there any benefit to doing it either way? (Given that both methods potentially work theoretically equally as well)
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,740
Ah - get it now. But why NAT? You can dedicate a subnet to OpenVPN - which you probably already did - and just route, i.e. add a route to that subnet in your Internet router.
 

aiden21c

Dabbler
Joined
Sep 6, 2021
Messages
29
> Ah - get it now. But why NAT? You can dedicate a subnet to OpenVPN - which you probably already did - and just route, i.e. add a route to that subnet in your Internet router.

This tutorial is what I followed essentially to set up OpenVPN, and I guess I set it up that way following the tutorial. I believe I did set up a subnet to the OpenVPN (10.20.0.0/24) which is outside my local network of 192.168.0.0. I guess are you saying to add a static route to this network in my router, and use the TrueNAS as the next hop to access this network? (Essentially set up a static route with destination 10.20.0.0, with next hop 192.168.0.15)?

I've just had a quick look at my modem, and I don't seem to have the functionality to set up static routes. This may be blocked by my ISP (as the link suggests), but I could be wrong. I've attached a screenshot of the routing table of my router (covered up my public IP). I would assume it would be on this page that I would have the functionality to add more routes, but that function does not appear to exist.

1631609356820.png
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,740
> I guess are you saying to add a static route to this network in my router, and use the TrueNAS as the next hop to access this network? (Essentially set up a static route with destination 10.20.0.0, with next hop 192.168.0.15)?

Precisely. The NAT setup works around CPEs where you cannot set static routes.

Not knowing your device, just a guess: you are looking at "Device Info". I would not expect to be able to change any setting in that submenu. What's under "Advanced Setup"?
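
The return-path reasoning behind the static-route versus NAT discussion above, as an added example that is not part of the original thread: it traces where a LAN host's reply to a VPN client goes in each setup. The /24 LAN mask, the modem address 192.168.0.1 and the client address 10.20.0.6 are assumptions made for the example; the VPN subnet and the NAS address are the ones quoted in the thread.

```python
import ipaddress

# Networks and the NAS address come from the thread; the /24 LAN mask, the
# modem address and the VPN client address are assumptions for this example.
VPN_NET = ipaddress.ip_network("10.20.0.0/24")
LAN_NET = ipaddress.ip_network("192.168.0.0/24")
NAS = ipaddress.ip_address("192.168.0.15")
MODEM = ipaddress.ip_address("192.168.0.1")       # assumed default gateway
VPN_CLIENT = ipaddress.ip_address("10.20.0.6")    # constructed client address
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def next_hop(routes, dst):
    """Longest-prefix match: return the gateway for dst, or 'on-link'."""
    matches = [(net, gw) for net, gw in routes if dst in net]
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def reply_path(src_seen_by_host, static_route_on_modem):
    """Trace where a LAN host's reply to the address it saw ends up."""
    host_routes = [(LAN_NET, "on-link"), (DEFAULT, MODEM)]
    modem_routes = [(LAN_NET, "on-link"), (DEFAULT, "WAN")]
    if static_route_on_modem:
        modem_routes.append((VPN_NET, NAS))
    if next_hop(host_routes, src_seen_by_host) == "on-link":
        # Reply stays on the LAN; with NAT the address it saw is the NAS.
        return "NAS" if src_seen_by_host == NAS else "LAN host"
    # Otherwise the host hands the reply to its default gateway, the modem.
    hop = next_hop(modem_routes, src_seen_by_host)
    return "NAS" if hop == NAS else "lost on WAN"


def scenarios():
    return {
        # No NAT, no static route: replies to 10.20.0.x leave via the WAN.
        "routed, no static route": reply_path(VPN_CLIENT, False),
        # Static route 10.20.0.0/24 -> 192.168.0.15 on the modem.
        "routed, static route": reply_path(VPN_CLIENT, True),
        # natd rewrites the source to the NAS address before the LAN sees it.
        "NAT on NAS": reply_path(NAS, False),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:26} -> {result}")
```

Only the first scenario loses the reply, which matches the symptom of reaching the NAS but nothing else on the network over the VPN.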
 

aiden21c

Dabbler
Joined
Sep 6, 2021
Messages
29
> Precisely. The NAT setup works around CPEs where you cannot set static routes.
>
> Not knowing your device, just a guess: you are looking at "Device Info". I would not expect to be able to change any setting in that submenu. What's under "Advanced Setup"?

I have just looked up some information from my ISP, and it appears on my main modem that I cannot assign static routes to this modem. I do have a secondary modem (192.168.2.1) that utilises the PiHole as its DNS, and I guess I could use this device to set up a static route instead, aka changing the modem that the remote access connects through. My main issue with this is that I use an Ethernet over power link to connect the secondary modem to the main modem, so its speed can be a bit choppy. On top of that, if the PiHole goes down for whatever reason (I reboot the NAS for example) I would also lose access through that modem until the PiHole restarts.

I have doubts this will work however, as due to being unable to set up static routes on my 192.168.0.0 network, the 192.168.2.1 network can access the .0.0 network, but not vice versa (my secondary modem can ping the NAS, but the NAS can't ping the .2.1 address of the secondary modem, or any other devices on the .2.0 network)
 

Flame Soulis

Cadet
Joined
Sep 18, 2021
Messages
1
Unfortunately, I'm stuck in the same situation.

I have another server that I set up VPN access on, but this was on Ubuntu. I reviewed both the tutorial on that and compared it to the ones regarding FreeBSD to try and figure out what to do, since not only does the YouTube video linked mention using NAT, but so does DigitalOcean and likely other sources.

Unfortunately, I seem to have similar issues, but weirder: if I ping within a jail, the pings go to the server, which I assume means it's going down the bridge for some weird reason, even if it isn't related to the VPN. If I disable ipfw, the VPN still works, but now it isn't allowing access to devices (which defeats the point).

In my case, my router does seem to offer static route management, so I guess I'll ask the following:
1. Am I better off having the router route all VPN connections (192.168.100.0/24) to the primary router (192.168.2.1) as defined by the router rather than the server?
2. If I am somehow unable to have the router do it for some reason, is my issue with an IPFW rule perhaps denying the vnet devices on the host?
 

StanTheMa

Dabbler
Joined
Jun 30, 2020
Messages
13
I had weirdly similar issues on an iocage jail which I have set as a local_unbound DNS server for my LAN. I was just about to add Wireshark to it to monitor DNS traffic and no resolving of pkg repos in jail!

After much faff (technical term in networking) I then found another of my jails that allowed resolving, pinging etc. and compared settings in the TrueNAS GUI. Strangely, the solution and only diff was to check Berkeley Packet Filter for the DNS server jail. I think this allows all traffic to be filtered at the jail but no idea why it fixed resolve for the jail?
 