After running script, DNS resolves fail on client devices as well as on the USG P3

[mosfet]

I'm not sure if I'm doing something wrong, but on a freshly provisioned USG 3P, running the command seems to halt all DNS resolves, both on the device itself and on client devices.

I noticed the "Commit failed" when running, but I'm not sure if this is desired.

After re-provisioning the USG, it seems to work, but I don't believe that it's using cloudflared for resolves (as tested on https://www.cloudflare.com/ssl/encrypted-sni/ )

Any troubleshooting or debugging steps would be appreciated.

lanman@USG:~$ bash <(curl -s https://raw.githubusercontent.com/Twanislas/ubnt-cloudflared/master/install.sh)
Installing cloudflared
INFO[0000] Using Sysv
Not running
Starting cloudflared
Nothing to delete (the specified node does not exist)
[ firewall name WAN_OUT ]
calling cfgPathGetValue() without config session

Commit failed
Saving configuration to '/config/config.boot'...
Done
lanman@USG:~$

[mosfet]

A bit more playing around, I ran the commands in the install script manually, but skipped all of the firewall stuff (blocking outgoing dns requests) and everything seemed to work.

I created the firewall rule manually through the Controller UI and that was successful. The difference on the UI vs the CLI is that the UI expected a port group rather than just a port number.

Maybe the script needs to create a port group (with the single port 53 in it) and assign that to the firewall rule instead of just a port number?

edit: Maybe not? After a few minutes of it appearing to work, it stopped doing lookups.

[Twanislas]

Hi !

Thanks @mosfet for opening this issue :)

I'll try and have a look today.

It's been a while so most likely Vyatta was updated and I just need to update the commands...

Cheers !

[Twanislas]

Hi !

So I successfully ran the folowing snippet on a USG3 and USG4P :

delete firewall name WAN_OUT rule 1000
set firewall name WAN_OUT rule 1000 action drop
set firewall name WAN_OUT rule 1000 description "Block all outgoing DNS requests on WAN_OUT"
set firewall name WAN_OUT rule 1000 protocol tcp_udp
set firewall name WAN_OUT rule 1000 destination port 53
set firewall name WAN_OUT rule 1000 log enable

Maybe it was just cloudflared that needed an update... I updated the binary. Would you mind trying again from the start ?

Cheers !

[Twanislas]

Hi !

Friendly bump :) Any news ?

Cheers !

[mosfet]

Looks like no error messages when running the install script, but afterwards, I'm unable to do any DNS resolves from a client computer, and no pings from the USG itself...

I also notice that cloudflared is running high on the process list (over 100% in top), so I'm not sure if its something wrong with it or something else.

Any troubleshooting hints?

[Twanislas]

Allright, thanks for the update. I'll look into it further :)

Cheers !

[Twanislas]

Any troubleshooting hints?

You could try to manually run cloudflared when connected via SSH (not in config edit mode) and look at its console output and logs

[mosfet]

Ah, I did just that, and a lot of spam:

ERRO[0013] failed to connect to an HTTPS backend "https://1.1.1.1/dns-query"  error="failed to perform an HTTPS request: Post https://1.1.1.1/dns-query: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)"

ERRO[0013] failed to connect to an HTTPS backend "https://1.0.0.1/dns-query"  error="failed to perform an HTTPS request: Post https://1.0.0.1/dns-query: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)"

Further, my previous test may have been invalid, I had run the commands in the install script manually one by one. When running the full install.sh script, it did give me the "Commit Failed" message:

lanman@USG:~$ bash <(curl -s https://raw.githubusercontent.com/Twanislas/ubnt-cloudflared/master/install.sh)
Installing cloudflared
INFO[0000] Using Sysv
Not running
Starting cloudflared
Nothing to delete (the specified node does not exist)
Nothing to delete (the specified node does not exist)
[ firewall name WAN_OUT ]
calling cfgPathGetValue() without config session

Commit failed
Saving configuration to '/config/config.boot'...
Done

[Twanislas]

Hi,

I'm sorry for the latency here. but life happens and I migrated my home setup to AdGuard Home, thus I'm not using this anymore and will archive the repo. Sorry for the inconvenience...