DNS forwarding throwing error

dennisN86 · October 3, 2019, 11:55am

Hello, I’m new to vyos trying an initial install on my pcengines APU2C4 which ran openWRT until now.

I read the documentation and build the vyos.iso for my hardware as described here: https://wiki.vyos.net/wiki/PC_Engines#Installation_for_Version_1.2.x

I followed the Quick Start Guide: https://vyos.readthedocs.io/en/latest/quick-start.html

Since my APU2C4 board starts enumerating eth ports starting with eth1 as outbound and eth2 as the inbound interface. The only change in comparison to the Quick Start Guide, other then naming ones, is that the eth1 interfaces receives a fixed IP other then via dhcp.

Now when I’m executing the script, I receive the following error:

vyos@vyos:~$ chmod +x script.sh
vyos@vyos:~$ sg vyattacfg -c ./script.sh
[ service dhcp-server ]
Traceback (most recent call last):
File “/usr/libexec/vyos/conf_mode/dhcp_server.py”, line 822, in
apply(c)
File “/usr/libexec/vyos/conf_mode/dhcp_server.py”, line 811, in apply
os.mknod(lease_file)
FileNotFoundError: [Errno 2] No such file or directory

[[service dhcp-server]] failed
[ service dns forwarding ]
Error: DNS forwarding requires an allow-from network

[[service dns forwarding]] failed
Commit failed
Warning: you have uncommitted changes that will not be saved.

Saving configuration to ‘/config/config.boot’…
Done

Following a manual

vyos@vyos# set service dns forwarding allow-from ‘0.0.0.0/0’

I receive another error:

vyos@vyos# commit
[ service dns forwarding ]
Error: DNS forwarding requires either a listen-address (preferred) or a listen-on option

[[service dns forwarding]] failed
Commit failed

Can someone lend me a hand and tell me what I’m doing wrong?

To ease my life I put the entire configuration in a script.sh, which reads the following:

#!/bin/vbash
source /opt/vyatta/etc/functions/script-template

Configuration mode

configure

Set Interfaces

set interfaces ethernet eth1 address ‘10.10.10.10/24’
set interfaces ethernet eth1 description ‘WAN’
set interfaces ethernet eth2 address ‘192.168.0.1/24’
set interfaces ethernet eth2 description ‘LAN’

Enable SSH

set service ssh port ‘22’

Set DHCP-Server

set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 default-router ‘192.168.0.1’
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 dns-server ‘192.168.0.1’
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 domain-name ‘internal-network’
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 lease ‘86400’
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range 0 start 192.168.0.9
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range 0 stop ‘192.168.0.254’

Set DNS

set service dns forwarding cache-size ‘1000’
set service dns forwarding listen-address ‘192.168.0.1’
set service dns forwarding name-server ‘8.8.8.8’
set service dns forwarding name-server ‘8.8.4.4’
#set service dns forwarding allow-from ‘0.0.0.0/0’

Set NAT

set nat source rule 100 outbound-interface ‘eth1’
set nat source rule 100 source address ‘192.168.0.0/24’
set nat source rule 100 translation address masquerade

Set Firewall

set firewall name WAN-IN default-action ‘drop’
set firewall name WAN-IN rule 10 action ‘accept’
set firewall name WAN-IN rule 10 state established ‘enable’
set firewall name WAN-IN rule 10 state related ‘enable’
set firewall name WAN-LAN default-action ‘drop’
set firewall name WAN-LAN rule 10 action ‘accept’
set firewall name WAN-LAN rule 10 state established ‘enable’
set firewall name WAN-LAN rule 10 state related ‘enable’
set firewall name WAN-LAN rule 20 action ‘accept’
set firewall name WAN-LAN rule 20 icmp type-name ‘echo-request’
set firewall name WAN-LAN rule 20 protocol ‘icmp’
set firewall name WAN-LAN rule 20 state new ‘enable’

Set SSH access

set firewall name WAN-LAN rule 30 action ‘drop’
set firewall name WAN-LAN rule 30 destination port ‘22’
set firewall name WAN-LAN rule 30 protocol ‘tcp’
set firewall name WAN-LAN rule 30 recent count ‘4’
set firewall name WAN-LAN rule 30 recent time ‘60’
set firewall name WAN-LAN rule 30 state new ‘enable’
set firewall name WAN-LAN rule 31 action ‘accept’
set firewall name WAN-LAN rule 31 destination port ‘22’
set firewall name WAN-LAN rule 31 protocol ‘tcp’
set firewall name WAN-LAN rule 31 state new ‘enable’

Apply Firewall policies

set interfaces ethernet eth1 firewall in name ‘WAN-IN’
set interfaces ethernet eth1 firewall local name ‘WAN-LAN’

commit

save

exit

c-po · October 3, 2019, 12:37pm

Thank you for this detailed report. What exact VyOS version are you running?

dennisN86 · October 3, 2019, 12:53pm

I’m using the following version:

Linux vyos 4.19.67-amd64-vyos

c-po · October 3, 2019, 2:05pm

This is the OS kernel version. I need your VyOS version. show version

dennisN86 · October 3, 2019, 2:18pm

Sure, my apologies:

vyos@vyos:~$ show version
Version: VyOS 1.2-rolling-201908311322
Built by: autobuild@vyos.net
Built on: Sat 31 Aug 2019 13:22 UTC
Build UUID: e402d795-a05c-4c66-adba-921d5fba4773
Build Commit ID: 372bad3d5d1157

Architecture: x86_64
Boot via: livecd
System type: bare metal

Hardware vendor: PC Engines
Hardware model: APU2
Hardware S/N: -64
Hardware UUID: Unknown

c-po · October 3, 2019, 4:14pm

This is a very “old” rolling release. Please retest with the latest rolling.

Dmitry · October 3, 2019, 9:05pm

Also you need add
set service dns forwarding listen-address 192.168.0.1

dennisN86 · October 4, 2019, 7:12pm

@c-po: Isn’t it just a month or something old? Sure it’s better to use to latest build but this is not ages old.

@Dmitry: This is already part of the script. Therefore, this cannot cause the issue

dennisN86 · October 5, 2019, 10:41am

I build vyos for APU2 with the latest .iso

vyos@vyos:~$ show version
Version: VyOS 1.2-rolling-201909210118
Built by: autobuild@vyos.net
Built on: Sat 21 Sep 2019 01:18 UTC
Build UUID: 41c80f4e-e0da-4780-bf12-6c93ca0f8c3a
Build Commit ID: ae5e390d84c19f

Architecture: x86_64
Boot via: livecd
System type: bare metal

Hardware vendor: PC Engines
Hardware model: APU2
Hardware S/N: -64
Hardware UUID: Unknown

The error remains the same…

[ service dhcp-server ]
Traceback (most recent call last):
File “/usr/libexec/vyos/conf_mode/dhcp_server.py”, line 822, in
apply(c)
File “/usr/libexec/vyos/conf_mode/dhcp_server.py”, line 811, in apply
os.mknod(lease_file)
FileNotFoundError: [Errno 2] No such file or directory

[[service dhcp-server]] failed
[ service dns forwarding ]
Error: DNS forwarding requires either a listen-address (preferred) or a listen-on option

[[service dns forwarding]] failed
Commit failed
Warning: you have uncommitted changes that will not be saved.

Saving configuration to ‘/config/config.boot’…
Done
[edit]

No matter if I put in

set service dns forwarding listen-address ‘192.168.0.1’

or

set service dns forwarding listen-on ‘eth1’

May someone with a German VDSL ISP be so nice to support me with his/her configuration?

Dmitry · October 6, 2019, 4:50pm

@dennisN86 I was try your config in new rolling release, and don’t seen any error. Just uncomment set service dns forwarding allow-from '0.0.0.0/0'

vyos@vyos:~$ chmod +x script.sh 
vyos@vyos:~$ sg vyattacfg -c ./script.sh
vyos@vyos:~$ show version 
Version:          VyOS 1.2-rolling-201910061306

dennisN86 · October 6, 2019, 6:19pm

Thanks for your support @Dmitry, yet, there error is still there

[ service dhcp-server ]
Traceback (most recent call last):
File “/usr/libexec/vyos/conf_mode/dhcp_server.py”, line 822, in
apply©
File “/usr/libexec/vyos/conf_mode/dhcp_server.py”, line 811, in apply
os.mknod(lease_file)
FileNotFoundError: [Errno 2] No such file or directory

However, when I edit the path in /usr/libexec/vyos/conf_mode/dhcp_server.py to:

/opt/vyatta/config/dhcpd.leases

The scritps runs smoothly to it’s end without throwing an error. I found the description how to tackle the situation here: https://forum.vyos.io/t/dhcp-service-mknod-error/3392

Sadly, the newly applied and saved config does not survive the reboot. Do I have to explicitly select a new bootable vyos squashfs.img on boot?

Dmitry · October 6, 2019, 7:14pm

Seems you use old rolling, look line 811 empty.

github.com

vyos/vyos-1x/blob/current/src/conf_mode/dhcp_server.py#L811


      
          #!/usr/bin/env python3
          #
          # Copyright (C) 2018-2023 VyOS maintainers and contributors
          #
          # This program is free software; you can redistribute it and/or modify
          # it under the terms of the GNU General Public License version 2 or later as
          # published by the Free Software Foundation.
          #
          # This program is distributed in the hope that it will be useful,
          # but WITHOUT ANY WARRANTY; without even the implied warranty of
          # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
          # GNU General Public License for more details.
          #
          # You should have received a copy of the GNU General Public License
          # along with this program.  If not, see <http://www.gnu.org/licenses/>.
          
          import os
          
          from ipaddress import ip_address
          from ipaddress import ip_network
          from netaddr import IPRange
          from sys import exit
          
          from vyos.config import Config
          from vyos.pki import wrap_certificate
          from vyos.pki import wrap_private_key
          from vyos.template import render
          from vyos.utils.dict import dict_search
          from vyos.utils.dict import dict_search_args
          from vyos.utils.file import write_file
          from vyos.utils.process import call
          from vyos.utils.process import run
          from vyos.utils.network import is_subnet_connected
          from vyos.utils.network import is_addr_assigned
          from vyos import ConfigError
          from vyos import airbag
          airbag.enable()
          
          ctrl_config_file = '/run/kea/kea-ctrl-agent.conf'
          ctrl_socket = '/run/kea/dhcp4-ctrl-socket'
          config_file = '/run/kea/kea-dhcp4.conf'
          lease_file = '/config/dhcp4.leases'
          systemd_override = r'/run/systemd/system/kea-ctrl-agent.service.d/10-override.conf'
          
          ca_cert_file = '/run/kea/kea-failover-ca.pem'
          cert_file = '/run/kea/kea-failover.pem'
          cert_key_file = '/run/kea/kea-failover-key.pem'
          
          def dhcp_slice_range(exclude_list, range_dict):
              """
              This function is intended to slice a DHCP range. What does it mean?
          
              Lets assume we have a DHCP range from '192.0.2.1' to '192.0.2.100'
              but want to exclude address '192.0.2.74' and '192.0.2.75'. We will
              pass an input 'range_dict' in the format:
                {'start' : '192.0.2.1', 'stop' : '192.0.2.100' }
              and we will receive an output list of:
                [{'start' : '192.0.2.1' , 'stop' : '192.0.2.73'  },
                 {'start' : '192.0.2.76', 'stop' : '192.0.2.100' }]
              The resulting list can then be used in turn to build the proper dhcpd
              configuration file.
              """
              output = []
              # exclude list must be sorted for this to work
              exclude_list = sorted(exclude_list)
              range_start = range_dict['start']
              range_stop = range_dict['stop']
              range_last_exclude = ''
          
              for e in exclude_list:
                  if (ip_address(e) >= ip_address(range_start)) and \
                     (ip_address(e) <= ip_address(range_stop)):
                      range_last_exclude = e
          
              for e in exclude_list:
                  if (ip_address(e) >= ip_address(range_start)) and \
                     (ip_address(e) <= ip_address(range_stop)):
          
                      # Build new address range ending one address before exclude address
                      r = {
                          'start' : range_start,
                          'stop' : str(ip_address(e) -1)
                      }
                      # On the next run our address range will start one address after
                      # the exclude address
                      range_start = str(ip_address(e) + 1)
          
                      # on subsequent exclude addresses we can not
                      # append them to our output
                      if not (ip_address(r['start']) > ip_address(r['stop'])):
                          # Everything is fine, add range to result
                          output.append(r)
          
                      # Take care of last IP address range spanning from the last exclude
                      # address (+1) to the end of the initial configured range
                      if ip_address(e) == ip_address(range_last_exclude):
                          r = {
                            'start': str(ip_address(e) + 1),
                            'stop': str(range_stop)
                          }
                          if not (ip_address(r['start']) > ip_address(r['stop'])):
                              output.append(r)
                  else:
                    # if the excluded address was not part of the range, we simply return
                    # the entire ranga again
                    if not range_last_exclude:
                        if range_dict not in output:
                            output.append(range_dict)
          
              return output
          
          def get_config(config=None):
              if config:
                  conf = config
              else:
                  conf = Config()
              base = ['service', 'dhcp-server']
              if not conf.exists(base):
                  return None
          
              dhcp = conf.get_config_dict(base, key_mangling=('-', '_'),
                                          no_tag_node_value_mangle=True,
                                          get_first_key=True,
                                          with_recursive_defaults=True)
          
              if 'shared_network_name' in dhcp:
                  for network, network_config in dhcp['shared_network_name'].items():
                      if 'subnet' in network_config:
                          for subnet, subnet_config in network_config['subnet'].items():
                              # If exclude IP addresses are defined we need to slice them out of
                              # the defined ranges
                              if {'exclude', 'range'} <= set(subnet_config):
                                  new_range_id = 0
                                  new_range_dict = {}
                                  for r, r_config in subnet_config['range'].items():
                                      for slice in dhcp_slice_range(subnet_config['exclude'], r_config):
                                          new_range_dict.update({new_range_id : slice})
                                          new_range_id +=1
          
                                  dhcp['shared_network_name'][network]['subnet'][subnet].update(
                                          {'range' : new_range_dict})
          
              if dict_search('failover.certificate', dhcp):
                  dhcp['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'), get_first_key=True, no_tag_node_value_mangle=True)
          
              return dhcp
          
          def verify(dhcp):
              # bail out early - looks like removal from running config
              if not dhcp or 'disable' in dhcp:
                  return None
          
              # If DHCP is enabled we need one share-network
              if 'shared_network_name' not in dhcp:
                  raise ConfigError('No DHCP shared networks configured.\n' \
                                    'At least one DHCP shared network must be configured.')
          
              # Inspect shared-network/subnet
              listen_ok = False
              subnets = []
              failover_ok = False
              shared_networks =  len(dhcp['shared_network_name'])
              disabled_shared_networks = 0
          
          
              # A shared-network requires a subnet definition
              for network, network_config in dhcp['shared_network_name'].items():
                  if 'disable' in network_config:
                      disabled_shared_networks += 1
          
                  if 'subnet' not in network_config:
                      raise ConfigError(f'No subnets defined for {network}. At least one\n' \
                                        'lease subnet must be configured.')
          
                  for subnet, subnet_config in network_config['subnet'].items():
                      # All delivered static routes require a next-hop to be set
                      if 'static_route' in subnet_config:
                          for route, route_option in subnet_config['static_route'].items():
                              if 'next_hop' not in route_option:
                                  raise ConfigError(f'DHCP static-route "{route}" requires router to be defined!')
          
                      # Check if DHCP address range is inside configured subnet declaration
                      if 'range' in subnet_config:
                          networks = []
                          for range, range_config in subnet_config['range'].items():
                              if not {'start', 'stop'} <= set(range_config):
                                  raise ConfigError(f'DHCP range "{range}" start and stop address must be defined!')
          
                              # Start/Stop address must be inside network
                              for key in ['start', 'stop']:
                                  if ip_address(range_config[key]) not in ip_network(subnet):
                                      raise ConfigError(f'DHCP range "{range}" {key} address not within shared-network "{network}, {subnet}"!')
          
                              # Stop address must be greater or equal to start address
                              if ip_address(range_config['stop']) < ip_address(range_config['start']):
                                  raise ConfigError(f'DHCP range "{range}" stop address must be greater or equal\n' \
                                                    'to the ranges start address!')
          
                              for network in networks:
                                  start = range_config['start']
                                  stop = range_config['stop']
                                  if start in network:
                                      raise ConfigError(f'Range "{range}" start address "{start}" already part of another range!')
                                  if stop in network:
                                      raise ConfigError(f'Range "{range}" stop address "{stop}" already part of another range!')
          
                              tmp = IPRange(range_config['start'], range_config['stop'])
                              networks.append(tmp)
          
                      # Exclude addresses must be in bound
                      if 'exclude' in subnet_config:
                          for exclude in subnet_config['exclude']:
                              if ip_address(exclude) not in ip_network(subnet):
                                  raise ConfigError(f'Excluded IP address "{exclude}" not within shared-network "{network}, {subnet}"!')
          
                      # At least one DHCP address range or static-mapping required
                      if 'range' not in subnet_config and 'static_mapping' not in subnet_config:
                          raise ConfigError(f'No DHCP address range or active static-mapping configured\n' \
                                            f'within shared-network "{network}, {subnet}"!')
          
                      if 'static_mapping' in subnet_config:
                          # Static mappings require just a MAC address (will use an IP from the dynamic pool if IP is not set)
                          for mapping, mapping_config in subnet_config['static_mapping'].items():
                              if 'ip_address' in mapping_config:
                                  if ip_address(mapping_config['ip_address']) not in ip_network(subnet):
                                      raise ConfigError(f'Configured static lease address for mapping "{mapping}" is\n' \
                                                        f'not within shared-network "{network}, {subnet}"!')
          
                                  if ('mac' not in mapping_config and 'duid' not in mapping_config) or \
                                      ('mac' in mapping_config and 'duid' in mapping_config):
                                      raise ConfigError(f'Either MAC address or Client identifier (DUID) is required for '
                                                        f'static mapping "{mapping}" within shared-network "{network}, {subnet}"!')
          
                      # There must be one subnet connected to a listen interface.
                      # This only counts if the network itself is not disabled!
                      if 'disable' not in network_config:
                          if is_subnet_connected(subnet, primary=False):
                              listen_ok = True
          
                      # Subnets must be non overlapping
                      if subnet in subnets:
                          raise ConfigError(f'Configured subnets must be unique! Subnet "{subnet}"\n'
                                             'defined multiple times!')
                      subnets.append(subnet)
          
                      # Check for overlapping subnets
                      net = ip_network(subnet)
                      for n in subnets:
                          net2 = ip_network(n)
                          if (net != net2):
                              if net.overlaps(net2):
                                  raise ConfigError(f'Conflicting subnet ranges: "{net}" overlaps "{net2}"!')
          
              # Prevent 'disable' for shared-network if only one network is configured
              if (shared_networks - disabled_shared_networks) < 1:
                  raise ConfigError(f'At least one shared network must be active!')
          
              if 'failover' in dhcp:
                  for key in ['name', 'remote', 'source_address', 'status']:
                      if key not in dhcp['failover']:
                          tmp = key.replace('_', '-')
                          raise ConfigError(f'DHCP failover requires "{tmp}" to be specified!')
          
                  if len({'certificate', 'ca_certificate'} & set(dhcp['failover'])) == 1:
                      raise ConfigError(f'DHCP secured failover requires both certificate and CA certificate')
          
                  if 'certificate' in dhcp['failover']:
                      cert_name = dhcp['failover']['certificate']
          
                      if cert_name not in dhcp['pki']['certificate']:
                          raise ConfigError(f'Invalid certificate specified for DHCP failover')
          
                      if not dict_search_args(dhcp['pki']['certificate'], cert_name, 'certificate'):
                          raise ConfigError(f'Invalid certificate specified for DHCP failover')
          
                      if not dict_search_args(dhcp['pki']['certificate'], cert_name, 'private', 'key'):
                          raise ConfigError(f'Missing private key on certificate specified for DHCP failover')
          
                  if 'ca_certificate' in dhcp['failover']:
                      ca_cert_name = dhcp['failover']['ca_certificate']
                      if ca_cert_name not in dhcp['pki']['ca']:
                          raise ConfigError(f'Invalid CA certificate specified for DHCP failover')
          
                      if not dict_search_args(dhcp['pki']['ca'], ca_cert_name, 'certificate'):
                          raise ConfigError(f'Invalid CA certificate specified for DHCP failover')
          
              for address in (dict_search('listen_address', dhcp) or []):
                  if is_addr_assigned(address):
                      listen_ok = True
                      # no need to probe further networks, we have one that is valid
                      continue
                  else:
                      raise ConfigError(f'listen-address "{address}" not configured on any interface')
          
          
              if not listen_ok:
                  raise ConfigError('None of the configured subnets have an appropriate primary IP address on any\n'
                                    'broadcast interface configured, nor was there an explicit listen-address\n'
                                    'configured for serving DHCP relay packets!')
          
              return None
          
          def generate(dhcp):
              # bail out early - looks like removal from running config
              if not dhcp or 'disable' in dhcp:
                  return None
          
              dhcp['lease_file'] = lease_file
              dhcp['machine'] = os.uname().machine
          
              if not os.path.exists(lease_file):
                  write_file(lease_file, '', user='_kea', group='vyattacfg', mode=0o755)
          
              for f in [cert_file, cert_key_file, ca_cert_file]:
                  if os.path.exists(f):
                      os.unlink(f)
          
              if 'failover' in dhcp:
                  if 'certificate' in dhcp['failover']:
                      cert_name = dhcp['failover']['certificate']
                      cert_data = dhcp['pki']['certificate'][cert_name]['certificate']
                      key_data = dhcp['pki']['certificate'][cert_name]['private']['key']
                      write_file(cert_file, wrap_certificate(cert_data), user='_kea', mode=0o600)
                      write_file(cert_key_file, wrap_private_key(key_data), user='_kea', mode=0o600)
          
                      dhcp['failover']['cert_file'] = cert_file
                      dhcp['failover']['cert_key_file'] = cert_key_file
          
                  if 'ca_certificate' in dhcp['failover']:
                      ca_cert_name = dhcp['failover']['ca_certificate']
                      ca_cert_data = dhcp['pki']['ca'][ca_cert_name]['certificate']
                      write_file(ca_cert_file, wrap_certificate(ca_cert_data), user='_kea', mode=0o600)
          
                      dhcp['failover']['ca_cert_file'] = ca_cert_file
          
                  render(systemd_override, 'dhcp-server/10-override.conf.j2', dhcp)
          
              render(ctrl_config_file, 'dhcp-server/kea-ctrl-agent.conf.j2', dhcp)
              render(config_file, 'dhcp-server/kea-dhcp4.conf.j2', dhcp)
          
              return None
          
          def apply(dhcp):
              services = ['kea-ctrl-agent', 'kea-dhcp4-server', 'kea-dhcp-ddns-server']
          
              if not dhcp or 'disable' in dhcp:
                  for service in services:
                      call(f'systemctl stop {service}.service')
          
                  if os.path.exists(config_file):
                      os.unlink(config_file)
          
                  return None
          
              for service in services:
                  action = 'restart'
          
                  if service == 'kea-dhcp-ddns-server' and 'dynamic_dns_update' not in dhcp:
                      action = 'stop'
          
                  if service == 'kea-ctrl-agent' and 'failover' not in dhcp:
                      action = 'stop'
          
                  call(f'systemctl {action} {service}.service')
          
              return None
          
          if __name__ == '__main__':
              try:
                  c = get_config()
                  verify(c)
                  generate(c)
                  apply(c)
              except ConfigError as e:
                  print(e)
                  exit(1)

This file has been truncated. show original

Provide please output of command show version.

dennisN86 · October 6, 2019, 8:22pm

It’s the one liste two post before. I build it yesterday, with the newest rolling release

vyos@vyos:~$ show version
Version: VyOS 1.2-rolling-201909210118

Dmitry · October 6, 2019, 8:39pm

try update to vyos-1.2-rolling-201910061306
add system image https://downloads.vyos.io/rolling/current/amd64/vyos-rolling-latest.iso

dennisN86 · October 9, 2019, 6:32am

@Dmitry: This worked out. The lastet rolling release fixed the issue. Thank you for your support.

edsonwolf · February 28, 2020, 2:46pm

set service dns forwarding system