Topic: DNS Forwarder Problems  (Read 4235 times)
« on: June 14, 2007, 08:38:54 »
msaum *
Posts: 3

I'm seeing problems with the DNS forwarder.  It appears to fail after a while and stop answering requests.  I can get DNS working again by turning it off.  (And refreshing DHCP.)

I see this behavior on two different m0n0 firewalls.  The hardware platforms are a P3-1Ghz, AOpen motherboard and Intel NICs. The other is a Via EPIA 800MHz with an Intel NIC in a PCI slot.  My ISP is Verizon FIOS.
Version: 1.231
Build: generic-pc-cdrom

Any pointers on where I should begin troubleshooting?  This configuration only started having problems since the 1.2 or 1.3 upgrade.
« Reply #1 on: July 07, 2007, 19:28:43 »
*
Posts: 4

I am having the exact same problem.
Hardware I am using is older though, using an old IBM 300GL P200 machine with 96Mb internal.
NICs used, 2x 3Com 905-TX
Really have no clue where to look, since all seems to be configured correctly.

Anybody have an idea?
« Reply #2 on: July 07, 2007, 20:28:33 »
*
Posts: 4

I forgot something.....

Seems that pinging webs from inside the M0n0wall machine is not a problem, I get response, but it stops serving DNS forwarding after a while to connected clients.
Memory usage is not an issue (28% used)

« Reply #3 on: July 11, 2007, 09:25:11 »
innovation *
Posts: 4

I'm having DNS Forwarder problems myself. I noticed that after disabling the "webGUI anti-lockout rule" (after say... 10-20 minutes) is when I can't surf the internet, but I'm not sure, just guessing here.

Using ver. 1.3b2
« Reply #4 on: July 11, 2007, 09:32:24 »
innovation *
Posts: 4

OK I could not surf right now anymore so I had to enable the webGUI anti-lockout rule to get back to surfing.

Forgot to mention that I have these rules for outbound

TCP    LAN net    *    *    80 (HTTP)    HTTP           
TCP    LAN net    *    *    443 (HTTPS)    HTTPS

and delete the allow all from LAN to WAN rule
« Reply #5 on: July 13, 2007, 03:27:44 »
innovation *
Posts: 4

Ok I have confirmed that by disabling the "webGUI anti-lockout rule" and having port 80 and 443 outbound rules on the LAN side, the DNS forwarder stops working.

Now my question is, what ports does the "webGUI anti-lockout rule" open that are bypassed by end-user rules, so that I can disable the "webGUI anti-lockout rule" and open the rule that affects the DNS forwarder after disabling anti-lock?

I know I can ping (ICMP) monowall, so I'm guessing the anti-lock rule opens that port even though I don't have an outbound rule to allow ICMP on the LAN side.

Any help is much appreciated, thanx.
« Reply #6 on: July 13, 2007, 12:09:57 »
Flo *
Posts: 7

What about allowing UDP 53 (DNS) from LAN network to m0n0wall LAN ip?

SysCP.org - A GPL Server Control Panel
« Reply #7 on: July 15, 2007, 04:03:23 »
innovation *
Posts: 4

Yup, that works if I add a DNS rule to monowall with the antilock rule disabled. But I thought I didn't need to 'cause mono does the DNS forwarding like this thread explains. http://forum.m0n0.ch/index.php?topic=649.0

Won't there be a conflict with mono's DNS and my OS DNS?

thanx
« Reply #8 on: July 15, 2007, 07:46:33 »
clarknova ***
Posts: 148

You don't need to access any external DNS server from the LAN when using the DNS forwarder, however your LAN net needs to make DNS queries to mono's LAN IP, thus you must make a rule allowing your LAN net to access mono on UDP port 53 (192.168.1.1 by default, for example) if you have disabled the webGUI anti-lockout rule.

db
« Reply #9 on: July 15, 2007, 19:18:35 »
*
Posts: 4

In my case it turned out to be a faulty DNS server from my ISP.
I got 3 addresses via DHCP, 1 is obviously not intended for us because it does not allow recursive lookup:

-dnsmasq[1150]: nameserver xxx.xx.xx.xx refused to do a recursive query-

This is what I found in the log, what happens next is that the DNSmasq stops serving DNS forwarding.

I have now the 2 other DNS servers manually added in the general setup, and now everything works fine.
But I still would love to have it configured via DHCP........(means I would have to tell M0n0wall to not use 3x DNS servers...but where??? )
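
Added example, not part of the original thread: one way to tell which DHCP-supplied nameservers are safe to list as forwarders is to send each a query with the RD bit set and read the reply header. The sketch assumes a server unwilling to recurse shows it by clearing the RA bit or answering REFUSED; the function names are hypothetical, and the three replies and their 192.0.2.x addresses are constructed samples.

```python
import struct

RD, RA, QR = 0x0100, 0x0080, 0x8000  # DNS header flag bits (RFC 1035)

def build_query(name, qid=0x1234):
    """Minimal A-record query with RD (recursion desired) set."""
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!6H", qid, RD, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)

def classify_response(data, qid=0x1234):
    """Report whether a reply shows the server willing to recurse for us."""
    if len(data) < 12:
        return "malformed"
    rid, flags = struct.unpack("!2H", data[:4])
    if rid != qid or not flags & QR:
        return "not-our-reply"
    rcode = flags & 0x000F
    if rcode == 5:              # REFUSED
        return "refused"
    if not flags & RA:          # recursion not available
        return "no-recursion"
    # NOERROR and NXDOMAIN both mean the server did the lookup for us.
    return "recursive" if rcode in (0, 3) else "error-rcode-%d" % rcode

def usable_forwarders(replies, qid=0x1234):
    """Keep only the servers whose reply was classified as recursive."""
    return [srv for srv, data in replies.items()
            if classify_response(data, qid) == "recursive"]

def _reply(flags, answer=b""):
    """Constructed reply: header, echoed question, optional answer record."""
    question = build_query("example.com")[12:]
    header = struct.pack("!6H", 0x1234, flags, 1, 1 if answer else 0, 0, 0)
    return header + question + answer

# Constructed A record (name pointer, type A, class IN, TTL 60, 192.0.2.80).
_A = b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 60, 4) + bytes([192, 0, 2, 80])
SAMPLE_REPLIES = {                       # constructed, documentation addresses
    "192.0.2.1": _reply(QR | RD | RA, _A),  # recurses and answers
    "192.0.2.2": _reply(QR | RD),           # RA clear: will not recurse
    "192.0.2.3": _reply(QR | RD | 5),       # REFUSED
}

if __name__ == "__main__":
    for srv, data in SAMPLE_REPLIES.items():
        print(srv, classify_response(data))
```

Against live servers, the bytes from `build_query()` go out over UDP port 53 and each reply is passed to `classify_response()`.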