Cannot access internet, even with firewalld inactive

Problem Description

For a few days now I have not been able to access the internet from my FB, pretty much since whenever the Debian 12 upgrade may have occurred. I thought at first that there was a problem with my firewall (I ended up reading and applying tips from Debian 12 (Bookworm) release and upgrading - #7 by Avron - but no luck).

Even after stopping the service (sudo systemctl stop firewalld.service), I get the following results upon an apt update or ping:

> sudo systemctl stop firewalld.service

> sudo apt update
...
W: Failed to fetch http://deb.debian.org/debian/dists/bookworm/InRelease  Could not resolve 'deb.debian.org'
W: Failed to fetch http://deb.debian.org/debian/dists/bookworm-updates/InRelease  Could not resolve 'deb.debian.org'
W: Failed to fetch http://security.debian.org/debian-security/dists/bookworm-security/InRelease  Could not resolve 'security.debian.org'
W: Failed to fetch http://deb.debian.org/debian/dists/bullseye-backports/InRelease  Could not resolve 'deb.debian.org'

> ping google.com
ping: google.com: Name or service not known

Just in case, here’s the config of my external firewall-cmd zone:

> sudo firewall-cmd --list-all --zone=external

external (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: cockpit http https minetest-plinth ssh syncthing xmpp-bosh xmpp-client xmpp-server
  ports:
  protocols: 
  forward: no
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

I’m starting to believe that there’s a problem beyond the firewall then.

Would anyone have any idea? Did anyone run into the same problem?

Information

  • FreedomBox version: 23.6.2 (Debian 12)
  • Hardware: DigitalOcean droplet
  • How did you install FreedomBox?: Downloaded FB from apt, if I remember correctly (it was a long time ago)

Can you ping an IP address directly, such as ping 1.1.1.1?
That should tell us if it’s a network issue or DNS issue.

Thanks @jvalleroy for your reply. Yes, I can ping 1.1.1.1:

> ping 1.1.1.1

PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=60 time=2.01 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=60 time=0.995 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=60 time=1.10 ms
...

I forgot to mention

  • there’s no additional firewall set up through DigitalOcean admin.
  • ufw is not present on the VPS

Then it is definitely a DNS problem. Can you check the output of the following commands?

$ ls -al /etc/resolv.conf

$ cat /etc/resolv.conf

$ dig debian.org

lrwxrwxrwx 1 root root 31 Aug 30  2020 /etc/resolv.conf -> /etc/resolvconf/run/resolv.conf

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "resolvectl status" to see details about the actual nameservers.

;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
;; communications error to 127.0.0.1#53: connection refused

; <<>> DiG 9.18.12-1-Debian <<>> debian.org
;; global options: +cmd
;; no servers could be reached

Hello @jvalleroy I may have found a workaround.

I managed to find the following information here:

DigitalOcean’s DNS resolver addresses are:
67.207.67.2
67.207.67.3

Since my FreedomBox is installed on a DigitalOcean droplet, I added the following line in my /etc/resolv.conf file:

nameserver 67.207.67.2

I then managed to access the internet from my FreedomBox and perform an update successfully!

However, after reboot, the nameserver 67.207.67.2 line disappears from /etc/resolv.conf. Is there a way to persist this line? Or maybe a better place to put it in?

Look in /etc/resolv.conf to see whether there is a comment saying that this file is generated by some tools used by DigitalOcean, with explanations of how to customize what is generated.

I have never used DigitalOcean but I have seen such a thing from another VPS provider.

This might help:

If you are on Digital Ocean, first thing I’d check is if the Digital Ocean management packages are updated (droplet-agent and droplet-agent-keyring), since the /etc/resolv.conf file should just have the comment text you saw plus two lines for nameservers.

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "resolvectl status" to see details about the actual nameservers.
nameserver 67.207.67.2
nameserver 67.207.67.3

from one of my DO droplets.

However, your FB config may be overwriting this.
Log into your admin account, navigate to System → Networks and click on the wired connection for your external path. Scroll through and see what the listed DNS server(s) are. If there are none set, try editing and setting the DO nameserver(s) there and see what happens.

Since you are on DO, snapshot it just in case you break something.

Thanks everyone for your help.

I just ended up adding these two lines:

nameserver 67.207.67.2
nameserver 67.207.67.3

in /etc/resolvconf/resolv.conf.d/head.

After restarting my FreedomBox, these two lines persist and I can access the internet from the server.

All good. Thanks again!

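The diagnosis reached in this thread, written as a repeatable check (an added example, not part of any post above): a resolv.conf with no nameserver lines makes the resolver fall back to the local machine, which matches the refused connections to ::1 and 127.0.0.1 in the dig output. The function names and the sample files are constructed for illustration; the addresses are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: classify a resolv.conf the way the thread diagnosed it.

# Print the nameserver addresses found in a resolv.conf-style file.
list_nameservers() {
    awk '$1 == "nameserver" && $2 != "" { print $2 }' "$1"
}

# none     - no nameserver lines: the resolver falls back to localhost
# loopback - only 127.x or ::1: needs a local resolver actually listening
# upstream - at least one non-loopback nameserver
# missing  - file unreadable, e.g. a dangling /etc/resolv.conf symlink
classify_resolv_conf() {
    if [ ! -r "$1" ]; then echo missing; return 0; fi
    servers=$(list_nameservers "$1")
    if [ -z "$servers" ]; then echo none; return 0; fi
    for s in $servers; do
        case "$s" in
            127.*|::1) ;;
            *) echo upstream; return 0 ;;
        esac
    done
    echo loopback
}

# Succeed only if every nameserver in the resolvconf head file ($1)
# also appears in the generated file ($2), e.g. after a reboot.
head_persisted() {
    for s in $(list_nameservers "$1"); do
        list_nameservers "$2" | grep -qxF -- "$s" || return 1
    done
    return 0
}

# Constructed samples: the comment-only file from the thread and the
# head file after the fix. Prints the directory holding them.
make_samples() {
    dir=$(mktemp -d)
    hdr='# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)'
    printf '%s\n' "$hdr" > "$dir/broken"
    printf '%s\n' "$hdr" 'nameserver 67.207.67.2' 'nameserver 67.207.67.3' > "$dir/head"
    cp "$dir/head" "$dir/fixed"
    printf '%s\n' 'nameserver 127.0.0.53' > "$dir/stub"
    echo "$dir"
}

# Classify the live file (or the path given as the first argument).
classify_resolv_conf "${1:-/etc/resolv.conf}"
```

Because resolvconf prepends the head file to the generated resolv.conf and glibc uses at most the first three nameserver lines, servers placed in head take precedence over any supplied dynamically.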