New install, no internet access, but can ping IP address

swust

this is on Windows 10. can't think of anything that might interfere. the two that I suspected are Eset Internet Security and Private Internet Access, and shutting them both down didnt help.

I am able to use the same client PC with no change to the set up, on my current WAN (ISP) --> Unifi USG --> Unifi Switch --> PC setup.

JKnott

@swust

Well, maybe you created rules or something that's causing the problem. If you use 8.8.8.8 in W10 for DNS but can't go to google.com, there must be a rule somewhere.

I've been running pfsense for almost 6 years and it works fine for me.

stephenw10

It's unclear where you tried setting the DNS server.

In the pfSense DHCP server? By default it hands out it's own interface IP for DNS.

In the client it self directly?

For use by pfSense in System > General Setup?

Try resolving in pfSense itself in Diag > DNS Lookup. That has to work first if clients are trying to use pfSense.

Steve

swust

@jknott

I thought i did so i fresh install everything and made no changes to the default out of the box setting. it is weird.

swust

@stephenw10 said in New install, no internet access, but can ping IP address:

It's unclear where you tried setting the DNS server.
In the pfSense DHCP server? By default it hands out it's own interface IP for DNS.
In the client it self directly?
For use by pfSense in System > General Setup?
Try resolving in pfSense itself in Diag > DNS Lookup. That has to work first if clients are trying to use pfSense.

I tried all you mentioned above

In pfsense DHCP server, client see its IP address as DNS --> doesn't work

In the client, i tried public DNS manually under --> doesnt work

For use by pfsense in system > general setup ---> also doesn't work

DNS Lookup under diag also doesn't work.

At this point i'm not sure what else to tried.

JKnott

@swust

As an experiment, try editing your hosts file to include a known good IP address for a host and see what happens when you try that host name. This will remove DNS from the equation. You could include an IP address for something on your local network and give it a host name. If that works and something on the Internet doesn't, that could be a clue. However, I don't know why a fresh install doesn't work for you, unless something else is causing the problem, as pfsense should just work, right out of the box.

Gertjan

@jknott said in New install, no internet access, but can ping IP address:

I don't know why a fresh install doesn't work for you

I think this Initial Setup Wizard page is misleading :

General Information Screen

alt text

The text in the documentation is far more clear :

The IP address of the Primary DNS Server and Secondary DNS Server, if known.

These DNS servers may be left blank if the DNS Resolver will remain active using its default settings. The default configuration has the DNS Resolver active in resolver mode (not forwarding mode), when set this way, the DNS Resolver does not need forwarding DNS servers as it will communicate directly with Root DNS servers and other authoritative DNS servers. To force the firewall to use these configured DNS servers, enable forwarding mode in the DNS Resolver or use the DNS Forwarder.

The option to make it work 'no matter what' is : leave the two fields as they are : leave them empty.

I see far to many videos that say : "You have to enter two DNS IP's here". That's clearly wrong. You don't. If we had to do so, Netgate would have pre entered 8.8.8.8 and 4.4.4.4 - or any other known 'public' resolver, already.
Guess what : they didn't - because none is needed.

The "DNS Server Override" should also be unchecked.
(don't if that is default, or if it is checked)
These days, DNS info that come over from the upstream DHCP server should be ignored.
This could be our ISP router (WAN IP is RFC1918), and in that case the DNS forwarder in the ISP box will chain to some ISP DNS (or your ISP sells your DNS traffic directly to '8.8.8.8', which will surely reduce their peering costs).

There is just ONE possibility that the default pfSense setting won't work : that is if the ISP intercepts / blocks / does something with DNS requests. None needs to be explained for what to do next : say goodbye to your ISP.

swust

@JKnott @gertjan

OK I think I found the problems.

My ISP seems to have specific DNS address that I need to use otherwise nothing works.

Once I put those DNS server addresses under System > General Setup, disable DNS Resolver and enable DNS Forwarder, things works fine. I then deleted these DNS servers from System > General Setup and things still bizarrely work fine (DNS Server Override checked). My FireTV also can access internet now. nslookup show that DNS query is handled by pfsense (192.168.1.1)

Now the DNS servers on my dashboard show 127.0.0.1 and my ISP Modem IP address. (192.168.18.1)

I will leave these for a couple of days, and perhaps will try reset pfsense to default and try setup again to see if I can replicate the problem and solve the issue if it comes up again before putting it in service permanently.

This setup also solve my issue with slow webgui loading, now everything is smooth.

I guess my next question is, anything I can do to address the issue re: specific DNS servers from my ISP (not many other options in the market to be honest) or any worry on using DNS Forwarder rather than DNS Resolver?

Thank you.

JKnott

@swust

WTF???
Why didn't you mention that USG before???

In your first post you said:
ISP (WAN) ---> pfSense ---> PC

I don't see any mention of the USG. Why do you have both???

swust

@jknott

no no, i never use them together. for the purpose of testing out pfsense, it's always been WAN >> pfsense >> PC

I only mentioned USG in my last edited post to show that using USG doesn't replicate the same issue as pfsense.

viragomann

@swust said in New install, no internet access, but can ping IP address:

My ISP seems to have specific DNS address that I need to use otherwise nothing works.

I'd kick the ISP in his...
and move to another one.

ISP ... Internet Service Provider
So he should provide Internet, not restrict it in any way as his pleases. You pay for it.

swust

@viragomann

unfortunately I live in Indonesia. we have censorship here, and restricting DNS is one of the way they use to do this. too bad, but I don't really have a choice :)

I'm still a bit confused though why now it works because I did try enabling DNS forwarder before (and disabling Resolver) and it didn't work! the only difference now is I inputted the "approved" DNS server addresses from my ISP for a while before deleting them and now somehow everything work like magic.

viragomann

@swust said in New install, no internet access, but can ping IP address:

unfortunately I live in Indonesia. we have censorship here, and restricting DNS is one of the way they use to do this. too bad, but I don't really have a choice :)

I see. That's deplorable.

the only difference now is I inputted the "approved" DNS server addresses from my ISP for a while before deleting them and now somehow everything work like magic.

Did you restart the DNS forwarder after that?

stephenw10

Yeah pretty awful. Have you tried using DNS-over-TLS? Though I imagine they filter that too.

https://docs.netgate.com/pfsense/en/latest/recipes/dns-over-tls.html

Steve

swust

@viragomann

yes I restarted. works fine, i guess because now the ISP Modem is the DNS server, and it defaulted to the approved standard ISP DNS.

swust

@stephenw10

I will try next. i'm new to pfsense, so will slowly setup as I go. thank you for all the inputs.