New install, no internet access, but can ping IP address
-
@jknott said in New install, no internet access, but can ping IP address:
I don't know why a fresh install doesn't work for you
I think this Initial Setup Wizard page is misleading :
The text in the documentation is far more clear :
The IP address of the Primary DNS Server and Secondary DNS Server, if known.
These DNS servers may be left blank if the DNS Resolver will remain active using its default settings. The default configuration has the DNS Resolver active in resolver mode (not forwarding mode), when set this way, the DNS Resolver does not need forwarding DNS servers as it will communicate directly with Root DNS servers and other authoritative DNS servers. To force the firewall to use these configured DNS servers, enable forwarding mode in the DNS Resolver or use the DNS Forwarder.
The option to make it work 'no matter what' is : leave the two fields as they are : leave them empty.
I see far to many videos that say : "You have to enter two DNS IP's here". That's clearly wrong. You don't. If we had to do so, Netgate would have pre entered 8.8.8.8 and 4.4.4.4 - or any other known 'public' resolver, already.
Guess what : they didn't - because none is needed.The "DNS Server Override" should also be unchecked.
(don't if that is default, or if it is checked)
These days, DNS info that come over from the upstream DHCP server should be ignored.
This could be our ISP router (WAN IP is RFC1918), and in that case the DNS forwarder in the ISP box will chain to some ISP DNS (or your ISP sells your DNS traffic directly to '8.8.8.8', which will surely reduce their peering costs).There is just ONE possibility that the default pfSense setting won't work : that is if the ISP intercepts / blocks / does something with DNS requests. None needs to be explained for what to do next : say goodbye to your ISP.
-
OK I think I found the problems.
My ISP seems to have specific DNS address that I need to use otherwise nothing works.
Once I put those DNS server addresses under System > General Setup, disable DNS Resolver and enable DNS Forwarder, things works fine. I then deleted these DNS servers from System > General Setup and things still bizarrely work fine (DNS Server Override checked). My FireTV also can access internet now. nslookup show that DNS query is handled by pfsense (192.168.1.1)
Now the DNS servers on my dashboard show 127.0.0.1 and my ISP Modem IP address. (192.168.18.1)
I will leave these for a couple of days, and perhaps will try reset pfsense to default and try setup again to see if I can replicate the problem and solve the issue if it comes up again before putting it in service permanently.
This setup also solve my issue with slow webgui loading, now everything is smooth.
I guess my next question is, anything I can do to address the issue re: specific DNS servers from my ISP (not many other options in the market to be honest) or any worry on using DNS Forwarder rather than DNS Resolver?
Thank you.
-
WTF???
Why didn't you mention that USG before???In your first post you said:
ISP (WAN) ---> pfSense ---> PCI don't see any mention of the USG. Why do you have both???
-
no no, i never use them together. for the purpose of testing out pfsense, it's always been WAN >> pfsense >> PC
I only mentioned USG in my last edited post to show that using USG doesn't replicate the same issue as pfsense.
-
@swust said in New install, no internet access, but can ping IP address:
My ISP seems to have specific DNS address that I need to use otherwise nothing works.
I'd kick the ISP in his...
and move to another one.ISP ... Internet Service Provider
So he should provide Internet, not restrict it in any way as his pleases. You pay for it. -
unfortunately I live in Indonesia. we have censorship here, and restricting DNS is one of the way they use to do this. too bad, but I don't really have a choice :)
I'm still a bit confused though why now it works because I did try enabling DNS forwarder before (and disabling Resolver) and it didn't work! the only difference now is I inputted the "approved" DNS server addresses from my ISP for a while before deleting them and now somehow everything work like magic.
-
@swust said in New install, no internet access, but can ping IP address:
unfortunately I live in Indonesia. we have censorship here, and restricting DNS is one of the way they use to do this. too bad, but I don't really have a choice :)
I see. That's deplorable.
the only difference now is I inputted the "approved" DNS server addresses from my ISP for a while before deleting them and now somehow everything work like magic.
Did you restart the DNS forwarder after that?
-
Yeah pretty awful. Have you tried using DNS-over-TLS? Though I imagine they filter that too.
https://docs.netgate.com/pfsense/en/latest/recipes/dns-over-tls.html
Steve
-
yes I restarted. works fine, i guess because now the ISP Modem is the DNS server, and it defaulted to the approved standard ISP DNS.
-
I will try next. i'm new to pfsense, so will slowly setup as I go. thank you for all the inputs.
