Netgate Discussion Forum
    Can't ping any LAN hosts by host name

    • johnpoz LAYER 8 Global Moderator @RedBearAK

      @redbearak easier to just post a screen shot of your rules.

      But if you're saying your default rules are the default LAN any-any rule?

      And you don't have anything in floating?

      So are you saying you can lookup say google via nslookup pointing to your 10.3.9.1 address, just not local resources?

      If you change your server to 10.3.9.1 in nslookup and then ask for say www.google.com - that works?

      user@NewUC:~$ nslookup
      > server 192.168.2.253
      Default server: 192.168.2.253
      Address: 192.168.2.253#53
      > www.google.com
      Server:         192.168.2.253
      Address:        192.168.2.253#53
      
      Non-authoritative answer:
      Name:   www.google.com
      Address: 142.251.32.4
      Name:   www.google.com
      Address: 2607:f8b0:4009:81c::2004
      > 
      

      [attachment: lanrules.jpg]

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • RedBearAK @johnpoz

        @johnpoz

        Actually no, I noticed that if I requested public domains like www.google.com I got the same "connection refused". So... I guess the Linux host isn't really talking to 10.3.9.1 for DNS at all?

        I have four LAN ports bridged together, so here are the floating rules and the bridge/BR0 and LAN1 rules. There's nothing on LAN2/3/4.

        [attachments: rules_floating.png, rules_br0.png, rules_bridge.png, rules_lan1.png]

        • johnpoz LAYER 8 Global Moderator @RedBearAK

          @redbearak said in Can't ping any LAN hosts by host name:

          I got the same "connection refused". So... I guess the Linux host isn't really talking to 10.3.9.1 for DNS at all?

          Then where is it getting DNS from?

          Your LAN rules there show no evaluations at all, those 0/0 B.

          And you have no bridge rules - so how is anything using pfsense to get to anywhere?

          Oh my bad - your rules are on br0.

          I would remove all that bridging nonsense - you mention you have a switch. Remove all the bridge stuff and just use 1 port on pfSense.


          • RedBearAK @johnpoz

            @johnpoz

            I'd much rather just make sure the bridge is actually working as intended. It's a 6-port fanless box with Intel i225v3 2.5GbE ports. Having three leftover 2.5GbE ports that will never be able to do anything seems like a huge waste. But if it's actually a problem I can follow the instructions in reverse and remove the bridge setup.

            The Linux laptop seems to just talk to itself (127.0.0.53) and then I guess it goes right to the external DNS servers. It's never seemed to be a problem. The response is very quick.

            nslookup www.google.com
            Server:		127.0.0.53
            Address:	127.0.0.53#53
            
            Non-authoritative answer:
            Name:	www.google.com
            Address: 74.125.199.147
            Name:	www.google.com
            Address: 74.125.199.103
            Name:	www.google.com
            Address: 74.125.199.105
            Name:	www.google.com
            Address: 74.125.199.106
            Name:	www.google.com
            Address: 74.125.199.99
            Name:	www.google.com
            Address: 74.125.199.104
            Name:	www.google.com
            Address: 2607:f8b0:400e:c09::68
            Name:	www.google.com
            Address: 2607:f8b0:400e:c09::69
            Name:	www.google.com
            Address: 2607:f8b0:400e:c09::93
            Name:	www.google.com
            Address: 2607:f8b0:400e:c09::6a
            

            On the other hand, the Mac mini definitely talks directly to the pfSense box IP for DNS. At least that's what the response from nslookup showed.

            None of this makes any sense to me. The LAN ports are bridged but there is still only a single LAN cable plugged in so far, going to a 16-port switch, and from the 16-port switch to another 8-port switch upstairs in the small office where the Mac mini is located. If the bridge was affecting anything it should also have the same effect on the Mac mini.

            • johnpoz LAYER 8 Global Moderator @RedBearAK

              @redbearak said in Can't ping any LAN hosts by host name:

              The LAN ports are bridged but there is still only a single LAN cable plugged

              Then why bridge anything?? Makes no sense to complicate your setup with a bridge..


              • johnpoz LAYER 8 Global Moderator @RedBearAK

                @redbearak said in Can't ping any LAN hosts by host name:

                it should also have the same effect on the Mac mini.

                Let's see your Mac mini do a directed query and look up local resources.


                • RedBearAK @johnpoz

                  @johnpoz

                  The point of the bridge is to potentially (in the future) use the extra LAN ports on the pfSense box to provide a 2.5GbE backbone to up to 4 different locations in the house with 2.5GbE switches, without needing yet another 2.5GbE switch at the location of the pfSense box, costing probably another $200.

                  Another point of the bridge is just to learn how to set up a bridge. And consumer routers pretty much all come with a few switch ports so the device is a bit more useful to home users on a budget. I just wanted to see if a pfSense box could do something similar. It can, and I haven't really seen any logical arguments online for why it's not a valid idea.

                  All the bridged ports do work as expected, and hand out DHCP leases from the BR0 virtual interface. I just haven't added any other direct connections yet while I'm making sure the basic routing stuff is actually working like I want.

                  The Mac mini has always shown that it was connecting to 10.3.9.1 when I used nslookup. I made it explicit with the server directive and I get the same instant response for the local domain hosts from the pfSense box.

                  And... That's a big clue. I think I just figured out my problem. Some of my hosts happen to be using individual VPN client software, for work purposes and privacy on public hotspots, and the Mac mini usually isn't connected to one. Of course the VPN client software typically automatically sets things up to bypass the ISP -- and usually the local -- DNS servers when you're connected to the VPN.

                  So there we go. I'll have to configure the VPN clients to use local DNS or find some other solution if I want to be able to ping/connect to the LAN hosts by name with the pfSense DNS resolver while still on the VPN.

                  Funny how this has never been an issue over the years when using the mDNS/Bonjour/zeroconf decentralized ".local" domain names. So I didn't think of the VPN software until now as a possible cause of the issue. No wonder it was working perfectly on one host but not others. There's actually nothing wrong with the pfSense box configuration. It's the hosts that are the problem.

                  Setting the VPN client software to use "Existing DNS" solves the issue, but is a definite blow to basic privacy if used like that outside my home network. I hesitate to try and put the whole network on a VPN because most of the VPN services I've tried tend to cause streaming services to throw a fit and demand that you disconnect from the VPN, even when I make sure it's on a US server.

                  The only way I can think of to bypass that kind of issue is setting up a custom VPN on Linode or something, and making sure it has a US IP address. But with how testy the streaming services are getting these days if you're using any kind of proxy it wouldn't surprise me if they are already blocking or planning to block all IP blocks connected with hosting companies like Linode.

                  Thanks for the feedback in trying to figure out the source of the problem. PEBKAC, as usual, right? 🤷

                  Only remaining problem is I still can't ping the pfSense box itself by its configured hostname, even from within the pfSense UI or SSH. So that's pretty weird. It's not even giving me the invalid 10.10.10.1 address anymore.

                  But since Avahi is installed, I can connect to it from LAN hosts with "pfSense.local". Except from within itself. It's at that hostname according to the rest of the network, but internally it has no idea that it's at that hostname. 🤷 🤷

                  Can't solve every mystery all at once, I guess.
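As an added example (not code from this thread, from pfSense or from any poster), here is a small Python parser for the nslookup output format quoted above, together with the test johnpoz asked for: compare a default lookup of a LAN name with one directed at the pfSense resolver, so a resolver problem can be told apart from a client that bypasses the resolver (as the VPN clients did here). The hostname macmini.home.arpa, the 10.3.9.20 answer and both sample outputs are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class LookupResult:
    server: Optional[str] = None                       # resolver nslookup actually asked
    answers: List[str] = field(default_factory=list)   # A/AAAA records returned
    error: Optional[str] = None                        # failure line, if any

def parse_nslookup(text: str) -> LookupResult:
    """Parse nslookup's human-readable output (the shape quoted in this thread)."""
    result = LookupResult()
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Server:\s*(\S+)", line)
        if m:
            result.server = m.group(1)
        elif line.startswith(";;") or "can't find" in line:
            result.error = line
        else:
            # Answer lines look like 'Address: 10.3.9.20'; the resolver's own
            # 'Address: 10.3.9.1#53' line carries a port suffix and is skipped.
            m = re.match(r"Address:\s*([0-9a-fA-F.:]+)$", line)
            if m:
                result.answers.append(m.group(1))
    return result

def diagnose(default_out: str, directed_out: str, resolver_ip: str) -> str:
    """Does a LAN name resolve the usual way, and when asked straight at pfSense?"""
    default = parse_nslookup(default_out)
    directed = parse_nslookup(directed_out)
    if not directed.answers:
        return "resolver-problem"   # pfSense itself cannot answer: check Unbound/host overrides
    if default.answers:
        return "ok"                 # both paths work; nothing to fix
    if default.server == resolver_ip:
        return "inconsistent"       # same resolver, different result: rerun, check caching
    return "client-bypass"          # host asks something else (VPN DNS, stub forwarding upstream)

# Constructed samples in the format nslookup printed in this thread.
DEFAULT_LAN_FAILS = (
    "Server:\t\t127.0.0.53\nAddress:\t127.0.0.53#53\n\n"
    "** server can't find macmini.home.arpa: REFUSED\n"
)
DIRECTED_LAN_OK = (
    "Server:\t\t10.3.9.1\nAddress:\t10.3.9.1#53\n\n"
    "Name:\tmacmini.home.arpa\nAddress: 10.3.9.20\n"
)
```

Run `nslookup <lanhost>` and `nslookup <lanhost> 10.3.9.1` on the affected host, feed both outputs to `diagnose`, and a `client-bypass` result points at the host's DNS configuration (VPN client, stub resolver) rather than at pfSense.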

                  • rcoleman-netgate Netgate @RedBearAK

                    @redbearak said in Can't ping any LAN hosts by host name:

                    The point of the bridge is to potentially (in the future) use the extra LAN ports on the pfSense box to provide a 2.5GbE backbone to up to 4 different locations in the house with 2.5GbE switches, without needing yet another 2.5GbE switch at the location of the pfSense box, costing probably another $200.

                    Bridging in BSD should be used in a very sparing, limited function. It's not a switch, it's a router. You're asking it to switch packets -- that's what we have switches for.

                    In my experience bridging on pfSense is best done in very limited, very short-term, and very last-resort scenarios.

                    Ryan
                    Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
                    Requesting firmware for your Netgate device? https://go.netgate.com
                    Switching: Mikrotik, Netgear, Extreme
                    Wireless: Aruba, Ubiquiti

                    • RedBearAK @rcoleman-netgate

                      @rcoleman-netgate

                      I see. I suppose that means consumer routers actually have hardware switch chips running the LAN ports and connecting the switch to the "router" part.

                      Are we talking about stability issues if pfSense is asked to handle multiple 2.5GbE LAN-to-LAN streams on the bridge, even without any additional filtering rules? It's an Intel N5105 with 16GB of RAM and all Intel NICs. I was assuming BSD on this hardware would have enough juice and stability that the lack of hardware switching wouldn't really be an issue, at least for a home network. BSD has long had a reputation of being very efficient at handling high network traffic. Especially with Intel NICs.

                      It's only using a tiny fraction (2-4%) of the available memory and CPU so far. But that's on a low-bandwidth ADSL connection.

                      If bridging is really something BSD can't do reliably, I'll have to think about removing the bridge, or at least just not using more than the one LAN port. But all the discussions I've seen online just basically say that it will take up CPU resources and a switch will be more efficient at the job. Which, well, of course.

                      • Patch @RedBearAK

                        @rcoleman-netgate said in Can't ping any LAN hosts by host name:

                        Bridging in BSD should be used in a very sparing, limited function. It's not a switch, it's a router.

                        @redbearak said in Can't ping any LAN hosts by host name:

                        If bridging is really something BSD can't do reliably,

                        If you really wanted bridging on your hardware you could run a hypervisor such as Proxmox, which does support bridging via the underlying Linux. pfSense can then be run in a VM.

                        A Linux bridge emulates a switch (not a hub by default) but may still be inferior to a dedicated switch. The complexity of running a hypervisor just to create a switch is likely to be a poor use of your time.

                        I run pfSense under Proxmox but pass through the NICs used by pfSense to optimise pfSense function and minimise the exposure surface; however, many others use VirtIO.
