2 weeks still nothing.
-
I have resorted to posting here as I’m feeling dumb and like I know nothing, despite being at least fairly proficient with networks. I post here in the hope I can find the obviously simple solution to my problem(s?).
My intention (I’m sure someone will ask) is to route all dns to my own server which is currently configured and working on the rest of my admittedly small network. I want to connect wireless clients through the pfsense and redirect all dns to my own server. I originally wanted to route all traffic through pfsense however this cannot be done as almost all clients connect direct to my modem router and cannot be in range of pfsense.
From the top - pfsense setup was fighting me from the very start. I loaded it onto a stick, booted it and installed to a second usb. This was fine; the first problem was the installer insisted on 2 interfaces being set up. My problem is the device I was using only has one wired port and wireless - but of course how can you configure a wireless before setup? Anyway, my creative solution was to set up a vlan to trick the setup into allowing me to get to the console, where I could then enable the wireless. Once in the gui I removed the vlan after configuring the Wifi in ap mode. I then bridged the connections and tested, and immediately lost all connection to the device. I won’t bore you with specifics right now because I tried a lot of stuff and this is already a book.
The short version is currently any device connected to the wireless interface can access the internet but not the wired lan devices.
Also the firewall cannot ping any internet host, however enabling dhcp does allow this but still nothing directs the traffic to my dns server.
I have tried dns resolver, dns redirector, followed numerous tutorials etc. to get the traffic to the correct place, but nothing seems to work. In fact I don’t even know if the traffic is getting to it from pfsense.
I have pfsense wired to modem/router, I have dns server wired to router, I have dns set on the router to point at my dns server and have multiple wired devices directly connected to the modem/router.
Hope this covers everything but pretty sure it won’t. This has been the most difficult network job I have ever attempted.
Help, advice, suggestions etc will be answered and hopefully I can get to the bottom of the problem and maybe I might even learn a thing or two.
-
@pfsensenewbie1 Can you post a diagram?
It sounds like your wireless clients are in the pfSense WAN. Is pfSense providing NAT to its LAN? And the DNS server is on LAN?
If so you would need to get wireless clients to use pfSense's WAN IP for DNS, and make a NAT port forward to redirect port 53 (TCP and UDP) to your DNS server on LAN.
If wireless devices are already using the ISP router, what is the goal of using pfSense for the wired devices? We do set up pfSense behind an ISP all the time, but then set up an access point on the LAN side of pfSense.
-
@steveits hey thanks for replying. I should have been a bit more clear - this will be confusing. I had to configure pfsense wireless as the lan interface and configured the pfsense wan as the wired connection to my router - this is backward because I couldn’t make it work any other way but I’m just seeing that maybe this is part of the problem. I cannot use pfsense for the wired clients mainly due to lengths but also because the pfsense router only has a single Ethernet port.
I don’t know if NAT is forwarding; however, a NAT rule was set for the dns but I’m not sure it’s working.
Yes my dns server is on my lan same subnet as all devices. 192.168.1.x
I did try setting a rule for lan in pfsense but I think I need to look at it again. I’m definitely getting mixed up over wan being lan and lan being wireless.
I’ll try and get a diagram up but it’s technically quite simple - pfsense wired to modem/router and dns server wired to modem router also. Anything else connects wired to the modem router and is not really relevant at this point. Only need wireless clients connected to pfsense to be directed to the dns server and obviously have internet access.
-
@pfsensenewbie1 Can you use a site like https://lucid.app to put together a quick diagram?
-
@rcoleman-netgate I didn’t know such a thing existed. Will sign up and post when I have one.
-
@pfsensenewbie1 said in 2 weeks still nothing.:
pfsense wired to modem/router and dns server wired to modem router also
You mean a gateway then. And there would be nothing special to do with such a setup.
Out of the box pfsense lan rule is any any.. So if pfsense wan is 192.168.2/24 for example, and you have some device behind pfsense on say 192.168.1/24 it would by default be able to talk to anything on the 192.168.2 network.
-
@pfsensenewbie1 said in 2 weeks still nothing.:
Only need wireless clients connected to pfsense to be directed to the dns server and obviously have internet access
And these wireless are behind pfSense? Then you could set up pfSense to forward requests to your DNS server.
https://docs.netgate.com/pfsense/en/latest/services/dns/resolver-config.html
see the "DNS query forwarding" section. If this is to resolve a private domain there are also domain or host override settings.
Might be easier to get it functioning, then try to redirect DNS.
-
@johnpoz yes the modem router I suppose is acting as a gateway.
Have attached diagram.
The wan on pfsense is actually the lan in my network. Confusing I know.
-
@pfsensenewbie1 That simplifies it for me. :) Setting it to forward DNS to your DNS server IP should work.
-
@pfsensenewbie1 said in 2 weeks still nothing.:
Confusing I know.
no not at all.. And again - the default rules in pfsense would allow you to talk to anything on its wan, or anything beyond that - ie the internet
You talking to your dns server on pfsense "wan" is no different than you talking to say 8.8.8.8 for dns.
This would work out of the box for your wireless clients. Unless you were policy routing traffic out some vpn you setup on pfsense. Or you turned off the automatic outbound nat pfsense would be doing. Or you created rules on pfsense lan that prevented access.
Or you have overlapping networks on pfsense wan and its lan.
-
@steveits yep, precisely what I’m trying to do. Currently I cannot access the gui of pfsense from my lan but can access it through wireless devices. Pfsense cannot see the internet at all unless dhcp is used, and dns-resolver appears to not be working (or I did something wrong). I know I’m nearly there as wireless clients can get on the net, meaning the bridge is working and the firewall is forwarding; it’s just the small parts that are causing issues, mainly not having the gui from lan devices and pfsense not doing NAT for whatever reason.
-
@pfsensenewbie1 No you wouldn't be able to access pfsense gui on its "wan" address because out of the box nothing is allowed, and there is also the default block rfc1918 (source) into pfsense even if you create a rule to allow access on pfsense "wan"
If you point your wireless clients to your dns server - let's call it 192.168.10.100 - out of the box they would be able to talk to that server. So unless you did or are doing some of the things I mentioned before - your wireless client should have no issues talking to the IP address of your dns server. Now maybe your dns server's firewall is blocking? Seems unlikely because out of the box clients would be coming from the pfsense "wan" IP because of the automatic nat.
-
@johnpoz not sure tbh, that’s a lot to check and think about, but honestly I have been banging my head on a wall for too long. Anyway the pfsense cannot ping anything on the internet but can ping all devices on the lan, wired or wireless. If I enable dhcp this part changes but still the NAT doesn’t seem to be going to my server.
-
@pfsensenewbie1 pfsense "wan" that is plugged into your gateway should be set to dhcp - it would get an IP address from your gateway just like any other device on that network.
You just need to make sure the "lan" network does not overlap that. If your isp devices network is 192.168.1/24, then use 192.168.2/24 for devices on your pfsense "lan"
This works out of the box there is nothing for you to do for this to work.. Turn on pfsense, and this would work - as long as pfsense is actually getting an IP on your gateways network. And the pfsense lan network doesn't overlap that network.
-
@johnpoz hmmm, so to get gui access I either have to find a way to allow lan clients to access it or just use wireless. What about the dhcp issue, any ideas on that? I would prefer the IP to not change, hence I prefer static, but if pfsense can’t see the internet can I be sure the NAT is forwarding to my dns?
-
@pfsensenewbie1 what are you using for wireless behind pfsense - if you're trying to use the wireless of your "gateway" device - no, that is not going to work and is a complete mess.
-
@pfsensenewbie1 said in 2 weeks still nothing.:
can I be sure the Nat is forwarding to my dns?
You can set up pfsense to forward to your dns server, and clients behind it point to the pfsense lan IP for dns.. If that is what you want.
But you seem to be confused on what - what network is your gateway handing out, what network are you using? 192.168.0, .1. what?
What network is pfsense lan network? What is providing the wireless for devices behind pfsense?
-
@johnpoz yes, I had issues with dhcp not getting an ip, but it seems to randomly not work. Today I checked and dhcp had no ip on wan so I went to static - but perhaps this doesn’t matter as clients cannot get to the gui from lan anyway, as was mentioned. Hmmm. Ok, I’ll enable dhcp on wan and see if I can get access restored, but surely static should work also?
-
@pfsensenewbie1 said in 2 weeks still nothing.:
but perhaps this doesn’t matter
Not getting a dhcp address - the solution is not to go to static. Because if dhcp isn't working it points to a connectivity issue, so static is never going to work either. I would have looked into why pfsense wan doesn't get its dhcp address from your gateway.
And I have a funny feeling you're trying to leverage wifi off your gateway as pfsense lan.. Or you have overlapping IP ranges.
But your setup as drawn is clicky clicky workie workie with really nothing to do.. Other than making sure your pfsense wan and lan networks do not overlap.. And you're not trying to leverage your gateway wifi as pfsense lan network.
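The two conditions johnpoz keeps returning to (pfSense WAN and LAN must not overlap, and the DNS server sits on the WAN-side network where default outbound NAT and the default LAN allow-any rule already reach it) can be checked before touching the firewall. This is an added example, not code from the thread or from pfSense; the host addresses in it are constructed placeholders modelled on the 192.168.1.x network the poster describes.

```python
import ipaddress

# Constructed values modelled on the thread: the ISP gateway's network is
# 192.168.1.x and the DNS server is wired to that gateway. The specific host
# addresses are placeholders, not values from the thread.
PFSENSE_WAN = "192.168.1.20/24"     # pfSense "WAN" port, plugged into the gateway
DNS_SERVER = "192.168.1.50"         # DNS server on the gateway's network
PFSENSE_LAN_BAD = "192.168.1.1/24"  # LAN on the same range: overlaps the WAN
PFSENSE_LAN_OK = "192.168.2.1/24"   # LAN on a separate range, as johnpoz suggests


def check_addressing(wan_cidr: str, lan_cidr: str, dns_server: str) -> dict:
    """WAN and LAN networks must not overlap; the DNS server should be on
    the WAN side, where LAN clients reach it through automatic outbound NAT."""
    wan = ipaddress.ip_interface(wan_cidr)
    lan = ipaddress.ip_interface(lan_cidr)
    dns = ipaddress.ip_address(dns_server)
    return {
        "overlap": wan.network.overlaps(lan.network),
        "dns_on_wan_side": dns in wan.network,
        "dns_inside_lan": dns in lan.network,
    }


def suggest_lan(wan_cidr: str) -> str:
    """First 192.168.x.0/24 (starting at .2, as in johnpoz's example) that
    does not overlap the WAN network."""
    wan_net = ipaddress.ip_interface(wan_cidr).network
    for third_octet in range(2, 256):
        candidate = ipaddress.ip_network(f"192.168.{third_octet}.0/24")
        if not candidate.overlaps(wan_net):
            return str(candidate)
    raise ValueError("no free 192.168.x.0/24 found")


def findings(wan_cidr: str, lan_cidr: str, dns_server: str) -> list:
    """Turn the checks into the plain-language points made in the thread."""
    result = check_addressing(wan_cidr, lan_cidr, dns_server)
    notes = []
    if result["overlap"]:
        notes.append(f"WAN {wan_cidr} and LAN {lan_cidr} overlap; use e.g. "
                     f"{suggest_lan(wan_cidr)} for LAN")
    if result["dns_on_wan_side"]:
        notes.append(f"DNS server {dns_server} is on the WAN-side network; "
                     "reachable from LAN clients out of the box via outbound NAT")
    return notes


if __name__ == "__main__":
    for lan in (PFSENSE_LAN_BAD, PFSENSE_LAN_OK):
        print(lan, findings(PFSENSE_WAN, lan, DNS_SERVER))
```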
-
@johnpoz ok - so lan interface on pfsense must be on a different subnet? That’s one thing I didn’t do. Can wan interface be on same subnet as modem/router? My entire network is currently using 192.168.1.x.