Can ping & traceroute 'pfsense.mydomain.me' but can't access in browser as URL (times out)

johnpoz

@phantom99 said in Can ping & traceroute 'pfsense.mydomain.me' but can't access in browser as URL (times out):

I tried setting internal DNS in Browser, and added internal firewall IP to DNS list for Operating System Network settings.

huh??

What dns does your device this browser is running point to??

If it points to pfsense for dns.. All that is a simple host override.. For example..

If it points to some other dns on your network, you would have to create the record there.

phantom99

Like this?
Network settings for the Device running the browser

Host override in DNS resolver

Thx

johnpoz

@phantom99 you should only have 1 dns in there.. Your pfsense IP... You have no control over which IP your dns client will ask.. What if it asks 8.8.8.8? What is the point of adding multiple entries for other IPs on pfsense? If unbound is down, it would be down on all of them, etc.

phantom99

Removed all but 10.1.20.10 DNS to no avail.
(And now being past the boundary of my knowledge, a troubleshooting guess)...
I removed reference to the WANs Gateway. Internet access was understandably not available, but URL access still didn't work. Also noticed I had listen on ports 53/853 in Resolver, so made them blank.
Still no access.

johnpoz

@phantom99 does your client resolve the fqdn

Lets see a simple nslookup on your device your trying to access it with..

this is first thing to check, if unbound on pfsense is not handing out the IP for the fqdn you want to use - then its never going to work..

phantom99

Here are some nslookup results.

10.1.20.10
Server: 10.1.20.10
Address: 10.1.20.10#53

10.20.1.10.in-addr.arpa name = pfsense.mydomain.me.

10.1.20.10
Server: 10.1.20.10
Address: 10.1.20.10#53

10.20.1.10.in-addr.arpa name = pfsense.mydomain.me.

google.com
Server: 10.1.20.10
Address: 10.1.20.10#53

Non-authoritative answer:
Name: google.com
Address: 172.217.167.78

pfsense.mydomain.me
Server: 10.1.20.10
Address: 10.1.20.10#53

Name: pfsense.mydomain.me
Address: 10.1.10.10
Name: pfsense.mydomain.me
Address: 10.1.20.10

I don't understand this line:
10.20.1.10.in-addr.arpa name = pfsense.mydomain.me.

johnpoz

@phantom99 said in Can ping & traceroute 'pfsense.mydomain.me' but can't access in browser as URL (times out):

10.20.1.10.in-addr.arpa name = pfsense.mydomain.me.

that is the PTR.. Ie when you look up a IP what is the reverse name set..

what are you using? what command are you actually typing? When you do a nslookup it will do a PTR query for the IP of the dns your pointing too.

That you don't get an answer to that PTR and you get this

Server: 10.1.20.10
Address: 10.1.20.10#53

Something is messed up.. It should return pfsense name via the PTR, is that not pfsense LAN IP?

phantom99

I just typed in fqdn or LAN ip at the nslookup prompt. (Forgive my lack of expertise here)
When I get a minute I will lookup what commands I should use.

I have multiple LANS:
10.10 (1st physical i/f )
20.10 (2nd physical i/f )
+3 more

I have been setting manual ip on the device accessing the 20.10 LAN as I don’t seem to be able to get from device/ browser to 10.10 I/F even when I set device ip to match i.e. 10.1.10.xx. So i have been accessing via 20.10 and it’s why i set the resolver override to 10.1.20.10.

phantom99

pfsense.au61.au -type=ptr
Server: 10.1.20.10
Address: 10.1.20.10#53

Name: pfsense.mydomain.me
Address: 10.1.10.10
Name: pfsense.mydomain.me
Address: 10.1.20.10

johnpoz

@phantom99 said in Can ping & traceroute 'pfsense.mydomain.me' but can't access in browser as URL (times out):

I have multiple LANS:

what is the iP of the one called LAN.. this is pfsense IP address for any PTR lookup

pfsense.au61.au -type=ptr

That is not a valid ptr lookup.. PTR lookup would be look like this

253.9.168.192.in-addr.arpa.

look at the sniff of what happens when I do a nslookup

$ nslookup www.google.com
Server:  sg4860.home.arpa
Address:  192.168.9.253

Non-authoritative answer:
Name:    www.google.com
Address:  172.217.0.164

phantom99

Sorry for lack of response to previous....
Once you had commented that something was messed up, I decided to do a clean (re-)install from 2.7.2 img and hopefully stop wasting your time and mine.

All I have done so far is:

• changed LAN IP and GUI port
• In advanced, I have added Alternative hostnames of pfsense.home.arpa and pfsense.mydomain.me
• Installed ACME
• DNS resolver is enabled
• DNS Override: pfsense home.arpa 10.1.10.10
• No custom Firewall rules yet/ No NAT entries except Standard 2x WAN Auto rules

Current NSLOOKUP response (still returns server as IP only)
pfsense.home.arpa -type=ptr
Server: 10.1.10.10
Address: 10.1.10.10#53

Name: pfsense.home.arpa
Address: 10.1.10.10

I know this is not an interactive tutorial, but... before I attempt creating SSL cert with ACME/LE is there anything in particular I should setup?

Just to CONFIRM.... are the following assumptions and outcomes correct:

• Change default pfsense.home.arpa hostname to pfsense.mydomain.me
• Assume mydomain.me is held at external registrar
• Create CNAME record pfsense.mydomain.me at external registrar where domain is held.
• Do not assign a public IP A record to mydomain.me (or should I say not necessary if external access not required)
• Create an ACME/LE certificate for pfsense.mydomain.me.
• Configure new certificate under: System | Advanced | Admin Access | SSL/TLS certificate

I should then be able access from the LAN: pfsense.mydomain.me, despite not having a public IP in an A record.

Thank you for your time and attention to this issue.

Basic Architecture FYI:

johnpoz

@phantom99 said in Can ping & traceroute 'pfsense.mydomain.me' but can't access in browser as URL (times out):

DNS Override: pfsense home.arpa 10.1.10.10

it wouldn't be DNS override - it would be HOST override..

Any host override would provide a PTR..

What actual nslookup are you using - does it not do a ptr for the IP your set to your dns? windows nslookup always do this - but maybe your linux client doesn't?

That could be red herring.. What you should be able to do is do a query for your host override does it return your IP you set, does it do a ptr when you query for it?

Gertjan

@phantom99

Is this modern networking or just plain wrong :

johnpoz

@Gertjan hahaha - I took that is he was just rying to obfuscate his actual IP space.. if rfc1918 never understand that.. but prob something like rfc1918.10.10/24 and rfc1918.20.10/24 for his other interface.. And was just wanting to show he has multiple networks.. Sure hope that switch is vlan capable and setup correctly.

phantom99

I have replicated all the same steps and seem to get the same responses except for the very first one where the nslookup server is IP not domain.

Here is where server is IP only

Using same dummy Host override (IP is not in the LAN range)

dig on "any" host override.

Right - I never did answer that question, sorry about that. I am using NSLOOKUP in interactive mode via Terminal on MAC OSX v12

I believe the above screenshots answer the final questions:

@johnpoz said in Can ping & traceroute 'pfsense.mydomain.me' but can't access in browser as URL (times out):

query for your host override does it return your IP you set

The "any" Host override is returned from dig pfsense.mydomain.me as 10.1.10.1 (not a valid LAN address - proving it came from override settings)

@johnpoz said in Can ping & traceroute 'pfsense.mydomain.me' but can't access in browser as URL (times out):

does it do a ptr when you query for it?

dig -x 10.1.10.1 returns PTR pfsense.mydomain.me

---

And now for the embarrassing answers:
YOU: it wouldn't be DNS override - it would be HOST override..
ME: My bad. Wrong terminology.

@Gertjan said in Can ping & traceroute 'pfsense.mydomain.me' but can't access in browser as URL (times out):

Is this modern networking or just plain wrong :

There's two parts to this:

1. Yes it was kind of obfuscation, but more so trying to simplify the diag; as I'd previously disclosed the first half anyway. Admittedly never added the /24.
2. The second part is my true moment of stupidity. Two LAN connections going to the same switch. (In my part defense I only had DHCP on LAN, and I manually set my my client IP to match LAN not OPT1 and there were no other clients on either LAN interface yet.) Haven't got into VLANs yet, so the stupidity would have kicked in had I proceeded with trying to get that to work. Thanks @Gertjan for bringing this to the surface.

Revised diag. ;)

johnpoz

@phantom99 well it seems your nslookup just isn't doing a ptr for the IP you have set, but that is something on the nslookup client..

I rarely use nslookup to be honest, I am a dig guy.. but many windows machines I might be on don't have dig installed, like my personal machines. And they always do a ptr out of the gate.

So that was just red herring it seems, my bad - but clearly your A and PTR queries are returning your setting for that record - so what is not working exactly?

phantom99

I can't seem to address pfsense machine using FQDN or Hostname, only IP.
Mainly, I wanted to be able to establish a secure connection by using a FQDN/SSL connection without browser warnings.
Despite having established a cert with ACME/LE I can't address with a cert/FQDN.

The SSL cert almost seem to become secondary to the problem that I can only address pfsense with IP address and not by hostname (or FQDN).

(Hope of stated all this clearly and correctly.)

I keep thinking I am missing something really basic.

Am I right in thinking I need to get hostname addressing working and then subsequently create a cert to enable SSL/FQDN?

johnpoz

@phantom99 and that screams your browser is not using your dns, ie its using doh.. Because clearly your OS just doing a query for that resomves it to the ip

So from you cmd line on your os when you do a ping pfsense.home.arpa it comes back with that IP right.

phantom99

@johnpoz Yup.

phantom@MAC-client ~ % ping pfsense.home.arpa
PING pfsense.home.arpa (192.168.10.10): 56 data bytes
64 bytes from 192.168.10.10: icmp_seq=0 ttl=64 time=0.431 ms
64 bytes from 192.168.10.10: icmp_seq=1 ttl=64 time=0.580 ms

And yet...
Through DHCP: DNS server is set to LAN
Search domain: home.arpa

********** STOP PRESS ***************
You have solved this!!

OM*G - After a clean install, I somehow knew there was something basic at the heart of this. Of course it takes knowledge and expertise to narrow down on where the issue might lie.
And that is what you have done.
On top of that, you have had the patience and grace to stick this out and not fob me off, whilst undoubtedly doing the same for many others.
I am most grateful.

I now can access (firstly using hostname), and now also FQDN.
Without security warnigns of course. ;)

I suspect there was something else I had clutzed that started this entire thread....prior to the clean re-build , but again it was your help that guided me to the right place.

After your definitive statement that it was Browser not using pfsense DNS, I found I could access using hostname on others browsers - Safari, Chrome, but had been using Brave. Somehwere down the line I suspect I had followed a tip on Privacy of DNS searches and changed Braves security/DNS settings to use OpenDNS. (Embarrassed. )

For completeness I am posting the Brave setting.
Thanks again, @johnpoz you are a legend and DNS God. <Nows, tips hat and swirls hand in a manner fit to introduce a King>

Finally, I hope this is not considered a waste of your time. You have taught me quite a bit along the way

johnpoz

@phantom99 just glad you got it sorted.. I could talk for hours and hours about dns ;)