HELP: CANNOT BROWSE AFTER INSTALLING PFSENSE
-
I also had a look at the command window in pfSense inside VB, there's an error message: arprequest_internal: cannot find matching address
-
Ok, that seems good.
Can you ping 8.8.8.8 and/or google.com from Kicksecure?
-
Does it show the address that is failing in that arp error?
-
@stephenw10 No, if I ping them in Kicksecure (same browser used to access pfSense webgui but different tab) it doesn't work, it says it cannot contact the google.com server. I've tried also using Tor in Kicksecure, it doesn't resolve any address so it's not a browser-related issue. I also pinged 8.8.8.8 in Kicksecure's terminal window, it didn't work.
In pfSense webgui main window I can see the following DNS servers: 127.0.0.1, 10.0.0.243, 192.168.1.1, 8.8.8.8, 8.8.4.4
Moreover, in the same window the USER is admin@192.168.1.100 (Local Database), so I don't know if 192.168.1.100 is Kicksecure. Anyway, this address is the only one shown in DHCP Leases.
-
@stephenw10 It doesn't show the address that is failing in that arp error, just the error message I wrote in my previous post. Also, note that in pfSense command window inside VB I didn't set any option (Assign interfaces, Set interfaces IP address, etc.)
-
@TheWall2 said in HELP: CANNOT BROWSE AFTER INSTALLING PFSENSE:
No, if I ping them in Kicksecure (same browser used to access pfSense webgui but different tab) it doesn't work,
You can't run ping from a browser; you need to run that from a command prompt in Kicksecure. I've never run that so I can't help you directly, but since it's Linux based there will be a terminal of some sort.
@TheWall2 said in HELP: CANNOT BROWSE AFTER INSTALLING PFSENSE:
In pfSense webgui main window I can see the following DNS servers: 127.0.0.1, 10.0.0.243, 192.168.1.1, 8.8.8.8, 8.8.4.4
Ok, that's an anomaly, you should not see the LAN IP address as a DNS server.
Go to Status > Gateways. You should only see the VBox dhcp gateways shown there. The IPv4 gateway will be 10.0... It will probably also show an IPv6 gateway that is 'pending'
You should not see a gateway on LAN.
-
@stephenw10 I pinged 8.8.8.8 in Kicksecure's terminal window, it didn't work. Kicksecure is Linux Debian.
In Status > Gateways I see a WAN_DHCP 10.0.2.2, its status is Offline: Packetloss 100%
There's also a WAN_DHCP6 in pending status
Which is the LAN IP address? 127.0.0.1 or 192.168.1.1? How can I remove it from the DNS servers?
-
The LAN IP address is 192.168.1.1 by default.
Check the DNS servers listed in System > General Setup.
The WAN gateway, which is the VBox internal router, may not respond to ping. In that case you should either disable the monitoring or set a different monitoring IP.
In System > Routing > Gateways first check there are only WAN gateways present.
Then edit the WAN_DHCP gateway and set a new monitoring IP. For example use 8.8.8.8 or 1.1.1.1. The gateway should then show as up.
Go to Diag > Routes and make sure there is a default route and it's via the VBox gateway.
-
Can you ping your DNS?
-
@stephenw10 In System > General Setup the DNS Servers are 8.8.8.8 and 8.8.4.4 (I set them during the initial setup).
In System > Routing > Gateways there's a WAN_DHCP and a WAN_DHCP6.
I edited the WAN_DHCP gateway and set a new monitoring IP 8.8.8.8.
The gateway is now up.
In Diag > Routes there's a default gateway 10.0.2.2, Flag UGS, Uses 8, MTU 1500 and Interface em0. There are 7 more IPv4 Routes.
Also, in Diag > Routes do I need to enable "Resolve names" under Routing Table Display options?
FINAL RESULT: I still cannot reach any website in my Kicksecure browsers, except for Tor which works fine. I rebooted pfSense but I still cannot browse through Firefox in Kicksecure. I tried with Brave as well, same result. Should I change anything in the browser's network settings maybe? Tor is working and can reach any websites, I don't know why.
I went to Diag > Ping and pinged both 8.8.8.8 and google.com, it worked.
-
When you tested in Diag > DNS Lookup do you see all configured DNS servers responding?
If Torbrowser is working from the Kicksecure VM then it must have a route out. Pings to an external IP should also work?
-
@stephenw10 I entered 8.8.8.8 and google.com in Diag > DNS Lookup and this is the result:
- 127.0.0.1, 10.0.0.243 and 192.168.1.1 DNS servers responded
- 8.8.8.8 and 8.8.4.4 DNS servers didn't respond
I didn't change any settings in Tor nor in the other browsers, nevertheless Tor seems to have a route out. Any idea?
-
Tor doesn't rely on the system DNS servers.
But it still needs a valid route. Did you try to ping out from Kicksecure to an external IP as I asked? That should also work. Try 1.1.1.1 since you have added static routes for google's DNS servers.
Did Diag > DNS Lookup show valid responses for the query for the servers that did respond?
-
@stephenw10 I went to Diag > Ping and pinged 1.1.1.1, it worked. I'm not sure if this is what you asked me to do.
In Diag > DNS Lookup I made a DNS lookup for 1.1.1.1, it showed valid responses for the query for the 3 servers that did respond (query time 2 msec, 32 msec and 2 msec). 8.8.8.8 and 8.8.4.4 did not respond.
-
@stephenw10 said in HELP: CANNOT BROWSE AFTER INSTALLING PFSENSE:
Did you try to ping out from Kicksecure to an external IP as I asked?
Test pings from the Kicksecure VM, not from pfSense; we know it works from pfSense.
@TheWall2 said in HELP: CANNOT BROWSE AFTER INSTALLING PFSENSE:
In Diag > DNS Lookup I made a DNS lookup for 1.1.1.1,
You need to query an FQDN like google.com not an IP address.
-
@stephenw10 Sorry, I pinged now 1.1.1.1 from the terminal window of Kicksecure VM and it worked.
In Diag > DNS Lookup I made a DNS lookup for proton.me, it showed valid responses for the query for the 3 servers that did respond (query time 4 msec, 55 msec and 3 msec). 8.8.8.8 and 8.8.4.4 did not respond.
In Firefox's network settings the "Use system's proxy settings" option is selected, I've never changed it since Firefox has been installed.
-
Hmm, OK.
So why are 8.8.8.8 and 8.8.4.4 not responding? Though it shouldn't matter, because by default pfSense resolves directly with Unbound and passes that to clients to use. Did you enter a gateway for those DNS servers in System > General Setup?
However the actual problem here appears to be that the Kicksecure VM has no DNS. Which is odd because, as I say, pfSense will have passed it 192.168.1.1 to use for DNS.
Does Kicksecure use its own DNS or something weird?
Try to resolve something from a terminal there like:
steve@steve-NUC9i9QNX:~$ dig netgate.com

; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> netgate.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15033
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;netgate.com. IN A

;; ANSWER SECTION:
netgate.com. 2 IN A 199.60.103.104
netgate.com. 2 IN A 199.60.103.4

;; Query time: 8 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Fri May 10 17:06:58 BST 2024
;; MSG SIZE rcvd: 72
That's in Mint where (unfortunately) systemd caches everything locally so you can see 127.0.0.1 as the reported server.
-
@stephenw10 In System > General Setup I didn't enter any gateway since no default values have been modified.
I don't know if Kicksecure uses its own DNS. I know for sure that, when making updates to its packages, it connects through Tor.
I forgot to say that the host system runs a VPN and Kicksecure VM uses that VPN when it's in NAT mode. However now it's set to intnet.
I found this link:
https://www.kicksecure.com/wiki/DNS_Security#Browser_Tests
and in Kicksecure terminal window I entered "dig +multiline . DNSKEY", the result is:
; <<>> DiG 9.18.24-1-Debian <<>> +multiline . DNSKEY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51152
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;. IN DNSKEY
;; Query time: 0 msec
;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP)
;; WHEN: Fri May 10 16:19:20 UTC 2024
;; MSG SIZE rcvd: 28
I also tried entering "dig netgate.com", this is the result:
; <<>> DiG 9.18.24-1-Debian <<>> netgate.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2721
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;netgate.com. IN A
;; Query time: 4 msec
;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP)
;; WHEN: Fri May 10 16:39:46 UTC 2024
;; MSG SIZE rcvd: 40
I entered "dig +dnssec nic.cz @localhost" and this is the result:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
;; communications error to 127.0.0.1#53: connection refused
; <<>> DiG 9.18.24-1-Debian <<>> +dnssec nic.cz @localhost
;; global options: +cmd
;; no servers could be reached
-
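A small parser for the dig output exchanged in this thread, added here as an example (it is not from the thread, pfSense or Kicksecure), that classifies a reply the way the discussion does: no resolver reachable, resolver reached but SERVFAIL, or a usable answer. The sample replies are constructed to mirror the ones posted above.

```python
import re

# Constructed samples shaped like the dig 9.18 output posted in the thread.
SERVFAIL_FROM_PFSENSE = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2721
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;netgate.com. IN A
;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP)
"""
NOERROR_LOCAL_STUB = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15033
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
netgate.com. 2 IN A 199.60.103.104
netgate.com. 2 IN A 199.60.103.4
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
"""
NO_RESOLVER = ";; communications error to 127.0.0.1#53: connection refused\n;; no servers could be reached\n"

# Answer-section lines look like: "netgate.com. 2 IN A 199.60.103.104"
A_RECORD = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\S+)$", re.MULTILINE)

def parse_dig(text):
    """Extract the fields of a dig reply that matter for this diagnosis."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r"flags: ([a-z ]*);", text)
    answers = re.search(r"ANSWER: (\d+)", text)
    server = re.search(r"SERVER: ([^#\s]+)#", text)
    return {
        "status": status.group(1) if status else None,
        "flags": flags.group(1).split() if flags else [],
        "answers": int(answers.group(1)) if answers else 0,
        "server": server.group(1) if server else None,
        "a_records": [ip for _, ip in A_RECORD.findall(text)],
        "unreachable": "no servers could be reached" in text,
    }

def diagnose(info):
    """Map a parsed reply onto the three situations seen in the thread."""
    if info["unreachable"] or info["server"] is None:
        return "unreachable"        # nothing listening where the stub points
    if info["status"] == "SERVFAIL":
        return "resolver-failed"    # resolver reached but could not answer
    if info["status"] == "NOERROR" and info["answers"] > 0:
        return "ok"
    return "no-data"                # NXDOMAIN, empty answer, and so on
```

To use it on a live reply, feed `parse_dig` the stdout of `subprocess.run(["dig", "netgate.com"], capture_output=True, text=True)`.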
@TheWall2 said in HELP: CANNOT BROWSE AFTER INSTALLING PFSENSE:
https://www.kicksecure.com/wiki/DNS_Security#Browser_Tests
Oh so it's configured to use DNSSec by default?
Ok I would install Ubuntu in a new VM and test that first. Kicksecure has a bunch of features that are getting in the way and just confusing the testing.
I think in fact pfSense is working fine. Though it's unclear why 8.8.8.8/8.8.4.4 will not resolve.
-
@stephenw10 I will do it, thanks a lot for your patience and your help