upgraded to pfsense 2.8.0, WiFi devices report intermittent 'no internet access'

stephenw10

Nice. Yes that's a much better setup if you don't need them on the same subnet.

skubany2

A related question. As I moved to unbridged LAN and WiFi networks, I noticed that a device on WiFi interface can't reach a device on LAN interface using it's host name. Using IP works.

What do I need to change in my firewall to fix this? I assume DNS is not propagating correctly.

When the two networks were bridged, this was not an issue.

stephenw10

Hmm, by default both subnets would use the pfSense interface IP as the DNS server. The would be Unbound in pfSense and if LAN devices are registered there then they should resolve for both subnets.

First try resolving from the wifi client and see how it fails. Perhaps that device is using a hardcoded DNS server? Did you ever include firewall rules to redirect DNS?

skubany2

When the WiFi client is wired (cable) then it can access the other device via it's host name, because they're both on LAN at that point.

WiFi client is assigned DNS Servers by DHCP Server running on WiFi interface. I tried adding LAN's DNS Server as secondary entry under WiFi interface's DHCP Server but that did not change anything. I did notice at that point that WiFi client was showing two DNS Servers configured, instead of the usual one.

I did not explicitly set any DNS redirection firewall rules.

stephenw10

@skubany2 said in upgraded to pfsense 2.8.0, WiFi devices report intermittent 'no internet access':

I did notice at that point that WiFi client was showing two DNS Servers configured, instead of the usual one.

And they are both the pfSense interface addresses? Or are you using other DNS servers?

If you try to resolve one of these hosts on a wifi client what error do you see?

skubany2

@stephenw10 said in upgraded to pfsense 2.8.0, WiFi devices report intermittent 'no internet access':

And they are both the pfSense interface addresses?

Yes.

The issue is on my parent's network and they're far away from me. On my home network I have WiFi client running VNC Server so I'll use that for testing. Using VNC I can connect from LAN to WiFi client fine when using it's IP, but when I use it's host name VNC can't resolve the name.

While testing with VNC when I capture packets on the LAN interface I see LLMNR (Link-local Multicast Name Resolution) requests and NBNS (NetBIOS Name Service) requests for the host name but don't think they're being responded to by anyone. Nothing of interest on WiFi or WAN interfaces.

stephenw10

How are you testing? Try to dig at pfSense on each address directly like:

2.8.1-RELEASE][admin@cedev-2.stevew.lan]/root: dig @172.21.16.1 +short plusdev-2.stevew.lan
172.21.16.167
[2.8.1-RELEASE][admin@cedev-2.stevew.lan]/root: dig @192.168.126.1 +short plusdev-2.stevew.lan
172.21.16.167

One thing you might be seeing is the client device not sending the domain the in query automatically for servers outside the domain.

But both IP addresses should be able to resolve the FQDN. The are both the same server server and data.

skubany2

I've done some testing yesterday. Testing was largely about reaching shared folder on LAN client from WiFi client. I was testing host name vs IP.

I have to make sure that DNS queries are not blocked. In my configuration WiFi interface in general can only reach WAN, not LAN and I have many disabled rules that I activate (one at a time) when I need to reach a LAN client.

I noticed that turning off Windows firewall on the LAN client helped in allowing WiFi client to reach it but I think this was in the case of using IP. Host name still did not work. Windows firewall was never an issue but that is when I only had Win7 machines at home. Now that I have added Win11 to the mix they might not be playing nice with each other with default settings.

Adding secondary DNS (of the other interface) under each interface's DHCP Server may also be needed. I will also look at the DNS Resolver and Forwader to see if I need to change anything there.

I will be testing DNS (rules/settings) and Windows firewall settings while running packet capture. This will take a few days but I know what to focus on and will report back with my findings.

stephenw10

@skubany2 said in upgraded to pfsense 2.8.0, WiFi devices report intermittent 'no internet access':

I was testing host name vs IP.

Make sure you use the full hostname with the domain. Without that Windows will (probably) add it's own domain which may or may not be correct.

johnpoz

@skubany2 said in upgraded to pfsense 2.8.0, WiFi devices report intermittent 'no internet access':

Adding secondary DNS (of the other interface) under each interface's DHCP Server may also be needed.

Why would you think you would need to do that.. What would be the point of handing your clients 2 different IPs on pfsense? If pointing them to stuff other than pfsense. How would they resolve your local resources?

If pointing to 1 local (pfsense) and 2nd other outside dns like googledns or something you have no idea which one it might ask.. Such a setup is always asking for having a bad day at some point.

I capture packets on the LAN interface I see LLMNR (Link-local Multicast Name Resolution) requests and NBNS (NetBIOS Name Service) requests for the host name

That would only ever be able to resolve hosts on the same network as the guy asking for it.. Those would not resolve some host on some other network.

skubany2

@johnpoz
"secondary DNS"
Under LAN DHCP Server I would have the LAN IP as primary DNS (default) and WiFi IP as secondary DNS.
Under WiFi DHCP Server I would have the WiFi IP as primary DNS (default) and LAN IP as secondary DNS.

stephenw10

Yeah, there's really no point in doing that. You are just accessing the same server via two addresses it's listening on.