    DNS requests issue

      johnpoz LAYER 8 Global Moderator

      Where are you pointing your clients to for dns?  Dns Forwarder is the common way to accomplish this.  But you're clearly behind another NAT.  pfSense should point to your 192.168.0.1 since you say that's your dns.

      Clients on the pfSense lan should point to the pfSense lan address of 192.168.4.1 for dns.  pfSense then asks 192.168.0.1, who then goes and asks whoever you set it up to ask.

      Did you turn off blocking private IP on the wan, since your wan in pfSense is clearly in private address space?

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        Layers

        Thank you for your fast response.

        I'm currently not blocking Private addresses. My client is pointing to 192.168.0.1 for DNS. Changing this to pfSense did not fix the issue, however since this is a test network for a bigger environment there will be a nameserver on the LAN. Sorry for not mentioning this.

        I have tried to configure DNS forwarding, however I was still unable to get pfSense to forward any requests.

          johnpoz LAYER 8 Global Moderator

          Dude this should work out of the box.. If your client can not query 192.168.0.1 for dns.. What are your lan rules?

          The default lan rule is any any.. So you clearly should be able to query any dns server past pfSense.

          example

          C:>dig @4.2.2.2 www.google.com

          ; <<>> DiG 9.10-P2 <<>> @4.2.2.2 www.google.com
          ; (1 server found)
          ;; global options: +cmd
          ;; Got answer:
          ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64299
          ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

          ;; OPT PSEUDOSECTION:
          ; EDNS: version: 0, flags:; udp: 4096
          ;; QUESTION SECTION:
          ;www.google.com.                        IN      A

          ;; ANSWER SECTION:
          www.google.com.        83      IN      A      74.125.225.49
          www.google.com.        83      IN      A      74.125.225.48
          www.google.com.        83      IN      A      74.125.225.52
          www.google.com.        83      IN      A      74.125.225.50
          www.google.com.        83      IN      A      74.125.225.51

          ;; Query time: 20 msec
          ;; SERVER: 4.2.2.2#53(4.2.2.2)
          ;; WHEN: Mon Jun 23 07:05:49 Central Daylight Time 2014
          ;; MSG SIZE  rcvd: 123

          Are you blocking dns at your lan rules?  What are your current lan rules?  Post them..  And your wan rules should be default..  There is no reason to edit any rules on the wan for dns to work.

          I would suggest you do a simple sniff to make sure the dns query left pfSense to where you sent it..  If you don't get an answer then you have a connectivity issue, where the server you're doing the query against doesn't answer your IP..  I have to assume you're natting your lan to your wan pfSense IP.  This is the default out of the box setup.


            Layers

            Here are my firewall rules, I have not set any floating rules.
            Please note that setting these rules is unsafe and is not encouraged.

            the screenshots of my firewall rules are here:
            http://i.imgur.com/R4erV1c.png
            http://i.imgur.com/cehbD36.png

            I have not changed any NAT settings because, as said, this should work out of the box.

            Connection issue would be weird because I can go to google based on the IP address, so I do know I have an internet connection.

              johnpoz LAYER 8 Global Moderator

              Well, your rule on your lan is the default, any any rule..  Your wan rule is BAD, and WRONG to do – the answers to pfSense or clients doing a query will be allowed by state.  Remove that rule.  But a point about rules on your wan..  You're behind a NAT, so those rules are pretty much useless unless you have put pfSense into the dmz on the device in front of it - or have forwarded traffic to the pfSense wan IP.

              So do a simple sniff..  Do your queries even leave pfSense?  Do you see the answer?

              example - hmm, not able to add images.  Let me add them remotely.

              Here you can see details in wireshark.


                Layers

                After doing a packet capture I have determined that pfSense does receive the requests.

                In order to see if pfSense actually forwards any requests I have switched the router with a wireshark equipped client.
                Wireshark did not capture any DNS related packets, I think this means pfSense is not doing anything with the packets.

                Which again is pretty confusing to me.

                Thanks for showing the packet capture diagnostic, I didn't even know pfSense had it.

                Packet capture:
                http://imgur.com/mmLyzQ1

                  johnpoz LAYER 8 Global Moderator

                  Where are you seeing an answer in that picture??  There are no responses to those queries..  Where is the capture on your wan interface of pfSense showing the response??  Like in my picture?

                  I see dns queries to 192.168.0.1 and 8.8.8.8 but no response, and since the IP is your client, you're not sniffing on the wan of pfSense (192.168.0.92).


                    Layers

                    I did sniff the wan, there was no response. After this I checked if 192.168.0.1 would actually get a request. Which it did not.

                    I did not include a picture of my WAN capture because it was empty. And no request was forwarded to 192.168.0.1 to return back to the WAN.

                      johnpoz LAYER 8 Global Moderator

                      Your wording is what is confusing - saying there is no response would mean the query went out but there was no "response" to your query.  You say pfSense "does receive the requests".  I would take that to mean you saw the answer come back from the dns server and hit the pfSense wan.

                      Dude, your problem is your firewall rule is NOT default or any any - it's TCP only..  DNS is mostly UDP, some tcp sure, with like a zone xfer, etc.  But your lan rule is only TCP..  This is not the default rule set, which is any any..  That is why nothing gets sent past pfSense for dns.

                      You have udp/tcp on the wan - but again that rule is pointless.  So I didn't catch that it was only tcp on the lan the first time..


                        Layers
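A client-side check of the point made in the post above, added here as an example that is not part of the thread: it sends the same DNS A query once over UDP and once over TCP (TCP DNS prefixes each message with a 2-byte length), so a LAN rule that passes only TCP shows up as UDP timing out while TCP gets an answer. The address 192.168.4.1 is the pfSense LAN address from the thread; the query name and the 2-second timeout are assumptions.

```python
import socket, struct

def build_query(name, txid=0x1234):
    """Build a minimal DNS A query (recursion desired) for name."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def response_summary(resp, txid):
    """Return (id matches, RCODE, answer count) from a DNS response header."""
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return rid == txid, flags & 0x000F, an

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed")
        buf += chunk
    return buf

def probe_udp(server, query, timeout=2.0):
    """Send the query over UDP/53; None on timeout (what a TCP-only rule causes)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, 53))
            return s.recv(4096)
        except OSError:
            return None

def probe_tcp(server, query, timeout=2.0):
    """Send the query over TCP/53 with the 2-byte length prefix DNS requires."""
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", recv_exact(s, 2))
            return recv_exact(s, length)
    except OSError:
        return None

def probe(server, name="www.google.com", txid=0x1234):
    """Report per transport: 'ok', 'timeout', or 'bad id' (unexpected answer)."""
    q, out = build_query(name, txid), {}
    for proto, fn in (("udp", probe_udp), ("tcp", probe_tcp)):
        r = fn(server, q)
        out[proto] = "timeout" if r is None else ("ok" if response_summary(r, txid)[0] else "bad id")
    return out
```

Run `probe("192.168.4.1")` from a client on the pfSense LAN; with the TCP-only rule from this thread the result is `{'udp': 'timeout', 'tcp': 'ok'}`, and after the fix both transports report `ok`.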

                        Well, now I feel stupid.

                        I was convinced my rule allowed both tcp and udp.
                        I have corrected this and it works now.

                        thanks for your help!

                          johnpoz LAYER 8 Global Moderator

                          No problem - sorry I missed it the first time I looked at the rules ;)
