Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    DNS Forwarder on one of two Subnet in an multilan scenario is not working

    Scheduled Pinned Locked Moved DHCP and DNS
    4 Posts 2 Posters 1.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • G
      g_savini
      last edited by

      Sorry my english. There is an strange behavior with DNS Forwarder in an scenario with two LAN and 2 WAN. I googled the problem with no answer.
      The subnetwork on LAN1 interface can surf internet and can resolve DNS queries without problems, but clients on second LAN2 can't. I believe  the problem is the DNS Forwarder.

      From LAN2 client i can ping to the google DNS host "8.8.8.8" but if i try to do an nslookup to www.google.com the answer an ip address of my Access Point.

      My hardware are confgured just like that:

      PfSense 2.1.5 amd64.

      LAN Interfase:
      Realtek PCI 10/100 Ethernet NIC
      IP: 192.168.0.3/24
      Conected to switch

      WIFI Interfase:
      Realtek PCI 10/100 Ethernet NIC
      IP: 192.168.2.1/24
      Connected directly to an Access Point Tp-Link TL-WN901nd (ip: 192.168.2.2) (doubt here, may be the cause the problem?)

      WAN1 and WAN2:
      PPOE clients
      Dynamic IP

      DHCP Server on WIFI Interface
      Range: 192.168.2.100 - 192.168.2.200
      Domain Name: syscomputacion.com.ar

      No statics entries.

      DHCP Server on LAN interfase.
      Range: 192.168.0.100 - 192.168.0.200
      Domain Name: None or syscomputacion.com.ar
      No statics entries.

      Firewall rules on WIFI interfase:

      | Action | Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description |
      | block | * | Reserved/not assigned by IANA | * | * | * | * | * | * | Block bogon networks |
      | Pass | IPV4 UDP | WIFI net | 53(DNS) | 192.168.2.1 | 53(DNS) | * | none | | WIFI -> DNS |
      | Pass | IPv4* | WIFI net | * | * | * | MultiWan | none | | WIFI -> Internet |

      The following tests was made on a Windows 7 client on WIFI subnet connected via wireless:

      IP Address on Client (Assigned by DHCP): 192.168.2.100
      Domain Sufix: syscomputacion.com.ar
      Netmask 255.255.255.0
      DHCP Server: 192.168.2.1
      DNS Server: 192.168.2.1

      Ping Test:

      Ping 192.168.0.3 (pfsense) ok.
      Ping 8.8.8.8 (google DNS), ok.
      Ping 192.168.2.1 (Pfsense) ok.

      nslookup www.google.com

      • server: 1.2.168.192.in-addr.arpa
      • Address: 192.168.2.1
        Non Authoritative Answer:
      • Name: www.google.com.syscomputacion.com.ar (???????) If i remove Domain Name from DHCP server in WIFI Interface syscomputacion.com.ar is not appended after google.com, i don't know why this happens.
      • Address: 192.168.2.2 (the ip of Access Point). WHY why?

      I also tried modify the rule on port 53 to point 192.168.0.3 with no result.
      Viewing the firewall log i don't found  queries on port 53 blocked.

      Can anybody help me?.
      Thanks.

      1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        That is your nslookup appending your configured domain name to its query.  nslookup is stupid.

        If you don't want that to happen, append a trailing period to your domain name:

        nslookup www.google.com.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • DerelictD
          Derelict LAYER 8 Netgate
          last edited by

          And do yourself a favor and make your pass rules for DNS UDP and TCP for port 53, not just UDP.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          1 Reply Last reply Reply Quote 0
          • G
            g_savini
            last edited by

            Thanks, i solved the problem.
            No DNS Forwarder problem o firewall rules mistake. It was an Access point TL-WA901ND V3 bug. I connected WIFI interfase and AP both to the same switch, then connect the client to the wired lan, all worked fine with the original configuration. So i discovered that the problem was an Access point bug.

            Googled some issues with this AP and DNS and found this

            "I got the DNS issue fixed only if I run the AP as DHCP Client. With a static IP (and yes still without default Gateway) any DNS request replies with the static IP address of the AP."

            So i changed  the fixed IP on the AP to a Dynamic IP and all worked fine on the wireless clients.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.