    MultiWAN DNS and rejecting issue on OPT1

Melphiz

      I get the same failure message by unbound, so it's the same bug to me.

      We have 1x ADSL and 2x LTE (one LTE is private and not over pfsense). I get these 145 IPs on each internet access for google (not always, sometimes only for .com) and I could ping them on ADSL (pfsense WAN) and LTE private (easy box LTE but having 8.8.8.8/8.8.4.4 as DNS) but since 2.2 not on OPT1 (LTE company) anymore.

doktornotor

No, it's not the same bug if you see this on 2.2.1, sorry. Maybe you have a screwed filesystem or something else. Definitely not the unbound 1.5.2 issue. If your user db is screwed, you indeed should do a clean reinstall.

        As for the rest - dude, fix your DNS so that it does not resolve Google to bullshit. Ping is totally irrelevant. Those IPs are NOT (let me repeat - NOT) pingable. They do NOT respond to ping. That is NOT your problem.

Melphiz

If I were able "to fix my DNS" I wouldn't have had to open this topic to begin with.

If my ISP messes up and gives me those IPs, ok w/e if google's working [and it's been at least a year now with this IP range]. But when pfsense now rejects access to google on OPT1 while it has worked since the first installation, I'm searching for a way to fix pfsense, not my DNS (which I can't if my ISP has its hand on it in the end).

doktornotor

Christ almighty. No, pfSense does NOT reject access to Google. There is NO Google on those BS IPs. There is pretty much nothing running on 145.253.36.110 - as you can check with some port scanner. Such as here. Ditto for 145.253.36.96.

Melphiz

              Yes, I understood there is no google on these IPs.

              But you are in no way a help. If my ISP sets these IPs / messes with my DNS even though I am using google DNS servers, then I don't care whose IPs they are.
              If my ISP sets 145* to access google on my side, then I can't do anything about it.

It's always been this way and also always been this way with pfsense and multi wan. And now OPT1 gets 145 as IP for google, gives it to the client but rejects it (ok, as there is nothing there, but why since 2.2? Before, it always worked the same as it does for WAN, which also gets 145).

              Yes, it's not google, it's Arcor/Vodafone, my ISP - I don't care, I just want pfsense to do this what it did in the past.

doktornotor

                Go complain to your ISP if they are hijacking your DNS… this issue has absolutely nothing to do with pfSense. OpenDNS has DNS servers on 5353, you might try those. You can specify those like

    server=208.67.222.222#5353

or

    server=208.67.220.220#5353

                in the DNS forwarder's advanced options.

                As a last resort, there are DNSCrypt servers on TCP/443.

Melphiz

                  So I deleted all DNS servers in general tab, added the line in DNS Forwarder advanced.

                  Restarted DNS Forwarder service, did ipconfig flushdns on client (and also booted a netbook for 2nd test fresh) and … still got 145.

                  The weird thing is: The Vodafone LTE router (which has google DNS server configured) gives

                  173.194.113.191

                  So I wonder if pfsense gets the 145 from WAN which is ADSL (so login at pfsense and router being bridge, while in LTE router is router and has set DNS servers) but uses it also for client queries on OPT1. (Well, idc if 145 is on WAN as there google is reachable. But if OPT1 does not do resolve via its set DNS server on OPT1 then I would need to get pfsense to not use default WAN for resolving on OPT1).

doktornotor

                    You have Outgoing Network Interfaces in DNS Resolver. Perhaps you could go and reinstall your box to get that working, no?

Melphiz

                      As I said: On 2.2 when DNS Resolver was working, I tried that already and it did not work.

                      btw. instead of installing dnscrypt on windows machines, I could also set google's dns servers instead of firewall, because (as was written already) that works.

doktornotor

                        @Melphiz:

                        I tried that already and it did not work.

                        You already tried WHAT?

                        @Melphiz:

                        I could also set google's dns servers instead of firewall, because (as was written already) that works.

                        If you call hijacked Google to be something that works, yeah, sure… have fun. I actually don't know what you are even describing, since this:

                        @Melphiz:

                        pfsense gives 145.253.36.88 as IP for google.de while using 8.8.8.8/8.8.4.4 as DNS on a PC (instead of pfsense)

                        makes absolutely no sense. pfSense gives NOTHING when you NOT using it at all as your DNS server on the clients.

To conclude this, your issue essentially seems to be that you are load balancing but the bullshit hijacked Google is NOT accessible from anywhere but from the network of the idiotic ISP who is hijacking that. So, when the traffic goes out via the sane ISP and tries to hit the hijacking idiots because it resolved to them, it gets blackholed.

                        I'd get rid of the moronic ISP and call it good riddance, if you ask me. Absolutely not acceptable behaviour, would not pay a cent for that.

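As an added example (not code from this thread, from pfSense or from dnsmasq), the two technical points above can be turned into a small check: the `server=IP#PORT` directive syntax suggested for the DNS Forwarder advanced options, and the multi-WAN failure mode just described, where one path's ISP resolver hands out an address in an unrelated block (145.253.36.x here) that is only reachable from that ISP's network. The function names, the sample answers per path and the "reference" answer are all constructed for the illustration; the addresses are the ones reported in the thread.

```python
# Added example, not from the thread or from pfSense/dnsmasq.
# parse_server_directive() validates a dnsmasq-style "server=IP#PORT" line;
# find_hijacked_paths() flags a resolution path whose answers for a name share
# no prefix with the answer from a resolver believed to bypass the ISP
# (e.g. OpenDNS on port 5353 or DNSCrypt), which is the pattern in this thread.
import ipaddress
import re

_SERVER_RE = re.compile(r"^server=(?P<host>[^#\s]+)(?:#(?P<port>\d{1,5}))?$")


def parse_server_directive(line: str) -> tuple[str, int]:
    """Parse one dnsmasq 'server=' line into (ip, port); port defaults to 53."""
    m = _SERVER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a server= directive: {line!r}")
    ip = str(ipaddress.ip_address(m.group("host")))  # rejects non-IP hosts
    port = int(m.group("port") or 53)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {line!r}")
    return ip, port


def is_valid_server_directive(line: str) -> bool:
    """True if the line is a syntactically valid server= directive."""
    try:
        parse_server_directive(line)
        return True
    except ValueError:
        return False


def _prefixes(addrs, prefixlen):
    # Collapse each address to its enclosing /prefixlen network.
    return {ipaddress.ip_network(f"{a}/{prefixlen}", strict=False) for a in addrs}


def find_hijacked_paths(answers: dict[str, set[str]], reference: set[str],
                        prefixlen: int = 24) -> dict[str, set[str]]:
    """
    answers maps a label for each resolution path (WAN, OPT1, ...) to the A
    records it returned for one name; reference is the answer from a resolver
    believed to bypass the ISP. Addresses are compared by /prefixlen so normal
    rotation inside a CDN's block is not flagged, while an answer in an
    unrelated block is. Returns the flagged paths with their answers.
    """
    ref_nets = _prefixes(reference, prefixlen)
    flagged = {}
    for label, addrs in answers.items():
        if addrs and _prefixes(addrs, prefixlen).isdisjoint(ref_nets):
            flagged[label] = set(addrs)
    return flagged


# Constructed sample modelled on the addresses reported in the thread.
SAMPLE_ANSWERS = {
    "WAN (ADSL, ISP resolver)": {"145.253.36.88"},
    "OPT1 (LTE, ISP resolver)": {"145.253.36.110"},
    "LTE router (8.8.8.8)": {"173.194.113.191"},
}
SAMPLE_REFERENCE = {"173.194.113.184"}  # constructed: answer via OpenDNS on 5353


def audit_sample() -> dict[str, set[str]]:
    """Run the hijack check over the constructed sample data."""
    return find_hijacked_paths(SAMPLE_ANSWERS, SAMPLE_REFERENCE)


if __name__ == "__main__":
    for line in ("server=208.67.222.222#5353", "server=208.67.220.220#5353"):
        print(line, "->", parse_server_directive(line))
    for path, addrs in audit_sample().items():
        print(f"{path}: {sorted(addrs)} does not match the reference prefix")
```

Run as a script it parses both directives from the thread and flags the WAN and OPT1 paths, while the path using 8.8.8.8 passes because its answer sits in the same /24 as the reference. Comparing by prefix rather than exact address is a deliberate choice: a large service rotates individual addresses between queries, and an exact-match check would report every path as divergent.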
Melphiz

                          I already tried using DNS Resolver in 2.2 with DNSSEC enabled, no forwarding, no DNS servers in general tab and using LAN/Localhost for network interfaces and WAN/OPT1 for outgoing interfaces.

But as I still got a rejected 145, I rolled back to 2.1.5; unfortunately, even with a configuration restore from that date, pfctl or so failed, so no internet was working at all even though all gateways could be pinged in apinger.
                          So that's why I manually updated to 2.2.1 and have the unbound bug as stated now in the other thread.

                          ANY-WAY.

For some reason I had 8.8.8.8 as DNS on wan and as monitoring IP, and 8.8.4.4 as DNS on opt1 and as monitoring IP. I now (which I forgot before) also replaced the google servers in the monitoring IP fields with the opendns servers.

                          I have no idea why, but now I get 173.194.113.184 on WAN and on OPT1 YAY (I hope it's the right IP range this time).

                          Let's just hope it stays that way.

I want to thank you for your patience and answers, I know I can be stubborn, persistent and hard to handle sometimes, especially when sitting 5 hours on a problem, being frustrated while just every man in the office expects to be able to google on monday again …

                          So, I don't know what time it is at your zone, but it's 9pm here and I'm finally going home and I wish you a nice, uhm rest time of the day (:D).

                          Thank you and (for me) good night =)

doktornotor

Have a nice weekend. And yeah, give them a call. (None of this madness would be possible if Google signed their DNS with DNSSEC.)

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.