New to pfSense: DNS seems not to be working
-
Hi,
thx for your response.
I have problems understanding what you want to say with the following text from a wording perspective.
So you are behind a NAT so did you forward whatever you want to allow get to pfsense wan on that device to pfsense wan IP of 192.168.2.20?? Until you do then no you're not getting to pfsense wan from the internet no matter how many rules you create in pfsense.
Yes, I am behind a NAT. I did not make any special entries/rules on my NAT / Router device for pfSense. PfSense is configured with a static IP within the subnet of my "private WAN" / the network of the other router. I also tried DHCP configuration for pfSense on WAN side, but that made no difference.
I have no clue how my router from the ISP works in detail - should work like every "cheap" and stupid router on the market. So I changed pfSense from resolver to DNS forwarder (just enabled the option, no other changes).
Unfortunately the problem has not changed:
- I am able to ping external IP addresses (completely outside of my private networks)
- I am not able to ping external webpages (based on their address), no content in the "ping output box"
- I am able to execute traceroute only on external IP addresses, not on webpages
- DNS Lookup has a query time for pfsense itself (127.0.0.1) but no response from all other servers
I tried to enter additional DNS servers (System: General Setup). 8.8.8.8 (with my gateway of 192.168.2.1) and 8.8.4.4 without gateway. I am not sure if I have to define a gateway for external DNS servers, so I tried both. In addition there is also my "local" DNS defined: 192.168.2.1 (DNS of my ISP router)
-
-
update:
I disabled the firewall with: "pfctl -d" and I got responses from the DNS Lookup within pfSense and was able to access pfSense from WAN side. I was not able to open any website within the pfsense network :(
After enabling the firewall again with "pfctl -e" it was the same behaviour as before.
-
Dude I have no idea what you have done.. This really is clickity clickity out of the box working..
Do a simple freaking query on pfsense for dns lookup does this work? What did you point it to for dns if you setup wan as static? What does a dhcp client connected to your isp nat router get for dns? Use that!!
Well no shit if you turned off the firewall you would be able to get to the wan of pfsense since you don't have the firewall running. Out of the box pfsense blocks ALL inbound connections – so what do you want to access you would have to allow it and forward it on your isp router.
Installing pfsense accepting defaults is a working setup.. dhcp on wan.. Connect a dhcp client to your lan and it should work, even behind a NAT as long as the network that is your wan is not the default pfsense network of 192.168.1.0/24
"DNS Lookup has a query time for pfsense itself (127.0.0.1) but no response from all other servers"
Are you forwarding or resolving? Where are you forwarding to? Just redo pfsense select all the defaults and you should be up and running in 30 seconds!
You keep saying dns is not working.. But have given no details or example of it not working.. Please post screen shot of what you have setup in your forwarder and what pfsense reports for a dns query.
-
Dude I have no idea what you have done.. This really is clickity clickity out of the box working..
That is what I hoped and expected. I do not understand what is going wrong on my side. I re-installed already multiple times, but the problem still exists.
Do a simple freaking query on pfsense for dns lookup does this work? What did you point it to for dns if you setup wan as static? What does a dhcp client connected to your isp nat router get for dns? Use that!!
My ISP router is providing 192.168.2.1 as a DNS value to the clients. I entered this address also in pfSense. Please see attached screenshot.
Well no shit if you turned off the firewall you would be able to get to the wan of pfsense since you don't have the firewall running. Out of the box pfsense blocks ALL inbound connections – so what do you want to access you would have to allow it and forward it on your isp router.
Even if I have disabled the "block private networks" option on the WAN device? I added a pfSense WAN Firewall rule: source any; destination any; pass (so: allow everything on wan device from any to any) but this is not solving the problem.
Installing pfsense accepting defaults is a working setup.. dhcp on wan.. Connect a dhcp client to your lan and it should work, even behind a NAT as long as the network that is your wan is not the default pfsense network of 192.168.1.0/24
I tried it. Network (ISP Router) is 192.168.2.0/24
"DNS Lookup has a query time for pfsense itself (127.0.0.1) but no response from all other servers"
Are you forwarding or resolving? Where are you forwarding to? Just redo pfsense select all the defaults and you should be up and running in 30 seconds!
I changed from resolver to forwarder as recommended by you.
You keep saying dns is not working.. But have given no details or example of it not working.. Please post screen shot of what you have setup in your forwarder and what pfsense reports for a dns query.
Please see attached screenshots.
Thx for your support and time you are investing here.
![DNS Lookup.jpg](/public/imported_attachments/1/DNS Lookup.jpg)
![dns forwarder.jpg](/public/imported_attachments/1/dns forwarder.jpg)
![dns resolver sys log.jpg](/public/imported_attachments/1/dns resolver sys log.jpg)
-
Well your router in front of pfsense is not answering queries.. And pfsense can not do queries outbound. So to me it can not talk to your router even.
So leave your wan as dhcp.. And let it get an IP from your router.. Do the same test. And then from pfsense diag can you ping your router? Can you ping 8.8.8.8 ??
What does your router get for dns.. It's quite possible your isp only wants you to use them as dns??
Also what is the make and model of this isp device in front of pfsense?
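The check being asked for here, as an added example that is not part of the original thread: a successful ping only proves ICMP reachability, so this sends one real UDP query to port 53 of each server and reports which of them answer. The server list and the name google.com are taken from the thread; the function names and the fixed transaction ID are assumptions of this sketch, which needs Python 3 on a host placed where pfSense's WAN sits.

```python
import socket
import struct

# Servers named in the thread: pfSense itself, the ISP router, Google DNS.
SERVERS = ["127.0.0.1", "192.168.2.1", "8.8.8.8"]

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, txid=0x1234):
    """Build a minimal DNS query for an A record (recursion desired)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def classify(reply, txid=0x1234):
    """Turn a raw reply (or None for a timeout) into a one-line verdict."""
    if reply is None:
        return "no response (query or reply dropped, or no DNS service there)"
    if len(reply) < 12:
        return "malformed reply"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", reply[:12])
    if rid != txid or not flags & 0x8000:
        return "unexpected packet (ID mismatch or not a response)"
    rcode = RCODES.get(flags & 0x000F, "rcode %d" % (flags & 0x000F))
    return "%s, %d answer record(s)" % (rcode, ancount)


def probe(server, name="google.com", timeout=3.0):
    """Send one UDP query to server:53 and classify what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name), (server, 53))
            reply, _addr = sock.recvfrom(512)
        except OSError:  # covers timeouts and unreachable errors
            reply = None
    return classify(reply)


if __name__ == "__main__":
    for server in SERVERS:
        print("%-12s %s" % (server, probe(server)))
```

A server that answers ping but shows "no response" here is reachable at the IP level while its DNS service, or the UDP/53 path to it, is not working.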
-
Hi,
I attached the requested screenshots.
I can ping 8.8.8.8 and my router (192.168.2.1) from pfSense.
I already used other DNS servers for testing purposes from my network when I used IPFire.
My ISP Router is a Speedport W 921V from Deutsche Telekom (it is a re-named Arcadyan device).
KR
Itchy
![DNS Lookup2.jpg](/public/imported_attachments/1/DNS Lookup2.jpg)
![ping router.jpg](/public/imported_attachments/1/ping router.jpg)
![ping 8888.jpg](/public/imported_attachments/1/ping 8888.jpg)
![wan status.jpg](/public/imported_attachments/1/wan status.jpg)
-
OK, I think I have a solution now, but I do not really understand it. I changed the LAN and WAN device, and now my WAN is working fine and my LAN is not working any longer :(
-
I have nothing against debugging, but your superbroken setup would be best flushed down the drain. Just restart from scratch.
-
what??
How do you have your devices connected? Dude clearly your router 192.168.2.1 is not answering dns queries.. You can not query google.com from it.. So yeah that is broken.. Have you restarted that device? When you add 8.8.8.8 to your forwarders does that answer?
Here is how you should be setup
internet --- isp device --- 192.168.2.110 wan pfsense lan 192.168.1.1 --- 192.168.1.100 PC
With pfsense wan being directly connected to a port on your isp device and lan from pfsense going into a switch that your other devices are connected into.. Or your PC directly connected to the nic that is pfsense lan if you have no other devices..
-
Hi,
I am really really sorry that I was not able to respond earlier. I had to go on a business trip last week Monday (unplanned) and when I got home an excavator had destroyed the cable with my Internet connection - great weekend.
But now, back to our topic:
I tried the following scenarios:
- WAN connected to USB LAN Adapter; LAN connected to onboard interface.
- WAN connected to onboard interface; LAN connected to USB LAN Adapter.
- Scenario 2 and in addition a W-LAN device as OPT1.
My ISP router has the IP address 192.168.2.1 and the interfaces are connected in the right way.
In scenario 1 my router is not answering DNS queries. I cannot query google.com. I have added 8.8.8.8 to my forwarder but nothing has changed. No response. In scenario 2 (connected to pfSense from "WAN" side) and scenario 3, all problems (mentioned before) are sorted out. Only the LAN interface is not working.
My setup looks like this:
INTERNET --> ISP Router --> 192.168.2.110 WAN pfSense --> 192.168.1.100 PC behind PfSense
                        --> 192.168.2.125 Computer WAN
-
So when you use your onboard interface connected to your router.. It works from pfsense diag screen. using 192.168.2.1 as your dns.. Post this screenshot.
Now on your lan side using usb.. Your clients get dhcp from pfsense 192.168.1.x and they point to what for dns?? Pfsense 192.168.1.??
What are you using in pfsense, the resolver or the forwarder? By default resolver is used and pfsense tries to directly query root servers. So what are you using in pfsense for dns when you set up wan onboard, lan usb?
-
Hi,
Yes, when I use my onboard interface as WAN on PfSense I am able to ping 192.168.2.1.
When I use my USB LAN interface on PfSense the clients receive an IP address and the DNS entry points to pfsense (192.168.1.1).
I tried both on pfsense. Resolver and Forwarder, but it did not make any difference.
In the meantime I have additional information: my USB LAN device has an AX88772C chipset, which is not supported by FreeBSD. The last AX88772 version which is supported is AX88772B.
KR
Itchy2
-
Awesome. Perhaps use non-shitty supported HW.
-
I really don't get why anyone would use a usb nic for anything other than maybe an OLD school laptop that had no nic, or the lan onboard died, etc..
Why anyone would attempt to use a usb nic for any sort of router/firewall just makes no sense to me.. You have multiple pieces of hardware and you want to run special distro as your router/firewall - so clearly you're beyond the $20 soho router users. But you can not afford a $10 nic to put in your machine or for that matter some $100 hardware to run your pfsense on?
-
Hi,
I have a system with only one LAN interface. The system has a very low power consumption and is working very well. I decided to use it as a test platform for PfSense before I decide to buy a "bigger solution". Just wanted to check out if it fulfills my requirements.
KR
Itchy2
-
Hi,
I am still trying to get a usb lan dongle working - somehow. I bought a new one, which is definitely supported by FreeBSD (ASIX AX 88772). I am experiencing the same problem, but in the console I have a new message: arprequest: cannot find matching adress.
Does somebody have an idea?
-
Start a new thread since your current problem has nothing to do with your last one.
-
I'm not sure if there is a connection between those two topics or not.
-
"arprequest: cannot find matching adress."
For what address? Why don't you just get a REAL nic??
-