New installation of 2.2.6 (also tried beta 2.3) no internet, but ping works
-
Resolver/Unbound is very early and fast up during (re)boot, that's to say when your WAN is not connected yet (MoDem, PPPoE, etc.) Then you experience no DNS. So you have to restart Resolver/Unbound.
-
Another thing that confuses me is that when I click on save to save a change, most times it takes 1-2 minutes to update a setting.
I did a factory reset now and turned on DNS Query Forwarding. I also enabled "Do not use the DNS Forwarder as a DNS server for the firewall". And now it works.
But is this normal?
-
no its not normal, resolver should work out of the box unless there is something in your connectivity that blocks dns to the public internet. Resolver needs to be able to talk to all the roots and tlds and any and all authoritative name servers for whatever domain your looking for.. If you have something that blocks this then yeah the resolver is going to fail.
In such case you need to fix that connectivity, or use forwarder mode to some dns that your allowed to talk to that can resolve for you. Out of the box pfsense should only talk to itself for name resolution, which will then either use resolver or forwarder mode how you have configured it and be able to resolve records you have setup in pfsense.
To be honest the only dns you should see in pfsense is pointing to 127.0.0.1, this is all that should be required in a normal setup using the resolver (unbound)
-
Exactly. I have used pfSense for years and not seen this before. I have to wait until tomorrow to talk to a colleague about the line here. Will get back.
Probably a result of the same problems - I am gettting "Unable to check for updates" in the dashboard.
-
Yeah I would assume so too if pfsense can not resolve shit, it wouldn't be able to check for updates either ;)
-
Got confirmation today that it is not possible to use any other DNS than the two on campus. External DNS'es are blocked - or rather, the port is blocked. Which should be fine, I guess.
Will this impact pfSense in any way?
Also, have you seen this thread? https://forum.pfsense.org/index.php?topic=109179.0
Looks very similar to what I am experiencing.
-
well if all you can use is your dns on your network, then yeah resolver would not be an option for you… You would have to forward to these dns servers you can get to resolve for you.
-
So, anything in particular I should turn on or off?
Also, how do I get the update to work in an environment like this?
-
Update works fine like that, you just need to point pfsense itself to its own forwarder. I personally would just turn off the resolver and enable the forwarder dnsmasq its forwarding features are better than unbound because it can be set to send to all of them and use the fastest response.
-
The firewall is now fully up and running. Thank you very much johnpoz for your help!
We are using 2.3.1 now on this hardware:
https://www.supermicro.nl/products/system/1U/5018/SYS-5018A-FTN4.cfm
One thing that had me scratching my head for a while was that when I installed pfSense, things were working ok. Then I set up fixed IP and it did not work. My very silly mistake was that for some reason, /32 is standard when setting manual IP. After changing to /24 things were working again.
Also, as mentioned above, we had to use the campus DNS'es.
So far, things are working smooth. I also hope we can get a feed from our broadcast clock that is synced to GPS so our whole network will be completely in sync with the clocks on the walls. But that is a project for another day - as well as setting up a second firewall as redundancy.
-
As to the /32 - well it has to default to something. So it could be either a non viable option like select me I guess, or some other mask. What do you feel should be the default mask? /24 - while that might be common on a lan side interface, normally that wouldn't be correct for a static wan.. I would guess something smaller for a common public IP range.
When setting a static IP it would seem realistic to expect the person setting it to validate they are are indeed setting the correct mask for their use ;)
Glad you got it sorted.. I would assume you can query your campus ntp via unicast as well, and not just rely on broadcast. I don't see a way in the gui to select broadcastclient mode.. Guess it would always be viable to edit the ntp conf directly vs using the gui, but this is normally not a good idea. Such edits don't normally survive service restarts unless you edit the actual pfsense files that start and stop the services - which these do not survive updates to pfsense, etc.
Would seem odd they would only provide broadcast as a means of sync to ntp.
