Pfsense blocking all but pings to IP addresses

d4t4str34m

I am new to pfsense and am trying to set up a new firewall. I believe I have all my configurations over from my old firewall. I put pfsense in line replacing my old firewall and I cannot get any web traffic to come through.

I can ping by IP all the way through and can ping 4.2.2.2 but can't ping by name. I made sure that my dns numbers are correct and that port 53 is allowed on both interfaces to and from any but I still can't get any names through. When I look at the firewall logs it shows everything being blocked. I still have the default allow rules on the LAN interface.

I have pfsense taken out now and the old firewall back in so I can get on the net. Sorry for the brief post. Any help is appreciated.

deajan

Can you post a quick network schema + firewall rules ?

KOM

Yes, nobody can help you without seeing your LAN configuration and firewall rules.

borgotech

Your DNS Forwarder is enabled ?

KOM

Resolver is the default in 2.3, not Forwarder.  Resolver can also work as a forwarder if you check its checkbox.

d4t4str34m

Here are some notes that I took while poking around trying to figure something out:

Interface status on WAN
In out error 0/39
Collisions 2499

Pinging by name from firewall diagnostic but not from laptop.

What is the best way to get the lan and firewall rules configurations off the firewall and uploaded here?

johnpoz

simple screenshot..

example

d4t4str34m

Lol, easy enough. Should be attached below.

KOM

Those 5 rules you added are useless since all traffic is handled by the Default Allow LAN to Any rules at the bottom.  Nothing in your rules should be interfering with LAN traffic since they're all allow rules.  A default install of pfSense blocks all from WAN and blocks nothing from LAN, so your LAN clients should literally be able to do anything.  Can you post a screen of System - General Setup?

d4t4str34m

I want to lock it down so I will disable the default allow rule. I want to get it working first though before I mess around with that.

KOM

I want to lock it down so I will disable the default allow rule. I want to get it working first though before I mess around with that.

That's actually the opposite of how you should work on this.  Keep the default Allow All on LAN rules.  Get rid of your custom rules.  Get everything working that you need to get working, then start locking down if that's what you need to do.  Unless you're living with criminals, locking down LAN can be a real exercise in pain.

When I try those DNS servers you have listed, they both fail to resolve anything for me but this might be a security issue.  What happens if you replace them with 8.8.8.8, 8.8.4.4?  Are you using the pfSense DNS Resolver or Forwarder?

deajan

Yep, google dns (8.8.8.4 & 8.8.4.4) or opendns (208.67.222.123 & 208.67.220.123).
Also, affect those DNS to a gateway.

Connect to your pfSense box via ssh and try

nslookup www.google.com

What's the output ?

d4t4str34m

I have tried with DNS forwarder enabled and disabled. Results from nslookup using both sets of DNS numbers is below. I also used the ping utility on pfsense and that is below as well. It hits outside IP addresses fine but the only name it hit was google.com. Wouldn't get a reply from cnn.com. I have also attached a screenshot of some of my firewall log.

Server: 207.28.65.6
Address: 207.28.65.6#53

Non-authoritative answer:
Name: www.google.com
Address: 209.56.124.176
Name: www.google.com
Address: 209.56.124.166
Name: www.google.com
Address: 209.56.124.154
Name: www.google.com
Address: 209.56.124.177
Name: www.google.com
Address: 209.56.124.163
Name: www.google.com
Address: 209.56.124.170
Name: www.google.com
Address: 209.56.124.165
Name: www.google.com
Address: 209.56.124.144
Name: www.google.com
Address: 209.56.124.181
Name: www.google.com
Address: 209.56.124.148
Name: www.google.com
Address: 209.56.124.185
Name: www.google.com
Address: 209.56.124.152
Name: www.google.com
Address: 209.56.124.174
Name: www.google.com
Address: 209.56.124.187
Name: www.google.com
Address: 209.56.124.159
Name: www.google.com
Address: 209.56.124.155

Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: www.google.com
Address: 209.56.124.185
Name: www.google.com
Address: 209.56.124.155
Name: www.google.com
Address: 209.56.124.166
Name: www.google.com
Address: 209.56.124.165
Name: www.google.com
Address: 209.56.124.170
Name: www.google.com
Address: 209.56.124.177
Name: www.google.com
Address: 209.56.124.144
Name: www.google.com
Address: 209.56.124.148
Name: www.google.com
Address: 209.56.124.187
Name: www.google.com
Address: 209.56.124.174
Name: www.google.com
Address: 209.56.124.176
Name: www.google.com
Address: 209.56.124.159
Name: www.google.com
Address: 209.56.124.163
Name: www.google.com
Address: 209.56.124.154
Name: www.google.com
Address: 209.56.124.152
Name: www.google.com
Address: 209.56.124.181

PING google.com (209.56.124.159): 56 data bytes
64 bytes from 209.56.124.159: icmp_seq=0 ttl=61 time=8.028 ms
64 bytes from 209.56.124.159: icmp_seq=1 ttl=61 time=7.957 ms
64 bytes from 209.56.124.159: icmp_seq=2 ttl=61 time=8.001 ms

–- google.com ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 7.957/7.995/8.028/0.029 ms

PING cnn.com (157.166.226.26): 56 data bytes

--- cnn.com ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss

KOM

I was asking if you could replace your DNS servers in System - General Setup with the Google ones.

I have tried with DNS forwarder enabled and disabled.

pfSense has two built-in DNS services.  I was asking which one you are using.  You shouldn't use both simultaneously.  If you are using DNS Forwarder only and you turn it off then you have no DNS at all.

Here is what I would do:

• Disable DNS Forwarder.

• Enable DNS Resolver.

• Check the DNS Query Forwarding checkbox under Services - DNS Resolver - General settings.

• Replace your DNS servers under System - General Setup - DNS Server Settings with Google 8.8.8.8 and 8.8.4.4.

• Save & test.

johnpoz

is this pfsense virtual?

Your blocks are OUT of state blocks.. not blocking of syn packets..  Do you have asymmetrical routing issue.  How are you clients connect to pfsense.. And they use pfsense as their only gateway right??

d4t4str34m

Here is what I would do:
Disable DNS Forwarder.
Enable DNS Resolver.
Check the DNS Query Forwarding checkbox under Services - DNS Resolver - General settings.
Replace your DNS servers under System - General Setup - DNS Server Settings with Google 8.8.8.8 and 8.8.4.4.
Save & test.

Tried the DNS resolver and it didn't work. I have changed the dns numbers in the general setup and that didn't work.

is this pfsense virtual?

Your blocks are OUT of state blocks.. not blocking of syn packets..  Do you have asymmetrical routing issue.  How are you clients connect to pfsense.. And they use pfsense as their only gateway right??

It is the pfsense appliance. It is not virtual. The pfsense box is the only gateway. As soon as I unplug pfsense and hook up the old cipa firewall everything works. It has the dns numbers in it that I have given you.

d4t4str34m

For some reason when I plug my pfsense box in, it is doing something to my dns server. I have to manually put a dns address into client machine settings to get dns working and get them on the internet. Machines are getting ip settings properly from my dhcp server but the dns is not working. The dhcp and dns reside on the same server.

I just noticed that pfsense works as a dns fine if I put that in my dhcp server to hand out.

phil.davis

I just noticed that pfsense works as a dns fine if I put that in my dhcp server to hand out

Well then, pfSense is good.
If you have an internal DNS server, and the gateway address of your pfSense LAN side is not the same as the LAN side gateway address of the previous router, then you will have to tell that internal DNS server what is the new way to get to the internet (and thus to resolve external DNS). Once that is working, then your internal DHCP server should be able to give out the internal DNS server IP, and the internal DNS server will successfully lookup all names.

(I am guessing a bit about what exactly you have on your internal network and how it all talked before putting pfSense in place)

d4t4str34m

If you have an internal DNS server, and the gateway address of your pfSense LAN side is not the same as the LAN side gateway address of the previous router, then you will have to tell that internal DNS server what is the new way to get to the internet (and thus to resolve external DNS).

I have it all set up with the same addresses as the last firewall so nothing should have changed. I had a rule for tcp/udp port 53 open for all and I figured that would allow my internal DNS to get DNS info from the net. I disabled all my rules to try and figure out what the issue was. I will start re-enabling them tomorrow and see if I can figure out what is causing the problem.

d4t4str34m

So now the issue is my internal DNS server is not getting out. I can ping the IP of the firewall, LAN IP and WAN IP. I cannot ping the WAN gateway IP. I can from the other machines on the network. I cannot figure out why the Mac OD servers are having so many issues.