[Solved] Whats wrong here?
-
Hi,
I'm new to pfSense. I'm trying to switch from Linux/IPTables, but the start is a little bit painful.
My pfSense machine has 4 NICs:
WAN - 192.168.3.0/24
LAN1 -192.168.14.0/24
LAN2 - 192.168.1.0/24
LAN3 - 192.168.2.0/24

In my network 192.168.14.0 I have DNS and some other servers and clients.
I want to make it possible for my internal DNS server to query the DNS servers of my ISP or any other DNS server. I created a rule for this. The FW log tells me all is OK, but my internal server can resolve external names (like www.google.com). If I shut down my pfSense box and start Linux, DNS queries work without any problems.
If I change the rule from protocol UDP to TCP/UDP I have the same problem. The DNS Resolver on the pfSense box is not activated. Any idea what's wrong here?
![Bildschirmfoto 2016-08-09 um 17.58.30.png](/public/imported_attachments/1/Bildschirmfoto 2016-08-09 um 17.58.30.png)
![Bildschirmfoto 2016-08-09 um 17.59.41.png](/public/imported_attachments/1/Bildschirmfoto 2016-08-09 um 17.59.41.png)
-
well looks like your wan is private.. So what is in front of pfsense? Maybe it's blocking your dns traffic?
-
In front is my DSL Modem.
If I shut down pfSense and start my old Linux/IPTables box (same hardware, same IP addresses) all works without any problems. If I activate the resolver on pfSense, I can resolve names on the pfSense box.
-
well why don't you sniff on pfsense wan and validate it sends the queries when your client sends them, if it does and you get no answer then problem is in front of pfsense. And then see what is different about the query when you resolve from pfsense..
Can your clients behind pfsense access internet.. Can they ping say pfsense gateway?
Did you mess with the default outbound nats or something? Did you put a gateway on any of your lan interfaces?
-
Now, I think it's a bug in pfSense.
I have done some tests and I can do "all" except ask an external DNS server from any client in my network. DNS queries work only if I use the pfSense box as DNS Resolver or Forwarder.
-
sure it's a bug.. WTF anytime people have something they think is not working it's a freaking bug..
Nonsense it's a bug, if it was a bug with dns resolution working through pfsense then there would be a lot more than you having issues.
Here

```
dig @8.8.8.8 www.google.com

; <<>> DiG 9.10.4-P2 <<>> @8.8.8.8 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5762
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 173 IN A 216.58.192.228

;; Query time: 15 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Aug 11 04:17:46 Central Daylight Time 2016
;; MSG SIZE rcvd: 59
```

I just queried a server outside pfsense.. No Bug!!!
Did you do the sniff that takes 2 seconds to do?? See attached me sniffing on wan, doing a query to external dns.. You see pfsense send it out its wan, you see an answer. Do you see anything go out??
Your query to 216.239.36.10, that is an authoritative name server for google.. It's not going to answer anything it's not authoritative for..
```
dig @216.239.36.10 pfsense.org

; <<>> DiG 9.10.4-P2 <<>> @216.239.36.10 pfsense.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 61865
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;pfsense.org. IN A

;; Query time: 46 msec
;; SERVER: 216.239.36.10#53(216.239.36.10)
;; WHEN: Thu Aug 11 04:25:26 Central Daylight Time 2016
;; MSG SIZE rcvd: 29
```

```
dig @216.239.36.10 google.com ns

; <<>> DiG 9.10.4-P2 <<>> @216.239.36.10 google.com ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25980
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;google.com. IN NS

;; ANSWER SECTION:
google.com. 345600 IN NS ns4.google.com.
google.com. 345600 IN NS ns1.google.com.
google.com. 345600 IN NS ns2.google.com.
google.com. 345600 IN NS ns3.google.com.

;; ADDITIONAL SECTION:
ns4.google.com. 345600 IN A 216.239.38.10
ns1.google.com. 345600 IN A 216.239.32.10
ns2.google.com. 345600 IN A 216.239.34.10
ns3.google.com. 345600 IN A 216.239.36.10

;; Query time: 39 msec
;; SERVER: 216.239.36.10#53(216.239.36.10)
;; WHEN: Thu Aug 11 04:27:06 Central Daylight Time 2016
;; MSG SIZE rcvd: 164
```
-
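Added example, not code from the thread or from pfSense: a small Python parser for the 12-byte DNS header that renders the flag bits the way dig's `;; flags:` line does and classifies a response the way the three dig results above are read. A recursive resolver (8.8.8.8) sets `ra` and answers for any name; an authoritative-only server leaves `ra` clear, answers with `aa` for its own zone, and returns REFUSED for a name it is not authoritative for. The three sample headers are constructed from the ID, flags and section counts visible in the dig output; they are not captured packets.

```python
import struct

# DNS header layout (RFC 1035 section 4.1.1):
#   ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT, each a 16-bit big-endian field.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_header(txid, qr=1, aa=0, tc=0, rd=1, ra=0, rcode=0, qd=1, an=0, ns=0, ar=0):
    """Pack a 12-byte DNS header. Used here only to construct sample responses
    for the example (no question/answer sections are appended)."""
    flags = (qr << 15) | (aa << 10) | (tc << 9) | (rd << 8) | (ra << 7) | (rcode & 0xF)
    return struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar)


def parse_header(msg):
    """Decode the header fields and flag bits of a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # response (1) or query (0)
        "aa": bool(flags & 0x0400),   # authoritative answer
        "tc": bool(flags & 0x0200),   # truncated (client should retry over TCP)
        "rd": bool(flags & 0x0100),   # recursion desired (set by the client)
        "ra": bool(flags & 0x0080),   # recursion available (set by the server)
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "counts": (qd, an, ns, ar),
    }


def dig_flags(h):
    """Render the flag bits in the order dig prints them, e.g. 'qr rd ra'."""
    return " ".join(f for f in ("qr", "aa", "tc", "rd", "ra") if h[f])


def classify(msg):
    """Explain a response the way the dig output in the thread is read."""
    h = parse_header(msg)
    if not h["qr"]:
        return "query, not a response"
    if h["ra"]:
        return "recursive resolver: answers for any name"
    if h["aa"]:
        return "authoritative answer for its own zone, recursion not available"
    if h["rcode"] == "REFUSED":
        return "refused: server offers no recursion and is not authoritative for the name"
    return f"no recursion available, rcode {h['rcode']}"


# Constructed samples mirroring the three dig results above (not captured packets).
GOOGLE_DNS_ANSWER = build_header(5762, ra=1, an=1, ar=1)          # flags: qr rd ra, NOERROR
AUTH_REFUSED = build_header(61865, rcode=5)                       # flags: qr rd, REFUSED
AUTH_NS_ANSWER = build_header(25980, aa=1, an=4, ar=4)            # flags: qr aa rd, NOERROR

if __name__ == "__main__":
    for name, sample in [("8.8.8.8 / www.google.com", GOOGLE_DNS_ANSWER),
                         ("ns3.google.com / pfsense.org", AUTH_REFUSED),
                         ("ns3.google.com / google.com NS", AUTH_NS_ANSWER)]:
        h = parse_header(sample)
        print(f"{name}: id {h['id']}, flags '{dig_flags(h)}', {h['rcode']} -> {classify(sample)}")
```

The same decoder applied to a sniffed reply on the pfSense WAN tells you in one glance whether the upstream you chose can actually serve recursive queries: `rd` without `ra` in the answer means the server was never going to resolve arbitrary names, whatever the firewall rule allows.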
> Nonsense it's a bug,

Yep, you are right.
I can resolve names with "dig" like you from my clients in the network (192.168.14.0). "dig @8.8.8.8 www.google.com" also works, but it does not work from my DNS/DHCP server. But my server is in the same network (192.168.14.0). And if I swap pfSense with the Linux Debian box, it works.
Yesterday I changed my DNS config. I registered pfSense as DNS forwarder. The DNS Forwarder is now running on pfSense and this point works.
But the next one does not :(. Again my DNS/DHCP server: on my pfSense box I started DHCP Relay, but the queries come to my DHCP server and it responds, but the answer never reaches the client.
-
Sure sounds like you have issues with this box more than anything.. Can it even ping the outside? Do you have a gateway setup on it? etc..
-
Hi,
here is a tcpdump with DHCP
XN0 is the interface with my DHCP Server, XN1 interface who is the client
DHCP relay is activated on the pfSense box.

```
myhack01:~ robert$ tcpdump -r XN0.tdump
reading from file XN0.tdump, link-type EN10MB (Ethernet)
12:34:10.223060 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
12:34:10.253801 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
12:34:11.944303 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
12:34:11.976186 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
12:34:14.531593 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
12:34:14.564944 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
12:34:19.066438 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
12:34:19.066732 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
12:34:20.698683 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
12:34:20.699012 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
12:34:23.158499 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
12:34:23.158782 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
12:34:27.562553 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
12:34:27.562797 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
12:34:35.772013 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
12:34:35.772310 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
12:34:36.636509 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from 90:b9:31:2a:44:a9 (oui Unknown), length 302
12:34:36.721868 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
12:34:38.582339 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from 90:b9:31:2a:44:a9 (oui Unknown), length 302
12:34:38.610976 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
12:34:40.754626 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from 90:b9:31:2a:44:a9 (oui Unknown), length 302
12:34:40.788885 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
12:34:44.735974 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
12:34:44.736288 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
12:34:48.966390 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from 90:b9:31:2a:44:a9 (oui Unknown), length 300
12:34:48.966685 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
12:34:53.530764 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
12:34:53.531083 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
```

```
myhack01:~ robert$ tcpdump -r XN1.tdump
reading from file XN1.tdump, link-type EN10MB (Ethernet)
12:31:26.037441 IP 0.0.0.0.bootpc > broadcasthost.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
12:31:27.820821 IP 0.0.0.0.bootpc > broadcasthost.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
12:31:30.155835 IP 0.0.0.0.bootpc > broadcasthost.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
12:31:34.462180 IP 0.0.0.0.bootpc > broadcasthost.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
12:31:35.472950 IP 0.0.0.0.bootpc > broadcasthost.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
12:31:38.056275 IP 0.0.0.0.bootpc > broadcasthost.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
12:31:42.180818 IP 0.0.0.0.bootpc > broadcasthost.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
12:31:50.803080 IP 0.0.0.0.bootpc > broadcasthost.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
12:31:58.925984 IP 0.0.0.0.bootpc > broadcasthost.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
12:32:07.710977 IP 0.0.0.0.bootpc > broadcasthost.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
```
-
how about you just post that cap file up so I can view it in wireshark.. Not sure what you're trying to show here??
Looks like some kind of wifi network involved there? openwlan?
What does that have to do with this linux box you want to use as dns/dhcp talking to the internet or other segments?
Looks like you get some sort of answer, but looks like it's going to the wrong place? how about you just show IP and not resolved names.. have no freaking idea what rjap.de is or openwlan.local - but guessing one of those is wireless? So did you sniff on pfsense what did it do with the answer.. Was that actually an offer? Maybe it was a NAK from your dhcp server because the client requested an invalid lease/ip ? Can not tell from the info given.. Actual pcap is much better, can see the MACs involved, the actual data in the dhcp, etc.
Why are you moving on to dhcp.. sounds like you didn't fix your dns issue. You just have your dns ask pfsense vs doing query all the way through.
-
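Added example, not part of the thread and not pfSense code: a Python parser for the BOOTP/DHCP summary lines that `tcpdump -r` prints, which pairs each Request with the Reply that follows it and compares the relay-facing capture (XN0) with the client-facing one (XN1). The sample lines are constructed in the shape of the dumps above and shortened; they are not the poster's capture files, and the hostnames in them are just copied from the thread. One caveat is built in as an assumption: with DHCP relay the server addresses its reply to the relay's giaddr, so a Reply sent to a different host than the Request came from is not by itself a fault, which is why raw IPs and the pcap itself are needed to tell an offer on its way back from one going astray. The finding that stands on its own is the client-side capture with requests and no replies at all.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the tcpdump output in the thread (shortened).
XN0_SAMPLE = """\
12:34:10.223060 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
12:34:10.253801 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
12:34:36.636509 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from 90:b9:31:2a:44:a9 (oui Unknown), length 302
12:34:36.721868 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
"""

XN1_SAMPLE = """\
12:31:26.037441 IP 0.0.0.0.bootpc > broadcasthost.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
12:31:27.820821 IP 0.0.0.0.bootpc > broadcasthost.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
"""

# One tcpdump summary line: timestamp, src.port > dst.port, Request/Reply, optional client MAC, length.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\S+)\.(?P<sport>bootp[sc]) > (?P<dst>\S+)\.(?P<dport>bootp[sc]): "
    r"BOOTP/DHCP, (?P<kind>Request|Reply)"
    r"(?: from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}))?.*length (?P<len>\d+)$"
)


def parse(text):
    """Turn tcpdump -r output into a list of dicts; non-matching lines (e.g. the
    'reading from file' banner) are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["len"] = int(d["len"])
            pkts.append(d)
    return pkts


def summarize(pkts):
    """Count requests/replies and pair each Reply with the oldest unanswered Request."""
    kinds = Counter(p["kind"] for p in pkts)
    pending = []   # requests not yet matched to a reply, in arrival order
    pairs = []     # (request, reply) tuples
    for p in pkts:
        if p["kind"] == "Request":
            pending.append(p)
        elif pending:
            pairs.append((pending.pop(0), p))
    return {
        "requests": kinds["Request"],
        "replies": kinds["Reply"],
        "unanswered": len(pending),
        # replies addressed to a host other than the one the request came from
        "reply_to_other_host": sum(1 for q, r in pairs if r["dst"] != q["src"]),
        "client_macs": sorted({p["mac"] for p in pkts if p.get("mac")}),
    }


def diagnose(relay_side, client_side):
    """Compare the relay-facing and client-facing captures (both tcpdump text)."""
    r = summarize(parse(relay_side))
    c = summarize(parse(client_side))
    findings = []
    if r["requests"] and r["replies"] == 0:
        findings.append("server never answered the relayed requests")
    if r["reply_to_other_host"]:
        # Assumption (RFC 2131 relay behaviour): the server answers to giaddr, the relay's
        # address on the client subnet, so this is only suspicious once raw IPs show the
        # destination is not a relay interface.
        findings.append(f"{r['reply_to_other_host']} replies went to a different address "
                        "than the request source; check with raw IPs whether that is the "
                        "relay's giaddr or somewhere else")
    if c["requests"] and c["replies"] == 0:
        findings.append("client segment saw requests but no replies: offers are not "
                        "reaching the client interface")
    return findings


if __name__ == "__main__":
    for f in diagnose(XN0_SAMPLE, XN1_SAMPLE):
        print("-", f)
```

Run it against `tcpdump -r XN0.tdump` and `tcpdump -r XN1.tdump` output (use `-n` so the parser sees addresses instead of PTR names, which also answers the "show IP and not resolved names" request above); the client-side "requests but no replies" finding is the one that points at the relay or the rules on the client-facing interface rather than at the DHCP server.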