Netgate Discussion Forum

Rookie question, how to get firewall to answer to its name

beremonavabi

In my case, I had to add the GUI port number to the end of the string: "http://firewall.home:445" (yours might be something else, like 80).

SG-4860, pfSense 2.4.5-RELEASE-p1 (amd64)
apara

It's more basic than that. The firewall.home is not being resolved. So, if I do a ping of firewall.home, I get: ping: cannot resolve firewall.home: Unknown host. So, the DNS is not resolving, plain and simple. Obviously, external DNS addresses resolve just fine as I am able to browse the external site.

The router is doing its job since I can use the router's DNS to reach it at http://gate. However, when the router does not know of firewall.home, it is supposed to send the request to DNS, just like for an external site. Here is where the pfSense DNS Resolver should figure it out and return 192.168.1.1.

But this is not happening, apparently.
apara

Ok, it's getting a bit more interesting.

If I execute dig to the firewall:

    dig @192.168.1.1 gate.home      (it works! the name resolves)
    dig @192.168.1.1 firewall.home  (it works! the name resolves)

However, if I execute dig to the router:

    dig @192.168.2.1 gate.home      (does not work), but just gate works fine
    dig @192.168.2.1 firewall.home  (does not work)

So, while pfSense has entries for itself and the single client (router) connecting on a LAN port, the router is not forwarding the request to pfSense when I try to resolve firewall.home? However, external host addresses seem to work just fine...
johnpoz LAYER 8 Global Moderator

> My router is running on 192.168.2.1 and is connected to the LAN port of the firewall.

Huh? So you have a wifi router behind pfSense doing NAT? Why??

Where is the internet in this setup? pfSense has a public IP on its WAN?

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.7.2, 24.11
apara

Right, so

    cable modem <---> (wan) pfSense (lan) <---> (wan) wireless router <---> (my network is here)
      (WAN)           (DNS Resolver/DHCP)       (DNSMasq/DHCP)              192.168.2.*
      (DHCP)              192.168.1.1              192.168.2.1
      Public IP

When network devices use DHCP to get their address, the router allows them to be accessed by their short name. Internet browsing works fine and public DNS resolves correctly. However, for some reason, I cannot see firewall.home (which is the name I gave to the pfSense machine).
johnpoz LAYER 8 Global Moderator

Why in the world would you do it that way?? Just use your wifi router as an AP.. What you're doing there makes ZERO sense.. Why would you double NAT?? No shit you're going to have DNS issues with that sort of setup..
apara

Thanks for your answer.

Perhaps I am not familiar enough with pfSense, or I am super paranoid that if an issue is indeed found with pfSense I would have another level of firewall available. Whatever the issue is, your answer does not quite explain why I would be having an issue with a single DNS resolution. And it's not multiple DNS issues, as external IP(s) and those registered to the router directly resolve just fine. It's a single DNS resolution of the firewall which does not quite work. I can get around it by just visiting http://192.168.1.1, but I was looking to find out what specifically makes it not work.

I understand that I can simply connect the router to the switch which is attached to the LAN port of the pfSense firewall; however, I wanted a slightly different configuration. It works fine, except for the minor DNS issue which I was trying to understand.
johnpoz LAYER 8 Global Moderator

Where is your router behind pfSense forwarding to for DNS? To pfSense for DNS? And you're looking up what FQDN?? firewall.home?

Does it actually forward that? Many a SOHO router's DNS is utter crap and intercepts specific stuff to send you to its own GUI, etc.

> However, if I execute dig to the router:
> dig @192.168.2.1 gate.home (does not work), but just gate works fine
> dig @192.168.2.1 firewall.home (does not work)

This tells you right here it's the router not forwarding what you asked it to pfSense for resolution.. Maybe it thinks it's .home, etc. Why not just have all your clients directly use pfSense for DNS?? You're asking your router, who just forwards to pfSense anyway, for zero reason!!
apara

The router is behind the pfSense, running a fairly recent version of DD-WRT with DNSMasq handling the DNS. It's also handing out DHCP addresses in the 192.168.2/32 network. The DHCP on the router gives out the address and registers the machine with DNSMasq so that I can reference machines by name.

    cable modem <---> (wan) pfSense (lan) <---> (wan) wireless router <---> (my network is here)
      (WAN)           (DNS Resolver/DHCP)       (DNSMasq/DHCP)              192.168.2./32
      (DHCP)              192.168.1/32             192.168.2/32
      Public IP

The router is configured to use 192.168.1.1 as its DNS; pfSense gets its DNS from the DHCP connection via the cable modem. When I access a local device connected to the router, the router is able to resolve the name and return the IP address in the 192.168.2/32 network of the device connected to it.

When I request a public name, such as pfsense.org, for example, the router forwards the request to pfSense which then does whatever it does to resolve the address.

However, and only in one case, when I try to resolve the name.domain of the firewall (which is currently set to firewall.home), the name is not getting resolved.

Sure, I can put my router into access point mode and just have the firewall do everything, but I am trying to get the configuration with a double firewall working in my case. It's not urgent or anything, it just bugs me that I cannot resolve the firewall by name. I can continue using 192.168.1.1 to address the firewall for the rest of the time; it's just irking me that I don't understand why it does not work.
johnpoz LAYER 8 Global Moderator

It doesn't work because it's not being forwarded.. So look to why DD-WRT is not forwarding it.

Clearly ask pfSense when you do your dig.. So that works, you showed that it did.. So when you ask your DD-WRT router.. It would forward it - does it get the answer? Sniff on pfSense.. It's quite possible DD-WRT is doing rebind protection.. It's asking its upstream DNS, and it returns RFC1918.. Which is normally a rebind attack..

pfSense will not return RFC1918 from upstream.. Neither the forwarder nor the resolver will do that unless you turn off rebind protection.

But what you're doing is just completely, utterly pointless!! What exactly do you think it's protecting you against, running a double NAT setup??
apara

The question "What exactly do you think it's protecting you against, running a double NAT setup??" is actually a good one. As I mentioned, I am not familiar with pfSense, so I don't know if I have it set up correctly or not.

Perhaps this following part belongs in the Firewall section; however, I don't have any rules which allow any connections to come in from outside. When I look at the firewall logs, I do see a lot of requests being dropped. That's good. However, when I look at the DD-WRT incoming log table, I also see some external IP(s) being dropped as well.

Here are the rules and the screenshot of the incoming log table from the router running DD-WRT. What I don't understand is that if the firewall is supposed to block any connection requests, why are things still getting to the router?

Perhaps this should now be in the Firewall section of the forum, but this explains my paranoia of having a "double-firewall" setup. I guess I just don't quite understand this stuff fully yet.

![Screen Shot 2017-05-13 at 2.20.34 PM.png](/public/imported_attachments/1/Screen Shot 2017-05-13 at 2.20.34 PM.png)
![Screen Shot 2017-05-13 at 2.21.09 PM.png](/public/imported_attachments/1/Screen Shot 2017-05-13 at 2.21.09 PM.png)
![Screen Shot 2017-05-13 at 2.21.37 PM.png](/public/imported_attachments/1/Screen Shot 2017-05-13 at 2.21.37 PM.png)
gjaltemba

If it is just the one entry, I would just put this in dd-wrt

Services -> Services Management -> DNSMasq -> Additional DNSMasq Options

    address=/firewall.home/firewall/192.168.1.1
    ptr-record=1.1.168.192.in-addr.arpa,"firewall.home"
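As an added illustration of the rebind-protection explanation johnpoz gives above and of the local `address=` override gjaltemba suggests (this is example code written for this page, not code from the thread, from DD-WRT or from dnsmasq itself), the following Python models how a dnsmasq forwarder with `stop-dns-rebind` treats a query: a name matched by a local `address=` entry is answered locally, anything else is forwarded upstream, and a forwarded reply containing an RFC 1918 or loopback address is discarded unless the domain is listed under `rebind-domain-ok`. The upstream answers are constructed for the example; `stop-dns-rebind`, `rebind-domain-ok` and `address` are real dnsmasq option names, but the model is simplified and does not cover IPv6 or CNAME handling.

```python
import ipaddress

# Constructed stand-in for the answers the upstream resolver (pfSense Unbound
# at 192.168.1.1 in the thread) would return; no real DNS traffic is sent.
UPSTREAM = {
    "firewall.home": ["192.168.1.1"],
    "gate.home": ["192.168.1.2"],        # constructed address for the example
    "pfsense.org": ["203.0.113.10"],     # constructed, TEST-NET-3 documentation range
}

# Ranges the model rejects from upstream when stop-dns-rebind is on
# (simplified: RFC 1918 plus loopback; IPv6 is not modelled).
REBIND_BLOCKED = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_rebind_blocked(addr):
    """True if an upstream answer would trip rebind protection."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in REBIND_BLOCKED)


class Forwarder:
    """Minimal model of a dnsmasq forwarder's decision path for A records."""

    def __init__(self, stop_dns_rebind=True, rebind_domain_ok=(), address=None):
        self.stop_dns_rebind = stop_dns_rebind
        # rebind-domain-ok=/home/ exempts "home" and every name under it
        self.rebind_domain_ok = tuple(d.lower().strip(".") for d in rebind_domain_ok)
        # address=/name/ip entries are answered locally and never forwarded
        self.address = {k.lower(): list(v) for k, v in (address or {}).items()}

    def _exempt(self, name):
        return any(name == d or name.endswith("." + d) for d in self.rebind_domain_ok)

    def resolve(self, name, upstream=UPSTREAM):
        """Return (outcome, addresses) for a query a LAN client sends the router."""
        name = name.lower().rstrip(".")
        if name in self.address:
            return ("local", list(self.address[name]))
        answers = upstream.get(name)
        if answers is None:
            return ("nxdomain", [])
        if (self.stop_dns_rebind and not self._exempt(name)
                and any(is_rebind_blocked(a) for a in answers)):
            # The thread's symptom: pfSense answers 192.168.1.1, but the
            # router discards the whole reply instead of passing it on.
            return ("rebind-dropped", [])
        return ("forwarded", list(answers))
```

With the defaults, `firewall.home` comes back empty from the router while `pfsense.org` is forwarded normally; either a `rebind-domain-ok=/home/` exemption or the `address=` override makes the name resolve again.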
johnpoz LAYER 8 Global Moderator

Those are prob out-of-state drops.. Ie something you created a connection to, and then did not correctly close the connection or whatever, and/or the state expired so DD-WRT dropped it.

Those ports 57839 and 57849 look to be source ports for some connection you had created from a client behind DD-WRT..

Both of those IPs are owned by Amazon; they resolve to a compute-1.amazonaws.com domain. Many software packages would connect to those networks, phone home - shoot, could have been you watching Amazon Prime video or music, etc.

The only traffic that would get through to your DD-WRT WAN would be something you forwarded, which clearly you're not doing. So the only other thing it would be would be answers to traffic you created. So things would get dropped if you have issues with states expiring with connections not being closed correctly..

There is no point to running behind a double NAT as any form of extra security.. And if anything it can cause you problems with certain protocols, can cause issues with state tables getting out of state.. Especially if you rebooted, say, your DD-WRT: all the states would be gone on the DD-WRT but would still be open on pfSense, and traffic that was answers to what you wanted would still be forwarded by pfSense and then dropped at DD-WRT.

The DD-WRT log doesn't even show you the flags on those packets - were they SYN, were they ACK? I would assume they are just out of state.. And then yes they should be dropped.. But pfSense would do the same thing with out-of-state traffic..

See this doc
https://doc.pfsense.org/index.php/Why_do_my_logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection