Unable to get DNS on VLAN working
-
-
-
Disable your first and second rule.
Save. Apply.
DNS goes through?
edit: Probably not related: What are your intentions with the "Custom Options" on the DNS General Settings page?
-
Ok this did not work. I can ping 9.9.9.9 and 1.1.1.1 but cannot do name resolution (NSLOOKUP does not work). Directly connected avoiding VLAN, all works.
-
Nslookup doesn't work where? You have set up TLS forwarding. Can pfsense resolve using that? Test with DNS Lookup under Diagnostics.
Can your client talk to pfsense even for DNS? Do a simple query for, say, pfsense's own name. Does that resolve?
-
@mikeelawson said in Unable to get DNS on VLAN working:
Ok this did not work. I can ping 9.9.9.9 and 1.1.1.1 but cannot do name resolution (NSLOOKUP does not work). Directly connected avoiding VLAN, all works.
Make your third rule a "pass-all". Change the source "VLAN30 net" for "any" or "*".
Now your firewall is transparent for everything as long as it is "IPv4". Rule 1 and 2 are disabled, right?
It should work.
If not, the issue is your VLAN settings (pfsense and/or your switch).
Btw: easy to check if unbound is listening on the "VLAN30" network:

```
sockstat -4 -l | grep "53"
```

I check my interface "192.168.2.1" (my OPT1 interface):

```
dig @192.168.2.1 microsoft.com +short
40.112.72.205
40.113.200.201
104.215.148.63
13.77.161.179
40.76.4.15
```

dig will hit 192.168.2.1 using port 53.
-
John,
NSLOOKUP does not work under VLAN30 but does work under a direct connection to the LAN.
I set up TLS forwarding so that I can secure my DNS comms with providers.
DNS Lookup under Diagnostics works (see attached).
Did a simple query to pfsense: on the corporate LAN it worked, under VLAN30 it failed.
-
I did this on VLAN30 and it didn't work. I am directly connecting my Mac onto VLAN30 before I connect to the USG switch, to test that everything works. ![0_1544721303922_Ping 2.png](Uploading 0%)
-
Well, as already asked, did you dick with your ACLs for unbound? Did you validate it's actually listening on your vlan30 interface?
Do you have any floating rules that would be blocking, or any port forwards to redirect DNS?
If unbound is listening on the interface, and you allow it in the firewall rules... If unbound doesn't allow you to query, then you would get a REFUSED. But since you used +short, can not be sure what the actual details are.
BTW: 3.5ms is a pretty shitty local network ping response.

```
user@uc:~$ ping 192.168.2.253
PING 192.168.2.253 (192.168.2.253) 56(84) bytes of data.
64 bytes from 192.168.2.253: icmp_seq=1 ttl=64 time=0.836 ms
64 bytes from 192.168.2.253: icmp_seq=2 ttl=64 time=0.332 ms
64 bytes from 192.168.2.253: icmp_seq=3 ttl=64 time=0.304 ms
64 bytes from 192.168.2.253: icmp_seq=4 ttl=64 time=0.343 ms
64 bytes from 192.168.2.253: icmp_seq=5 ttl=64 time=0.328 ms
64 bytes from 192.168.2.253: icmp_seq=6 ttl=64 time=0.364 ms
64 bytes from 192.168.2.253: icmp_seq=7 ttl=64 time=0.330 ms
^C
--- 192.168.2.253 ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6000ms
rtt min/avg/max/mdev = 0.304/0.405/0.836/0.177 ms
user@uc:~$
```
That is a VM on one of my vlans, ping pfsense..
And your 2nd upload didn't work!
![0_1544721303922_Ping 2.png](Uploading 0%)
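The reply above draws the distinction that matters when troubleshooting: a REFUSED answer means unbound was reached but its access control rejected the client, while silence means the query never got an answer (firewall rule, VLAN tagging, or nothing listening). The following script is an added example, not from the thread or from pfSense, that sends a raw DNS query from the client side and reports which of those cases you are in; the server address and query name are assumptions taken from the thread's own numbers.

```python
import socket
import struct

# DNS header rcode values (RFC 1035); 5 = REFUSED is the one unbound's ACL produces.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, txid=0x1234):
    """Build a minimal DNS A query with the RD bit set, like a stub resolver would."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # id, flags, qd, an, ns, ar
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(query, data):
    """Name the rcode of a reply, after checking it really answers our query."""
    if len(data) < 12:
        return "MALFORMED"
    txid, flags = struct.unpack(">HH", data[:4])
    if txid != struct.unpack(">H", query[:2])[0]:
        return "ID-MISMATCH"
    if not flags & 0x8000:  # QR bit clear: this is a query, not a response
        return "NOT-A-RESPONSE"
    rcode = flags & 0x000F
    return RCODES.get(rcode, "RCODE-%d" % rcode)

def probe(server, name, timeout=2.0):
    """Send the query to server:53 over UDP and report the outcome.
    TIMEOUT      -> query or reply dropped (firewall rule, VLAN misconfig, client firewall)
    UNREACHABLE  -> ICMP port unreachable came back: nothing listening on 53 there
    REFUSED      -> resolver reached, but its ACL rejects this client's network
    NOERROR etc. -> resolver is listening and willing to answer this client"""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(q, (server, 53))
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "TIMEOUT"
        except OSError:
            return "UNREACHABLE"
    return classify_response(q, data)

if __name__ == "__main__":
    import sys
    # Assumed defaults: the OPT1 address quoted in the thread and a made-up host name.
    server = sys.argv[1] if len(sys.argv) > 1 else "192.168.2.1"
    print(probe(server, "pfsense.localdomain"))
```

Run it once from the VLAN client and once from a directly connected LAN client; a TIMEOUT on the VLAN only, with NOERROR on the LAN, points at the path (rules, tagging, or a host firewall) rather than at unbound.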
-
John,
Found it: the original config was correct, I had a firewall on the Mac that was preventing this. My apologies for taking up your time on this matter. As soon as this was disabled, all worked.
Regards,
Mike