Pfsense blocking all but pings to IP addresses



  • I am new to pfsense and am trying to set up a new firewall. I believe I have all my configurations carried over from my old firewall. I put pfsense in line replacing my old firewall and I cannot get any web traffic to come through.

    I can ping by IP all the way through and can ping 4.2.2.2 but can't ping by name. I made sure that my dns numbers are correct and that port 53 is allowed on both interfaces to and from any but I still can't get any names through. When I look at the firewall logs it shows everything being blocked. I still have the default allow rules on the LAN interface.

    I have pfsense taken out now and the old firewall back in so I can get on the net. Sorry for the brief post. Any help is appreciated.



  • Can you post a quick network schema + firewall rules?



  • Yes, nobody can help you without seeing your LAN configuration and firewall rules.



  • Is your DNS Forwarder enabled?




  • Resolver is the default in 2.3, not Forwarder.  Resolver can also work as a forwarder if you check its checkbox.



  • Here are some notes that I took while poking around trying to figure something out:

    Interface status on WAN
    In out error 0/39
    Collisions 2499

    Pinging by name from firewall diagnostic but not from laptop.

    What is the best way to get the lan and firewall rules configurations off the firewall and uploaded here?


  • LAYER 8 Global Moderator

    simple screenshot..

    example




  • Lol, easy enough. Should be attached below.






  • Those 5 rules you added are useless since all traffic is handled by the Default Allow LAN to Any rules at the bottom.  Nothing in your rules should be interfering with LAN traffic since they're all allow rules.  A default install of pfSense blocks all from WAN and blocks nothing from LAN, so your LAN clients should literally be able to do anything.  Can you post a screen of System - General Setup?



  • I want to lock it down so I will disable the default allow rule. I want to get it working first though before I mess around with that.




  • I want to lock it down so I will disable the default allow rule. I want to get it working first though before I mess around with that.

    That's actually the opposite of how you should work on this.  Keep the default Allow All on LAN rules.  Get rid of your custom rules.  Get everything working that you need to get working, then start locking down if that's what you need to do.  Unless you're living with criminals, locking down LAN can be a real exercise in pain.

    When I try those DNS servers you have listed, they both fail to resolve anything for me but this might be a security issue.  What happens if you replace them with 8.8.8.8, 8.8.4.4?  Are you using the pfSense DNS Resolver or Forwarder?



  • Yep, google dns (8.8.8.4 & 8.8.4.4) or opendns (208.67.222.123 & 208.67.220.123).
    Also, assign those DNS servers to a gateway.

    Connect to your pfSense box via ssh and try

    nslookup www.google.com

    What's the output?



  • I have tried with DNS forwarder enabled and disabled. Results from nslookup using both sets of DNS numbers are below. I also used the ping utility on pfsense and that is below as well. It hits outside IP addresses fine but the only name it hit was google.com. Wouldn't get a reply from cnn.com. I have also attached a screenshot of some of my firewall log.

    Server: 207.28.65.6
    Address: 207.28.65.6#53

    Non-authoritative answer:
    Name: www.google.com
    Address: 209.56.124.176
    Name: www.google.com
    Address: 209.56.124.166
    Name: www.google.com
    Address: 209.56.124.154
    Name: www.google.com
    Address: 209.56.124.177
    Name: www.google.com
    Address: 209.56.124.163
    Name: www.google.com
    Address: 209.56.124.170
    Name: www.google.com
    Address: 209.56.124.165
    Name: www.google.com
    Address: 209.56.124.144
    Name: www.google.com
    Address: 209.56.124.181
    Name: www.google.com
    Address: 209.56.124.148
    Name: www.google.com
    Address: 209.56.124.185
    Name: www.google.com
    Address: 209.56.124.152
    Name: www.google.com
    Address: 209.56.124.174
    Name: www.google.com
    Address: 209.56.124.187
    Name: www.google.com
    Address: 209.56.124.159
    Name: www.google.com
    Address: 209.56.124.155

    Server: 8.8.8.8
    Address: 8.8.8.8#53

    Non-authoritative answer:
    Name: www.google.com
    Address: 209.56.124.185
    Name: www.google.com
    Address: 209.56.124.155
    Name: www.google.com
    Address: 209.56.124.166
    Name: www.google.com
    Address: 209.56.124.165
    Name: www.google.com
    Address: 209.56.124.170
    Name: www.google.com
    Address: 209.56.124.177
    Name: www.google.com
    Address: 209.56.124.144
    Name: www.google.com
    Address: 209.56.124.148
    Name: www.google.com
    Address: 209.56.124.187
    Name: www.google.com
    Address: 209.56.124.174
    Name: www.google.com
    Address: 209.56.124.176
    Name: www.google.com
    Address: 209.56.124.159
    Name: www.google.com
    Address: 209.56.124.163
    Name: www.google.com
    Address: 209.56.124.154
    Name: www.google.com
    Address: 209.56.124.152
    Name: www.google.com
    Address: 209.56.124.181

    PING google.com (209.56.124.159): 56 data bytes
    64 bytes from 209.56.124.159: icmp_seq=0 ttl=61 time=8.028 ms
    64 bytes from 209.56.124.159: icmp_seq=1 ttl=61 time=7.957 ms
    64 bytes from 209.56.124.159: icmp_seq=2 ttl=61 time=8.001 ms

    --- google.com ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 7.957/7.995/8.028/0.029 ms

    PING cnn.com (157.166.226.26): 56 data bytes

    --- cnn.com ping statistics ---
    3 packets transmitted, 0 packets received, 100.0% packet loss




  • I was asking if you could replace your DNS servers in System - General Setup with the Google ones.

    I have tried with DNS forwarder enabled and disabled.

    pfSense has two built-in DNS services.  I was asking which one you are using.  You shouldn't use both simultaneously.  If you are using DNS Forwarder only and you turn it off then you have no DNS at all.

    Here is what I would do:

    • Disable DNS Forwarder.

    • Enable DNS Resolver.

    • Check the DNS Query Forwarding checkbox under Services - DNS Resolver - General settings.

    • Replace your DNS servers under System - General Setup - DNS Server Settings with Google 8.8.8.8 and 8.8.4.4.

    • Save & test.


  • LAYER 8 Global Moderator

    is this pfsense virtual?

    Your blocks are OUT of state blocks.. not blocking of syn packets..  Do you have an asymmetrical routing issue?  How are your clients connected to pfsense.. And they use pfsense as their only gateway, right??
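
The distinction johnpoz draws above (a blocked packet without SYN is a mid-connection packet pf has no state for, not a policy block of the connection) can be checked mechanically against the pfSense filter log. The following is an added example written for this thread, not code from the forum or from pfSense. It parses syslog lines in the documented filterlog CSV layout; the field offsets used (rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then the per-IP-version and per-protocol fields) are an assumption to verify against your own /var/log/filter.log. The sample lines are constructed, not a real capture.

```python
"""Classify pfSense filterlog block entries by TCP handshake state.

Added example, not pfSense or forum code.  Field offsets follow the
documented filterlog CSV layout and are an assumption: compare them with
a few lines from your own /var/log/filter.log before trusting the output.
"""
import csv
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines (not a real capture).  "filterlog: " is the
# prefix the syslog line carries before the CSV payload on pfSense.
SAMPLE_LOG = """\
Jun 24 00:12:30 fw filterlog: 5,,,1000000103,em1,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,60,192.168.1.50,157.166.226.26,49152,80,0,S,1:1,,65535,,mss
Jun 24 00:12:31 fw filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,60,23456,0,DF,6,tcp,52,157.166.226.26,192.168.1.50,80,49152,0,A,1:1,,29200,,
Jun 24 00:12:31 fw filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,60,23457,0,DF,6,tcp,52,157.166.226.26,192.168.1.50,80,49152,0,PA,1:1,,29200,,
Jun 24 00:12:32 fw filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,12346,0,DF,17,udp,78,192.168.1.50,8.8.8.8,53421,53,58
Jun 24 00:12:33 fw filterlog: 5,,,1000000103,em0,match,block,in,6,0x00,0x00000,64,tcp,6,40,fe80::1,fe80::2,443,51000,0,FA,1:1,,1024,,
"""


@dataclass
class BlockEntry:
    iface: str
    direction: str
    proto: str
    src: str
    dst: str
    srcport: Optional[int]
    dstport: Optional[int]
    tcpflags: str  # pf flag letters such as "S", "A", "PA", "FA"; "" for non-TCP


def parse_filterlog_line(line: str) -> Optional[BlockEntry]:
    """Parse one syslog line; return None for non-filterlog or non-block lines."""
    marker = "filterlog: "
    pos = line.find(marker)
    if pos < 0:
        return None
    fields = next(csv.reader([line[pos + len(marker):]]))
    if len(fields) < 9 or fields[6] != "block":
        return None
    iface, direction, ipver = fields[4], fields[7], fields[8]
    if ipver == "4":
        # assumed IPv4 layout: tos,ecn,ttl,id,offset,flags,proto_id,proto,length,src,dst
        proto, src, dst, rest = fields[16], fields[18], fields[19], fields[20:]
    elif ipver == "6":
        # assumed IPv6 layout: class,flowlabel,hoplimit,proto,proto_id,length,src,dst
        proto, src, dst, rest = fields[12], fields[15], fields[16], fields[17:]
    else:
        return None
    srcport = dstport = None
    tcpflags = ""
    if proto in ("tcp", "udp") and len(rest) >= 2:
        srcport, dstport = int(rest[0]), int(rest[1])
    if proto == "tcp" and len(rest) >= 4:
        tcpflags = rest[3]  # TCP layout: srcport,dstport,datalen,flags,...
    return BlockEntry(iface, direction, proto, src, dst, srcport, dstport, tcpflags)


def parse_filterlog(log_text: str) -> list:
    """All block entries in a log, in file order."""
    return [e for e in (parse_filterlog_line(l) for l in log_text.splitlines()) if e]


def classify(entry: BlockEntry) -> str:
    """Say what a blocked packet most likely means.

    pf only runs the ruleset against packets that match no existing state,
    so a blocked TCP packet without SYN is one pf has no state for (a second
    path into the LAN, a state that timed out, a stale session), rather than
    a rule deciding against the connection.
    """
    if entry.proto != "tcp":
        return "non_tcp"
    flags = set(entry.tcpflags)
    if "S" in flags and "A" not in flags:
        return "new_connection"  # a genuine rule block of a connection attempt
    return "out_of_state"


def summarize(log_text: str) -> Counter:
    """Count blocked packets by category across a whole log."""
    return Counter(classify(e) for e in parse_filterlog(log_text))


def out_of_state_flows(log_text: str) -> Counter:
    """(src, dst) pairs whose mid-connection packets are dropped: the peers to
    trace when looking for a return path that bypasses pfSense."""
    return Counter((e.src, e.dst) for e in parse_filterlog(log_text)
                   if classify(e) == "out_of_state")


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for (src, dst), n in out_of_state_flows(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {src} -> {dst}")
```

If nearly every TCP block in the log lands in the out_of_state bucket while the new_connection bucket is empty, the ruleset is not what is breaking the clients; look for a second gateway or a route that lets replies reach the LAN without passing through pfSense.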



  • Here is what I would do:
    Disable DNS Forwarder.
    Enable DNS Resolver.
    Check the DNS Query Forwarding checkbox under Services - DNS Resolver - General settings.
    Replace your DNS servers under System - General Setup - DNS Server Settings with Google 8.8.8.8 and 8.8.4.4.
    Save & test.

    Tried the DNS resolver and it didn't work. I have changed the dns numbers in the general setup and that didn't work.

    is this pfsense virtual?

    Your blocks are OUT of state blocks.. not blocking of syn packets..  Do you have an asymmetrical routing issue?  How are your clients connected to pfsense.. And they use pfsense as their only gateway, right??

    It is the pfsense appliance. It is not virtual. The pfsense box is the only gateway. As soon as I unplug pfsense and hook up the old cipa firewall everything works. It has the dns numbers in it that I have given you.



  • For some reason when I plug my pfsense box in, it is doing something to my dns server. I have to manually put a dns address into client machine settings to get dns working and get them on the internet. Machines are getting ip settings properly from my dhcp server but the dns is not working. The dhcp and dns reside on the same server.

    I just noticed that pfsense works as a dns fine if I put that in my dhcp server to hand out.



  • I just noticed that pfsense works as a dns fine if I put that in my dhcp server to hand out

    Well then, pfSense is good.
    If you have an internal DNS server, and the gateway address of your pfSense LAN side is not the same as the LAN side gateway address of the previous router, then you will have to tell that internal DNS server what the new way to get to the internet is (and thus to resolve external DNS). Once that is working, then your internal DHCP server should be able to give out the internal DNS server IP, and the internal DNS server will successfully look up all names.

    (I am guessing a bit about what exactly you have on your internal network and how it all talked before putting pfSense in place)



  • If you have an internal DNS server, and the gateway address of your pfSense LAN side is not the same as the LAN side gateway address of the previous router, then you will have to tell that internal DNS server what is the new way to get to the internet (and thus to resolve external DNS).

    I have it all set up with the same addresses as the last firewall so nothing should have changed. I had a rule for tcp/udp port 53 open for all and I figured that would allow my internal DNS to get DNS info from the net. I disabled all my rules to try and figure out what the issue was. I will start re-enabling them tomorrow and see if I can figure out what is causing the problem.



  • So now the issue is my internal DNS server is not getting out. I can ping the IP of the firewall, LAN IP and WAN IP. I cannot ping the WAN gateway IP. I can from the other machines on the network. I cannot figure out why the Mac OD servers are having so many issues.



  • @d4t4str34m:

    So now the issue is my internal DNS server is not getting out. I can ping the IP of the firewall, LAN IP and WAN IP. I cannot ping the WAN gateway IP. I can from the other machines on the network. I cannot figure out why the Mac OD servers are having so many issues.

    Are you running MacOS X Server and using that as a DNS server?



  • Are you running MacOS X Server and using that as a DNS server?

    Yes. I ended up adding those machines into the host override in the DNS Resolver of pfsense. Now my machines can find the OD server for their accounts while on the network. I am still trying to figure out why it can't get out on the internet.



  • @d4t4str34m:

    Are you running MacOS X Server and using that as a DNS server?

    Yes. I ended up adding those machines into the host override in the DNS Resolver of pfsense. Now my machines can find the OD server for their accounts while on the network. I am still trying to figure out why it can't get out on the internet.

    I have a lot of experience with Mac OS X Server.  What's probably happening is that it's making IPv6 DNS queries.  I've complained to Apple engineers that it should do both IPv4 and IPv6, preferably using IPv4 as a default.  But they told me that's the way it's supposed to work.

    Check your DNS logs on Mac OS X Server and you should see a lot of these:

    24-Jun-2016 00:12:32.030 error (host unreachable) resolving 'ns-1272.awsdns-31.org/A/IN': 2001:500:40::1#53
    24-Jun-2016 00:12:32.030 error (host unreachable) resolving 'ns-1272.awsdns-31.org/AAAA/IN': 2001:500:40::1#53
    24-Jun-2016 00:12:32.030 error (host unreachable) resolving 'ns-1272.awsdns-31.org/A/IN': 2001:500:f::1#53
    24-Jun-2016 00:12:32.030 error (host unreachable) resolving 'ns-1272.awsdns-31.org/AAAA/IN': 2001:500:f::1#53
    

    That's OS X Server trying to do IPv6 lookups and failing.  My ISP doesn't use IPv6, so I had to force OS X Server to do IPv4 lookups, which resolved the issue.



  • I don't think that is it. For some reason I can ping all the way through pfsense (LAN and WAN) by ip address from those apple servers but I can't ping the gateway for my WAN. If I plug in the old firewall everything works fine. If I run a traceroute from the apple server to the WAN gateway IP of pfsense, I get a hop from my LAN gateway number and then it stops. It seems to get hung up in the firewall.



  • I am going to change my DHCP service from the problematic apple server to pfsense. The only issue is that I have a lot of static assignments so I wanted to do an export from the apple server and then import into pfsense. I have exported settings to a plist file and then used the plutil command to convert to xml. I have also tried running sudo serveradmin settings dhcp >/path/to/file.txt. I then opened the text file created in excel and save it as an xml.

    I keep getting an error when importing the xml file in pfsense. The error says "An area to restore was selected but the correct xml tag could not be located." Is there something that needs to be in the xml file to make this work?



  • It's not likely that any of your described attempts would create an xml file that the pfSense Restore system would understand.

    If you're trying to do a batch setup of DHCP static addresses, try:

    1. Manually create two or three static assignments in DHCP.
    2. Export the xml data using the pfSense Backup system, selecting only DHCP for Backup.
    3. Examine the xml file using a text editor and note the key data lines.
    4. Cut and paste a few lines of data from your previous attempts to modify the file exported in 2).
    5. Import the modified file using the pfSense Restore facility and verify the DHCP changes occur as you expect.
    6. Repeat the modification with the rest of your data.

    It's not that hard once you get an idea of what the file should look like internally.



  • @divsys:

    It's not likely that any of your described attempts would create an xml file that the pfSense Restore system would understand.

    If you're trying to do a batch setup of DHCP static addresses, try:

    1. Manually create two or three static assignments in DHCP.
    2. Export the xml data using the pfSense Backup system, selecting only DHCP for Backup.
    3. Examine the xml file using a text editor and note the key data lines.
    4. Cut and paste a few lines of data from your previous attempts to modify the file exported in 2).
    5. Import the modified file using the pfSense Restore facility and verify the DHCP changes occur as you expect.
    6. Repeat the modification with the rest of your data.

    It's not that hard once you get an idea of what the file should look like internally.

    I tried this and the xml files were completely different. I ended up just manually entering them in. It took a fair amount of work but it will be worth it.

