Pfsense blocking all but pings to IP addresses

tim.mcmanus

@d4t4str34m:

So now the issue is my internal DNS server is not getting out. I can ping the IP of the firewall, LAN IP and WAN IP. I cannot ping the WAN gateway IP. I can from the other machines on the network. I cannot figure out why the Mac OD servers are having so many issues.

Are you running MacOS X Server and using that as a DNS server?

d4t4str34m

Are you running MacOS X Server and using that as a DNS server?

Yes. I ended up adding those machines into the host over ride in the DNS Resolver of pfsense. Now my machines can find the OD server for their accounts while on the network. I am still trying to figure out why it can't get out on the internet.

tim.mcmanus

@d4t4str34m:

Are you running MacOS X Server and using that as a DNS server?

Yes. I ended up adding those machines into the host over ride in the DNS Resolver of pfsense. Now my machines can find the OD server for their accounts while on the network. I am still trying to figure out why it can't get out on the internet.

I have a lot of experience with Mac OS X Server.  What's probably happening is that it's making IPv6 DNS queries.  I've complained to Apple engineers that it should do both IPv4 and IPv6, preferably using IPv4 as a default.  But they told me that's the way it's supposed to work.

Check your DNS logs on Mac OS X Server and you should see a lot of these:

24-Jun-2016 00:12:32.030 error (host unreachable) resolving 'ns-1272.awsdns-31.org/A/IN': 2001:500:40::1#53
24-Jun-2016 00:12:32.030 error (host unreachable) resolving 'ns-1272.awsdns-31.org/AAAA/IN': 2001:500:40::1#53
24-Jun-2016 00:12:32.030 error (host unreachable) resolving 'ns-1272.awsdns-31.org/A/IN': 2001:500:f::1#53
24-Jun-2016 00:12:32.030 error (host unreachable) resolving 'ns-1272.awsdns-31.org/AAAA/IN': 2001:500:f::1#53

That's OS X Server trying to do IPv6 lookups and failing.  My ISP doesn't use IPv6, so I had to force OS X Server to do IPv4 lookups, which resolved the issue.

d4t4str34m

I don't think that is it. For some reason I can ping all the way through pfsense (LAN and WAN) by ip address from those apple servers but I can't ping the gateway for my WAN. If I plug in the old firewall everything works fine. If I run a traceroute from the apple server to the WAN gateway IP of pfsense, I get a hop from my LAN gateway number and then it stops. It seems to get hung up in the firewall.

d4t4str34m

I am going to change my DHCP service from the problematic apple server to pfsense. The only issue is that I have a lot of static assignments so I wanted to do an export from the apple server and then import into pfsense. I have exported settings to a plist file and then used the plutil command to convert to xml. I have also tried running sudo serveradmin settings dhcp >/path/to/file.txt. I then opened the text file created in excel and save it as an xml.

I keep getting an error when importing the xml file in pfsense. The error says "An area to restore was selected but the correct xml tag could not be located." Is there something that needs to be in the xml file to make this work?

divsys

It's not likely that any of your described attempts would create an xml file that the pfSense Restore system would understand.

If you're trying to do a batch setup of DHCP static addresses, try:

1. Manually create two or three static assignments in DHCP.
2. Export the xml data using the pfSense Backup system, selecting only DHCP for Backup.
3. Examine the xml file using a text editor and note the key data lines
4. Cut and paste a few lines of data from your previous attempts to modify the file exported in 2)
5. Import the modified file using the pfSense Restore facility and verify the DHCP changes occur as you expect.
6. Repeat the modification with rest of your data.

It's not that hard once you get an idea of what the file should look like internally.

d4t4str34m

@divsys:

It's not likely that any of your described attempts would create an xml file that the pfSense Restore system would understand.

If you're trying to do a batch setup of DHCP static addresses, try:

1. Manually create two or three static assignments in DHCP.
2. Export the xml data using the pfSense Backup system, selecting only DHCP for Backup.
3. Examine the xml file using a text editor and note the key data lines
4. Cut and paste a few lines of data from your previous attempts to modify the file exported in 2)
5. Import the modified file using the pfSense Restore facility and verify the DHCP changes occur as you expect.
6. Repeat the modification with rest of your data.

It's not that hard once you get an idea of what the file should look like internally.

I tried this and the xml files were completely different. I ended up just manually entering them in. It took a fair amount of work but it will be worth it.