• I have a virtualised pfSense 2.3.1 on a XenServer.
    I've disabled the Xen PV drivers.
    Setup is 1 WAN and 5 LANs.
    The main LAN and wifi networks have sporadic problems with DNS and connectivity.


    Sometimes systems on either LAN or wifi will not be able to access a device (printer, network share …) on the other LAN interface.
    After a few minutes they can access it without any apparent reason.

    I have set up a DNS Fw for the different servers within our network to make sure that users' systems don't try to go outside to come back in.
    We have a couple of webapps accessible to outside clients that currently come from an external static IP through a proxy that fw the link to the right server. Sometimes, people from within our network either get to the pfSense page instead of the actual app, and when they try to ping the app site (app.mydomain.com) it shows the external IP instead of the internal one like it's configured in the DNS fw module.

  • LAYER 8 Global Moderator

    "when they try to ping the app site (app.mydomain.com) it shows the external ip instead of the internal one like it's configured in the DNS fw module,"

    Well, your clients are pointing to more than 1 name server it would seem.  Which is always a BAD idea: you do not point clients to multiple name servers unless they resolve the same stuff the same way.  If you have some local DNS that resolves some specific FQDN to an RFC address, and this client points to multiple DNS servers and one of them is, say, public Google DNS, Google DNS isn't going to have clue one about your local stuff.

    If you want to use multiple public DNS servers, sure, that is fine; they all should resolve any FQDN the same way, other than maybe caches and TTL issues.  But pointing to an internal DNS and an external DNS is a bad idea, since you really never know which one the client might use to resolve something.  So doing so is going to end up causing you odd issues.

    Have no idea what you mean by blocking going out and back in?  You mean you don't have any NAT reflection set up?  What are your WAN rules? Are you allowing access to your WAN IP for the port you're listening on, if you're getting the GUI?

  • I see that I wasn't very clear in my explanation.

    I have external clients that connect to a web app at app.mydomain.com which is set on Amazon's DNS. It forwards the FQDN request to a specific IP at our offices. It's then forwarded by NAT to our haproxy machine that shoots it to the actual server.

    Since I don't want my internal colleagues to go through the internet (outside) to access something that is local, I've set up the DNS Forwarder to send the FQDN request app.mydomain.com to the haproxy machine.
    Sometimes they get a webpage with a 401 error or get the pfSense main login window. If they wait a couple of minutes, it starts working again.

    As for the resources, it seems that if a user is connected to the wifi interface, whatever is on the lan interface is not accessible and vice-versa.

    That is a random issue and I can't figure out why it's happening.

  • LAYER 8 Global Moderator

    Verify what IP they are getting back for that query when this happens.  So your clients have pfSense as their only DNS?
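    The two points raised above (clients must not mix resolvers that answer differently, and the first thing to check is which IP actually comes back for the FQDN when the problem occurs) can be turned into a small diagnostic. The script below is an added example, not code from the thread or from pfSense: it sends a plain DNS A query to each resolver you name, then flags the two failure modes described here, resolvers disagreeing with each other, and a non-RFC 1918 address being returned where the forwarder's host override should have produced an internal one. The resolver addresses in `__main__` are placeholders, and `build_sample_response` only exists to construct an offline response for testing.

```python
from __future__ import annotations

import ipaddress
import socket
import struct

TXID = 0x1234  # fixed transaction id for this single-shot diagnostic
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_query(name: str, txid: int = TXID) -> bytes:
    """Build a minimal DNS query: header with RD set, one question for an A record, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a wire-format name, handling compression pointers."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer, nothing follows it
            return offset + 2
        offset += length + 1


def parse_a_answers(data: bytes, expected_txid: int = TXID) -> list[str]:
    """Extract the IPv4 addresses from the answer section of a DNS response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch, not a reply to our query")
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError(f"resolver returned RCODE {rcode}")
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4  # skip QTYPE and QCLASS
    answers: list[str] = []
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:
            answers.append(socket.inet_ntoa(rdata))
    return answers


def resolve_via(server: str, name: str, timeout: float = 2.0) -> list[str]:
    """Ask one specific resolver (UDP/53) for the A records of `name`."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_answers(data)


def is_rfc1918(addr: str) -> bool:
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)


def audit_answers(answers_by_server: dict[str, list[str]]) -> list[str]:
    """Report resolvers that disagree, and any public address where an internal one is expected."""
    findings: list[str] = []
    distinct = {tuple(sorted(a)) for a in answers_by_server.values()}
    if len(distinct) > 1:
        detail = "; ".join(f"{srv} -> {','.join(a) or '(none)'}" for srv, a in answers_by_server.items())
        findings.append("resolvers disagree: " + detail)
    for srv, addrs in answers_by_server.items():
        for addr in addrs:
            if not is_rfc1918(addr):
                findings.append(f"{srv} returned public address {addr}; host override not in effect")
    return findings


def build_sample_response(name: str, addrs: list[str], txid: int = TXID) -> bytes:
    """Constructed response for offline testing only: echoes the question, answers with pointers."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    body = build_query(name, txid)[12:]
    for addr in addrs:
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(addr)
    return header + body


if __name__ == "__main__":
    # Placeholder resolvers: the pfSense LAN address and a public one a client might also be using.
    servers = {"192.168.1.1": [], "8.8.8.8": []}
    for srv in servers:
        try:
            servers[srv] = resolve_via(srv, "app.mydomain.com")
        except (OSError, ValueError) as exc:
            print(f"{srv}: query failed ({exc})")
    for line in audit_answers(servers) or ["no findings"]:
        print(line)
```

    Run it from a client on the LAN and again from one on the wifi segment while the problem is present; an empty findings list from both means the forwarder override is being honoured and the fault lies elsewhere, while a "public address" finding points straight at a client that is resolving through something other than pfSense.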

  • The only DNS they have is pfSense.
    When it happens "for the web app", they get the external IP that the FQDN points to.