    [Solved] What's wrong here?

    Firewalling
    Tobi:

      Hi,

      I'm new to pfSense. I am trying to switch from Linux/iptables, but the start is a bit rough.

      My pfSense machine has 4 NICs:
      WAN - 192.168.3.0/24
      LAN1 - 192.168.14.0/24
      LAN2 - 192.168.1.0/24
      LAN3 - 192.168.2.0/24

      In my network 192.168.14.0 I have DNS and some other servers and clients.
      I want to make it possible for my internal DNS server to query the DNS servers of my ISP or any other DNS server.

      I created a rule for this. The FW log tells me all is OK, but my internal server can't resolve external names (like www.google.com). If I shut down my pfSense box and start Linux, DNS queries work without any problems.

      If I change the rule from protocol UDP to TCP/UDP I have the same problem. The DNS Resolver on the pfSense box is not activated. Any idea what's wrong here?

      ![Bildschirmfoto 2016-08-09 um 17.58.30.png](/public/imported_attachments/1/Bildschirmfoto 2016-08-09 um 17.58.30.png)
      ![Bildschirmfoto 2016-08-09 um 17.59.41.png](/public/imported_attachments/1/Bildschirmfoto 2016-08-09 um 17.59.41.png)

      johnpoz (LAYER 8 Global Moderator):

        well looks like your WAN is private.. So what is in front of pfSense? Maybe it's blocking your DNS traffic?

        Tobi:

          In front is my DSL modem.
          If I shut down pfSense and start my old Linux/iptables box (same hardware, same IP addresses), all works without any problems.

          If I activate the resolver on pfSense, I can resolve names on the pfSense box.

          johnpoz (LAYER 8 Global Moderator):

            well why don't you sniff on the pfSense WAN and validate it sends the queries when your client sends them; if it does and you get no answer then the problem is in front of pfSense. And then see what is different about the query when you resolve from pfSense..

            Can your clients behind pfSense access the internet.. Can they ping, say, the pfSense gateway?

            Did you mess with the default outbound NATs or something? Did you put a gateway on any of your LAN interfaces?

            Tobi:

              Now I think it's a bug in pfSense.
              I have done some tests and I can do "all" except ask an external DNS server from any client in my network. DNS queries work only if I use the pfSense box as DNS Resolver or Forwarder.

              johnpoz (LAYER 8 Global Moderator):

                sure it's a bug.. WTF, anytime people have something they think is not working it's a freaking bug..

                Nonsense it's a bug; if it was a bug with DNS resolution working through pfSense then there would be a lot more than you having issues.

                Here

                ```
                dig @8.8.8.8 www.google.com

                ; <<>> DiG 9.10.4-P2 <<>> @8.8.8.8 www.google.com
                ; (1 server found)
                ;; global options: +cmd
                ;; Got answer:
                ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5762
                ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

                ;; OPT PSEUDOSECTION:
                ; EDNS: version: 0, flags:; udp: 512
                ;; QUESTION SECTION:
                ;www.google.com.                        IN      A

                ;; ANSWER SECTION:
                www.google.com.        173    IN      A      216.58.192.228

                ;; Query time: 15 msec
                ;; SERVER: 8.8.8.8#53(8.8.8.8)
                ;; WHEN: Thu Aug 11 04:17:46 Central Daylight Time 2016
                ;; MSG SIZE  rcvd: 59
                ```

                I just queried a server outside pfSense.. No bug!!!

                Did you do the sniff that takes 2 seconds to do?? See attached: me sniffing on WAN, doing a query to external DNS.. You see pfSense send it out its WAN, you see an answer. Do you see anything go out??

                Your query went to 216.239.36.10, which is an authoritative name server for Google.. It's not going to answer anything it's not authoritative for..

                ```
                dig @216.239.36.10 pfsense.org

                ; <<>> DiG 9.10.4-P2 <<>> @216.239.36.10 pfsense.org
                ; (1 server found)
                ;; global options: +cmd
                ;; Got answer:
                ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 61865
                ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
                ;; WARNING: recursion requested but not available

                ;; QUESTION SECTION:
                ;pfsense.org.                  IN      A

                ;; Query time: 46 msec
                ;; SERVER: 216.239.36.10#53(216.239.36.10)
                ;; WHEN: Thu Aug 11 04:25:26 Central Daylight Time 2016
                ;; MSG SIZE  rcvd: 29
                ```

                ```
                dig @216.239.36.10 google.com ns

                ; <<>> DiG 9.10.4-P2 <<>> @216.239.36.10 google.com ns
                ; (1 server found)
                ;; global options: +cmd
                ;; Got answer:
                ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25980
                ;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4
                ;; WARNING: recursion requested but not available

                ;; QUESTION SECTION:
                ;google.com.                    IN      NS

                ;; ANSWER SECTION:
                google.com.            345600  IN      NS      ns4.google.com.
                google.com.            345600  IN      NS      ns1.google.com.
                google.com.            345600  IN      NS      ns2.google.com.
                google.com.            345600  IN      NS      ns3.google.com.

                ;; ADDITIONAL SECTION:
                ns4.google.com.        345600  IN      A      216.239.38.10
                ns1.google.com.        345600  IN      A      216.239.32.10
                ns2.google.com.        345600  IN      A      216.239.34.10
                ns3.google.com.        345600  IN      A      216.239.36.10

                ;; Query time: 39 msec
                ;; SERVER: 216.239.36.10#53(216.239.36.10)
                ;; WHEN: Thu Aug 11 04:27:06 Central Daylight Time 2016
                ;; MSG SIZE  rcvd: 164
                ```


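An added example, not part of the thread: a small Python classifier for dig's header lines that separates the three outcomes shown in the post above (a recursive resolver answering, an authoritative-only server refusing recursion, and an outright timeout, which is the case where sniffing the WAN is the next step). The samples are constructed from the output quoted in the post; the category names are my own.

```python
import re

# Constructed samples in the shape of the dig output quoted above: a recursive
# resolver answering, an authoritative-only server refusing recursion, and the
# same server answering for a zone it is authoritative for.
RECURSIVE_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5762
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
AUTH_REFUSED = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 61865
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
"""
AUTH_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25980
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4
"""
# What dig prints when no reply arrives at all (the firewall / upstream case).
TIMEOUT = ";; connection timed out; no servers could be reached\n"

HEADER_RE = re.compile(r"status: (\w+)")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);.*ANSWER: (\d+)", re.M)


def parse_dig(output):
    """Return (status, set of flags, answer count), or None when no reply came back."""
    h = HEADER_RE.search(output)
    f = FLAGS_RE.search(output)
    if not h or not f:
        return None
    return h.group(1), set(f.group(1).split()), int(f.group(2))


def diagnose(output):
    """Classify a dig run by the header flags rather than by 'it did not work'."""
    parsed = parse_dig(output)
    if parsed is None:
        return "timeout"                 # nothing came back: sniff the WAN, check upstream
    status, flags, answers = parsed
    if "ra" not in flags and status == "REFUSED":
        return "authoritative_refused"   # not a recursive resolver; not a firewall problem
    if "aa" in flags and status == "NOERROR":
        return "authoritative_ok"        # answered only because it owns the zone
    if "ra" in flags and status == "NOERROR" and answers > 0:
        return "recursive_ok"
    return "other:" + status
```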
                  Tobi:

                  > Nonsense it's a bug,

                  Jupp, you are right.

                  I can resolve names with "dig" like you from my clients in the network (192.168.14.0). Also "dig @8.8.8.8 www.google.com" works, but it does not work from my DNS/DHCP server. But my server is in the same network (192.168.14.0). And if I swap pfSense for the Linux Debian box it works.

                  Yesterday I changed my DNS config. I registered pfSense as DNS Forwarder. The DNS Forwarder is now running on pfSense and this point works.

                  But the next one doesn't :(. Again my DNS/DHCP server: on my pfSense box I started DHCP Relay, the queries are coming to my DHCP server and it responds, but the answer never reaches the client.

                    johnpoz (LAYER 8 Global Moderator):

                    Sure sounds like you have issues with this box more than anything.. Can it even ping the outside? Do you have a gateway set up on it? etc..

                      Tobi:

                      Hi,

                      here is a tcpdump with DHCP.
                      XN0 is the interface with my DHCP server, XN1 is the interface with the client.
                      DHCP Relay is activated on the pfSense box.

                      ```
                      myhack01:~ robert$ tcpdump -r XN0.tdump
                      reading from file XN0.tdump, link-type EN10MB (Ethernet)
                      12:34:10.223060 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
                      12:34:10.253801 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
                      12:34:11.944303 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
                      12:34:11.976186 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
                      12:34:14.531593 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
                      12:34:14.564944 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
                      12:34:19.066438 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
                      12:34:19.066732 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
                      12:34:20.698683 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
                      12:34:20.699012 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
                      12:34:23.158499 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
                      12:34:23.158782 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
                      12:34:27.562553 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
                      12:34:27.562797 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
                      12:34:35.772013 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
                      12:34:35.772310 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
                      12:34:36.636509 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from 90:b9:31:2a:44:a9 (oui Unknown), length 302
                      12:34:36.721868 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
                      12:34:38.582339 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from 90:b9:31:2a:44:a9 (oui Unknown), length 302
                      12:34:38.610976 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
                      12:34:40.754626 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from 90:b9:31:2a:44:a9 (oui Unknown), length 302
                      12:34:40.788885 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
                      12:34:44.735974 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
                      12:34:44.736288 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
                      12:34:48.966390 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from 90:b9:31:2a:44:a9 (oui Unknown), length 300
                      12:34:48.966685 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
                      12:34:53.530764 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
                      12:34:53.531083 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
                      myhack01:~ robert$ tcpdump -r XN1.tdump
                      reading from file XN1.tdump, link-type EN10MB (Ethernet)
                      12:31:26.037441 IP 0.0.0.0.bootpc > broadcasthost.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
                      12:31:27.820821 IP 0.0.0.0.bootpc > broadcasthost.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
                      12:31:30.155835 IP 0.0.0.0.bootpc > broadcasthost.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
                      12:31:34.462180 IP 0.0.0.0.bootpc > broadcasthost.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
                      12:31:35.472950 IP 0.0.0.0.bootpc > broadcasthost.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
                      12:31:38.056275 IP 0.0.0.0.bootpc > broadcasthost.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
                      12:31:42.180818 IP 0.0.0.0.bootpc > broadcasthost.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
                      12:31:50.803080 IP 0.0.0.0.bootpc > broadcasthost.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
                      12:31:58.925984 IP 0.0.0.0.bootpc > broadcasthost.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
                      12:32:07.710977 IP 0.0.0.0.bootpc > broadcasthost.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
                      ```
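To turn a pair of captures like the ones in the post above into the answer the moderator is after (did the server's reply ever reach the client-side interface?), here is an added example that is not part of the thread: a small Python parser for tcpdump's DHCP summary lines that counts, per client MAC, requests seen on each side and replies seen on each side. It runs on constructed excerpts of the two captures; attributing a server-side reply to the MAC of the preceding request is an assumption, since the summary line for a reply carries no client MAC.

```python
import re
from collections import defaultdict

# Constructed excerpts in the shape of the two tcpdump outputs posted above
# (XN0 = server side of the relay, XN1 = client side).
XN0 = """\
12:34:10.223060 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
12:34:10.253801 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
12:34:36.636509 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from 90:b9:31:2a:44:a9 (oui Unknown), length 302
12:34:36.721868 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
"""
XN1 = """\
reading from file XN1.tdump, link-type EN10MB (Ethernet)
12:31:26.037441 IP 0.0.0.0.bootpc > broadcasthost.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
12:31:27.820821 IP 0.0.0.0.bootpc > broadcasthost.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): BOOTP/DHCP, "
    r"(?:Request from (?P<mac>[0-9a-f:]{17})|(?P<reply>Reply))"
)


def parse(capture):
    """Yield one dict per DHCP summary line; prompt and header lines are skipped."""
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def _count(capture, stats, req_key, rep_key):
    # Assumption: a Reply belongs to the client MAC of the request just before it.
    last_mac = None
    for p in parse(capture):
        if p["mac"]:
            last_mac = p["mac"]
            stats[last_mac][req_key] += 1
        elif last_mac:
            stats[last_mac][rep_key] += 1
            stats[last_mac]["reply_dst"].add(p["dst"])


def relay_report(server_side, client_side):
    """Per client MAC: requests and replies seen on each side of the relay."""
    stats = defaultdict(lambda: {"client_requests": 0, "relayed_requests": 0,
                                 "server_replies": 0, "client_replies": 0,
                                 "reply_dst": set()})
    _count(server_side, stats, "relayed_requests", "server_replies")
    _count(client_side, stats, "client_requests", "client_replies")
    return dict(stats)


def findings(stats):
    """Flag clients the server answered but whose reply never showed up client-side."""
    return [f"{mac}: server replied {s['server_replies']}x to {sorted(s['reply_dst'])}, "
            "nothing seen on the client interface"
            for mac, s in stats.items()
            if s["server_replies"] and not s["client_replies"]]
```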
                        johnpoz (LAYER 8 Global Moderator):

                        how about you just post that cap file up so I can view it in Wireshark.. Not sure what you're trying to show here??

                        Looks like some kind of wifi network involved there? openwlan?

                        What does that have to do with this Linux box you want to use as DNS/DHCP talking to the internet or other segments?

                        Looks like you get some sort of answer, but it looks like it's going to the wrong place? How about you just show IPs and not resolved names.. I have no freaking idea what rjap.de is or openwlan.local, but guessing one of those is wireless? So did you sniff on pfSense, what did it do with the answer.. Was that actually an offer? Maybe it was a NAK from your DHCP server because the client requested an invalid lease/IP? Can not tell from the info given.. An actual pcap is much better, can see the MACs involved, the actual data in the DHCP, etc.

                        Why are you moving on to DHCP.. sounds like you didn't fix your DNS issue. You just have your DNS ask pfSense vs doing the query all the way through.

                          Tobi:

                          Hi,

                          here are 2 *.pcap files

                          192.168.14.1 is my DNS/DHCP Server
                          192.168.14.10 is xn0 from pfSense

                          192.168.1.10 is xn1 from pfsense

                          xn0.pcap
                          xn1.pcap
