[Solved] Whats wrong here?



  • Hi,

    I'm new to pfSense. I'm trying to switch from Linux/IPTables, but the start is a little bit painful.

    My pfSense machine has 4 NICs:
    WAN - 192.168.3.0/24
    LAN1 - 192.168.14.0/24
    LAN2 - 192.168.1.0/24
    LAN3 - 192.168.2.0/24

    In my network 192.168.14.0 I have a DNS server and some other servers and clients.
    I want to make it possible for my internal DNS server to query the DNS servers of my ISP or any other DNS server.

    I created a rule for this. The FW log tells me all is OK, but my internal server can resolve external names (like www.google.com). If I shut down my pfSense box and start Linux, DNS queries work without any problems.

    If I change the rule from protocol UDP to TCP/UDP I have the same problem. The DNS Resolver on the pfSense box is not activated. Any idea what's wrong here?

    ![Bildschirmfoto 2016-08-09 um 17.58.30.png](/public/imported_attachments/1/Bildschirmfoto 2016-08-09 um 17.58.30.png)
    ![Bildschirmfoto 2016-08-09 um 17.59.41.png](/public/imported_attachments/1/Bildschirmfoto 2016-08-09 um 17.59.41.png)


  • LAYER 8 Global Moderator

    well looks like your wan is private.. So what is in front of pfsense? Maybe it's blocking your dns traffic?



  • In front is my DSL modem.
    If I shut down pfSense and start my old Linux/IPTables box (same hardware, same IP addresses) all works without any problems.

    If I activate the resolver on pfSense, I can resolve names on the pfSense box.


  • LAYER 8 Global Moderator

    well why don't you sniff on pfsense wan and validate it sends the queries when your client sends them; if it does and you get no answer then the problem is in front of pfsense.  And then see what is different about the query when you resolve from pfsense..

    Can your clients behind pfsense access the internet.. Can they ping say the pfsense gateway?

    Did you mess with the default outbound nats or something?  Did you put a gateway on any of your lan interfaces?



  • Now I think it's a bug in pfSense.
    I have done some tests and I can do "everything" except ask an external DNS server from any client in my network. DNS queries work only if I use the pfSense box as DNS Resolver or Forwarder.


  • LAYER 8 Global Moderator

    sure it's a bug.. WTF anytime people have something they think is not working it's a freaking bug..

    Nonsense it's a bug; if it was a bug with dns resolution working through pfsense then there would be a lot more than you having issues.

    Here

    dig @8.8.8.8 www.google.com

    ; <<>> DiG 9.10.4-P2 <<>> @8.8.8.8 www.google.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5762
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;www.google.com.                        IN      A

    ;; ANSWER SECTION:
    www.google.com.        173    IN      A      216.58.192.228

    ;; Query time: 15 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Thu Aug 11 04:17:46 Central Daylight Time 2016
    ;; MSG SIZE  rcvd: 59

    I just queried to a server outside pfsense..  No Bug!!!

    Did you do the sniff that takes 2 seconds to do??  See attached me sniffing on wan, doing a query to external dns..  You see pfsense send it out its wan, you see an answer.  Do you see anything go out??

    Your query to 216.239.36.10, that is an authoritative name server for google.. It's not going to answer anything it's not authoritative for..

    dig @216.239.36.10 pfsense.org

    ; <<>> DiG 9.10.4-P2 <<>> @216.239.36.10 pfsense.org
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 61865
    ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; WARNING: recursion requested but not available

    ;; QUESTION SECTION:
    ;pfsense.org.                  IN      A

    ;; Query time: 46 msec
    ;; SERVER: 216.239.36.10#53(216.239.36.10)
    ;; WHEN: Thu Aug 11 04:25:26 Central Daylight Time 2016
    ;; MSG SIZE  rcvd: 29

    dig @216.239.36.10 google.com ns

    ; <<>> DiG 9.10.4-P2 <<>> @216.239.36.10 google.com ns
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25980
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4
    ;; WARNING: recursion requested but not available

    ;; QUESTION SECTION:
    ;google.com.                    IN      NS

    ;; ANSWER SECTION:
    google.com.            345600  IN      NS      ns4.google.com.
    google.com.            345600  IN      NS      ns1.google.com.
    google.com.            345600  IN      NS      ns2.google.com.
    google.com.            345600  IN      NS      ns3.google.com.

    ;; ADDITIONAL SECTION:
    ns4.google.com.        345600  IN      A      216.239.38.10
    ns1.google.com.        345600  IN      A      216.239.32.10
    ns2.google.com.        345600  IN      A      216.239.34.10
    ns3.google.com.        345600  IN      A      216.239.36.10

    ;; Query time: 39 msec
    ;; SERVER: 216.239.36.10#53(216.239.36.10)
    ;; WHEN: Thu Aug 11 04:27:06 Central Daylight Time 2016
    ;; MSG SIZE  rcvd: 164
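    To make the difference between the dig outputs above concrete, here is an added example (not from the thread or from pfSense) that builds the query dig sends and reads a response header the way dig's status/flags lines do. The responses are constructed samples, header only, shaped like the 8.8.8.8 answer and the two ns3.google.com replies; the query ids are arbitrary.

```python
import struct

# DNS header bits and response codes (RFC 1035 section 4.1.1)
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(qname, qid=0x1682, qtype=1):
    """Wire-format IN query with RD set, like 'dig @server name' sends (no EDNS)."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def make_response(query, rcode, aa=False, ra=False, answers=0):
    """Constructed sample response: same id and question, header bits set; answer RRs omitted."""
    qid = struct.unpack("!H", query[:2])[0]
    flags = QR | RD | (AA if aa else 0) | (RA if ra else 0) | rcode
    return struct.pack("!HHHHHH", qid, flags, 1, answers, 0, 0) + query[12:]

def classify_response(query, pkt):
    """Read the 12-byte header and explain it the way dig's status/flags lines do."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if qid != struct.unpack("!H", query[:2])[0]:
        return {"verdict": "id mismatch: not an answer to our query"}
    status = RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F))
    names = [n for n, bit in (("qr", QR), ("aa", AA), ("rd", RD), ("ra", RA)) if flags & bit]
    if "ra" in names and an > 0:
        verdict = "recursive resolver answered; this is what a client-side query should look like"
    elif "ra" not in names and status == "REFUSED":
        verdict = "recursion requested but not available: authoritative-only server, answers only for its own zones"
    elif "aa" in names and an > 0:
        verdict = "authoritative answer for a zone this server serves"
    else:
        verdict = "no usable answer"
    return {"status": status, "flags": names, "answers": an, "verdict": verdict}

# Constructed samples shaped like the three dig outputs in the thread
A_QUERY = build_query("www.google.com")
RECURSIVE_OK = make_response(A_QUERY, 0, ra=True, answers=1)        # 8.8.8.8: qr rd ra, NOERROR
REFUSED_QUERY = build_query("pfsense.org", qid=0xF1A9)
AUTH_REFUSED = make_response(REFUSED_QUERY, 5)                      # ns3.google.com: qr rd, REFUSED
NS_QUERY = build_query("google.com", qid=0x657C, qtype=2)           # QTYPE=NS
AUTH_NS_OK = make_response(NS_QUERY, 0, aa=True, answers=4)         # ns3.google.com: qr aa rd, NOERROR

if __name__ == "__main__":
    for server, q, pkt in (("8.8.8.8", A_QUERY, RECURSIVE_OK),
                           ("216.239.36.10", REFUSED_QUERY, AUTH_REFUSED),
                           ("216.239.36.10", NS_QUERY, AUTH_NS_OK)):
        print(server, classify_response(q, pkt))
```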




  • > Nonsense its a bug,

    Yep, you are right.

    I can resolve names with "dig" like you from my clients in the network (192.168.14.0). "dig @8.8.8.8 www.google.com" also works, but it does not work from my DNS/DHCP server. But my server is in the same network (192.168.14.0). And if I replace pfSense with the Linux Debian box it works.

    Yesterday I changed my DNS config. I registered pfSense as DNS forwarder. The DNS Forwarder is now running on pfSense and this part works.

    But not the next one :(. Again my DNS/DHCP server: on my pfSense box I started DHCP Relay, the requests arrive at my DHCP server and it responds, but the answer never reaches the client.


  • LAYER 8 Global Moderator

    Sure sounds like you have issues with this box more than anything.. Can it even ping the outside?  Do you have a gateway setup on it? etc..



  • Hi,

    here is a tcpdump with DHCP.
    XN0 is the interface with my DHCP server, XN1 is the interface with the client.
    DHCP Relay is activated on the pfSense box.

    myhack01:~ robert$ tcpdump -r XN0.tdump 
    reading from file XN0.tdump, link-type EN10MB (Ethernet)
    12:34:10.223060 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
    12:34:10.253801 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
    12:34:11.944303 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
    12:34:11.976186 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
    12:34:14.531593 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
    12:34:14.564944 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
    12:34:19.066438 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
    12:34:19.066732 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
    12:34:20.698683 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
    12:34:20.699012 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
    12:34:23.158499 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
    12:34:23.158782 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
    12:34:27.562553 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
    12:34:27.562797 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
    12:34:35.772013 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
    12:34:35.772310 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
    12:34:36.636509 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from 90:b9:31:2a:44:a9 (oui Unknown), length 302
    12:34:36.721868 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
    12:34:38.582339 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from 90:b9:31:2a:44:a9 (oui Unknown), length 302
    12:34:38.610976 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
    12:34:40.754626 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from 90:b9:31:2a:44:a9 (oui Unknown), length 302
    12:34:40.788885 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
    12:34:44.735974 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
    12:34:44.736288 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
    12:34:48.966390 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from 90:b9:31:2a:44:a9 (oui Unknown), length 300
    12:34:48.966685 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
    12:34:53.530764 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
    12:34:53.531083 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301
    myhack01:~ robert$ tcpdump -r XN1.tdump 
    reading from file XN1.tdump, link-type EN10MB (Ethernet)
    12:31:26.037441 IP 0.0.0.0.bootpc > broadcasthost.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
    12:31:27.820821 IP 0.0.0.0.bootpc > broadcasthost.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
    12:31:30.155835 IP 0.0.0.0.bootpc > broadcasthost.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
    12:31:34.462180 IP 0.0.0.0.bootpc > broadcasthost.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
    12:31:35.472950 IP 0.0.0.0.bootpc > broadcasthost.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
    12:31:38.056275 IP 0.0.0.0.bootpc > broadcasthost.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
    12:31:42.180818 IP 0.0.0.0.bootpc > broadcasthost.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
    12:31:50.803080 IP 0.0.0.0.bootpc > broadcasthost.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
    12:31:58.925984 IP 0.0.0.0.bootpc > broadcasthost.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
    12:32:07.710977 IP 0.0.0.0.bootpc > broadcasthost.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300
    

  • LAYER 8 Global Moderator

    how about you just post that cap file up so I can view it in wireshark.. Not sure what you're trying to show here??

    Looks like some kind of wifi network involved there? openwlan?

    What does that have to do with this linux box you want to use as dns/dhcp talking to the internet or other segments?

    Looks like you get some sort of answer, but looks like it's going to the wrong place?  how about you just show IPs and not resolved names.. have no freaking idea what rjap.de is or openwlan.local - but guessing one of those is wireless?  So did you sniff on pfsense, what did it do with the answer.. Was that actually an offer? Maybe it was a NAK from your dhcp server because the client requested an invalid lease/ip?  Can not tell from the info given.. Actual pcap is much better, can see the MACs involved, the actual data in the dhcp, etc.

    Why are you moving on to dhcp.. sounds like you didn't fix your dns issue.  You just have your dns ask pfsense vs doing the query all the way through.
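    As an added example (not the moderator's or pfSense's code), here is a check that pairs each relayed Request in the XN0 dump with the server's Reply and flags a Reply whose destination is not the relay address the Request came from, plus whether any Reply reached the client segment at all. The input is a few lines copied from the dumps above, and the resolved names are taken at face value, which is exactly the ambiguity the moderator points at.

```python
import re

# One tcpdump summary line as in the thread's dumps; bootpc/bootps are the DHCP client/server ports
LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.bootp[cs] > (?P<dst>\S+)\.bootp[cs]: BOOTP/DHCP, "
    r"(?P<kind>Request|Reply)(?: from (?P<mac>[0-9a-f:]{17}))?"
)

def parse(lines):
    """Return the fields of every line that looks like a BOOTP/DHCP summary line."""
    return [m.groupdict() for m in (LINE.match(l.strip()) for l in lines) if m]

def check_relay(server_side, client_side):
    """Pair each relayed Request with the server's Reply and check where the Reply went."""
    findings = []
    pending = {}                                   # server -> last Request relayed to it
    for p in parse(server_side):
        if p["kind"] == "Request":
            pending[p["dst"]] = p
            continue
        req = pending.get(p["src"])
        if req is None:
            findings.append(f"{p['ts']}: Reply from {p['src']} with no preceding relayed Request")
        elif p["dst"] != req["src"]:
            findings.append(f"{p['ts']}: Reply for client {req['mac']} went to {p['dst']}, "
                            f"but the relay sent the Request from {req['src']}")
    if not any(p["kind"] == "Reply" for p in parse(client_side)):
        findings.append("client segment: Requests only, no Reply ever reached the client")
    return findings

# Lines copied from the XN0 (server side) and XN1 (client side) dumps in the thread
XN0_SAMPLE = [
    "12:34:10.223060 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300",
    "12:34:10.253801 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301",
    "12:34:36.636509 IP xencom002.rjap.de.bootps > xenserver01.rjap.de.bootps: BOOTP/DHCP, Request from 90:b9:31:2a:44:a9 (oui Unknown), length 302",
    "12:34:36.721868 IP xenserver01.rjap.de.bootps > xencom002-1.openwlan.local.bootps: BOOTP/DHCP, Reply, length 301",
]
XN1_SAMPLE = [
    "12:31:26.037441 IP 0.0.0.0.bootpc > broadcasthost.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300",
    "12:31:27.820821 IP 0.0.0.0.bootpc > broadcasthost.bootps: BOOTP/DHCP, Request from f0:db:f8:ab:8b:28 (oui Unknown), length 300",
]

if __name__ == "__main__":
    for finding in check_relay(XN0_SAMPLE, XN1_SAMPLE):
        print(finding)
```

    Capturing with `tcpdump -n` prints IPs instead of resolved names, so the relay and reply addresses can be compared directly rather than through two different hostnames.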



  • Hi,

    here are 2 *.pcap files

    192.168.14.1 is my DNS/DHCP Server
    192.168.14.10 is xn0 from pfSense

    192.168.1.10 is xn1 from pfsense

    xn0.pcap
    xn1.pcap

