Clients cannot reach DNS
Hello! I am testing pfsense 2.3.2 inside virtualbox, here's my setup:
HOST ip: 192.168.3.57 (windows). I have internet.
DNS: 192.168.100.5. This is a windows server dns, that redirects to public dns servers when needed.
First network card of pfsense (WAN): 192.168.3.31. This is setup as "bridge" on virtualbox
Second network card (LAN): 192.168.0.1. This is setup as "internal network" on virtualbox
I setup dhcp on pfsense to deliver 192.168.0.10-20 to clients.
I put 192.168.100.5 in System->General, with 192.168.3.1 as gateway.
From the pfsense console, i can ping 192.168.100.5 fine. Traceroute indeed shows it is being reached from the 192.168.3.1 gateway
Dns resolver is enabled, i didn't change anything in there.
I also enabled captive portal.
I boot up a windows xp sample client, and indeed it gets 192.168.0.10 as ip and 192.168.0.1 as gateway/dhcp/dns.
However, when visiting www.somepage.com from the client, i don't get redirected to the portal. After much testing, if i put http://ipaddress then i get the portal page.
I can't ping 192.168.100.5 from the client (i shouldn't), but if i type "nslookup" then it tries to use the 192.168.100.5 server, even if ipconfig shows 192.168.0.1!
Doing "nslookup - 192.168.0.1" to force the dns server to that one, then i get the error that www.somepage.com cannot be found.
Doing "nslookup" from the pfsense console results in:
SERVFAIL from 127.0.0.1, trying next server
192.168.100.5 responds with the correct ip.
What am i doing wrong?
are you using the forwarder? There seems to be some issue with dnsmasq using a local conf file that sets lookups to only the local network..
Do you have a dnsmasq.conf in usr/local/etc ?
This is a new install so i was using DNS Resolver as default. I searched the forums and saw some issue with DNS Forwarder, so i deleted that file you mentioned and tried to switch to DNS Forwarder, and still the same thing happens…
I tried to increase log verbosity from 1 to 5, but i don't see anything.
I don't know what to do.
Something weird is going on, and i think it isn't pfsense related.
The client machine has 192.168.0.1 as a dns server, however when i type nslookup then 192.168.100.5 (our company dns) answers.
I couldn't ping that ip yesterday, now i can, and that's why dns is now working.
If i type nslookup - 192.168.0.1, then i can query it as well and works.
Why i am getting redirected somehow to my company dns? I thought pfsense was going to consult the company dns itself and then reply the client, not delegate to it from start.
if your putting dns in general and using the resolver that is never going to be used, etc. What did you put in the dhcp scope?
If your clients are all members of AD, then they should use AD for dns. AD would then use roots to lookup stuff its not authoritative for, or forward somewhere that you setup in the AD dns.
Are you clients members of active directory? If so then you should really just leverage your AD for dhcp and dns.
I installed squid and squidguard and rebooted pfsense (because somehow the GUI won't start a blacklist download and saw in the forum that i have to reboot), and now the client can't ping the AD dns or pfsense's WAN, just like yesterday.
I haven't touch anything else. Perhaps i will reboot the client just to see if it works again.
Since i am working in a full virtualized environment (radius server-pfsense server-client) i used pfsense as dhcp and inside pfsense configured my AD dns, but as i said i am having trouble reaching the AD dns. Definitely a routing issue, but don't know what's causing it
Can you draw up your network. I use pfsense virtual, and have both virtual machines and real physical machines on different networks and different vlans running on top of 1 specific physical nic on the esxi host that goes to a vmnic in pfsense, etc. etc
Internal routing between networks connected to pfsense would just work there is nothing you need to do special. So all your different networks use pfsense as their gateway or do you have downstream routers?
"Second network card (LAN): 192.168.0.1. This is setup as "internal network" on virtualbox"
So where is this 192.168.100 network?
Each branch has a 192.168.x.0/24 network.
On our main branch, each floor has the same.
All of our servers are on the 192.168.100.0/24 subnet
In my case, my floor is on 192.168.3.0. Gateway is 192.168.3.1. If i connect a pc, it will get an ip on this network range.
If i ping 192.168.100.5, our layer 3 switch knows how to route from the 3.0/24 segment to the 100.0 one.
These ip get internet by logging to our main firewall, but in this case i setup the WAN ip of pfsense to get internet without login.
So, WAN ip is 192.168.3.22 on the first virtualbox network card. On the second, it is 192.168.0.1, and pfsense's dhcp has a pool of 10 ip addresses in this range. So the client PC gets ip 192.168.0.10 with 192.168.0.1 as its dhcp/dns/gateway.
So far so good. On pfsense i set up 192.168.100.5 as its DNS and i test it from the command line and it works.
So i assume that 192.168.0.1 (pfsense lan ip address) will return dns names to the client pc, but somehow doesn't and redirects the client pc to the 192.168.100.5 dns server that the client can't reach.
So there are two questions:
1.-If pfsense has 2 ip, one on the 3.0 segment and one in the 0.0 segment. It should be able to route without issues. This worked only this morning, but after installing squid/squidguard and rebooted it stopped working.
2.-Why is my client trying to use 192.168.100.5 as its direct dns, when ipconfig /all shows 192.168.0.1 as its dns? Yesterday i disabled dns resolver and turned on dns forwarder, and deleted the /usr/local/etc/dnsmasq.conf file since there is a reported bug on pfsense 2.3.2
Note that i created a gateway in pfsense, on the WAN interface. On the static ipv4 configuration in the WAN interface, i created a gateway with 192.168.3.1 as its ip address, but i don't truly understand if i should have done so, since that ip is already setup as the WAN interface's gateway when i setup pfsense from the command line. But the only reason i did it, it's because on the interface menu the GUI tells me to create one on the WAN interface and choose NONE in the LAN interface.
I have an answer for question #2. There was a group policy on my client that forced DNS to 192.168.100.5, even if dhcp set it up to 192.168.0.1. My bad, this solves my issue, since i don't need the answer for question #1 (although i am still curious)
Out of the box pfsense will not only route, it would NAT. Which if your using pfsense internally on a rfc1918 network you more than likely do not want to nat. But then again if pfsense net is not on a transit network you would have to nat or you going to run into asymmetrical routing problems. So is this 192.168.3 a transit network or are their hosts on it?
To routing, just like any router really if it has a interface in that network it already knows how to route. You only need to add routes to network that are downstream/upstream of your connected networks. For example pfsense knows about 192.168.3/24 and 192.168.0/24 network but how does it get to 192.168.100 - well it talks to its default gateway which is at 192.168.3.1 which is fine. But if you do not nat and you up sending traffic to 192.168.3.1 from 192.168.0.100 say how does the router 192.168.3 know how to get back to the 192.168.0 ?? If your natting it will never see 192.168.0 from pfsense because pfsense will nat all the IPs behind to its 192.168.3 address.
You for sure would not want to do this if the machines behind pfsense are members of your domain, etc.
The 192.168.0.0/24 network only exists in this virtual scenario because captive portal basically demanded me to create a network in the end.
As i said, the 192.168.3.0/24 network exists and all machines on this floor have ip in this range, and they get internet from our main firewall. So i am using that network as WAN for the virtual environment (remember this is a simulation, in real life that network is actually the LAN)
So if/when i deploy pfsense to one of our branches, the WAN interface would actually be the DHCP ip that our ISP ADSL modem provides, and the lan interface would be 192.168.110.0/24 or 192.168.108.0/24 (which are the LAN networks of two branches we plan to use this for at the beginning)
As i said, the 192.168.100.0/24 network is the segment where all servers on our main branch are. Every router at every branch has a route defined to reach from each branch's LAN to it. I am positively sure i was able to ping from the virtual client 192.168.0.10 to the AD dns server but haven't being able to do that anymore. What should happen is the following:
Client pc 192.168.0.10 wants to reach AD DNS 192.168.100.5
Client pc 192.168.0.10 has gateway 192.168.0.1
Pfsense has wan 192.168.3.22 and lan 192.168.0.1
WAN gateway is 192.168.3.1 and can reach 192.168.100.5
Since both networks 192.168.3.0/24 and 192.168.100.0/24 are foreign to the client PC, my guess is that since captive portal is on, i can't reach them. Maybe after i log in to the captive portal? Radius server is 192.168.3.31 and since pfsense has an ip in that segment maybe it should know it's an internal network and not some random internet network (besides being a private network address)
If i am going to use pfsense on one of our branches, it must be able to work in this scenario:
Pfsense will be installed in a server that runs windows 2012 r2 therefore it will be virtualized in virtualbox. We don't have spare computers sadly.
Server will have two network cards, one for the ISP's IP address and the other for the LAN like 192.168.110.0/24 network
PFsense LAN ip would be 192.168.110.2 (leaving 110.1 to the router's LAN interface gateway)
PFsense WAN maybe is setup as a NAT card so it will have by default 10.0.2.15
The cisco router in each branch is 192.168.x.10 and it acts as the default gateway and works as the DHCP server as well
All dns requests are sent by the router to the 192.168.100.5 AD DNS server
All unknown traffic is sent to the router as well.
PFsent WON'T be a DHCP server
To me, this scenario is quite similar to the one i am currently testing. If i disable dhcp on pfsense, and assign the ip manually to my client (to simulate it being delivered an ip by the router) it should be the same configuration.
captive portal - yeah your going to have to auth if you want to get out. Or setup a bypass.. Why do you have CP enabled? And again are you natting or not?? Out of the box you nat, but if your using pfsense internally as a downstream router your most likely not going to want to do nat.
Short answer: after logging in in captive portal, i could reach the AD dns and also the 3.0 network. I failed to realize that in the morning that it worked , it was because i was logged in :)
Since in my real life scenario, the gateway of the client machines is the router and not the firewall/pfsense i shouldn't have issues when deploying. This means we can consider this topic closed.
Now, to answer your questions, I am using CP because not every user has internet privileges, and some of them have different privileges than others. Also, we want to know how many users are actually browsing at a specific time, and want to know who is browsing where and consuming x bandwidth. Since i want to use our current Active Directory users, i configured CP to use RADIUS as authentication, and found some tutorial to allow all users in my virtualized domain.
Basically we want to use pfsense as a replacement for some watchguard firewall devices that are EOL'ed and won't receive updates anymore even if we pay for them.
I am not sure how to answer your nat question. Basically we want to firewall our users and restrict/control browsing. The firewall doesn't provide DNS or DHCP. We have 1 ip address for internet and 10-20 individual users in each branch. For what i understand, computers with just one network card and private addresses and want internet, that's NAT so my answer is yes.
My next question will be about firewall rules, user groups and categorization with squidguard, as i want to be able to create firewall rules that apply to user groups in Active Directory, but those fail outside of this subforum. I'm thankful for your time and answers.
Yes when going from rfc1918 space to public space you have to nat. This is a given!! But your pfsense wan is 192.168.3 this is some network inside your network.. And then its lan is 192.168.0 there would be only some special specific scenarios where you might want/need to this 192.168.3 network which is what pfsense is going to do out of the box.
If your going to use pfsense as a downstream router in your network there is rarely a point to natting inside your network. Yes at your internet connection your going to want to nat to what your public is. And this device will need to know how to talk to pfsense lan network, and nat its 192.168.0 network etc..