New 2.3.3 VM - No Client DNS from Pfsense at all



  • Hi all,

    I've used pfsense 2.0/2.1 before sucessfully as virtual machines and have just come to set up a brand new 2.3.3 x64 VM on vmware but cannot get any DNS resolution from clients on it's LAN side. So wondering if either a bug in this version or more likely something I've missed.

    My networking seems okay. This VM will be for guest WIFI so is not exposed directly to the internet but is on an internal range. WAN IP is 192.168.181.180/24 with gateway as 192.168.181.1 and DNS servers set to Google's 8.8.8.8 and 8.8.4.4. The vm itself can ping out quite happily and resolve hostnames fine. The edge firewall (Cisco ASA5505) doesn't block outbound from this range currently.

    On the LAN side, DHCP is setup and handing out address and DNS/gateway info fine. Am using a 192.168.176.10-245/24 range with the LAN IP of the pfsense vm as 192.168.176.1 but no DNS resolution is happening at all. No ping <hostname>, no nslookup <hostname>using the 192.168.176.1 vm dns server. Resolution from the clients to 8.8.8.8 or 8.8.4.4 IS working fine though.

    Also worth mentioning is that the vm cannot use itself to resolve either. The clients consist of a Windows 7 vm directly on the same vmware box as the pfsense vm and another laptop on a wireless wap on the same network and both clients are behaving the same.

    I'm stumped, I'm not that familiar with BSD compared to linux but everything I can see looks okay to me. I thought I may have misconfigured something so flattened the VM and reloaded from the iso again and have exactly the same condition.

    Also tried playing with DNS resolver and disabling it and using the DNS Forwarder with reboots in between but nothing.

    Any ideas please?

    Thanks

    James</hostname></hostname>


  • LAYER 8 Global Moderator

    Resolver is going to actually resolve.. Forwarder would forward to where you tell it to forward too.

    Have you verified they are actually running when you pick which one.. Out of the box pfsense would use the resolver (unbound) and it should work out of the box..  Your saying you can not query pfsense IP for pfsense own name?



  • Hello John,

    Yes both services are running when checking from pfsense gui and I can see the ubound service running under bsd.

    Good test to try and resolve the pfsense hostname. Currently I have resolver running and the clients CAN resolve it's hostname both as fqdn and short name. nslookup works fine.

    So I guess my problem is it not passing on external lookups yet from itself it can use the google dns servers. I did a packet trace in pfsense and can definately see the clients passing dns requests to the pfsense box. I didn't see any dns requests leaving the pfsense wan interface during packet capture though.

    Most odd…..



  • I've done some more testing including changing the dns servers in pfsense to ones within the same /24 subnet as the wan interface and again the machine itself can resolve fine but clients get nothing other than the pfsense hostname itself.

    I aslso tried it with forwarding mode both on and off on the resolver options screen.



  • Aha! I suspect a bug.

    I just rebuilt the VM with PFSense 2.2.6 and switched to forwarder mode as I want the captive portal and it all works as expected!


  • LAYER 8 Global Moderator

    No there is not a bug… If your saying dns didn't work be it forwarder and or resolver then the board would be freaking lit up with people complaining..

    What we have is 1 guy that is having some problem..  which I am like 99.9999999% sure PEBKAC ;)

    Pfsense is out of the box going to resolve.. Nothing the user has to do.. If you can not then your doing something wrong or your isp is blocking dns, or your running some other package causing a problem.. You mention captive portal.. Where you testing this with captive portal on??

    Here is the very simple way to test the resolver..  So you say using the resolver your client on pfsense can query pfsense name..  But then can not resolve other stuff like www.google.com or www.pfsense.org www.cnn.com, etc.

    So then sniff on pfsense wan while you do such queries -- do you see the queries to roots and authoritative servers for the domain your looking for?  Example I will do a query for www.sometestdomain.com which pfsense will send out its wan...

    As you can see - clearly pfsense is asking for the domain out the wan and getting responses..  Do you see this traffic go out the wan to roots and walk down the tree if using resolver, or if forwarding actually forwarding??

    so your saying pfsense using dns lookup under diag works or doesn't work?  But you have some captive portal running???  And your client doesn't work??




  • Hi John,

    I understand what you are saying, but I don't think a bug can be 100% ruled out yet. It may be unique to this setup but do agree much more likely a pebkac situation.

    I did some sniffing with wireshark on 2.3.3 and I can see dns requests when the vm itself looks for a hostname but nothing coming out when a client on the lan side does. This is all without the captive portal running. Incidently I added an allow any to any for TCP/UDP on both the wan and lan just to test in case the firewall was interfering.

    I actually rebuilt my 2.3.3 again from scratch after the last batch of messing with it and simply disabled resolver and enabled forwarder exactly as I did with the 2.2.6 and exactly the same result, no client dns resolution.

    Whilst I would love to spend more time on this, I like a good puzzle to solve, I've been overruled from higher up the chain and told to just go with the 2.2.6 setup so alas cannot spend any more time on it now.

    Appreciate your help and suggestions though.

    James


  • LAYER 8 Global Moderator

    "I can see dns requests when the vm itself looks for a hostname but nothing coming out when a client on the lan side does"

    What does you client get back, does it get back nx or just a timeout?

    Are the queries actually getting to pfsense?  As to your higher up telling you to run an old version that will not even be supported soon - seems like a pretty stupid path.  Why not just call up pfsense for actual support?  Since clearly this is business related and not just a lab/home setup.

    Or I would of of been willing to remote in and take a look see even.



  • Hi,

    New pfsense user. When I moved from dhcp to fixed IP on the WAN interface my Windows 10 client get: DNS request timed out.


  • LAYER 8 Global Moderator

    well your saying it works when dhcp on wan - but nothing when static?  Points to problem with your static settings.


Log in to reply