Netgate Discussion Forum

    [SOLVED] No DNS response from WAN to OPT2 interface

    Firewalling
    dhcp static ip dns ping arp
      MrSaladDressing2
      last edited by MrSaladDressing2

      Traffic from internal LAN and OPT1 flows out to the Internet and back without problems. Traffic to Internet from LAN and OPT1 works. Traffic between LAN and OPT1 works. Traffic between LAN and OPT2 works. It seems DNS responses received on WAN are not returned to OPT2. pfSense firewall logs show DNS responses going out of OPT2 but packet captures show responses are not coming into OPT2. No other traffic for Internet proceeds because DNS fails. I appreciate any help. I did not attach packet captures for the external WAN but they are consistent with the information above.

      WAN is public IP assigned by ISP
      LAN - 192.168.0.1/24
      OPT1 - 192.168.20.1/24
      OPT2 - 192.168.30.1/24
      NAT set to pfSense default
      Routing tables look normal
      no floating rules

      Screen Shot 2019-11-04 at 9.12.59 PM.png

        akuma1x
        last edited by

        What interface is your screenshot from? You cut off the top part, so it’s not clear which one (LAN or an OPT port) we’re looking at.

        Jeff

          MrSaladDressing2
          last edited by

          My screenshot is for the OPT2 interface titled OPT2IOT_GUEST. I did not want all interfaces listed in the screenshot so I did not include the list.

            chpalmer
            last edited by chpalmer

            If you turn on your test rule does it work?

I would make each "source" the OPT interface. It may not make a difference, but it's what I would do.

            Destination of the allowed DNS rule should be interface address. I.E. "OPT2IOT_GUEST address".

            Triggering snowflakes one by one..
            Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

              MrSaladDressing2
              last edited by MrSaladDressing2

No change with the allow-all test rule enabled and the DNS rule destination changed from OPT2IOT_GUESTnet to OPT2IOT_GUESTaddress. I then reset all states and captured the packets below. I am at a loss. It seems like routes or NAT are incorrect, but I cannot find anything wrong there either, and everything works on the other interfaces as expected. Thanks again for any suggestions.

              Rules on OPT2
              Screen Shot 2019-11-05 at 9.35.59 PM.png

              Packet Capture only DNS out (disregarding DHCP) - no responses allowed back to OPT2
              Screen Shot 2019-11-05 at 9.44.10 PM.png

              NAT
              Screen Shot 2019-11-05 at 9.47.38 PM.png

              Routes with public IPs removed
              Screen Shot 2019-11-05 at 9.48.21 PM.jpg

                MrSaladDressing2
                last edited by MrSaladDressing2

                SOLVED - I figured out my problem. It was caused by this setting below (Static ARP under the DHCP Server configuration for the interface), which I had enabled on the interface because I interpreted it incorrectly. It essentially took precedence over any and all allow rules configured for the OPT2 interface, and prevented any host without a statically assigned DHCP address from communicating with the interface even though the host received the dynamic DHCP assignment from the OPT2 interface. I hope this saves other folks time and headache.

                Screen Shot 2019-11-06 at 9.46.34 PM.png

As explained in docs.netgate[.]com:
Screen Shot 2019-11-06 at 10.40.04 PM.png

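The symptom in this thread (queries arrive, the firewall logs the replies as passed, but nothing ever leaves the OPT interface) is what a FreeBSD interface with the staticarp flag set looks like from the outside: the firewall still answers ARP requests for its own address, so clients can reach it, but it never sends ARP requests itself, so it cannot deliver frames to any host that lacks a permanent ARP entry. The following POSIX shell check is an added example and is not code from the thread or from Netgate; it parses the FreeBSD-style `ifconfig` and `arp -an` output formats and reports which client addresses the firewall cannot reach. The interface name em2, the MAC addresses and the sample command output embedded below are constructed for illustration; on a real pfSense box you would feed it the output of `ifconfig <if>` and `arp -an -i <if>` instead.

```shell
#!/bin/sh
# Diagnose the "Static ARP" failure mode: under the FreeBSD staticarp flag,
# only hosts with a permanent ARP entry (i.e. a static DHCP mapping) can be
# reached by the firewall; dynamically leased hosts get no entry at all.

# Constructed sample output (not captured from the original poster's system).
# 0x88843 = the usual UP/BROADCAST/RUNNING/SIMPLEX/MULTICAST flags | IFF_STATICARP.
SAMPLE_IFCONFIG_STATIC='em2: flags=88843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,STATICARP> metric 0 mtu 1500
	inet 192.168.30.1 netmask 0xffffff00 broadcast 192.168.30.255'
SAMPLE_IFCONFIG_NORMAL='em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.168.30.1 netmask 0xffffff00 broadcast 192.168.30.255'
# Constructed `arp -an` lines: one static mapping, one dynamically learned host.
SAMPLE_ARP='? (192.168.30.10) at 00:11:22:33:44:55 on em2 permanent [ethernet]
? (192.168.30.50) at 00:11:22:33:44:66 on em2 expires in 1150 seconds [ethernet]'

# staticarp_enabled IFCONFIG_OUTPUT -> exit 0 if the STATICARP flag is set.
staticarp_enabled() {
    printf '%s\n' "$1" | grep -q 'flags=[0-9a-f]*<[^>]*STATICARP'
}

# arp_entry_kind ARP_OUTPUT IP -> prints permanent | dynamic | none.
arp_entry_kind() {
    line=$(printf '%s\n' "$1" | grep -F "($2) " || true)
    case "$line" in
        '')               echo none ;;
        *' permanent '*)  echo permanent ;;
        *)                echo dynamic ;;
    esac
}

# reachable IFCONFIG_OUTPUT ARP_OUTPUT IP -> exit 0 if the firewall can put a
# frame on the wire for IP. With staticarp set the kernel never sends ARP
# requests, so only a permanent entry counts; otherwise ARP resolves on demand.
reachable() {
    if staticarp_enabled "$1"; then
        [ "$(arp_entry_kind "$2" "$3")" = permanent ]
    else
        return 0
    fi
}

# unreachable_clients IFCONFIG_OUTPUT ARP_OUTPUT IP... -> prints the IPs
# (space separated) that the firewall cannot deliver replies to.
unreachable_clients() {
    ifc=$1; arp=$2; shift 2
    out=""
    for ip in "$@"; do
        if ! reachable "$ifc" "$arp" "$ip"; then
            out="${out:+$out }$ip"
        fi
    done
    printf '%s\n' "$out"
}

# Stand-alone demo: 192.168.30.50 (dynamic lease) and 192.168.30.99 (no entry)
# are cut off while staticarp is on, and fine once it is off.
for cfg in STATIC NORMAL; do
    eval "ifc=\$SAMPLE_IFCONFIG_$cfg"
    bad=$(unreachable_clients "$ifc" "$SAMPLE_ARP" 192.168.30.10 192.168.30.50 192.168.30.99)
    printf '%s: unreachable clients: [%s]\n' "$cfg" "$bad"
done
```

The fix the original poster found maps directly onto this: disabling "Static ARP entries" in the DHCP server settings clears the interface flag, so the `unreachable_clients` list becomes empty without any change to firewall rules, NAT or routes. The rules never had a chance to matter, because the drop happens at layer 2, after the packet filter has already logged the reply as passed.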
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.