Two "dumb" devices, no internet access
-
I finally replaced my OLD Cisco Pix 515e with pfSense (latest version, 2.4.5) running on a PC. Netgear R7000 WiFi router, latest F/W.
Wired and wireless hosts work fine with internet - iPhones, laptops, tablet, cameras, printers, an old PlayStation.
It took a couple of months before I tried my Orbit sprinkler controller on WiFi to discover no internet access. I've tried (I think) most everything. Finally Orbit has sent me a replacement (they stated it was a known bug and assured me the replacement would resolve the problem) - I haven't yet tried to connect it.

I just got my new Roku TV (TCL 65R625). First power up, connected by ethernet to the WiFi router, it had internet, updated itself, restarted . . . and now no internet. Argggg. I AM STUCK! Clearly something in the TV update clobbered internet access through pfSense (and since I've just updated to 2.4.5_1). Change back to the Pix and the TV has internet with no other changes.
I saw a suggestion buried in the topic here "Roku TV Not Connecting Wifi with Outbound NAT Configured" (yes, I've searched prior to posting this) citing some hosts need to be provided DNS server addresses, not a local one (I had DNS Resolver enabled). I've since tried that, still no luck with the TV.
So the problem seems to now be associated with pfSense somehow. I'm learning as I go, years of tech experience and I've used many brands of firewalls. I'm NOT adept at packet sniffing and such. It got late and I was bleary-eyed, so I can't yet be definitive from the firewall logs as to what the TV is/is not doing. The Orbit would successfully perform a DNS query, then nothing. Even after disabling the DNS resolver, same thing. BTW, DNS Forwarder is NOT enabled.
I'm just not sure how to proceed next.
-
No problems with Roku devices here, though I don't have a Roku TV, just a couple different varieties of streaming sticks.
Will need a lot more info about your setup to make any suggestions. Such as what packages you have installed/configured, firewall rules on the interface where the TV lives, DNS settings, etc.
-
It's a very minimal configuration. Two interfaces, WAN to my Xfinity cable (DHCP), and LAN to the Netgear R7000 router (running in AP mode).
LAN address is static 192.168.30.1/24. Netgear router is 192.168.30.30. FW rules are default (untouched), except I forgot I had turned logging off for the default LAN "allow all" rule.
In General setup, four IPv4 DNS server addresses are provided:
1.0.0.1 cloudflare-dns.com
8.8.4.4 dns.google
1.1.1.1 cloudflare-dns.com
8.8.8.8 dns.google.com
and while I was setting up for DNS over TLS I thought I should have IPv6 filled in just in case:
2001:4860:4860::8888 and 2001:4860:4860::8844 dns.google
Do not allow DNS from WAN DHCP to override.
Lately changed for testing: "Do not use the DNS Forwarder/DNS Resolver for the firewall itself".
My connected laptop right now has only the 4 IPv4 DNS addresses; I'm not really using IPv6.

I tried creating DHCP reservations for the two devices that won't communicate with the internet:
Roku TV: its MAC of course; tried "Create a static ARP entry..." both enabled and disabled; the four IPv4 DNS addresses. Lease time 86400.
I watched the Roku TV promptly pick up the reserved address (on its network screen, in pfSense, and in the WiFi router (ethernet connected)). The TV has no place to view its other network configuration.

Services:
DNS Forwarder everything is unchecked.
I WAS using the DNS Resolver; I've since disabled it for troubleshooting. For brevity, everything in the DNS Resolver Advanced section is default except for logging, changed to level 3 (query level information) while I was trying to solve this. Access Lists is blank.

Package Manager: "there are no packages currently installed".
System/Routing/Gateways is default - "WAN_DHCP", gateway and monitor ip are my isp assigned outside ip address. Default gateway ipv4 and ipv6 are "automatic". No static routes or gateway groups.
Firewall/NAT/Outbound is only the two auto created rules (one for ipsec port 500), and of course the one for 192.168.30.0/24 * * * WAN address and * for the port.
Mode is automatic outbound NAT.

No VPN setup has been done (or attempted) at all.
Nothing has been tinkered with in Dynamic DNS - I haven't even looked there before until now, so it must be default. Only Services/Dynamic DNS/Check IP Services has an entry "Default http://checkip.dyndns.org Default Check IP Service"
Hmm, I know I've had to set up dynamic DNS quite a few times with other devices such as DVRs for customers; for that I've typically used no-ip.com and registered the device there. I don't think either of these two non-communicating devices would need dDNS, and if so it should be much more prevalent in the setup instructions.

That's about all I can think of for now.
The behavior right now after much trial and error with the TV is rather consistent. Power on, and check the networking in the menus it shows the latest ip address and default gateway it's been assigned (correct). However, internet connectivity "test" fails. It doesn't even appear as an attached device in the WiFi router.
In the TV's menus, System, I "reset the network..." and the TV restarts. Once it's fully powered up, only then does it appear connected to the router. Test internet fails. NO activity is logged in pfSense's FW log, filtered for the TV's IP address. Shortly afterwards, the TV no longer appears as connected to the router. Logging is working - change the filter to my laptop and it's full of allowed traffic (I'm using Dynamic view).

That's why I'm stuck . . . it just isn't giving me much to go on. But the TV CAN access the internet if I swap back to the old Pix firewall (and restart the cable modem). Same WiFi router connection, same overall LAN schema, the Pix is providing DHCP. The only fundamental difference I know of between the two firewall configurations is that on the Pix I was using OpenDNS - so I changed the TV's DHCP DNS assignments to that (208.67.222.222 and 208.67.220.220), no joy. The Pix is using NAT as well.
I would really like to solve this with pfSense, and it sure appears to be associated there. Although again the strange thing is, when the TV was first powered on, it DID connect to the internet with the same router configuration and connection, and the same pfSense firewall configuration (the same configuration under which the Orbit sprinkler controller wouldn't get internet connectivity either). Only after the TV downloaded and installed an update did internet connectivity begin to fail, and it has ever since with pfSense.
Weird! It's got to be . . . something!
Thanks for your reply, and for any additional help from anyone!
Things I'm going to try:
Bypassing the router and going straight through pfSense.
Try changing the router to bridge mode. Maybe in AP mode double NAT is being performed? That doesn't explain why the TV could connect initially.
Try connecting the TV straight to the cable modem (NOT a solution I want to live with!).
I have a tech support request with the TV maker, that will be days before I can expect a response. My real hope there is there's a known bug in the new update the TV obtained.
Try a different router - although I like this one!
-
I assume your TV is attempting a wireless connection to your network through the Netgear Router. You state the Netgear is in AP mode, but not bridge mode. That means, not being in bridge mode (or more likely AP-only mode), your router is providing a DHCP address and perhaps DNS servers to your TV. For routing to work, that DHCP address needs to be something different from your pfSense LAN.
If your router is in AP-only mode with bridging, then your TV should be asking pfSense for an IP address via DHCP, and pfSense needs to be handing your TV a DNS server IP to use. Have you correctly configured DHCP and DNS in your pfSense firewall?
It sounds to me that the basic issue is your TV is not able to perform DNS lookups.
pfSense comes configured out of the box to use its own internal DNS Resolver called unbound for DNS. You really don't need to change anything for DNS to work properly. I highly suggest you remove all the changes you made on the General Settings tab in regards to DNS. Leave those boxes blank or enter 127.0.0.1 so pfSense will use its internal resolver. You should configure the DHCP Server on pfSense to send LAN clients the firewall's LAN IP as the DNS server to use.

It's been said on here multiple times: DO NOT monkey with the default DNS settings of pfSense unless you are skilled in DNS administration and fully understand the difference between a forwarder and resolver and know how to configure each.
-
@bmeeks Thanks for your feedback, I'll try your suggestions! And I can narrow those down to just a couple:
DHCP is set to almost default - it hands out its own IP address as the default gateway. I didn't want to use the ISP's DNS servers, preferring to specify my own (used to be OpenDNS, now Cisco Umbrella, 208.67.222.222 and 208.67.220.220). I've since changed to Google's and Cloudflare's as they support DNS over TLS - I HAD that running fine for ALL hosts on the network - except when the Roku TV came along. It's again important to note that out of the box, the TV (wired to the WiFi router, NOT WiFi) promptly connected to the internet, downloaded and applied an "update" all on its own, restarted, and only then could not access the internet, ever since, as long as pfSense is the firewall. NO other changes! All other hosts still have internet just fine, also with no changes.

Since that time, pfSense DNS Resolver and Forwarder are disabled. I've tried letting the TV grab an IP address via DHCP from the lease pool - it does, shows the proper default gateway (no ability to show much else), cannot access the internet. Phone hotspot via WiFi: internet works. Swapping pfSense for an old Cisco Pix: internet works - with the same WiFi router connection (wired to one of its LAN ports).
I've since plugged the TV directly into the LAN port of pfSense, eliminating all other devices. It obtained a pfSense DHCP address and proper gateway . . . no internet. That entirely eliminates the WiFi router as the culprit.

I hear you about tinkering with DNS settings - although I'm rather new to pfSense, I do know DNS rather well (running many DNS servers myself in my day job, mostly Windows, plus configuring outside-facing DNS for many corporate domains).
Something has to be set correctly - again every other device has internet access no problem - ONLY the TV does not, and only when connected through pfSense.

I just tried using my phone hotspot, connected the TV via WiFi - internet works. We also know it can connect using the old PIX firewall (also a DHCP server and NAT device).
I'm running pfSense 2.4.5-RELEASE-p1
Taking your suggestion, DNS is at "default" - IIRC. General tab is blank for all DNS items, all boxes unchecked. Services/DNS Resolver is enabled, all top checkboxes unchecked. Interfaces set to ALL ALL. Only "Register DHCP leases in DNS resolver" is enabled, and "DHCP static mappings in DNS resolver" is checked. The TV does not have a DHCP reservation, it (IS) obtaining a LAN ip address from the DHCP lease pool. Currently ethernet connected.
As always, other hosts access the internet just fine. My own laptop I'm posting this message with: I renewed my pfSense DHCP address, and changed from specified DNS addresses to only the pfSense IP address (DHCP server, default gateway, and the only DNS server are all the LAN address of pfSense, 192.168.30.1).

System Logs/Firewall/Dynamic: Filter, enter my LAN address and I see lots of activity of course. Enter the TV's leased address and NOTHING appears in the firewall logs. ????? On the TV screen it verifies the same IP address and default gateway (and MAC address).
I just don't understand why this TV is unlike every other device on the LAN, wired or wireless, that it just won't seemingly attempt internet access but will show up as reaching the firewall.
The same TV, connected either through the exact same wired connection to a different firewall, or wirelessly through a phone hotspot, can promptly access the internet. The problem points squarely at pfSense then.
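The firewall-log check described in the posts above (filtering Status > System Logs > Firewall by the TV's address, and finding nothing) can be scripted against the raw filterlog lines pfSense 2.4 writes for firewall events (shown in raw form in the GUI, or with clog on /var/log/filter.log). The following is an added example, not part of the thread and not pfSense code: it parses the pfSense 2.4 filterlog CSV field layout for IPv4 and summarises, per source host, which DNS servers were queried, whether anything other than DNS/DHCP was attempted, and what was blocked. The sample lines are constructed for illustration; apart from 192.168.30.1 (the LAN address in the thread) every address is made up. The verdict for an empty result states the caveat a practitioner needs: a pass rule only logs when logging is enabled on it, so "nothing in the log" cannot by itself distinguish a silent host from an unlogged pass rule; a packet capture on the LAN interface (Diagnostics > Packet Capture) can.

```python
"""Triage one LAN host's activity from pfSense 2.4 filterlog lines.

Added example, not pfSense code. Field layout (IPv4, TCP/UDP) is:
rule,subrule,anchor,tracker,iface,reason,action,dir,ipver,
tos,ecn,ttl,id,offset,flags,proto-id,proto,len,src,dst,
sport,dport,datalen[,tcpflags,...]."""
import re
from collections import Counter

# Constructed sample (not real log data). 192.168.30.1 is the firewall LAN
# address from the thread; the client addresses are assumptions. Whether
# DHCP hits appear at all depends on the matched rule having logging on.
SAMPLE_LOG = """\
Jun 10 20:00:01 pfSense filterlog: 5,,,1000000103,em1,match,pass,in,4,0x0,,64,1,0,DF,17,udp,60,192.168.30.40,192.168.30.1,51234,53,40
Jun 10 20:00:01 pfSense filterlog: 5,,,1000000103,em1,match,pass,in,4,0x0,,64,2,0,DF,6,tcp,60,192.168.30.40,93.184.216.34,40001,443,0,S,1,,65535,,mss
Jun 10 20:00:02 pfSense filterlog: 5,,,1000000103,em1,match,pass,in,4,0x0,,64,3,0,DF,17,udp,328,192.168.30.50,255.255.255.255,68,67,308
Jun 10 20:00:03 pfSense filterlog: 5,,,1000000103,em1,match,pass,in,4,0x0,,64,4,0,DF,17,udp,60,192.168.30.50,192.168.30.1,49152,53,40
Jun 10 20:00:04 pfSense filterlog: 9,,,1000000105,em1,match,block,in,4,0x0,,64,5,0,DF,6,tcp,60,192.168.30.60,203.0.113.9,40002,443,0,S,1,,65535,,mss
Jun 10 20:00:05 pfSense dhcpd: DHCPACK on 192.168.30.50 to 00:11:22:33:44:55 via em1
"""

LINE_RE = re.compile(r"filterlog: (?P<csv>.*)$")


def parse_line(line):
    """Return the fields of interest from one filterlog line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None                      # dhcpd, unbound, etc. are not filterlog
    f = m.group("csv").split(",")
    if len(f) < 20 or f[8] != "4":       # only the IPv4 layout is handled here
        return None
    rec = {"tracker": f[3], "iface": f[4], "action": f[6], "dir": f[7],
           "proto": f[16], "src": f[18], "dst": f[19]}
    if rec["proto"] in ("tcp", "udp") and len(f) >= 22:
        rec["sport"], rec["dport"] = int(f[20]), int(f[21])
    return rec


def summarize_host(log_text, host):
    """Bucket a host's logged packets: DNS servers, DHCP, blocked, other."""
    s = {"lines": 0, "pass": 0, "block": 0, "dhcp": 0,
         "dns_servers": Counter(), "other": Counter(), "blocked": Counter()}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] != host:
            continue
        s["lines"] += 1
        s[rec["action"]] = s.get(rec["action"], 0) + 1
        key = (rec["proto"], rec["dst"], rec.get("dport"))
        if rec["action"] != "pass":
            s["blocked"][key] += 1
        elif rec["proto"] == "udp" and rec.get("dport") == 53:
            s["dns_servers"][rec["dst"]] += 1
        elif rec["proto"] == "udp" and rec.get("dport") == 67:
            s["dhcp"] += 1
        else:
            s["other"][key] += 1
    return s


def verdict(s):
    """Plain-language reading of a summary, including the empty-log caveat."""
    if s["lines"] == 0:
        return ("no log lines for host: it either sent nothing past the LAN "
                "interface, or the pass rule it matched has logging turned off "
                "(pass rules do not log unless enabled); confirm with a packet "
                "capture on the LAN interface")
    if s["blocked"]:
        return "traffic from host is being blocked: " + ", ".join(
            "%s to %s:%s" % k for k in s["blocked"])
    if not s["dns_servers"] and not s["other"]:
        return "only DHCP seen: host never tried DNS or any other destination"
    if s["dns_servers"] and not s["other"]:
        return ("DNS queries sent but no follow-up connections: check that the "
                "resolver at " + ", ".join(s["dns_servers"]) + " actually answers")
    return "host is sending DNS and other traffic; nothing unusual in the filter log"


if __name__ == "__main__":
    for host in ("192.168.30.40", "192.168.30.50", "192.168.30.60", "192.168.30.70"):
        print(host, "->", verdict(summarize_host(SAMPLE_LOG, host)))
```

The "DNS queries sent but no follow-up connections" pattern is the one the Orbit controller showed in the first post; the "no log lines" outcome is what the TV shows, and it is the one this script cannot explain on its own.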