Loss of internet on LANs after update 2.4.5_1 to 2.5.1
-
Hi All,
Just performed an update from 2.4.5_1 to 2.5.1 and after the update completed all my LANs were no longer able to reach the internet. The LANs were working internally from what I could see, ie. they were talking to pfSense but not the internet. pfSense could ping and reach the internet fine.
I was able to ping 8.8.8.8 from my main workstation which worked 100% but couldn't visit any websites.
After a Google search I found various posts with similar issues but none seemed to point directly to the issue, or at least all the suggestions were already enabled/disabled for me.
I found a suggestion about turning off Traffic Shaping on the WAN but was unable to find that exact option anywhere. However, I disabled 'Block bogon networks' within the WAN interface and now my LANs to internet traffic is being passed as it was before the update.
This can't be the issue surely, I would think that I want to block bogon traffic on the WAN address? So could this point to some other configuration issue after the upgrade?
Not sure what information is required but if screenshots or logs are required to help me diagnose issues please let me know. I've been using pfSense for about 10 years but I'm by no means an expert on pfSense.
Thanks in advance,
Alan -
@alanhjames It sounds like a DNS problem. How is your DNS configured? Forwarder or resolver?
-
What hardware are you running on?
-
The hardware is a generic box; AMD Athlon II X2 250 with 8GB RAM. Onboard NIC for WAN and a quad port Intel NIC for the LANs, 4 LANs in 192.168.xx.0/24
I'm using DNS Resolver, as far as I can remember it's the default settings with some Host and Domain Overrides.
My General DNS Resolver settings:
-
@alanhjames You have it configured in forwarding mode which means it will forward to whatever DNS server you've specified in General Settings - DNS. That's not the default since Resolver can resolve all by itself without needing a specific upstream DNS. You also have it set to register DHCP which will cause a reload of the filter and access will be temporarily affected until the reload is complete. It is usually advised to not set those two registration options.
What do you get if you run nslookup www.google.com from your workstation?
Edit: I notice you have DNSSEC enabled. Do you know for sure that the upstream DNS you're using supports it?
-
@kom Thanks!
I was using opendns.com servers in General Settings - DNS. I've unset both the settings you suggest and I've re-enabled Block bogon networks. My LANs appear to be working again with the bogon settings enabled so it looks as though you were spot on!
I believe opendns.com has DNSSEC, I'll confirm this and disable it if necessary or is it safer to turn it off anyway?
Quick question: what you've explained makes sense but wondering why the upgrade to 2.5.1 would have suddenly made these settings an issue? Have I just been lucky until now that these settings haven't caused me an issue? Just curious :-)
Thanks again,
Alan -
@alanhjames Block rfc1918 & bogons should almost always be on for WAN, always off for LAN. I have no idea why it stopped working for you after the upgrade.
-
@alanhjames check and see if your gateway is in the 169.254.x.x range. if it is, go back to 2.5.0 to fix. I hear there is a patch for 2.5.1 to fix as well, but do not know where that is.
