Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    DNS Not Working With Phone As Peer

    Scheduled Pinned Locked Moved WireGuard
    10 Posts 5 Posters 1.9k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      dma_pf
      last edited by

      I can't seem to get my Android phone configured correctly. I can verify that my setup successfully establishes a handshake with the router's tunnel but it will not resolve any address, whether in a local subnet or out in the internet. I am using unbound as a resolver for dns queries. Here is a picture of the Wireguard Status that clearly shows that the tunnel is up and the Peer is connected:

      Screenshot 2021-08-13 at 15-51-43 Gateway debtassociates com - Status WireGuard.png

      The phone is pointing to 192.168.163.1 for DNS which is the pfsense router. The 192.168.163.1/24 is the LAN network.

      Here are the rules on the DMA_Remote interface:

      602042aa-656b-4825-9da3-f833d3d7a667-image.png

      I can see from the firewall logs that the phone is making the DNS requests to 192.168.163.1 :

      21cd1f93-4943-4681-b914-5998e424a4d1-image.png

      but when I do a packet capture it shows that the router is refusing the request:

      PCAP.jpg

      I've been trying to figure this out for a few days and have run out of ideas and am stumped. Hopefully someone has some insight to share with me. It'll be greatly appreciated!

      G 1 Reply Last reply Reply Quote 0
      • G
        GenericStudent @dma_pf
        last edited by

        @dma_pf are you NATing the dns queries? Is unbound listening on the wireguard interface?

        I have unbound working by having it also sat on my wg interface for mobiles accessing in and dont need any routing between subnets etc

        D 1 Reply Last reply Reply Quote 0
        • D
          dma_pf @GenericStudent
          last edited by

          @genericstudent Thanks for chiming in here to help me. I do have have an outbound NAT rule to the LAN. It looks like this:

          379d6b68-aff5-4aad-873c-6dae709165f9-image.png

          And I do have "ALL" selected in Resolver's settings:

          328556fe-9200-44e1-8b1f-3910abcdf767-image.png

          I am sure the issue is a DNS issue as I have no trouble pinging addresses out out on the internet if I use an IP Address through the Wireguard tunnel. And I can navigate to those sites in a browser as well if I use the IP address.

          But everything fails when I use a FQDN to ping or surf through a browser. I have Termux installed on the phone and when I try, $dig AnyFQDN, I always get the result that says "Warning: Recursion requested but not available" and it indicates that the DNS Server is 8.8.8.8#53.

          I can confirm that my android phone the Settings/Network & Internet/Advanced/Private DNS is set to "Off". I can also confirm that in the Wireguard app all applications are routed through the Wireguard tunnel and none are Excluded.

          bingo600B 1 Reply Last reply Reply Quote 0
          • bingo600B
            bingo600 @dma_pf
            last edited by

            @dma_pf

            Unbound is rather picky , and won't answer requests from "Unknown ip addresses" ... Aka. Typically IP's not belonging to a "known interface range".

            So when creating a "dial-in/vpn pool" it is not known , and have to be specifically allowed in the Unbound ACL section.

            95724fa0-ba6e-4ea3-9d93-7dcae01f73e1-image.png

            Here i'm allowing my OpenVPN ranges , in the first ACL.

            /Bingo

            If you find my answer useful - Please give the post a šŸ‘ - "thumbs up"

            pfSense+ 23.05.1 (ZFS)

            QOTOM-Q355G4 Quad Lan.
            CPUĀ  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
            LANĀ  : 4 x Intel 211, DiskĀ  : 240G SAMSUNG MZ7L3240HCHQ SSD

            D 1 Reply Last reply Reply Quote 2
            • D
              dma_pf @bingo600
              last edited by dma_pf

              @bingo600 @GenericStudent

              Thanks to both of you for all of your help. I spent several hours this morning working on this issue and finally got it resolved. It was a combination of 3 different issues that resolved it.

              Before I get to the solution I want to clarify that the setup I have is using a dedicated assigned interface with a gateway assigned to it for the remote access tunnel. Like this:

              496c0552-b686-48e8-a473-ed95c64c0ead-image.png

              181b3442-cdf2-4a90-b875-77cbdcbb8e3a-image.png

              I found that first issue I had was the NAT Rule I posted above was not needed:
              a5d6906c-2253-4acc-9819-437e134e3175-image.png

              The second issue I had was the NAT Rule I posted above was also not needed:
              d47715d8-e06f-4300-bef7-254f91def188-image.png
              The reason it is not needed is because the 10.0.9.0 network is already know to pfsense through the assignment of that network to the wireguard interface and gateway. If there was no local pfsense interface assigned to that wireguard tunnel then the NAT rule would have been required.

              The third issue was exactly what @bingo600 pointed out. I did need to create a rule to allow the 10.0.9.0 network to assess the DNS resolver like this:

              62e2c01a-58db-42f3-b0a0-7414fceaa19d-image.png

              I am very perplexed as to why that allow rule had to be created. The setting I posted above, d707a8d1-46f5-481e-8b49-caf358dfdbb1-image.png
              should have allowed the DNS queries as the 10.0.9.0 network is a local pfsense network. The pfsense cleary indicates that by selecting "All" there should not need an allow rule. Per the pfsense documentation:

              ab33f227-2fc2-4c90-a98e-9f56e85c129e-image.png

              5ac51888-b59e-4150-8021-6bd37b34c152-image.png

              I'm obviously misunderstanding something about why that access rule is required. If you can help me understand that better I'd greatly appreciate it.

              Thank you guys for all of your help. I've been trying to figure this issue out for several weeks and your input got me pointed in the right direction to get it resolved. šŸ˜€

              bingo600B P 2 Replies Last reply Reply Quote 0
              • bingo600B
                bingo600 @dma_pf
                last edited by bingo600

                @dma_pf

                My guess would be that it might only be "physical" IF's that Unbound automatically sees (includes). Not Tunnel or other Non-Physical's.

                And no worries ... I learned unbound ACL's "The hard way too" (Thanx @johnpoz ) 😊

                A typical giveaway for "Unbound is upset" , is that the query is actively rejected , not just ignored/missed.

                /Bingo

                If you find my answer useful - Please give the post a šŸ‘ - "thumbs up"

                pfSense+ 23.05.1 (ZFS)

                QOTOM-Q355G4 Quad Lan.
                CPUĀ  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
                LANĀ  : 4 x Intel 211, DiskĀ  : 240G SAMSUNG MZ7L3240HCHQ SSD

                johnpozJ D 2 Replies Last reply Reply Quote 1
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator @bingo600
                  last edited by johnpoz

                  @bingo600 said in DNS Not Working With Phone As Peer:

                  Not Tunnel or other Non-Physical's.

                  Exactly.. That might be helpful if it did do tunnel networks, many users seem to run into this issue.

                  I am not really a fan of auto such rules, which doesn't allow me to see exactly what has access to what.. So I always have auto rules disabled when ever I can.. I just create my own acls - so I know exactly the details of what has access and to what exactly, etc.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  1 Reply Last reply Reply Quote 2
                  • D
                    dma_pf @bingo600
                    last edited by

                    @bingo600 @johnpoz

                    Thanks for enlightening me on the tunnel/Non-physical. Seems to me that there are two issues which could be better addresses by the programmers of pfsense if in fact tunnels are not allowed by default in the acl..

                    The first, is they could clarify the distinction in the documentation and more clearly state that a tunnel is not automatically put on the acl as allowed.

                    And secondly they should not have those tunnels show up in the "Interfaces" check box in the resolver settings.

                    That would have saved me a whole lot of hours chasing my tail.

                    I'm still a little bit confused. Previously I was routing my remotes through OpenVpn. In that case I did not need to create an acl rule for them. The OpenVPN tunnels did work through the check box in the resolver settings. Is it possible that there just might be a bug in the programming to recognize the wireguard tunnel as opposed to being able to distinguish the OpenVPN tunnel?

                    bingo600B 1 Reply Last reply Reply Quote 1
                    • bingo600B
                      bingo600 @dma_pf
                      last edited by

                      @dma_pf said in DNS Not Working With Phone As Peer:

                      @bingo600 @johnpoz

                      And secondly they should not have those tunnels show up in the "Interfaces" check box in the resolver settings.

                      It's a bit of time since i fiddled w. interfaces in unbound , but the IF selection box , could also tell unbound what interfaces to listen for DNS queries on.

                      If that is the case you would like to be able to select the WG tunnel IF there, AKA. All IF's should be selectable there.

                      /Bingo

                      If you find my answer useful - Please give the post a šŸ‘ - "thumbs up"

                      pfSense+ 23.05.1 (ZFS)

                      QOTOM-Q355G4 Quad Lan.
                      CPUĀ  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
                      LANĀ  : 4 x Intel 211, DiskĀ  : 240G SAMSUNG MZ7L3240HCHQ SSD

                      1 Reply Last reply Reply Quote 0
                      • D dma_pf referenced this topic on
                      • D dma_pf referenced this topic on
                      • P
                        pfguy2018 @dma_pf
                        last edited by

                        @dma_pf said in DNS Not Working With Phone As Peer:

                        @bingo600 @GenericStudent

                        Thanks to both of you for all of your help. I spent several hours this morning working on this issue and finally got it resolved. It was a combination of 3 different issues that resolved it.

                        Before I get to the solution I want to clarify that the setup I have is using a dedicated assigned interface with a gateway assigned to it for the remote access tunnel. Like this:

                        496c0552-b686-48e8-a473-ed95c64c0ead-image.png

                        181b3442-cdf2-4a90-b875-77cbdcbb8e3a-image.png

                        I found that first issue I had was the NAT Rule I posted above was not needed:
                        a5d6906c-2253-4acc-9819-437e134e3175-image.png

                        The second issue I had was the NAT Rule I posted above was also not needed:
                        d47715d8-e06f-4300-bef7-254f91def188-image.png
                        The reason it is not needed is because the 10.0.9.0 network is already know to pfsense through the assignment of that network to the wireguard interface and gateway. If there was no local pfsense interface assigned to that wireguard tunnel then the NAT rule would have been required.

                        The third issue was exactly what @bingo600 pointed out. I did need to create a rule to allow the 10.0.9.0 network to assess the DNS resolver like this:

                        62e2c01a-58db-42f3-b0a0-7414fceaa19d-image.png

                        I am very perplexed as to why that allow rule had to be created. The setting I posted above, d707a8d1-46f5-481e-8b49-caf358dfdbb1-image.png
                        should have allowed the DNS queries as the 10.0.9.0 network is a local pfsense network. The pfsense cleary indicates that by selecting "All" there should not need an allow rule. Per the pfsense documentation:

                        ab33f227-2fc2-4c90-a98e-9f56e85c129e-image.png

                        5ac51888-b59e-4150-8021-6bd37b34c152-image.png

                        I'm obviously misunderstanding something about why that access rule is required. If you can help me understand that better I'd greatly appreciate it.

                        Thank you guys for all of your help. I've been trying to figure this issue out for several weeks and your input got me pointed in the right direction to get it resolved. šŸ˜€

                        Thank you so much for this post. I was experiencing exactly the same issue and you helped to fix it!

                        1 Reply Last reply Reply Quote 0
                        • D dma_pf referenced this topic on
                        • D dma_pf referenced this topic on
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.