Netgate Discussion Forum
    Unable to get OPT1 to work

Brett 1

      Sorry I forgot to reply. I restored the device, set up interfaces in the terminal, and changed the firewall rules. All interfaces are working.

Gertjan @a-networking-noob

        @a-networking-noob said in Unable to get OPT1 to work:

        connect to the WiFi (on OPT1)

        There is another device between your phone and pfSense : the access point .....

        Also : can you connect to 192.168.49.1 and see the login page of pfSense ?

        DNS works on your phone ?
        Does it use "192.168.49.1" = the resolver, or something else ?

        Can you wire up (using the cable) a device to OPT1, and then check ?

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

a-networking-noob @gfvalvo

          @gfvalvo said in Unable to get OPT1 to work:

          Not sure if it's the same issue(s) folks in this thread are having, but I just resolved my own "OPT1 Problem". See: This Thread

          Seems you lucked out! I tried the DNS trick you used but didn't solve my issue. :/

          Thanks anyway...

a-networking-noob @Gertjan

            @Gertjan said in Unable to get OPT1 to work:

            @a-networking-noob said in Unable to get OPT1 to work:

            connect to the WiFi (on OPT1)

            There is another device between your phone and pfSense : the access point .....

            Also : can you connect to 192.168.49.1 and see the login page of pfSense ?

            No - I only have one extra firewall rule set up for OPT1 to block access to pfSense

[image: screenshot of the OPT1 firewall rule]

            But even after disabling that rule, I still can't connect to the WiFi on OPT1.

            DNS works on your phone ?
            Does it use "192.168.49.1" = the resolver, or something else ?

            Yes. The IP address my phone gets is in the pool range I set, and the DNS is 192.168.49.1 which matches what is shown on pfSense DNS resolver.

            I've tried it with a 2nd phone and got the exact same result - can connect to the WiFi but no internet access.

            Can you wire up (using the cable) a device to OPT1, and then check ?

            Connecting my laptop to my OPT1, either by direct cable connection, or through WiFi, I can access the internet fine.

Gertjan @a-networking-noob

              @a-networking-noob said in Unable to get OPT1 to work:

              Connecting my laptop to my OPT1, either by direct cable connection, or through WiFi, I can access the internet fine.

Ok, good 👍
              This excludes cables, the access point, pfSense, the OPT1 interface.

Ditch the phones, and done. (joking of course).
You didn't say anything about these phones, but they are (most probably) the issue.
They do communicate just fine : the DHCP exchange was happening.
(still hoping that you can confirm that they did receive a correct IP, gateway and DNS - and that you could do a DNS lookup with them, just to know that they do communicate with pfSense)

              The solution might be available in the phones : delete the Wifi entry - and re-connect to that wifi SSID again.

a-networking-noob @Gertjan

                @Gertjan said in Unable to get OPT1 to work:

                @a-networking-noob said in Unable to get OPT1 to work:

                Connecting my laptop to my OPT1, either by direct cable connection, or through WiFi, I can access the internet fine.

Ok, good 👍
This excludes cables, the access point, pfSense, the OPT1 interface.

Ditch the phones, and done. (joking of course).
You didn't say anything about these phones, but they are (most probably) the issue.

                I'm using a couple of Android phones. One an older LG G6 stock, the other a Pixel 5a running CalyxOS. I can't believe the phones are the problem since I've never had issues with them connecting to the internet via WiFi at home, at work, etc...

They do communicate just fine : the DHCP exchange was happening.
(still hoping that you can confirm that they did receive a correct IP, gateway and DNS - and that you could do a DNS lookup with them, just to know that they do communicate with pfSense)

                Yes, I did confirm that the phones do get an IP address, gateway and DNS that match what is shown in pfSense and lines up with the OPT1 settings.

                The solution might be available in the phones : delete the Wifi entry - and re-connect to that wifi SSID again.

                Unfortunately, this did not solve it. After deleting the WiFi entry, and re-connecting to the WiFi on OPT1, I get the exact same result - connects to WiFi but no internet.

Gertjan @a-networking-noob

                  @a-networking-noob said in Unable to get OPT1 to work:

                  Unfortunately, this did not solve it.

                  Another test :

Go to Diagnostics > Packet Capture

                  Select the OPT interface, like :

[image: Packet Capture page with OPT1 selected as the interface]

                  and enter the IP of your phone :
                  Like this :
[image: Packet Capture page with the host filter set to the phone's IP]

and then hit the green start button.

                  From now on, at the bottom, you will see everything that pfSense receives at the OPT1 from your phone (device with IP 192.168.49.x).

                  You will see the DHCP negotiation traffic, a couple of packets.
                  And then : what did you see ?

johnpoz LAYER 8 Global Moderator @a-networking-noob

                    @a-networking-noob said in Unable to get OPT1 to work:

                    gateway and DNS that match what is shown in pfSense and lines up with the OPT1 settings.

I have seen users set up a NAT router as their wifi.. where the network the wifi router is handing out is the same as what the pfSense network is.. So yeah, looks correct, but yeah, never going to work..

Or they have their wifi set up as guest, and it can not talk to the wire, and while dhcp might work - when they actually go to talk to the pfSense IP for dns or to get out to the internet, it doesn't work..

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

Gertjan @johnpoz

                      @johnpoz said in Unable to get OPT1 to work:

                      I have seen users setup a nat router as their wifi..

I'm presuming the Access Point is set up as an access point (!) and doesn't have any firewall / router / dhcp capabilities activated. If so, all bets are off.

                      The packet capturing would show the MAC address of the phone (not the AP !!) and show the DHCP request from the phone etc.

SteveITS Galactic Empire @Gertjan

                        @Gertjan said in Unable to get OPT1 to work:

                        presuming the Access Point is set up as an access point

                        @a-networking-noob Did you give your wireless router model (I didn't see it just now)? In many cases a "consumer" router can function as an AP by simply not connecting the WAN port, and disabling DHCP on it. So only a cable from LAN to your switch (or OPT1 if no switch). Then as mentioned above the router/AP's WAN cannot be the same IP subnet as your LAN...just make up some other private range.

                        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
Upvote 👍 helpful posts!

a-networking-noob @Gertjan

                          @Gertjan said in Unable to get OPT1 to work:

                          @a-networking-noob said in Unable to get OPT1 to work:

                          Unfortunately, this did not solve it.

                          Another test :

Go to Diagnostics > Packet Capture

Select the OPT interface, like :

[image: Packet Capture page with OPT1 selected as the interface]

and enter the IP of your phone :
Like this :
[image: Packet Capture page with the host filter set to the phone's IP]

and then hit the green start button.

                          From now on, at the bottom, you will see everything that pfSense receives at the OPT1 from your phone (device with IP 192.168.49.x).

                          You will see the DHCP negotiation traffic, a couple of packets.
                          And then : what did you see ?

                          This is all I captured - no clue what it means :)

                          21:54:26.899362 IP 192.168.49.1.67 > 192.168.49.101.68: UDP, length 300
                          21:54:26.960728 ARP, Request who-has 192.168.49.1 tell 192.168.49.101, length 46
                          21:54:26.960748 ARP, Reply 192.168.49.1 is-at 64:62:66:21:cb:d5, length 28
                          21:54:26.961700 IP 192.168.49.101.49484 > 192.168.49.1.853: tcp 0
                          21:54:27.983001 IP 192.168.49.101.49484 > 192.168.49.1.853: tcp 0
                          21:54:30.082548 IP 192.168.49.101.49484 > 192.168.49.1.853: tcp 0
                          21:54:34.102204 IP 192.168.49.101.49484 > 192.168.49.1.853: tcp 0
                          21:54:42.192314 IP 192.168.49.101.49484 > 192.168.49.1.853: tcp 0
                          21:54:57.128329 ARP, Request who-has 192.168.49.1 tell 192.168.49.101, length 46
                          21:54:57.128353 ARP, Reply 192.168.49.1 is-at 64:62:66:21:cb:d5, length 28
                          21:54:58.420025 IP 192.168.49.101.49484 > 192.168.49.1.853: tcp 0

Gertjan @a-networking-noob

                            @a-networking-noob said in Unable to get OPT1 to work:

                            ............ 853..................

                            You nailed it.
                            Your phones are doing DNS over 853 (DNS over TLS) and ask 192.168.49.1 to do the DNS for them.
                            Or : you probably do not have "DNS over TLS" activated - just like me.

[image: DNS Resolver settings, the DNS over TLS / port 853 option]

That a device defaults to, out of the box, with "DNS over TLS port 853" ..... well ... that will create a lot of issues.
edit : someone clicked somewhere in the phone "use secure DNS" without thinking about the consequences ^^ ??

So : no need to throw away the phones.
Just set this phone DNS setting back to default : use "DNS to port 53" (non TLS) (and DNS over TLS when available) and you're good.
Or activate in unbound your local port 853 so it can handle DNS over TLS for your phones - see image.

And of course : if host names can not get resolved to IPs, then yeah, you have the impression that the devices don't work, or, they can communicate just fine. Example : a ping to 8.8.8.8 will work (try it).
This was a typical "It's always the DNS" problem.

If you were bringing your phones to the local McDonald's free Wifi, they wouldn't work either.

Your laptop doesn't use "DNS over TLS" (Windows 11 can support it now, I guess, don't know how to activate it) but when you activate this option on a device, you have to make sure that the other side, your ISP router, or pfSense, etc also supports it.


a-networking-noob @Gertjan
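As an added example (not from the thread, and not pfSense or Unbound code), here is how the capture above can be read mechanically. It parses the tcpdump-style lines the OP posted (copied in as sample input) and tallies, per client, attempts to reach the resolver on TCP/853 against replies from 853 and classic queries to port 53. The growing gaps between the 853 attempts (roughly 1, 2, 4, 8 and 16 seconds) are consistent with unanswered TCP connection attempts being retried, and the absence of any port-53 traffic is the telling part: the phone is not falling back. The resolver address 192.168.49.1 comes from the thread; the verdict strings and the second, healthy sample are my own. A silent 853 can mean Unbound is not listening there or that an OPT1 firewall rule is dropping it, and this kind of capture cannot pick out DNS over HTTPS, which shares port 443 with ordinary web traffic.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Capture lines as posted in the thread above (pfSense Diagnostics > Packet Capture,
# tcpdump-style text output). ARP lines are skipped by the parser.
SAMPLE_CAPTURE = """\
21:54:26.899362 IP 192.168.49.1.67 > 192.168.49.101.68: UDP, length 300
21:54:26.960728 ARP, Request who-has 192.168.49.1 tell 192.168.49.101, length 46
21:54:26.960748 ARP, Reply 192.168.49.1 is-at 64:62:66:21:cb:d5, length 28
21:54:26.961700 IP 192.168.49.101.49484 > 192.168.49.1.853: tcp 0
21:54:27.983001 IP 192.168.49.101.49484 > 192.168.49.1.853: tcp 0
21:54:30.082548 IP 192.168.49.101.49484 > 192.168.49.1.853: tcp 0
21:54:34.102204 IP 192.168.49.101.49484 > 192.168.49.1.853: tcp 0
21:54:42.192314 IP 192.168.49.101.49484 > 192.168.49.1.853: tcp 0
21:54:57.128329 ARP, Request who-has 192.168.49.1 tell 192.168.49.101, length 46
21:54:57.128353 ARP, Reply 192.168.49.1 is-at 64:62:66:21:cb:d5, length 28
21:54:58.420025 IP 192.168.49.101.49484 > 192.168.49.1.853: tcp 0
"""

# One IPv4 packet line: "<timestamp> IP <src>.<sport> > <dst>.<dport>: <proto> ..."
PKT_RE = re.compile(
    r"^\S+ IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): (?P<proto>[A-Za-z]+)"
)


@dataclass
class DnsStats:
    dot_attempts: int = 0   # client -> resolver TCP/853 (DNS over TLS)
    plain_queries: int = 0  # client -> resolver port 53 (classic DNS, UDP or TCP)
    replies_853: int = 0    # resolver:853 -> client (proof the resolver listens there)
    replies_53: int = 0     # resolver:53 -> client


def parse_capture(text, resolver):
    """Tally DNS-related packets between each client and the resolver address."""
    stats = defaultdict(DnsStats)
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue  # ARP, IPv6 and other non-IPv4 lines carry no DNS flow here
        src, dst = m["src"], m["dst"]
        sport, dport = int(m["sport"]), int(m["dport"])
        proto = m["proto"].lower()
        if dst == resolver:
            if dport == 853 and proto == "tcp":
                stats[src].dot_attempts += 1
            elif dport == 53:
                stats[src].plain_queries += 1
        elif src == resolver:
            if sport == 853:
                stats[dst].replies_853 += 1
            elif sport == 53:
                stats[dst].replies_53 += 1
    return dict(stats)


def diagnose(stats):
    """Turn the per-client tallies into a one-line verdict each (wording is mine)."""
    verdicts = {}
    for client, s in stats.items():
        if s.dot_attempts and not s.replies_853 and not s.plain_queries:
            verdicts[client] = ("strict DNS-over-TLS client: repeated TCP/853 to the "
                                "resolver, nothing back, no fallback to port 53")
        elif s.dot_attempts and s.replies_853:
            verdicts[client] = "DNS over TLS in use and answered on 853"
        elif s.plain_queries:
            verdicts[client] = "classic DNS on port 53"
        else:
            verdicts[client] = "no DNS traffic seen"
    return verdicts


if __name__ == "__main__":
    # The OPT1 address of pfSense from the thread is the resolver.
    for client, verdict in diagnose(parse_capture(SAMPLE_CAPTURE, "192.168.49.1")).items():
        print(client, "->", verdict)
```

Save the Packet Capture text output to a file and feed it to parse_capture with the OPT1 address of pfSense as the resolver; for the capture posted above the verdict is the strict DNS-over-TLS one, with six attempts and nothing coming back from 853.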

                              @Gertjan said in Unable to get OPT1 to work:

                              @a-networking-noob said in Unable to get OPT1 to work:

                              ............ 853..................

                              You nailed it.
                              Your phones are doing DNS over 853 (DNS over TLS) and ask 192.168.49.1 to do the DNS for them.
                              Or : you probably do not have "DNS over TLS" activated - just like me.

                              That a device defaults to, out of the box, with "DNS over TLS port 853" ..... well ... that will create a lot of issues.
edit : someone clicked somewhere in the phone "use secure DNS" without thinking about the consequences ^^ ??

                              So : no need to throw away the phones.
Just set this phone DNS setting back to default : use "DNS to port 53" (non TLS) (and DNS over TLS when available) and you're good.
                              Or activate in unbound your local port 853 so it can handle DNS over TLS for your phones - see image.

                              Thanks for sticking with me on this. I got one of my phones working now, but not the other one. I checked and in fact I did have "use private DNS" active on the phone that won't connect, but even after disabling that, it still won't connect. So maybe I'll just have to give up on that one.

                              Anyway, thanks for all the help!

johnpoz LAYER 8 Global Moderator @Gertjan

                                @Gertjan said in Unable to get OPT1 to work:

                                unbound your local port 853 so it can handle DNS over TLS for your phones

It will also do DoH, you just need to use some custom options.. Do phones really do DoT, or wouldn't they be trying to do DoH..

                                Here is thread that came up about that.

                                https://forum.netgate.com/post/1131273

                                It was pretty straight forward getting unbound to also do DoH.

edit: btw I tried to see if I could do DoQ to unbound.. And while it's coming per this

                                https://blog.nlnetlabs.nl/newsletter-dns-over-quic/

It doesn't seem to be available yet in the version of unbound we have on pfSense. Yet another way for devices to circumvent your local DNS - at least with DoQ it's a different port at play vs DoH that uses your standard 443 port that everything else on the planet also uses..

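Gertjan's closing point (a client with DNS over TLS switched on only works if the other side actually serves it) and johnpoz's note that Unbound can be made to serve it suggest a direct check from a wired machine on OPT1 before changing phone settings. The probe below is an added example, not code from the thread, from pfSense or from Unbound: it sends the same A query over UDP/53 and over TLS/853 (RFC 7858, a two-byte length prefix in front of each message on the TLS connection) and reports which transport answers. The resolver address 192.168.49.1 is taken from the thread; the query name example.com and the command-line handling are my assumptions. When probing by IP with no server_name it skips certificate verification, which a phone in strict private-DNS mode will not do, so a passing probe shows the listener is there, not that the phone will trust its certificate; pass server_name and cafile to test that part as well.

```python
import random
import socket
import ssl
import struct
import sys

DNS_PORT, DOT_PORT = 53, 853


def build_query(name, qid, qtype=1):
    """Minimal DNS query in wire format: header (RD set, one question) + QNAME + QTYPE/QCLASS."""
    labels = [label.encode("idna") for label in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_response(data, expected_qid):
    """Check the response header; returns (rcode, answer_count) or raises ValueError."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_qid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return flags & 0x000F, an


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_plain(resolver, name, timeout=3.0):
    """Classic DNS over UDP/53."""
    qid = random.randrange(1, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (resolver, DNS_PORT))
        data, _ = s.recvfrom(4096)
    return parse_response(data, qid)


def query_dot(resolver, name, server_name=None, cafile=None, timeout=3.0):
    """DNS over TLS: TLS to 853, then 2-byte length-prefixed messages as over TCP."""
    qid = random.randrange(1, 0x10000)
    ctx = ssl.create_default_context(cafile=cafile)
    if server_name is None:
        # Probing by IP only: no name to verify against. A strict phone client
        # does verify, so only a probe with server_name + cafile mirrors it.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    query = build_query(name, qid)
    with socket.create_connection((resolver, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            data = _recv_exact(tls, length)
    return parse_response(data, qid)


def probe(resolver, name="example.com", **dot_kwargs):
    """Try both transports; returns {transport: ("ok", rcode, answers) | ("fail", reason)}."""
    attempts = (
        ("udp/53", lambda: query_plain(resolver, name)),
        ("tls/853", lambda: query_dot(resolver, name, **dot_kwargs)),
    )
    results = {}
    for label, fn in attempts:
        try:
            rcode, answers = fn()
            results[label] = ("ok", rcode, answers)
        except (OSError, ValueError) as exc:  # timeout, refused, TLS failure, bad reply
            results[label] = ("fail", f"{type(exc).__name__}: {exc}")
    return results


if __name__ == "__main__":
    # Resolver address from the thread; override on the command line (assumed usage).
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.49.1"
    for transport, outcome in probe(target).items():
        print(transport, outcome)
```

If udp/53 answers and tls/853 fails with a timeout or a refused connection, the phone's private-DNS setting has nothing to talk to; either turn that setting off on the phone or enable the TLS listener in the pfSense DNS Resolver settings, as Gertjan's screenshot shows, and re-run the probe.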