My pc isn't DNS resolving but my pfSense box is
-
Hi All,
First off, let me say that I am a total Newbie to networking and pfSense.
Second, I did install the latest version of pfSense on a fanless pc that I recently purchased.
I followed this video tutorial by Networkchuck link text right up to the point where he started port forwarding (I don't think I need to do that).
Anyway, I hit a snag and did some research and quite a bit of troubleshooting before coming here.
I didn't find a solution to my problem, so I thought I would post here and hopefully someone will be able to help.
Before I dive into all the details here's the short version:
pfSense install as per tutorial cited above, essentially everything is default except the new IP address and password.
I have my cable modem (not in bridge mode) plugged into the WAN port, and my main pc is plugged into the LAN port.
When I access the pfSense fanless pc via browser, the WAN works, and I am able to DNS resolve websites and ping IP addresses and websites.
On my main pc, I can ping IP addresses but I cannot reach any website or any IP address entered directly into the browser. It does not seem to be resolving any web address.
Here's where things get a little interesting, I dual-boot Windows 10 and Linux.
On my Linux distro, I have it set up to automatically start streaming a radio station when it boots up, the stream is entered as an IP address. When I boot into Linux this streaming worked but I could not access any website, I could ping IP addresses no problem.
Then I tried starting my VPN, and it worked and I am able to surf the net just fine, but only when my VPN is enabled.
Note that this workaround does not work in Windows 10, my VPN won't start in Windows.
I looked up the troubleshooting steps on this site and noticed that my gateway shows 100% packet loss and it's offline.
I suspect this bit of information is key to resolving (no pun intended) this issue, but I don't know what to do from here (did I mention that I'm a Newbie)?
Some of the steps that I have tried:
"Allow DNS server list to be overridden by DHCP/PPP on WAN" both checked and unchecked - no difference.
DNS Server Override = both checked and unchecked - no difference.
Disable DNS Forwarder = both checked and unchecked - no difference.
In the Firewall Rules section it warned that there weren't any rules for the WAN so I tried adding an "allow all" rule but that didn't help so I removed it (I'm not a fan of messing with firewall rules unless you know what you're doing).
If anyone can help me resolve this issue, I will be most grateful.
-
@Neoveo when your PC is connected to the LAN interface, how is it obtaining IP and DNS addressing?
-
@cyberconsultants I'm not sure what you mean by "how is it obtaining IP and DNS addressing"?
If you're asking how am I checking it, in Linux I open a terminal and type "ping 8.8.8.8" (for example).
For the DNS addressing I simply type an address into the browser or click on a bookmark.
Since my first post I have noticed that the firewall is blocking access, however I did not set up any new rules, they are all default.
Here is one of the error messages "The rule that triggered this action is: @61 block drop in log quick on igc0 from bogonsv6:142014 to any label "block bogon IPv6 networks from WAN" ridentifier 11002".
I went to the LAN rules and disabled the two LAN subnets rules, it didn't help, so I re-enabled them... then my internet started working just fine, without the VPN being engaged!
So I rebooted to see if this "fix" stuck and no joy.
Any ideas what this could be?
I am using Micron RAM and I have heard that many of these boxes don't like Micron RAM (it's all I had on hand, and I ran a MemTest - no errors). I don't think this is a RAM issue, but stranger things have happened.
And now as I write this, I tried it using the internet without the VPN again, and at first no joy, but then suddenly it just started working again???
The Firewall is still showing it is blocking access and the Gateway is still showing Offline with 100% packet loss.
I can't explain it but I sure would like to fix this issue once and for all.
Any ideas what this could be?
-
@Neoveo your screenshot shows blocks on WAN, inbound from Internet. That will happen 24x7. We turn off logging of the default block rules when not testing things, to reduce the log noise. In the logs page Settings.
Firewall rules apply when packets arrive on an interface.
You’re lucky disabling the two LAN rules didn’t lock you out! :)
If pfSense detects a gateway is offline it won’t use that interface. In system/routing try disabling gateway monitoring or change your monitoring IP to say 8.8.8.8 or another IP. Some ISP gateways don’t respond to pings.
-
@Neoveo said in My pc isn't DNS resolving but my pfSense box is:
I'm not sure what you mean by "how is it obtaining IP and DNS addressing"?
The question was : when you connect your 'pc', actually any device, to your LAN, how does it obtain an IP ? (and network mask, DNS IP, gateway IP).
If you use windows, type
ipconfig /all
and this gives you the answer.
For other OSes : you'll know what to do.
It will probably show that your PC is using 'DHCP'
So the gateway IP will be "192.168.1.1", the LAN IP of pfSense (and that's great, as pfsense is your gateway router)
The DNS IP is set to the LAN IP of pfSense (great again, pfSense is doing the DNS resolving for all your LAN networks)
So :
My pc isn't DNS resolving ...
that's a strange question. Only you will know if you installed a Resolver on your PC. It is possible, after all. So, did you ?
If not, and your PC is using the DNS IP it got from pfSense, using DHCP, then it will use pfSense for its resolving needs.
If, for example, you've set up (so called : "hard coded" or static setup) "8.8.8.8" on your PC (phone, whatever) as a DNS to be used then it's normal that pfSense isn't used. The device will use "8.8.8.8" for all its DNS needs.
edit : linux ....
I can't find a command that can give you a straightforward answer.
The global rule will apply : It's always DHCP except if you have decided otherwise.
I would :
cat /etc/network/interfaces
?
-
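The check discussed above (does a Linux client send its DNS queries to the pfSense LAN address, to a hard-coded server such as 8.8.8.8, or to a local stub resolver) can be read from the default route and `/etc/resolv.conf`. The script below is an added example, not part of any post in this thread; the function names and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide where a Linux client sends its DNS queries.
# Function names and sample inputs are constructed, not taken from the thread.

# $1 = output of `ip route show default`; prints the default gateway IP
default_gateway() {
  printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# $1 = contents of /etc/resolv.conf; prints one nameserver per line
nameservers() {
  printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }'
}

# $1 = route output, $2 = resolv.conf contents; prints a one-word verdict
classify_dns() {
  gw=$(default_gateway "$1")
  [ -n "$gw" ] || { echo "no-default-route"; return 0; }
  verdict=""
  for ns in $(nameservers "$2"); do
    case "$ns" in
      "$gw") echo "uses-gateway"; return 0 ;;       # DNS goes to the router (pfSense)
      127.*|::1) verdict="local-stub" ;;            # e.g. systemd-resolved on 127.0.0.53
      *) [ -n "$verdict" ] || verdict="external:$ns" ;;  # hard-coded resolver
    esac
  done
  echo "${verdict:-no-nameserver}"
}

# Constructed sample inputs (a client behind a router at 192.168.1.1)
ROUTE_SAMPLE='default via 192.168.1.1 dev eth0 proto dhcp metric 100'
RESOLV_DHCP='# constructed sample
nameserver 192.168.1.1
search home.arpa'
RESOLV_STATIC='nameserver 8.8.8.8'
RESOLV_STUB='nameserver 127.0.0.53
options edns0 trust-ad'

for sample in "$RESOLV_DHCP" "$RESOLV_STATIC" "$RESOLV_STUB"; do
  classify_dns "$ROUTE_SAMPLE" "$sample"
done

# On a live host:
#   classify_dns "$(ip route show default)" "$(cat /etc/resolv.conf)"
# A "local-stub" verdict means the real upstream is held by the stub resolver;
# `resolvectl status` shows it on systemd-resolved systems.
```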
J jimp moved this topic from Problems Installing or Upgrading pfSense Software on
-
@Gertjan I solved the problem.
It turns out that I have to plug in the WAN and LAN cables before booting up the pfsense router.
If I plug them in after it is booted up, then I cannot access the internet.
-
@Neoveo said in My pc isn't DNS resolving but my pfSense box is:
It turns out that I have to plug in the WAN and LAN cables before booting up the pfsense router.
Wow ...
Over 18 years of using pfSense, and I have never thought of doing that.
Booting a router that can't route ... like driving a car with the wheels taken off.
I'm curious now. I'll put that on my to-do list : I'll be watching the console what happens when I do this, and after the boot I'll hook up the WAN & LANs and see what happens.
-
Probably no default route present or the wrong one.
Make sure WAN_DHCP is set as the default IPv4 gateway in System > Routing > Gateways rather than automatic.
-
@stephenw10 Thanks, I will try that, they are both set to automatic.
Here is a screenshot of my gateway, they both show 100% packet loss and offline.
This is with either automatic or their respective WAN_DHCP selected.
file:///home/neo/Pictures/Gateway2.jpg
-
Ok, well that's not good! If you are able to connect out still it's probably just that your gateway doesn't respond to ping. Try setting some alternative external monitoring IP:
https://docs.netgate.com/pfsense/en/latest/routing/gateway-configure.html
Steve
-
@stephenw10 Many thanks Steve, I really appreciate your help.
I took a look at the link you kindly provided and my head is swimming!
I am not sure what to do with all that information.
As I mentioned earlier, I am very new to pfSense; I think I need a little more detailed instructions.
Since my internet appears to be working, is this Gateway offline a non-issue?
-
For your WAN_DHCP :
Go here : System > Routing > Gateways and edit the 'WAN_DHCP'
Add / edit the "Monitoring IP" :
Add an IPv4 that you know will answer a ping request. 8.8.8.8 is a usable example.
Save - and then Apply changes.
If your issue was : "the default gateway didn't answer to ping (hence the 100 % Packet loss)" then now you should see :
If you have now a green "Online", you'll know that you're on the right track.
Your WAN_DHCP6 : same treatment. Just keep in mind that this interface is for IPv6. So you have to enter an IPv6 as a ping-able IPv6.
Ask the oracle : what is the IPv6 equivalent of 8.8.8.8 ? and you have one.
If all goes well, your WAN_DHCP6 will be marked as Online now.
-
@Gertjan MAGIC!!! Many thanks for your wonderful help @Gertjan, I really appreciate it!
I used Cloudflare 1.1.1.1 for IPv4 and 2606:4700:4700::1111 for IPv6 (thank you Google for that).
Now my Gateway shows IPv4 online and IPv6 as "pending" and "unknown".
That's better than what I had before!
Now my question is, since I had working internet, was able to ping and otherwise surf the net all while my gateway was showing offline with 100% packet loss, what purpose does the gateway serve?
-
The gateway itself is what pfSense routes all your external traffic to at your ISP.
By default pfSense sends pings to it to check the status but the ISP is under no obligation to respond to ping. Setting the monitoring pings to something external gives better data anyway.
Besides logging the latency and packet loss pfSense uses the gateway status if you have more than one gateway in a failover or load-balancing.
Steve
-
@stephenw10 gotcha, thank you so much for the education, I so much appreciate it.
My IPv6 still shows as pending and unknown.
Is this something that will resolve on its own or do I have some more troubleshooting to do?
-
Unlikely it would just start working, unless it's something broken at your ISP that they then fix.
Does your ISP support IPv6?
-
@Neoveo said in My pc isn't DNS resolving but my pfSense box is:
while my gateway was showing offline with 100% packet loss
Get back to System >Routing > Gateways and edit the WAN_DHCP, just to look.
At the bottom of the page, click also on "Advanced settings".
The gateway monitoring is used for two things : it measures the round trip of a constant ping so nice graphs can be produced.
Also : the action part : it will cycle the interface : taking it down for a short period to rebuild the connection. This in the hope that it will be better (== more stable ping).
Knowing that the WAN interface(s) are used by other processes like unbound, the resolver, they will also restart at that moment. This could very well explain what you've been experiencing all along.
IPv6 : First : make things visible. Go to System > Advanced > Networking and check
Start DHCP6 client in debug mode.
From now on, the DHCP6 client (close friend, but not related to the DHCP servers on your LAN) will log more details.
The logs : Status > System Logs > DHCP
Look for "dhcp6c", that's the one.
During initial WAN (IPv6) construction, there will be more lines.
Keep in mind : these days, after several decades of experimenting, most of the time, you set your WAN IPv4 to 'DHCP' and you'll be good.
For IPv6 it isn't that easy. DHCPv6 is used, but most probably more settings have to be selected, as every ISP can offer you IPv6 with its own sauce. It will probably standardize in a decade or two ;)
This is the idea :
Your WANv6 interface gets an IPv6, might be a GUA and/or the other thing, starting with a fe80......, the link local.
You will also have an IPv6 DNS, IPv6 gateway and an IPv6 subnet mask.
But there is more, we'll get to that.
-
Okay, I've set up the monitor as you have suggested and here is a screen shot of the logs (for all of the dhcp6c entries it simply says "sending solicit")
file:///home/neo/Pictures/DHCP logs.jpg
-
Seems like your ISP doesn't support IPv6 then. Or at least isn't responding to DHCPv6.
Unless they have some special requirement. What does the ISP docs show?
-
@stephenw10 said in My pc isn't DNS resolving but my pfSense box is:
Seems like your ISP doesn't support IPv6 then. Or at least isn't responding to DHCPv6.
Unless they have some special requirement. What does the ISP docs show?
I have sent my ISP a message asking them if they support IPv6, I think they do but we'll see what their answer is.