Windows Clients cannot access the internet, very strange unexpected DNS problem.

johnpoz

@bmeeks said in Windows Clients cannot access the internet, very strange unexpected DNS problem.:

for some reason pfSense does not know about some of the downstream networks

Yeah auto will auto add the nat rules for any downstream networks you create a route to in pfsense via some gateway you create.. There rarely is any reason you would even need to do manual, unless you had something really odd setup.. Even if you were doing some odd stuff, hybrid should normally be able to cover what you need..

You really should never need to use manual nat..

This points to something else out of wack.

Pfsense running unbound should always be able to resolve its lan IP to its name you set in general..

So either that 10.216.64.18 is not pfsense lan IP? Or something else going on other than nat issues or acls, etc.. when you do a nslookup it does a PTR for the IP to get its name.. Your is coming back unknown, that should not happen.

192.168.9.253 is my pfsense lan IP..

IrixOS

@johnpoz said in Windows Clients cannot access the internet, very strange unexpected DNS problem.:

eah auto will auto add the nat rules for any downstream networks you create a route to in pfsense via some gateway you create.

I disabled the MODEM NAT rule and activated the auto add NAT rules, I can see the downstream networks in the rule, but the world icon on windows still doesn't change into a square.

bmeeks

@IrixOS said in Windows Clients cannot access the internet, very strange unexpected DNS problem.:

I disabled the MODEM NAT rule and activated the auto add NAT rules, I can see the downstream networks in the rule, but the world icon on windows still doesn't change into a square.

It can take Windows a few minutes to update the icon in my experience. And every now and then a reboot might be required.

A quick test is this:

ping 8.8.8.8

If that works, you have Internet access from the Windows client.

Next, you can try pinging google.com from both pfSense and that Windows client to see if DNS queries are working.

johnpoz

@bmeeks exactly - and if he is still having dns problems? That might not show globe, etc. I do not remember if it has any fallback to just checking if can get to an IP.. I believe it does a dns lookup, the exact fqdn eludes me at this moment, but then it tries to actually open that and wants to see an OK... Unless they have drastically changed how they do that in latest windows 11 or something?

IrixOS

@bmeeks No that flyer doesn't go up, it's useless.

Dit you remember the thread about the lagg0 port, you said something about choose an other free port, well I configured the lagg0 port with a vpn tunnel on the wan, that's plain stupid but it did work. So you fix something inside from the outside, that's pretty lame.

And now this problem, did I mention pfsense working before with a bunch of cisco ip routing behind it and it did work, did the version change in the mean while? What happened, it did work in the past with the same config you know
Poor lord, this pfsense thing is harder than cisco IOS, how can that ever be?

You know, I really really appreciate your time solving this problem but I am pulling my hair out at this moment ,reallly.

I have a great idea, let's combine pfsense and OPNsense together, pfsense for openVPN roadwarrior but I doesn't offer more than that obviously and use OPNsense for firewalling internal windows server machines. The servers have their protection with OPsense, and pfsense to access the network from outside, period. So everybody is happy.

Lets test OPNsense, see if it has the same anomaly under the same network conditions, if it doesn't, me and the CEO of Netgate gonna have some serious words!

I would like to hear more possible solutions, thank you so much for your time,

IrixOS

@johnpoz I think we are iiiiiiiiiiiiiiiiiiiiiiiiiiin yipppieeeeeeee

bmeeks

@IrixOS said in Windows Clients cannot access the internet, very strange unexpected DNS problem.:

Dit you remember the thread about the lagg0 port, you said something about choose an other free port, well I configured the lagg0 port with a vpn tunnel on the wan,

No, I don't recall a thread about a lagg0 port, but I get involved in quite a few conversations on here and tend to get them confused sometimes .

I would do this on the Windows client --

1. Configure the DNS server to be 8.8.8.8 in the TCP/IP settings in Windows. That will take pfSense completely out of the picture for DNS.
2. Now try to ping something by name (www.bing.com or google.com, for instance). Does that work? If yes, then you know the client has Internet access and you can concentrate on why DNS on pfSense is failing or not working.
3. If steps #1 and #2 fail, then try a simple ping to 8.8.8.8 from the Windows client. That drops DNS out of the loop and directly tries to ping the Google DNS server. If that fails, then you still have a basic connectivity problem you need to work out.

IrixOS

@johnpoz Poor lord , it didn't expect it to work, yes indeed it became a square after the reboot of windows and pfsense.
I thinkt it was the NAT rule and changed it to automatic like you mentioned.

IrixOS

@bmeeks It's working, the only thing i changed was from outbound to automatic, done a reboot of windows and then things started to pop up,...

Many thanks to you, and God bless America, from Belgium,..

Clever guys you Americans.

bmeeks

@IrixOS said in Windows Clients cannot access the internet, very strange unexpected DNS problem.:

I thinkt it was the NAT rule and changed it to automatic like you mentioned.

That NAT rule was definitely suspect! Not sure why a handbook for the DSL modem would suggest that UNLESS the instructions were simply how to access an internal web GUI on the modem itself. But those instructions would not apply to general Internet access.

johnpoz

@bmeeks said in Windows Clients cannot access the internet, very strange unexpected DNS problem.:

tend to get them confused sometimes

We can both be members of that club as well.. The old farts club, and sometime confuse threads club.. Maybe getting old and confusing threads go hand in hand? ;)

IrixOS

@bmeeks I don't know where I got it from that MODEM config think, I think the handbook, not sure

bmeeks

@johnpoz said in Windows Clients cannot access the internet, very strange unexpected DNS problem.:

@bmeeks said in Windows Clients cannot access the internet, very strange unexpected DNS problem.:

tend to get them confused sometimes

We can both be members of that club as well.. The old farts club, and sometime confuse threads club.. Maybe getting old and confusing threads go hand in hand? ;)

I resemble both of those remarks !

bmeeks

@IrixOS said in Windows Clients cannot access the internet, very strange unexpected DNS problem.:

@bmeeks I don't know where I got it from that MODEM config think, I think the handbook, not sure

That particular NAT may have been to allow access from the LAN side of pfSense to a web GUI inside the modem that has a private RFC1918 address. That would possibly explain the 172.16.0.x destination address. But to get to the Internet, the destination has to be * (which means "any").

IrixOS

@bmeeks Of course, that was it, it was meant to access the modem.

bmeeks

@IrixOS said in Windows Clients cannot access the internet, very strange unexpected DNS problem.:

@bmeeks Of course, that was it, it was meant to access the modem.

I think you understand, but just to be sure and to help someone else who stumbles across this thread in the future --

That NAT rule was to allow you to open something directly on the modem itself. Typically this is some type of configuration program either via an internal web server or maybe Telnet. So, if the modem had the IP 172.16.0.1 as its LAN port address, then from a client on the LAN side of pfSense you could open a connection to that IP and the NAT rule from the handbook would have translated that traffic to the modem's address. But that rule only works for talking to the modem's OS. It is not sufficient to send traffic from the pfSense LAN side out to the Internet.

You don't need to access the modem in order to send traffic to the Internet. When in bridged mode everything that comes in on the modem's LAN port is sent straight out the modem's WAN port without any change -- and vice-versa for WAN to LAN traffic on the modem. That is the definition of "bridged".

As for NAT rules on pfSense, you need a NAT rule that accepts traffic from whatever networks are behind pfSense and translates them to the pfSense WAN address. The "destination" for this NAT rule should be "any" because that covers the range of possible Internet destinations.

IrixOS

@bmeeks said in Windows Clients cannot access the internet, very strange unexpected DNS problem.:

Reply Quote 0

Yes, you are completely correct, I was confused, and yes classically the modem is accessed via webbrowser, now I get the concept of bridge modus better.
My sincere thank you!

bmeeks

@IrixOS said in Windows Clients cannot access the internet, very strange unexpected DNS problem.:

@bmeeks said in Windows Clients cannot access the internet, very strange unexpected DNS problem.:

Reply Quote 0

Yes, you are completely correct, I was confused, and yes classically the modem is accessed via webbrowser, now I get the concept of bridge modus better.
My sincere thank you!

Glad it's all working now. Must be quite late for you in Belgium! Go to bed now and celebrate success tomorrow.

IrixOS

@bmeeks HAHA, yesterday I couldn't wait for you guys to answer the thread, it's 00:05 here right know.

bmeeks

@IrixOS said in Windows Clients cannot access the internet, very strange unexpected DNS problem.:

@bmeeks HAHA, yesterday I couldn't wait for you guys to answer the thread, it's 00:05 here right know.

I'm six hours behind you. 6:07 PM here now (I'm on US Eastern Time).