Windows Clients cannot access the internet, very strange unexpected DNS problem.
-
@bmeeks It's working. The only thing I changed was from outbound to automatic; did a reboot of Windows and then things started to pop up...
Many thanks to you, and God bless America, from Belgium...
Clever guys you Americans.
-
@IrixOS said in Windows Clients cannot access the internet, very strange unexpected DNS problem.:
I think it was the NAT rule and changed it to automatic like you mentioned.
That NAT rule was definitely suspect! Not sure why a handbook for the DSL modem would suggest that UNLESS the instructions were simply how to access an internal web GUI on the modem itself. But those instructions would not apply to general Internet access.
-
@bmeeks said in Windows Clients cannot access the internet, very strange unexpected DNS problem.:
tend to get them confused sometimes
We can both be members of that club as well.. The old farts club, and the sometimes confuse threads club.. Maybe getting old and confusing threads go hand in hand? ;)
-
@bmeeks I don't know where I got that MODEM config thing from, I think the handbook, not sure
-
@johnpoz said in Windows Clients cannot access the internet, very strange unexpected DNS problem.:
@bmeeks said in Windows Clients cannot access the internet, very strange unexpected DNS problem.:
tend to get them confused sometimes
We can both be members of that club as well.. The old farts club, and the sometimes confuse threads club.. Maybe getting old and confusing threads go hand in hand? ;)
I resemble both of those remarks!
-
@IrixOS said in Windows Clients cannot access the internet, very strange unexpected DNS problem.:
@bmeeks I don't know where I got that MODEM config thing from, I think the handbook, not sure
That particular NAT may have been to allow access from the LAN side of pfSense to a web GUI inside the modem that has a private RFC1918 address. That would possibly explain the 172.16.0.x destination address. But to get to the Internet, the destination has to be * (which means "any").
-
@bmeeks Of course, that was it, it was meant to access the modem.
-
@IrixOS said in Windows Clients cannot access the internet, very strange unexpected DNS problem.:
@bmeeks Of course, that was it, it was meant to access the modem.
I think you understand, but just to be sure and to help someone else who stumbles across this thread in the future --
That NAT rule was to allow you to open something directly on the modem itself. Typically this is some type of configuration program either via an internal web server or maybe Telnet. So, if the modem had the IP 172.16.0.1 as its LAN port address, then from a client on the LAN side of pfSense you could open a connection to that IP and the NAT rule from the handbook would have translated that traffic to the modem's address. But that rule only works for talking to the modem's OS. It is not sufficient to send traffic from the pfSense LAN side out to the Internet.
You don't need to access the modem in order to send traffic to the Internet. When in bridged mode everything that comes in on the modem's LAN port is sent straight out the modem's WAN port without any change -- and vice-versa for WAN to LAN traffic on the modem. That is the definition of "bridged".
As for NAT rules on pfSense, you need a NAT rule that accepts traffic from whatever networks are behind pfSense and translates them to the pfSense WAN address. The "destination" for this NAT rule should be "any" because that covers the range of possible Internet destinations.
-
@bmeeks said in Windows Clients cannot access the internet, very strange unexpected DNS problem.:
Yes, you are completely correct, I was confused, and yes, classically the modem is accessed via web browser; now I get the concept of bridge mode better.
My sincere thank you!
-
@IrixOS said in Windows Clients cannot access the internet, very strange unexpected DNS problem.:
@bmeeks said in Windows Clients cannot access the internet, very strange unexpected DNS problem.:
Yes, you are completely correct, I was confused, and yes, classically the modem is accessed via web browser; now I get the concept of bridge mode better.
My sincere thank you!
Glad it's all working now. Must be quite late for you in Belgium! Go to bed now and celebrate success tomorrow.
-
@bmeeks HAHA, yesterday I couldn't wait for you guys to answer the thread, it's 00:05 here right now.
-
@IrixOS said in Windows Clients cannot access the internet, very strange unexpected DNS problem.:
@bmeeks HAHA, yesterday I couldn't wait for you guys to answer the thread, it's 00:05 here right now.
I'm six hours behind you. 6:07 PM here now (I'm on US Eastern Time).
-
@johnpoz Hey JohnPoz, thank you for the time you put into my thread and the commitment (fast replies).
Chapeau!
-
@IrixOS you're more than welcome - glad you got it sorted.
-
@johnpoz Hmm JohnPoz, you are never gonna believe this. DNS lost its grip yesterday and the day before. Rebooted twice.
The bottom-right task square turned into the world icon. Couldn't connect to any webpage, DNS server unavailable, don't know what caused it. Didn't troubleshoot either. I don't mind rebooting the firewall once in a while, but if the website comes online with other future stuff, then I'm beginning to worry...
-
@IrixOS you should never have to reboot the firewall, unless you're updating it, to be honest..
My pfsense has been up 82 Days 14 Hours 23 Minutes 31 Seconds, and I even had a power outage - but it wasn't long enough that my UPS couldn't cover it.
Pfsense rebooted when I updated to 23.09.1, which came out 85 days ago, so I was a couple of days behind when it dropped ;) when I got around to doing the update..
If you have an issue with anything, the last thing I would do is reboot pfsense, after you have gathered info and are not able to recover by any other means.. If you just rebooted and it then works, you have no clue as to what the actual cause was.. A reboot of pfsense should be the last thing you do, or if you cannot access it at all - not via GUI, not via SSH, and also not via console.. You want info on what is going on before you just reboot something..
-
Well I totally agree with that.
The firewall seems to be unresponsive. Didn't touch anything since the last time we have been troubleshooting.
I don't expect you to go through all the troubleshooting again. The DNS server doesn't query.
Frankly I don't know what to think about it right now. It shouldn't behave like that.
-
@IrixOS you're on the GUI - sure seems like it's responsive to me..
Did you try just restarting unbound? Do you have internet access even? Can you ping 8.8.8.8 from pfsense?
I would have to read over this whole thread to recall what was going on... I cannot remember if you have pfsense set up to forward or not.. If it's default resolving, then do a dig bing.com +trace so you can see where pfsense is failing in the resolve process.
[23.09.1-RELEASE][admin@sg4860.home.arpa]/root: dig www.bing.com +trace

; <<>> DiG 9.18.16 <<>> www.bing.com +trace
;; global options: +cmd
. 85959 IN NS b.root-servers.net.
. 85959 IN NS m.root-servers.net.
. 85959 IN NS f.root-servers.net.
. 85959 IN NS i.root-servers.net.
. 85959 IN NS l.root-servers.net.
. 85959 IN NS d.root-servers.net.
. 85959 IN NS a.root-servers.net.
. 85959 IN NS g.root-servers.net.
. 85959 IN NS e.root-servers.net.
. 85959 IN NS h.root-servers.net.
. 85959 IN NS c.root-servers.net.
. 85959 IN NS j.root-servers.net.
. 85959 IN NS k.root-servers.net.
. 85959 IN RRSIG NS 8 0 518400 20240317050000 20240304040000 30903 . p2Z7UhKDT1TGl4a8EAUU1BUrh2fO7VosuHjtHeZxUYmWu/m7iWM7CxG+ /4kfAXn7a3LdKbYTJwt8LdGHJ9F/QKAQ7GjWLlISNPnh3tfgPInoE/sE NpxeV8v0CUvd29gwjZc615XVrzoeyjrVw62Qgzt4+XYiKBFGYXrdC+5L NsZvzeFMGASw8A4QiBTuxYan3f3E++URjF0n7K7O7YhMXPJ5Yuj9rn+k 7WyFJS9Orqrlk8Mqk1tssnSIAMkFe11vTzK/6TvF+NMHIq8J1fv73ZbJ cO2lxdAZv005n+MNz0OMdfubCb8p9iWcCulFYG6sZUzUNmQ+Pcu6IgW3 csxrJw==
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 86400 IN DS 19718 13 2 8ACBB0CD28F41250A80A491389424D341522D946B0DA0C0291F2D3D7 71D7805A
com. 86400 IN RRSIG DS 8 1 86400 20240317050000 20240304040000 30903 . McuSOdxedTIMS8425wT5wRvxIjy9ME426TNSH5qLj1O9pSBBp6OedWXO 1Ye4gn50Ur9FszAsBQ8prkEcqmJNu7mMv3/EzG6PEylJLujrCTxFn2r1 PwivXhfVQY9Aig2c/kS4zAKovDLI2F6hKqkZf17+7pa8wIYpbtVr3Y2Z lRTQSy/GJQ7kscBvnbLHGjHM+pbtp7gf0zhRA5wbCJRqQsWK0Nz866+v c/w0et44EAIRR9iQtljqSIJWmZIheXuC8RO9ZvXlCd8fQJlGen8Kb0Oa Fy8ufrmeNfixNbxR44ncxFqnOU27JZZqQyYnLEHNh8VPFWvdRrl5whdh AtmvaA==
;; Received 1172 bytes from 198.41.0.4#53(a.root-servers.net) in 10 ms

bing.com. 172800 IN NS dns1.p09.nsone.net.
bing.com. 172800 IN NS dns2.p09.nsone.net.
bing.com. 172800 IN NS dns3.p09.nsone.net.
bing.com. 172800 IN NS dns4.p09.nsone.net.
bing.com. 172800 IN NS ns1-204.azure-dns.com.
bing.com. 172800 IN NS ns2-204.azure-dns.net.
bing.com. 172800 IN NS ns4-204.azure-dns.info.
bing.com. 172800 IN NS ns3-204.azure-dns.org.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q2D6NI4I7EQH8NA30NS61O48UL8G5 NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 13 2 86400 20240309052607 20240302041607 4534 com. Yno27N6Iyp51X80Wzajfgd8RC57n9zrUGUSfsm1e27HJE+nIFfAHaCBA ea8iXE50HL5TG3xyoq80Y9ixPgwSbg==
5UI7CV5HJHQLPAI73U56DMAO7830VJGD.com. 86400 IN NSEC3 1 1 0 - 5UI7FG7S6MDP7SO5PCHDU0CMCN3K4VOA NS DS RRSIG
5UI7CV5HJHQLPAI73U56DMAO7830VJGD.com. 86400 IN RRSIG NSEC3 13 2 86400 20240308071931 20240301060931 4534 com. bxaYe+AsATtZu+pk+DYfRGcrIFgv5xSRIUAY0qMC+cqL0EYn0PFyASk4 K1DhyvwOUBNP+ithuzt2AE3q/ZYdwg==
;; Received 666 bytes from 192.55.83.30#53(m.gtld-servers.net) in 10 ms

www.bing.com. 21600 IN CNAME www-www.bing.com.trafficmanager.net.
;; Received 90 bytes from 208.84.5.204#53(ns4-204.azure-dns.info) in 13 ms
[23.09.1-RELEASE][admin@sg4860.home.arpa]/root:
Then you would have to follow that cname it points to, www-www.bing.com.trafficmanager.net. If you're forwarding, do you have dnssec enabled - that can cause problems... If you're doing dnssec and your time is off you could have problems, etc..
-
@johnpoz Did you mention time, like time settings?
I got this mini firewall with pfSense+ already installed from China.
When inspecting the device, I noticed the BIOS time was wrong. Doesn't matter which save option you choose from the menu, it still does not retain the time setting.
I contacted their support and there was some woman pulling tricks on me and said that the time has to be changed to the Chinese time schedule. Excuse me?
What I did was change the date with the BSD CLI in pfSense, but that was yesterday.
-
@IrixOS when you do dnssec there is a validation; if the box doing the validation, ie pfsense, has its time off - then yeah, validation can fail.. But really shouldn't matter with the BIOS.. But if time drifts on pfsense, yeah, you could maybe be running into where it works until it drifts out too far..
If unbound fails to resolve you need to figure out why, vs just rebooting and hoping it fixes itself. Can your clients resolve the pfsense name? This should matter about external anyway. If unbound is running it should always resolve..
I am showing this currently with nslookup and www.bing.com.. I look to be getting an answer but having some sort of issue with the cnames..
[23.09.1-RELEASE][admin@sg4860.home.arpa]/root: nslookup www.bing.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
www.bing.com canonical name = www-www.bing.com.trafficmanager.net.
www-www.bing.com.trafficmanager.net canonical name = www-bing-com.dual-a-0001.a-msedge.net.
www-bing-com.dual-a-0001.a-msedge.net canonical name = dual-a-0001.a-msedge.net.
Name: dual-a-0001.a-msedge.net
Address: 13.107.21.200
Name: dual-a-0001.a-msedge.net
Address: 204.79.197.200
** server can't find dual-a-0001.a-msedge.net: SERVFAIL
60 second ttl - wtf people..
dual-a-0001.a-msedge.net. 60 IN A 204.79.197.200
dual-a-0001.a-msedge.net. 60 IN A 13.107.21.200
stuff like this can cause problems - how hard is it people to run dns ;)
net to a-msedge.net: The following NS name(s) were found in the authoritative NS RRset, but not in the delegation NS RRset (i.e., in the net zone): ns3.a-msedge.net
net to a-msedge.net: The glue address(es) for ns2.a-msedge.net (131.253.21.1) differed from its authoritative address(es) (204.79.197.2).
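The two things johnpoz points at above, the CNAME chase that unbound has to finish before it can hand back an address and the RRSIG validity window that a wrong clock falls outside of, as an added Python example (not code from the thread, pfSense or unbound). It parses dig-style records, follows the chain from www.bing.com to its A records, and reports which RRSIGs a validator would reject for a given clock; the answer section is a constructed snapshot modelled on the nslookup output above, and the RRSIG signature field is a placeholder.

```python
from datetime import datetime

# Constructed dig-style answer section: public names as in the thread, but a
# hand-built snapshot, not a live lookup; the RRSIG signature is a placeholder.
SAMPLE_ANSWER = """\
www.bing.com. 21600 IN CNAME www-www.bing.com.trafficmanager.net.
www-www.bing.com.trafficmanager.net. 60 IN CNAME www-bing-com.dual-a-0001.a-msedge.net.
www-bing-com.dual-a-0001.a-msedge.net. 60 IN CNAME dual-a-0001.a-msedge.net.
dual-a-0001.a-msedge.net. 60 IN A 13.107.21.200
dual-a-0001.a-msedge.net. 60 IN A 204.79.197.200
. 85959 IN RRSIG NS 8 0 518400 20240317050000 20240304040000 30903 . PLACEHOLDERSIG==
"""

def parse_records(text):
    """Parse 'name ttl IN type rdata...' lines into (name, ttl, type, rdata) tuples."""
    recs = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and f[2] == "IN":
            recs.append((f[0].lower(), int(f[1]), f[3], f[4:]))
    return recs

def follow_cname(records, qname, max_hops=8):
    """Walk CNAMEs from qname until A records appear; reject loops and long chains."""
    name, seen = qname.lower().rstrip(".") + ".", []
    while name not in seen and len(seen) < max_hops:
        seen.append(name)
        addrs = [r[3][0] for r in records if r[0] == name and r[2] == "A"]
        if addrs:
            return name, addrs
        targets = [r[3][0].lower() for r in records if r[0] == name and r[2] == "CNAME"]
        if not targets:
            raise LookupError(f"chain dead-ends at {name}: no A or CNAME record")
        name = targets[0]
    raise ValueError(f"CNAME loop or more than {max_hops} hops at {name}")

def rrsig_valid_at(rdata, now):
    """RRSIG rdata: type alg labels origttl EXPIRATION INCEPTION keytag signer sig.
    now is a YYYYMMDDHHMMSS UTC string, like the timestamps in the record."""
    fmt = "%Y%m%d%H%M%S"
    exp, inc, t = (datetime.strptime(v, fmt) for v in (rdata[4], rdata[5], now))
    return inc <= t <= exp

def clock_failures(records, now):
    """RRSIGs a validator would reject purely because its clock is outside the window."""
    return [r for r in records if r[2] == "RRSIG" and not rrsig_valid_at(r[3], now)]

if __name__ == "__main__":
    recs = parse_records(SAMPLE_ANSWER)
    print(follow_cname(recs, "www.bing.com"), clock_failures(recs, "20230101000000"))
```

With the clock set to 2023 (a stale BIOS date) the root RRSIG is outside its window and shows up as a failure; at a correct 2024-03-10 clock the list is empty.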