No Internet access to LAN2
-
Hi,
I'm facing the issue of accessing the internet.
Here's the network structure.
There's a WAN and two LANs.
LAN1: 192.168.1.1
LAN2: 192.168.100.1
LAN1 has access to the internet and can ping anyone in the network.
LAN2 has no internet access. LAN2 can ping to LAN1, and LAN2 can ping to 1.1.1.1 and 8.8.8.8.
Any help?
Thanks,
Parneet
-
@parneetbatra
So possibly you have a DNS issue on LAN2?
Try to ping a host name, e.g. google.com.
-
-
@viragomann
LAN1 and LAN2 DNS is 192.168.1.5 that's PiHole.
-
Firewall rules on LAN2 ?
And show ipconfig /all on the PC connected on LAN2.
@parneetbatra said in No Internet access to LAN2:
LAN2: 192.168.100.1
You've set more in than that ^^
It's not just the IP. The 'mask' is set to /24, right ?
DHCP LAN2 server ?
-
Here are the screenshots, hope that will help to troubleshoot the problem, please let me know if you will need more information. Thanks
pfSense Dashboard
LAN2 Interface
LAN1 Firewall Rules
LAN2 Firewall Rules
LAN1 DHCP
LAN2 DHCP
IP config
Ping
-
Here are the steps I followed:
Interfaces -> Assignments -> Add a new LAN (example LAN2)
Click on LAN2 ->
- Enable: Enable interface
- Description: LAN2
- IPv4 Configuration Type: Static IPv4
Static IPv4 Configuration
- 192.168.100.1/25
Save
Services -> DHCP Server -> LAN2
General DHCP Options
- Enable: Enable the DHCP server on the LAN2 interface
Primary Address Pool
- Address Pool Range: 192.168.100.10 - 192.168.100.200
Firewall -> Rules -> LAN2
Copy LAN1 default rules IPv4* and IPv6*, change source to LAN2, and click on Save.
-
Let's start with :
No Internet access to LAN2
You've proven that wrong with :
I saw :
When you did a :
it showed that ICMP packets reach the LAN1, and the reply gets back. Good sign.
Make it one step further : a ping from LAN2 to a device present on LAN1: the DNS pi-hole.
I saw your PC was using this IP as a DNS.
Another step : can your PC ping some other device on LAN1 ?
Even more info : Go to Diagnostics > Packet Capture :
Select for Capture Options your LAN2 interface :
and hit the start button.
Now, do a ping to google.com (this implies an initial host name lookup == DNS == 192.168.1.5 is/should (!) be used) or use the official Microsoft nslookup tool called nslookup ^^
nslookup google.com
What did that show ?
and then look at the packet trace result.
This might explain the issue : DNS packets coming from LAN2 do arrive at the LAN1 interface, but the pi-hole has a setting that allows it to answer only to requests coming from its own LAN == LAN1 == 192.168.1.0/24 - and it (pi-hole) refuses to answer to requests coming from elsewhere, notably 192.168.100.0/24 == LAN2.
So pi-hole behaves like a black-hole ^^
This pi-hole behavior is a security : it should only answer to requests from the local "LAN" (LAN1) and from no one else. Up to you to add also "LAN2" (192.168.100.0/24) to the allowed network list.
Btw : I never used or saw a pi-hole.
-
@parneetbatra
What do you get if you do an nslookup google.com?
I suspect that your DNS is not responding due to a missing ACL for LAN2.
-
-
-
@Gertjan said in No Internet access to LAN2:
Another step : can your PC ping some other device on LAN1 ?
-
-
Good news, if I change DNS to 8.8.8.8 in LAN2, I can ping to google.com
I can access the internet.
It's a Pi-hole issue. Is there any idea for Pi-hole, why not let us connect to Google in LAN2?
-
@parneetbatra said in No Internet access to LAN2:
It's a Pi-hole issue. Is there any idea for Pi-hole, why not let us connect to Google in LAN2?
You've identified your problem by drawing those two red rectangles around two Pi-hole log entries. Here is one of them:
ignoring query from non-local network 192.168.100.10
As someone pointed out earlier in this thread, DNS servers such as unbound and Pi-hole have ACLs (access control lists) that limit what IP addresses can query for DNS names. By default those queries are limited to clients residing on the same local network (LAN) as the DNS server.
Scroll down this list of dnsmasq warnings in Pi-hole to find your specific error and its causes: https://docs.pi-hole.net/ftldns/dnsmasq_warn/.
The TLDR answer is you seem to have incorrect access permissions and thus DNS queries from your LAN2 are being ignored by Pi-hole.
-
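The Pi-hole warning quoted above is enough to work out which segments are being refused. The following is an added example (not code from the thread, pfSense or Pi-hole) that parses such warnings and separates clients on the known routed LAN2 from sources nobody expected; the log prefix format, the extra sample addresses and the function names are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log; only the warning text itself is taken from the thread.
SAMPLE_LOG = """\
Jan 10 10:00:01 dnsmasq[512]: query[A] google.com from 192.168.1.23
Jan 10 10:00:02 dnsmasq[512]: ignoring query from non-local network 192.168.100.10
Jan 10 10:00:05 dnsmasq[512]: ignoring query from non-local network 192.168.100.10
Jan 10 10:00:09 dnsmasq[512]: ignoring query from non-local network 192.168.100.57
Jan 10 10:00:11 dnsmasq[512]: ignoring query from non-local network 203.0.113.7
"""

# Routed internal segment named in the thread (LAN2); an assumption for this example.
ROUTED_INTERNAL = [ipaddress.ip_network("192.168.100.0/24")]

WARNING = re.compile(r"ignoring query from non-local network (\S+)")

def rejected_clients(log_text):
    """Count how often each client IP was refused by the local-only check."""
    hits = Counter()
    for line in log_text.splitlines():
        match = WARNING.search(line)
        if not match:
            continue
        try:
            hits[ipaddress.ip_address(match.group(1))] += 1
        except ValueError:
            continue  # malformed address in the log line; skip it
    return hits

def triage(hits, internal_nets=ROUTED_INTERNAL):
    """Split refused clients into known routed segments and unexpected sources."""
    by_net, unexpected = {}, []
    for ip in sorted(hits, key=lambda a: (a.version, int(a))):
        net = next((n for n in internal_nets if ip in n), None)
        if net is None:
            unexpected.append(str(ip))
        else:
            by_net.setdefault(str(net), []).append(str(ip))
    return by_net, unexpected

if __name__ == "__main__":
    permit, unexpected = triage(rejected_clients(SAMPLE_LOG))
    print("internal segments to permit:", permit)
    print("leave blocked and investigate:", unexpected)
```

Only the segments in the first result need to be added to the DNS server's allowed networks; anything in the second list stays refused.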
-
As said earlier,
As said by @bmeeks
As said by the guy who made the red box here :
and as said by your pi-hole :
"Ignoring query from non local network 192.168.100.1".
The local network is 192.168.1.0/24 - your pfSense LAN network.
So : requests from 192.168.100.0/24 are ignored.
So, set up pi-hole that it should consider both 192.168.1.0/24 and 192.168.100.0/24 as 'local'
and from then on, DNS works on your LAN2 interface.
-
@Gertjan said in No Internet access to LAN2:
So, set up pi-hole that it should consider both 192.168.1.0/24 and 192.168.100.0/24 as 'local'
+++need set local CIDR!
192.168.0.0/16
-