Connecting to the DNS of pfsense



  • Hello,
    I'm currently working with version 1.2.2 of pfSense.
    I have two LANs and 2 WANs. Each LAN goes through a single LAN.

    LAN1              WAN
          \            /
            Pfsense
          /           
    LAN2              WAN2

    LAN1 accesses the Internet through WAN, and LAN2 through WAN2.

    The IP addresses of the different clients, both for LAN1 and LAN2, are given through a DHCP server on pfsense. The DNS server for LAN1 is the interface address of pfsense. Internet is accessible and I can connect to the interface of pfsense through the hostname: https://pfsense.
    However this doesn't work on LAN2. I'm sure I have a mistake in my configuration somewhere but I can't find it. I currently use the WAN2 router address as DNS, which is why I can't access the interface using the hostname. However, if I try using the interface as DNS I can't access the interface through the hostname anyway, and I lose access to the Internet.

    I tried the solution of Perry (http://forum.pfsense.org/index.php/topic,10793.0.html), but either I failed to do it correctly or there is something else lacking in my configuration, but it doesn't work.

    What should I do to make it work?



  • @Abarai:

    However this doesn't work on LAN2.

    How does it not work? What do you do to test it and what is reported?

    I'm sure I have a mistake in my configuration somewhere but I can't find it. I currently use the WAN2 router address as DNS, which is why I can't access the interface using the hostname. However, if I try using the interface as DNS I can't access the interface through the hostname anyway, and I lose access to the Internet.

    How do you "try to use the interface as DNS"?

    How do you try to "access the interface through the hostname"? (The hostname "pfsense" will probably translate to the IP address of the LAN interface not the IP address of the LAN2 interface. Do you have firewall rules that allow at least DNS access from LAN2 to at least the LAN interface?)



  • @wallabybob:

    How does it not work? What do you do to test it and what is reported?

    I'm saying I can't access the interface of pfsense through the hostname https://pfsense. I'm forced to use the interface's IP https://192.168.21.254. I would like to be able to use the address https://pfsense wherever I am on my network. I try to access it from Internet Explorer, or from an nslookup query, but neither works.

    @wallabybob:

    How do you "try to use the interface as DNS"?

    Basically, I want to have a network on LAN2 configured as such: IPs: 192.168.21.xxx/24, Gateway: 192.168.21.254, DNS: 192.168.21.254.
    Right now, I use a DHCP server on LAN2 configured as follows:
    subnet: 192.168.21.0
    subnet mask: 255.255.255.0
    range: 192.168.21.20 to 192.168.21.40
    wins server: none
    dns servers: 10.0.0.21 (the router accessing the Internet on WAN2)

    This is the only way I found to successfully access the Internet through WAN2 on LAN2.
    My point is it shouldn't be the WAN2 router used as DNS but pfsense; however, it doesn't work whatever configuration I tried.

    @wallabybob:

    How do you try to "access the interface through the hostname"? (The hostname "pfsense" will probably translate to the IP address of the LAN interface not the IP address of the LAN2 interface. Do you have firewall rules that allow at least DNS access from LAN2 to at least the LAN interface?)

    The hostname isn't translated to the IP address, which is why I think of a DNS problem. I tried creating the rule Perry did in his post, but without success.

    Action  Proto  Source      Port  Destination     Port  Gateway
    PASS    UDP    LAN subnet  *     192.168.21.254  53    *

    Why should I create a rule allowing DNS on LAN1? There shouldn't be any link between the two networks, or am I missing something?



  • @Abarai:

    @wallabybob:

    How does it not work? What do you do to test it and what is reported?

    I'm saying I can't access the interface of pfsense through the hostname https://pfsense. I'm forced to use the interface's IP https://192.168.21.254. I would like to be able to use the address https://pfsense wherever I am on my network. I try to access it from Internet Explorer, or from an nslookup query, but neither works.

    Let's say you have your LAN2 client correctly configured to use pfSense as the DNS. Then there are at least two possible explanations for what you have observed:

    1. the hostname pfsense is not correctly translated to an IP address and the connection attempt to the host pfsense consequently fails because pfsense can't be translated or the connection attempt goes to the wrong host.
    2. the hostname pfsense is correctly translated to an IP address but the connection attempt is blocked by the firewall.

    I have only a single WAN connection on my pfSense but have two LANs and I can access (by hostname) the internet and the pfSense web GUI from a system on LAN 2. So let's go through things step by step.

    You have the DNS forwarder enabled? (In web GUI, Services -> DNS, check box beside Enable DNS forwarder. If the box was unchecked and you checked it, also click the Save button.)

    Your LAN2 client has the correct DNS IP address? You could check this by # nslookup pfsense. The reported server should be the IP address of the LAN2 interface on the pfSense box and the IP address of the pfsense system should be the IP address of the pfSense LAN interface. If this is not so, what does nslookup report?

    If everything checks out so far, you might still have a firewall problem because the default pfSense configuration is to block access between the subnets, so LAN2 access to LAN1 will be blocked by the firewall and LAN1 access to LAN2 will be blocked by the firewall. So you will need a firewall rule to allow http access from LAN2 to at least the pfsense LAN1 interface.

    I was mistaken in my earlier reply suggesting you needed a firewall rule to allow DNS access from LAN2 to LAN1.



  • Hello, thanks for taking the time to answer.

    @wallabybob:

    You have the DNS forwarder enabled? (In web GUI, Services -> DNS, check box beside Enable DNS forwarder. If the box was unchecked and you checked it, also click the Save button.)

    It is enabled.

    @wallabybob:

    Your LAN2 client has the correct DNS IP address? You could check this by # nslookup pfsense. The reported server should be the IP address of the LAN2 interface on the pfSense box and the IP address of the pfsense system should be the IP address of the pfSense LAN interface. If this is not so, what does nslookup report?

    If I do this, nslookup reports the following:
    C:\Program Files\Visual Studio 9.0\VC>nslookup pfsense
    DNS request timed out.
        timeout was 2 seconds.
    *** can't find server name for 192.168.21.254 : Timed out
    *** the default servers aren't available
    Serveur :  UnKnown
    Address:  192.168.21.254

    @wallabybob:

    If everything checks out so far, you might still have a firewall problem because the default pfSense configuration is to block access between the subnets, so LAN2 access to LAN1 will be blocked by the firewall and LAN1 access to LAN2 will be blocked by the firewall. So you will need a firewall rule to allow http access from LAN2 to at least the pfsense LAN1 interface.

    I was mistaken in my earlier reply suggesting you needed a firewall rule to allow DNS access from LAN2 to LAN1.

    Why would I want to use the LAN1 interface??? If the DNS were correctly configured, all of my LAN interfaces should respond to the hostname pfsense, so there should be no need to do that?
    Or am I missing something?



  • @Abarai:

    @wallabybob:

    Your LAN2 client has the correct DNS IP address? You could check this by # nslookup pfsense. The reported server should be the IP address of the LAN2 interface on the pfSense box and the IP address of the pfsense system should be the IP address of the pfSense LAN interface. If this is not so, what does nslookup report?

    If I do this, nslookup reports the following:
    C:\Program Files\Visual Studio 9.0\VC>nslookup pfsense
    DNS request timed out.
        timeout was 2 seconds.
    *** can't find server name for 192.168.21.254 : Timed out
    *** the default servers aren't available
    Serveur :  UnKnown
    Address:  192.168.21.254

    It looks as if your nslookup requires the name server to have a name for its address, considering it a fatal error if there is no name for the name server's IP address. Perhaps there is a command line option to proceed despite this condition. You may get further in this problem by adding a name to pfSense for the LAN2 interface (e.g. pfsense-lan2).

    Here's how it works on my Linux system on my "LAN2":

    
    root@kogan:~$ nslookup pfsense
    Server:		192.168.17.73
    Address:	192.168.17.73#53
    
    Name:	pfsense.example.org
    Address: 192.168.211.173
    
    root@kogan:~$ 
    
    

    192.168.17.73 is the IP address of the pfSense LAN2 interface. There is no name registered for this IP address. 192.168.211.173 is the IP address of the pfSense LAN interface.

    @wallabybob:

    If everything checks out so far, you might still have a firewall problem because the default pfSense configuration is to block access between the subnets, so LAN2 access to LAN1 will be blocked by the firewall and LAN1 access to LAN2 will be blocked by the firewall. So you will need a firewall rule to allow http access from LAN2 to at least the pfsense LAN1 interface.

    Why would I want to use the LAN1 interface??? If the DNS were correctly configured, all of my LAN interfaces should respond to the hostname pfsense, so there should be no need to do that?
    Or am I missing something?

    You are missing something. This is the way the pfSense DNS works: if you ask for the IP address of the configured host name you will get the IP address of the pfSense LAN interface regardless of the interface on which the request arrived. The hostname used in DNS would probably be more accurately named "interface name". On systems with only one interface there is no need to make a distinction.
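
Added example (not part of the original thread): the two failure explanations listed earlier, and the nslookup check described above, can be told apart mechanically from nslookup output. This Python sketch classifies the two transcripts quoted in this thread; the /24 prefix for the 192.168.17.x network and the result labels are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed inputs: the two nslookup transcripts quoted in the thread.
LAN2_WINDOWS = """\
DNS request timed out.
    timeout was 2 seconds.
*** can't find server name for 192.168.21.254 : Timed out
*** the default servers aren't available
Serveur :  UnKnown
Address:  192.168.21.254
"""
LAN2_LINUX = """\
Server:\t\t192.168.17.73
Address:\t192.168.17.73#53

Name:\tpfsense.example.org
Address: 192.168.211.173
"""

# First "Address:" line names the resolver, the second (if any) is the answer.
ADDRESS_LINE = re.compile(r"^\s*Address(?:es)?\s*:\s*(\d+(?:\.\d+){3})", re.M | re.I)


def parse_nslookup(text):
    """Return (resolver_ip, answer_ip or None, timed_out)."""
    found = ADDRESS_LINE.findall(text)
    resolver = found[0] if found else None
    answer = found[1] if len(found) > 1 else None
    return resolver, answer, "timed out" in text.lower()


def diagnose(text, client_subnet):
    """Classify a lookup made by a client inside client_subnet (CIDR string)."""
    resolver, answer, timed_out = parse_nslookup(text)
    if resolver is None:
        return "NO_RESOLVER_SEEN"
    if answer is None:
        # Name not translated: check the DNS forwarder and that DNS (port 53)
        # from this subnet reaches the resolver address.
        return "RESOLVER_TIMEOUT" if timed_out else "NO_ANSWER"
    if ipaddress.ip_address(answer) not in ipaddress.ip_network(client_subnet):
        # Name translated to an interface on another subnet: reaching the
        # web GUI there needs a pass rule, since inter-subnet traffic is blocked.
        return "ANSWER_ON_OTHER_SUBNET"
    return "ANSWER_ON_LOCAL_SUBNET"
```
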



  • I see. But giving a name to the LAN2 interface doesn't do the trick. I think that this comes from the interface of pfsense not being recognized as a DNS, or maybe the DNS configured in the general setup aren't being forwarded on LAN2… Otherwise, whether or not I am able to access the interface through a hostname, I should be able to access the Internet from LAN2 when using the interface IP as DNS.

