Netgate Discussion Forum

    upgraded to pfsense 2.8.0, WiFi devices report intermittent 'no internet access'

    58 Posts 4 Posters 4.6k Views 4 Watching
      skubany2 @johnpoz

      @johnpoz
      "secondary DNS"
      Under LAN DHCP Server I would have the LAN IP as primary DNS (default) and WiFi IP as secondary DNS.
      Under WiFi DHCP Server I would have the WiFi IP as primary DNS (default) and LAN IP as secondary DNS.

        stephenw10 Netgate Administrator

        Yeah, there's really no point in doing that. You are just accessing the same server via two addresses it's listening on.

          skubany2 @stephenw10

          How the time flies.

          To be able to use computer names, versus IPs, when trying to connect to network shares I have to solve the problem of LLMNR/NBNS packets being contained within the interface they originated from.

          I have LAN and WIFI interfaces. When a LAN client tries to browse shares on a WIFI client, that can be achieved only via IPs at the moment.

          I'll be reading about multicast to understand how it works in detail.

            johnpoz LAYER 8 Global Moderator @skubany2

            @skubany2 said in upgraded to pfsense 2.8.0, WiFi devices report intermittent 'no internet access':

            when trying to connect to network shares I have to solve the problem of LLMNR/NBNS

            Why?? There is zero reason for those if you just set up dns to resolve your resources.

            Here I resolve my nas, doesn't matter what network I am on - be it my trusted wifi, my psk wifi, my lan, etc..

            Dns resolves nas.home.arpa

            $ ping nas
            
            Pinging nas.home.arpa [192.168.9.10] with 32 bytes of data:
            Reply from 192.168.9.10: bytes=32 time<1ms TTL=64
            Reply from 192.168.9.10: bytes=32 time<1ms TTL=64
            

            My machine uses a search suffix of home.arpa - so I can just use nas if I want.. But even if the application or os or whatever I am using doesn't or can't use a search suffix, just use the fqdn nas.home.arpa.

            Those discovery protocols are fine for grandma's network where she has the wifi router supplied by her isp, and it's just 1 flat network.. But they don't work across networks - never meant to, nor does anyone need them that is going to go to the trouble of segmenting their network. Just use dns.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

              skubany2 @johnpoz

              @johnpoz

              You are saying that I should go into my OS config and disable LLMNR/NBNS?

              I have observed, via packet capture, that Win7 only utilizes LLMNR/NBNS; it does not even attempt DNS.

              On Win11 it does try DNS first, then mDNS and finally LLMNR/NBNS. The problem on Win11, I'm guessing, is that it appends .localdomain to the hostname I'm typing, which gets a DNS response of "not found". In an LLMNR/NBNS query Win11 does not append .local or .localdomain.
              Can I prevent Win11 from appending .localdomain, if it matters?

                johnpoz LAYER 8 Global Moderator @skubany2

                @skubany2 yeah disable the shit out of that.. It's noise on the network! ;)

                Why in the hell would you be using windows 7??

                As to .localdomain - Yeah set your domain. home.arpa is the one approved for local use. Or use .internal - a single label is not a good idea imho.. use something.internal or home.arpa.

                As to not even trying dns - did you set one? How do you think you could get to something on the internet without dns? Can you ping www.google.com - if so then it's using dns.

                Also you should get out of the habit of just using a host name - use the fqdn..

                  skubany2 @johnpoz

                  @johnpoz said in upgraded to pfsense 2.8.0, WiFi devices report intermittent 'no internet access':

                  Why in the hell would you be using windows 7??

                  You're very helpful and I appreciate that. But this comment is not helpful :) I only mention Win7 in case that helps in troubleshooting, because OS type can make a difference. Why I use Win7 is up to me, my preference.

                  As to .localdomain - Yeah set your domain. home.arpa is the one approved for local use. Or use .internal - a single label is not a good idea imho.. use something.internal or home.arpa.

                  I would like to prevent Win11 from even appending ".localdomain". I'll search the net to see if I can do that. Even if I disable LLMNR/NBNS, Win11 will still try to resolve <hostname>.localdomain instead of just <hostname>. Based on my testing <hostname>.localdomain even over DNS will not resolve.

                  Here is the response to <hostname>.localdomain DNS request:
                  "Standard query response 0x69f9 No such name A <hostname>.localdomain SOA a.root-servers.net"
                  This may be an indication that I have something incorrectly configured in my pfSense. Again, <hostname> is on LAN interface, the request originates on WIFI interface. 'a.root-servers.net' is the request going out to internet? pfSense should be able to resolve it locally.

                  As to not even trying dns - did you set one? How do you think you could get to something on the internet without dns? Can you ping www.google.com - if so then it's using dns.

                  "not even trying dns". This is not me, it is Win7. Why it does that, I don't know, I did not code it. Win11 tries DNS as I stated.

                    johnpoz LAYER 8 Global Moderator @skubany2

                    @skubany2 said in upgraded to pfsense 2.8.0, WiFi devices report intermittent 'no internet access':

                    This is not me, it is Win7.

                    I have not used windows 7 in what, a decade or something - but it for sure uses dns, you couldn't get on the internet if it didn't. And it for sure supports search suffixes.

                    Here is the response to <hostname>.localdomain DNS request:

                    Well yeah - not sure why you would expect the public internet to resolve a non-valid public tld.

                    You can for sure use that locally if you want.. Here, 5 seconds to create a record, and there you go, it resolves:

                    $ dig testlocaldns.localdomain
                    
                    ; <<>> DiG 9.16.50 <<>> testlocaldns.localdomain
                    ;; global options: +cmd
                    ;; Got answer:
                    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18636
                    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                    
                    ;; OPT PSEUDOSECTION:
                    ; EDNS: version: 0, flags:; udp: 1232
                    ;; QUESTION SECTION:
                    ;testlocaldns.localdomain.      IN      A
                    
                    ;; ANSWER SECTION:
                    testlocaldns.localdomain. 3589  IN      A       10.11.12.13
                    
                    ;; Query time: 3 msec
                    ;; SERVER: 192.168.3.10#53(192.168.3.10)
                    ;; WHEN: Fri Oct 31 07:25:44 Central Daylight Time 2025
                    ;; MSG SIZE  rcvd: 69
                    

                    Let's see the output of ipconfig /all on your machines - this will show where you point for dns, what it's using for a search suffix, etc.

                    Example, my pc:

                    C:\>ipconfig /all
                    
                    Windows IP Configuration
                    
                       Host Name . . . . . . . . . . . . : i9-win
                       Primary Dns Suffix  . . . . . . . : home.arpa
                       Node Type . . . . . . . . . . . . : Broadcast
                       IP Routing Enabled. . . . . . . . : No
                       WINS Proxy Enabled. . . . . . . . : No
                       DNS Suffix Search List. . . . . . : home.arpa
                    
                    Ethernet adapter Local:
                    
                       Connection-specific DNS Suffix  . :
                       Description . . . . . . . . . . . : Killer E2600 Gigabit Ethernet Controller
                       Physical Address. . . . . . . . . : B0-4F-13-0B-FD-16
                       DHCP Enabled. . . . . . . . . . . : Yes
                       Autoconfiguration Enabled . . . . : Yes
                       IPv4 Address. . . . . . . . . . . : 192.168.9.100(Preferred)
                       Subnet Mask . . . . . . . . . . . : 255.255.255.0
                       Lease Obtained. . . . . . . . . . : Thursday, October 30, 2025 7:36:16 AM
                       Lease Expires . . . . . . . . . . : Friday, November 7, 2025 7:36:10 AM
                       Default Gateway . . . . . . . . . : 192.168.9.253
                       DHCP Server . . . . . . . . . . . : 192.168.9.253
                       DNS Servers . . . . . . . . . . . : 192.168.3.10
                       NetBIOS over Tcpip. . . . . . . . : Enabled
                    

                    Another way to see where you are pointing for dns is just nslookup

                    C:\>nslookup
                    Default Server:  pi.hole
                    Address:  192.168.3.10
                    
                    >
                    

                    See how that matches up with my ipconfig output: 192.168.3.10 is the name server my machine points to - in my case running a pi hole, which forwards to my pfsense for dns, and then my pfsense resolves external records.

                    My guess is you have your clients pointing to some external dns like google or something - and then no, you would never be able to resolve your local resources.

                    Your clients should point to pfsense for dns, or another local name server you want to run.. This would resolve all your local resources either through dhcp registration of their names, or you manually creating the records, or reservations in dhcp that register the name in dns.

                      Gertjan @skubany2

                      @skubany2 said in upgraded to pfsense 2.8.0, WiFi devices report intermittent 'no internet access':

                      I have observed, via packet capture, that Win7 only utilizes LLMNR/NBNS it does not even attempt DNS.

                      Windows 7 uses the classic DNS: UDP (and TCP!) traffic with destination port 53.
                      Not the newer "DoH/DoT/DoQ" methods.
                      The IP used will be "the DNS IP the DHCP client obtained" and is normally the pfSense LAN IP.

                      So, I'm curious. If you can't capture any DNS from that W7 device, that's problematic.
                      Talk to the owner and ask what he did to break DNS ^^

                      @skubany2 said in upgraded to pfsense 2.8.0, WiFi devices report intermittent 'no internet access':

                      problem of LLMNR/NBNS

                      I have to look that one up. I don't know what "LLMNR/NBNS" is. I doubt - but who am I - that that is a standard W7 thing.

                      No "help me" PM's please. Use the forum, the community will thank you.
                      Edit : and where are the logs ??

                        johnpoz LAYER 8 Global Moderator @Gertjan

                        @Gertjan said in upgraded to pfsense 2.8.0, WiFi devices report intermittent 'no internet access':

                        I have to look that one up. I don't know what "LLMNR/NBNS".

                        LLMNR - link local multicast name resolution. = NOISE ;)

                        NBNS - netbios.. Maybe you are too young to remember that, hehehe ;) Back in the days before dns.. You used to have to run wins to be able to resolve names that did not exist on your local network. Or to not fill your network with everything broadcasting for everything.. But wins went away when MS came out with active directory and switched to dns.. I mean it hung around for a long time.. But you're talking what, 25 some years ago when AD came out.

                        edit: netbios will still happen, if you have it enabled, when you query something without it being a fqdn, or there is no answer.. So I just tried to ping something; you will notice it auto added my domain home.arpa to the query even though I just did a ping something. And it tried netbios when no address was returned in the response. See how the destination is 192.168.9.255 (directed broadcast).

                        Then did a ping for my switch, with just its host name sg300-28, and again it did a fqdn query auto adding the domain home.arpa - notice since it got a response, no netbios broadcast went out. It just arped for the mac and then started the ping.

                        [image: query1.jpg]

                        edit2:
                        Here just to be complete - this is where you would disable llmnr and netbios - notice now when I do a query for otherthing, it did just the dns query, but no netbios broadcast for the name.

                        [image: query2.jpg]

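As an added example (not code from the thread), this Python audit applies the classification johnpoz describes to a constructed capture summary: each datagram is tagged as DNS, mDNS, LLMNR or NBNS by destination address and port, and the report lists names where DNS answered NXDOMAIN and the client then fell back to the link-local protocols that cannot cross the WiFi/LAN boundary. The record format, addresses and names are constructed assumptions.

```python
"""Audit of name-resolution traffic from a constructed capture summary.

Each record is (timestamp, client_ip, dst_ip, dst_port, queried_name, rcode),
where rcode is the DNS response code the client got back ("NOERROR",
"NXDOMAIN") or None for the multicast/broadcast protocols, which simply
go unanswered when the target sits on another segment.
"""
import ipaddress
from collections import defaultdict

LLMNR_GROUP = ipaddress.ip_address("224.0.0.252")   # LLMNR, UDP 5355
MDNS_GROUP = ipaddress.ip_address("224.0.0.251")    # mDNS, UDP 5353
FALLBACK = ("mDNS", "LLMNR", "NBNS")                # none of these cross a router


def classify(dst_ip, dst_port):
    """Name the resolution protocol a datagram belongs to."""
    addr = ipaddress.ip_address(dst_ip)
    if dst_port == 53:
        return "DNS"
    if dst_port == 5355 and addr == LLMNR_GROUP:
        return "LLMNR"
    if dst_port == 5353 and addr == MDNS_GROUP:
        return "mDNS"
    if dst_port == 137:
        return "NBNS"   # NetBIOS name service, sent to the subnet broadcast
    return "other"


def fallbacks(records):
    """Map (client, short name) -> fallback protocols tried after DNS
    answered NXDOMAIN and never answered NOERROR for that name."""
    by_key = defaultdict(list)
    for ts, client, dst_ip, dst_port, qname, rcode in records:
        proto = classify(dst_ip, dst_port)
        if proto == "other":
            continue
        # Drop whatever suffix the stub resolver appended (nas.localdomain -> nas)
        short = qname.split(".")[0].lower()
        by_key[(client, short)].append((ts, proto, rcode))

    report = {}
    for key, events in by_key.items():
        events.sort(key=lambda e: e[0])
        dns_failed = any(p == "DNS" and r == "NXDOMAIN" for _, p, r in events)
        dns_ok = any(p == "DNS" and r == "NOERROR" for _, p, r in events)
        noisy = [p for _, p, _ in events if p in FALLBACK]
        if dns_failed and not dns_ok and noisy:
            report[key] = noisy
    return report


# Constructed sample: a Win11 client on the WiFi segment (192.168.10.0/24)
# looking up a LAN host named "nas", then a switch that DNS does know about.
SAMPLE = [
    (1.00, "192.168.10.50", "192.168.10.1", 53, "nas.localdomain", "NXDOMAIN"),
    (1.01, "192.168.10.50", "224.0.0.251", 5353, "nas.local", None),
    (1.02, "192.168.10.50", "224.0.0.252", 5355, "nas", None),
    (1.05, "192.168.10.50", "192.168.10.255", 137, "NAS", None),
    (2.00, "192.168.10.50", "192.168.10.1", 53, "sg300-28.home.arpa", "NOERROR"),
    (3.00, "192.168.9.100", "192.168.9.1", 53, "www.example.com", "NOERROR"),
]

if __name__ == "__main__":
    for (client, name), protos in fallbacks(SAMPLE).items():
        print(f"{client}: DNS could not answer '{name}', fell back to {protos}")
```

Every (client, name) pair the report lists is a host that DNS registration or a manual record would make resolvable, after which the fallback traffic stops on its own.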
                          stephenw10 Netgate Administrator

                          This should work fine if hosts are using pfSense for DHCP and the dhcp leases are set to register in the resolver.

                            Gertjan @johnpoz

                            @johnpoz said in upgraded to pfsense 2.8.0, WiFi devices report intermittent 'no internet access':

                            NBNS - netbios.. Maybe you are too young to ...

                            Alas, that's not the case. I was there when Clippy was shot in the alley, when Byte Magazine featured the new '80836' ... - and I dare not continue now 😊
                            Netbios: yeah, that was a thing ... no: Microsoft wanted it to be a thing.
                            Port 137 (138, 139?) ... thanks, now I recall. What a sh*t show.

                              skubany2 @Gertjan

                              Let's clean up some confusion.

                              I'm only talking about reaching network shares. DNS works fine for websites. I can reach network shares via host IPs but not host names.

                              For network shares the OS decides what protocols, how and in what order it will attempt.

                              On Win7, no DNS queries are observed, only LLMNR and once those fail NBNS.
                              On Win11, the order is: DNS, MDNS, LLMNR, MDNS, NBNS. When one fails it moves to the next protocol on the list.

                              On Win11 the DNS query for a local hostname on another interface ultimately ends up on the internet ("Standard query response 0x69f9 No such name A <hostname>.localdomain SOA a.root-servers.net") when it shouldn't, so there is an issue with the config I guess. This also shows that LAN hostnames were not checked (or perhaps they were, but no hostname has .localdomain appended to it on LAN); the request came from the WIFI interface. Part of the solution, I expect, will be to ensure that all configured interfaces are checked when a DNS lookup is issued by any one interface. What do I need to configure in pfSense to ensure that happens?

                              @johnpoz

                              My 'ipconfig /all' looks very similar to yours. And my 'DNS Server' entry does match what 'nslookup' shows.
                              The differences are that:
                              Node Type is 'Hybrid', yours is 'Broadcast'.
                              Additionally, on Win11 the 'Connection-specific DNS Suffix' and 'DNS Suffix Search List' have the value 'localdomain', whereas Win7 has the first property/key empty and the second property/key missing altogether. I believe part of the solution will be to clear those entries in Win11.

                              Online I found a way to disable LLMNR for both OSes but when I do that on Win7, I'm not convinced it will start using DNS when it does not do so with LLMNR enabled. I will check that out at some point in the future.

                              @stephenw10 said in upgraded to pfsense 2.8.0, WiFi devices report intermittent 'no internet access':

                              This should work fine if hosts are using pfSense for DHCP and the dhcp leases are set to register in the resolver.

                              Are you saying that I should turn this on?

                              [image: 7a17a279-0c43-48cf-9f1e-4f250f6d3021-image.png]

                              I would kind of prefer to find a solution within pfSense and not have to modify the OS default settings to be honest because then I would have to remember to do that to a new OS (host) on the network.

                                johnpoz LAYER 8 Global Moderator @skubany2

                                @skubany2 said in upgraded to pfsense 2.8.0, WiFi devices report intermittent 'no internet access':

                                Node Type is 'Hybrid', yours is 'Broadcast'.

                                I specifically set mine to broadcast because hybrid is pointless without wins.. Which people have not run in years and years.

                                [image: node.jpg]

                                The only possible one that makes sense if not running wins (which who would be) is broadcast. Simple enough to set with a dhcp option (option 46, 1).

                                Here is what I would suggest - turn off that noise machine llmnr, it's never going to work across networks. Pick a better domain name, home.arpa would be my suggestion. And once you know everything is resolving you can turn off netbios if the device/os allows for it.

                                And either turn on dhcp registration, or set up reservations. I use reservations for everything on my network - one, because why would things that I want to resolve need/want to change IPs.. Most everything on my network is on 24/7 anyway. I do run dhcp with small scopes for when I add a new device, etc. But once I know it's going to be on the network - say I add a new or different wifi lightbulb or something - I just move it to a reservation. If my dns is down for some reason I can easily access something by its IP, no worry about having to look up what IP it might be on.

                                I also normally have a long lease time for most of my scopes as well - no need for dhcp traffic every hour when they are not going to change anything. If I do change something in the options, they will either pick it up in a few days or I can just power cycle devices, etc.

                                If you're not going to go with reservations - you more than likely want to look into using kea vs isc - because the issue for many years is that unbound restarts on any dhcp event if you register dhcp. Not a big issue if you only have a few devices and you use long leases - but when you have lots of devices and short leases, unbound will be restarting all the time on a dhcp event. And if you run stuff like pfblocker with loads of stuff being blocked, dnsbl and etc., a restart can take a while vs just a second or 2.. These can lead to dns problems. In the latest version of pfsense kea is supposed to have corrected this, where dhcp events do not force a restart of unbound.

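As an added example, not Windows or pfSense code, here is a small Python model of the lookup order skubany2 observed and of the fix discussed in this thread: a single-label name gets the DHCP-supplied suffix appended for the DNS step, the multicast/broadcast fallbacks only work inside the client's own segment, and registering DHCP leases in the resolver makes the first step succeed so no fallback traffic is sent. Host names, addresses and segment labels are constructed.

```python
"""Model of the Windows lookup order skubany2 observed (DNS with the DHCP
search suffix appended, then mDNS, LLMNR, mDNS, NBNS) against a stand-in
for unbound on pfSense. Hosts, addresses and segment names are constructed.
"""


class Host:
    def __init__(self, name, ip, segment):
        self.name, self.ip, self.segment = name, ip, segment


class Resolver:
    """Stand-in for unbound: a table of FQDN -> IPv4, plus the domain it
    hands out via DHCP (the thread's 'localdomain' came from here)."""
    def __init__(self, domain):
        self.domain = domain
        self.records = {}

    def register_leases(self, hosts):
        """What 'Enable DNS registration' does: one A record per lease,
        under the DHCP domain, so clients on any segment can resolve it."""
        for h in hosts:
            self.records[f"{h.name}.{self.domain}".lower()] = h.ip

    def lookup(self, fqdn):
        return self.records.get(fqdn.lower().rstrip("."))


def resolve(client, name, resolver, hosts, llmnr_nbns=True):
    """Return (ip_or_None, steps) for a lookup issued from `client`."""
    steps = []
    # 1. DNS first; a single-label name gets the search suffix appended,
    #    which is why the capture showed <hostname>.localdomain.
    fqdn = name if "." in name else f"{name}.{resolver.domain}"
    steps.append(f"DNS {fqdn}")
    ip = resolver.lookup(fqdn)
    if ip:
        return ip, steps
    # 2-5. Multicast/broadcast fallbacks. They are link-local, so only a
    #      host on the client's own segment can ever answer them.
    order = ["mDNS", "LLMNR", "mDNS", "NBNS"] if llmnr_nbns else ["mDNS", "mDNS"]
    for proto in order:
        steps.append(f"{proto} {name}")
        for h in hosts:
            if h.segment == client.segment and h.name.lower() == name.lower():
                return h.ip, steps
    return None, steps


# Constructed topology matching the thread: a Win7 box on LAN, Win11 on WiFi.
LAN_PC = Host("win7box", "192.168.9.20", "LAN")
WIFI_PC = Host("win11box", "192.168.10.50", "WIFI")
WIFI_TV = Host("tv", "192.168.10.60", "WIFI")
HOSTS = [LAN_PC, WIFI_PC, WIFI_TV]


def before_registration():
    """Leases not registered: cross-segment lookup fails after all fallbacks."""
    return resolve(WIFI_PC, "win7box", Resolver("localdomain"), HOSTS)


def same_segment():
    """Fallbacks do work on the local segment, which hides the DNS gap."""
    return resolve(WIFI_PC, "tv", Resolver("localdomain"), HOSTS)


def after_registration():
    """DNS registration on: answered at step one, no fallback noise sent."""
    r = Resolver("localdomain")
    r.register_leases(HOSTS)
    return resolve(WIFI_PC, "win7box", r, HOSTS)
```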
                                  stephenw10 Netgate Administrator @skubany2

                                  @skubany2 said in upgraded to pfsense 2.8.0, WiFi devices report intermittent 'no internet access':

                                  Are you saying that I should turn this on?

                                  Yes.

                                    skubany2

                                    "Enable DNS registration" did the trick.

                                    I can now access WIFI (Win11) and LAN (Win7) hosts in both directions via host name. On Win7 I had to modify OS firewall rule to add the WIFI subnet address to allow file sharing. I did not have to change Win11 OS firewall at all, from the default.

                                    Also found out where the "localdomain" comes from; it is set in pfSense :)

                                    There are still quirks to work out, such as LAN host not showing up automatically in WIFI host's list of discovered network devices and vice versa. I have to explicitly enter the LAN host. I understand, or guess, it's an issue with blocking protocols that are responsible for the discovery part. At some point I'll look at that but it is not a pressing issue.

                                    I have to now apply this change to my parents' network, which has the same issue.

                                    Thank you to everyone that helped.

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.