DNS issue?



  • Hi guys..
    can you help please…

    I have

    PFS1 machine which is connected to the ISP router and is the firewall/proxy,
    with LAN 10.10.10.1/24

    pfs2 machine with NAT turned off and WAN address 10.10.10.2/24
    LAN 10.20.0.0/24
    OPT1 10.30.0.0/24
    OPT2 10.40.0.0/24

    Thing is that all static routes are added and I can ping from the pfs1 machine all machines on all interfaces on the pfs2 machine,
    all machines can go to the internet, port forward works, everything is fine except that I can ping www.google.com from the web GUI on pfs2 WAN and LAN, but not from OPT1 and OPT2... I just got an IP address and no reply...
    And machines on LAN can open Gmail, and emails in Outlook etc., but machines connected to OPT1 and OPT2 can't. Even HTTPS doesn't work.
    Any ideas? I assume that something is wrong with DNS, and that's why machines behind OPT1 and OPT2 can't open webmail etc.

    Firewall rules are set to pass all! * * * * *
    What can be wrong :(

    Thanks guys



  • @josey:

    Firewall rules are set to pass all! * * * * *
    What can be wrong :(

    Firewall rules on which interface? Normally OPTx interfaces will default to block internet access so I would expect you have to add firewall rules to OPT1 and OPT2 on pfs2 to allow internet access from those interfaces.



    It is not a DNS problem >:(
    It is a NAT problem…
    FIREWALL -> NAT -> OUTBOUND -> MANUAL...

    Deleted all rules...
    As stated before, it works only on the LAN interface...

    OPT1 and 2 have the problem as I described...

    If in
    System -> Advanced -> (set enabled) Disable all packet filtering
    same thing, the OPT1 and OPT2 interfaces can't open HTTPS web pages, emails etc...

    Can someone please move the topic to NAT...
    Thank you



    OK, this is the System -> Advanced screen

    and on the Firewall -> NAT -> Outbound tab, the rule is set like this (following this http://doc.pfsense.org/index.php/How_can_I_completely_disable_NAT%3F)

    and it is not working on the OPT interfaces until I set this rule, which is nothing else but turning NAT on for interface X (it works on LAN, clients can ping google.com)

    Both machines are running the latest updates, PFS 1.2.3.

    What else can I try?

    Thank you



    Update
    PFS2 machine reinstalled from scratch (ver. 1.2.3 downloaded today), and now running on a better configuration…

    Thing is that these things that are happening are just not possible...

    pfs2 machine interfaces
    WAN 10.10.10.2/24
    LAN 10.20.0.0/24
    OPT1 10.30.0.0/24
    OPT2 10.40.0.0/24
    OPT3 10.0.40.0/24

    When NAT is off, from:

    WAN can ping google.com
    LAN can ping google.com
    OPT1 can't
    OPT2 can't
    OPT3 can ping google.com :)

    All firewall rules are set to pass all on both pfs machines, and I also tried and tested blocking the interfaces WAN, LAN and OPT3, and the firewall is working fine.

    Static routes are fine on both machines.

    The thing that I didn't try so far is to reinstall the PFS1 machine from scratch, and of course not load the backup configuration, but configure all again from scratch.

    Before that, any ideas? Suggestions?
    Thanks



    Both machines wiped and installed from scratch
    No help

    BUT PROBLEM SOLVED!

    PFS has a bug on static routes with some networks…

    When the network is changed and the static routes point to the changed network, everything works!

    Tried like 50 times for 50 different networks, and I'm not crazy... it is a bug in pfs.
    1.2.2 FINAL and 1.2.3 FINAL
    Didn't try 2.0 beta

    lock....



  • Which static route and network combinations work and which don't work?



  • 192.0.0.0/8 works - ALL
    10.0.0.0/8 works - ALL
    100.0.0.0/8 NON ()
    20.0.0.0/24 works
    30.0.0.0/24 works
    40.0.0.0/24 works

    Didn't take more tests

    But, it is really funny :)



    This is not a bug.
    This is the correct behaviour, how every router on the internet should behave!
    –>The 100/8 subnet is not assigned and thus should never appear as source/destination. (So-called bogon subnets.)
    If your router forwards bogon subnets and you even want that, you're either doing something very, very strange, or you have serious problems.

    The official bogon list should be here: http://www.iana.org/assignments/ipv4-address-space
    (While I'm writing this, the page is currently down with a notice that the server is probably(?) just under maintenance.)

    AFAIK this is the current bogon list:
    http://www.cymru.com/Documents/bogon-bn-nonagg.txt



  • @GruensFroeschli:

    This is not a bug.
    This is the correct behaviour, how every router on the internet should behave!
    –>The 100/8 subnet is not assigned and thus should never appear as source/destination. (So-called bogon subnets.)
    If your router forwards bogon subnets and you even want that, you're either doing something very, very strange, or you have serious problems.

    The official bogon list should be here: http://www.iana.org/assignments/ipv4-address-space
    (While I'm writing this, the page is currently down with a notice that the server is probably(?) just under maintenance.)

    AFAIK this is the current bogon list:
    http://www.cymru.com/Documents/bogon-bn-nonagg.txt

    I think you got me wrong…
    100.x.x.x/24 is not working, also /16 or /8

    and if you said so, that is not used for local networks, OK...
    (several years ago robotics routers came with LAN on 100.x.x.x/24 by default)

    Solved, you can lock.



  • @josey:

    I think you got me wrong…
    100.x.x.x/24 is not working, also /16 or /8

    and if you said so, that is not used for local networks, OK...
    (several years ago robotics routers came with LAN on 100.x.x.x/24 by default)

    100/8 includes 100/16 and 100/24.
    It's not only that they should not be used for local traffic.
    These IPs are not allowed to be used anywhere.
    Not in private subnets and certainly not on the internet.
    If these devices came with 100.x.x.x IPs per default, then someone fucked up pretty hard.
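The two posts above make one point between them: a bogon prefix is filtered as an address range, so a /16 or /24 carved out of an unassigned /8 is just as undeliverable as the /8 itself, and the safe choice for an internal network is RFC 1918 space. The checker below is an added example for this thread, not pfSense code and not code from any poster. Its `BOGON_SNAPSHOT` list is a constructed, abbreviated stand-in for the IANA / Team Cymru lists the posts link to; those lists change as space is allocated, so the real check is always against the current published list.

```python
"""Classify candidate internal subnets against private and bogon space.

Added example for this thread; not pfSense code and not from any poster.
BOGON_SNAPSHOT is a constructed, abbreviated snapshot standing in for the
IANA / Team Cymru lists linked in the thread.  Real lists change as address
space is allocated, so treat this data as illustrative only.
"""
from ipaddress import IPv4Network, ip_network
from typing import Dict, Iterable, Optional

# RFC 1918 private space: legitimate for internal use, never routed publicly.
PRIVATE_RFC1918 = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Constructed snapshot of bogon space: prefixes that, at the time of the
# thread, had no legitimate use as source or destination anywhere, so a
# router with bogon filtering enabled drops them.  Not authoritative.
BOGON_SNAPSHOT = [
    ip_network("0.0.0.0/8"),        # "this" network (RFC 1122)
    ip_network("100.0.0.0/8"),      # unallocated when the thread was written
    ip_network("127.0.0.0/8"),      # loopback
    ip_network("169.254.0.0/16"),   # link-local
    ip_network("224.0.0.0/4"),      # multicast
    ip_network("240.0.0.0/4"),      # reserved / future use
]


def covering_bogon(candidate: str) -> Optional[str]:
    """Return the bogon prefix that contains or overlaps `candidate`, or None.

    The comparison is on address ranges, not on the prefix length the admin
    typed: 100.5.0.0/16 and 100.0.0.0/24 both fall inside 100.0.0.0/8.
    """
    net = ip_network(candidate, strict=False)
    for bogon in BOGON_SNAPSHOT:
        if net.overlaps(bogon):
            return str(bogon)
    return None


def classify(candidate: str) -> str:
    """Classify a candidate LAN/OPT subnet.

    private - entirely inside RFC 1918 space; the right choice internally
    bogon   - inside (or overlapping) a bogon prefix; a bogon filter drops
              traffic to or from it regardless of the prefix length
    public  - allocated to someone on the internet; it routes, but using it
              internally shadows that part of the internet for your users
    mixed   - straddles private and non-private space; re-plan it
    """
    net = ip_network(candidate, strict=False)
    if not isinstance(net, IPv4Network):
        raise ValueError("this example handles IPv4 only")
    if any(net.subnet_of(p) for p in PRIVATE_RFC1918):
        return "private"
    if covering_bogon(candidate) is not None:
        return "bogon"
    if any(net.overlaps(p) for p in PRIVATE_RFC1918):
        return "mixed"
    return "public"


def check_plan(subnets: Iterable[str]) -> Dict[str, str]:
    """Classify every subnet of an addressing plan; returns {subnet: verdict}."""
    return {s: classify(s) for s in subnets}


if __name__ == "__main__":
    # Constructed plan resembling the one tested in the thread.
    plan = ["10.20.0.0/24", "10.30.0.0/24", "100.0.0.0/24",
            "100.5.0.0/16", "20.0.0.0/24", "192.168.1.0/24"]
    for subnet, verdict in check_plan(plan).items():
        print(f"{subnet:18} {verdict:8} {covering_bogon(subnet) or ''}")
```

Running the plan from the thread through `check_plan` reproduces the poster's table: the 10.x.x.x/24 networks come back `private`, every 100.x.x.x prefix comes back `bogon` with `100.0.0.0/8` named as the covering entry, and 20.0.0.0/24 comes back `public`, which is why it "worked" in the test even though it belongs to someone else.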



    Well, what to say, they were for Eastern Europe ;D

    So that means that I fucked up using 100.0.0.0/8???
    Then please accept my apologies.

    Point was to use an address pool that no one uses…

    But, I'm playing a little bit now with no-name/some cheap routers with a 4-port LAN switch and one WAN interface (PPPoE routers), and with NAT turned off they can route 100.0.0.0/8 :bag:

    I don't have to say that I'm on PFS from version 1.0, and so far I can only say that PFS can get only a 5+ from me!

    BTW, it is off topic, but what is the minimum hardware requirement for 6x PCI NIC 1 Gbps?
    I found this
    http://www.pfsense.org/index.php?option=com_content&task=view&id=52&Itemid=49

    3 GHz+?
    I think I didn't get it right...

    And, Gruens, Sir, thanks!


Locked