Netgate Discussion Forum
    DNS issue?

Category: NAT | 12 Posts | 3 Posters | 4.4k Views
josey:

It is not a DNS problem >:(
It is a NAT problem...
FIREWALL -> NAT -> OUTBOUND -> MANUAL...

Deleted all rules...
As stated before, it works only on the LAN interface...

OPT1 and OPT2 have the problem as I described...

If in
System -> Advanced -> (set enabled) Disable all packet filtering
same thing, OPT1 and OPT2 interfaces can't open https web pages, emails etc...

Can someone please move this topic to NAT...
Thank you

josey:

OK, this is the System -> Advanced screen

and on the Firewall -> NAT -> Outbound tab, the rule is set like this (following this http://doc.pfsense.org/index.php/How_can_I_completely_disable_NAT%3F)

and it is not working on OPT interfaces until I set this rule, which is nothing else but turning NAT on for interface x (it works on LAN, clients can ping google.com)

Both machines are running the latest updates, PFS 1.2.3.

What else can I try?

Thank you

josey:

Update
PFS2 machine reinstalled from scratch (ver 1.2.3 downloaded today), and now running on a better configuration...

Thing is that these things that are happening are just not possible...

pfs2 machine interfaces
wan 10.10.10.2/24
lan 10.20.0.0/24
opt1 10.30.0.0/24
opt2 10.40.0.0/24
opt3 10.0.40.0/24

When NAT is off, from:

WAN can ping google.com
LAN can ping google.com
OPT1 can't
OPT2 can't
OPT3 can ping google.com :)

All firewall rules are set to pass all on both pfs machines, and I also tried and tested blocking interfaces WAN, LAN and OPT3, and the firewall is working fine.

Static routes are fine on both machines.

The thing that I didn't try so far is to reinstall the PFS1 machine from scratch and, of course, not load the backup configuration, but configure all again from scratch.

Before that, any ideas? Suggestions?
Thanks

josey:

Both machines wiped and installed from scratch
no help

BUT PROBLEM SOLVED!

PFS has a bug on static routes with some networks...

When the network is changed and the static routes point to the changed network, everything works!

Tried like 50 times for 50 different networks, and I'm not crazy... it is a bug in pfs.
1.2.2 FINAL and 1.2.3 FINAL
didn't try 2.0 beta

Lock....

wallabybob:

Which static route and network combinations work and which don't work?

josey:

192.0.0.0/8 works - ALL
10.0.0.0/8 works - ALL
100.0.0.0/8 NON ()
20.0.0.0/24 works
30.0.0.0/24 works
40.0.0.0/24 works

Didn't take more tests

but, it is really funny :)

GruensFroeschli:

This is not a bug.
This is the correct behaviour, how every router on the internet should behave!
-> The 100/8 subnet is not assigned and thus should never appear as source/destination. (So called bogon subnets).
If your router forwards bogon subnets and you even want that, you're either doing something very very strange, or you have serious problems.

The official bogon list should be here: http://www.iana.org/assignments/ipv4-address-space
(while I'm writing this, the page is currently down with a notice that the server is probably(?) just under maintenance)

AFAIK this is the current bogon list:
http://www.cymru.com/Documents/bogon-bn-nonagg.txt

We do what we must, because we can.

Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

josey:
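The explanation in the post above boils down to a prefix lookup: a source or destination inside a listed bogon range is dropped, so a subnet carved out of 100.0.0.0/8 never gets forwarded no matter how the static routes look. The script below is an added example, not code from this thread or from pfSense; it parses a list in the one-prefix-per-line style of the Team Cymru file linked above, but the list contents are a constructed sample, not the live file. The useful defender habit it shows is auditing an address plan against the bogon list before enabling bogon blocking, so a poor choice of subnet surfaces as a configuration error instead of a phantom routing bug. One caveat worth carrying forward: bogon lists change over time (100.0.0.0/8 has since been allocated by IANA, and 100.64.0.0/10 is now shared address space under RFC 6598), so a stale list on a firewall silently blocks legitimate traffic.

```python
"""Check interface subnets and test prefixes against a bogon list.

Added example (not code from the thread or from pfSense). The sample list
below is constructed for illustration and is not the live Team Cymru file.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed sample in the one-prefix-per-line style of the non-aggregated
# bogon list linked in the thread. These ranges were unallocated or reserved
# around the pfSense 1.2.3 era; RFC 1918 space is deliberately absent because
# pfSense handles private networks with a separate option.
SAMPLE_BOGON_LIST = """\
# constructed sample, not the real file
0.0.0.0/8
100.0.0.0/8
127.0.0.0/8
169.254.0.0/16
224.0.0.0/4
240.0.0.0/4
"""


def load_bogons(text: str) -> List[ipaddress.IPv4Network]:
    """Parse one CIDR per line; '#' starts a comment, blank lines are skipped."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


BOGONS = load_bogons(SAMPLE_BOGON_LIST)


def covering_bogon(prefix: str,
                   bogons: Optional[List[ipaddress.IPv4Network]] = None) -> Optional[str]:
    """Return the bogon prefix that fully contains `prefix` (an address or a
    CIDR), or None. An address inside a bogon is dropped by the bogon rule no
    matter how small the subnet it was carved from is (100/8 covers 100/24)."""
    nets = BOGONS if bogons is None else bogons
    target = ipaddress.ip_network(prefix, strict=False)
    for bogon in nets:
        if target.version == bogon.version and target.subnet_of(bogon):
            return str(bogon)
    return None


# The prefixes josey reported testing as static-route destinations.
THREAD_TESTS = ["192.0.0.0/8", "10.0.0.0/8", "100.0.0.0/8",
                "20.0.0.0/24", "30.0.0.0/24", "40.0.0.0/24"]


def classify_thread_networks(bogons=None) -> Dict[str, Optional[str]]:
    """Map each tested prefix to the bogon covering it (None = would be forwarded)."""
    return {p: covering_bogon(p, bogons) for p in THREAD_TESTS}


def audit_interfaces(interfaces: Dict[str, str], bogons=None) -> Dict[str, str]:
    """Return only the interfaces whose configured subnet lies inside a bogon.
    Run this before turning on bogon blocking so a bad address plan is caught
    as a config error rather than appearing as a mysterious routing failure."""
    flagged = {}
    for name, cidr in interfaces.items():
        hit = covering_bogon(cidr, bogons)
        if hit:
            flagged[name] = hit
    return flagged


if __name__ == "__main__":
    # Interface plan from the thread (pfs2 after the reinstall): nothing flagged.
    plan = {"wan": "10.10.10.2/24", "lan": "10.20.0.0/24", "opt1": "10.30.0.0/24",
            "opt2": "10.40.0.0/24", "opt3": "10.0.40.0/24"}
    print("flagged interfaces:", audit_interfaces(plan))
    # Hypothetical plan reusing the old 100.x.x.x default: opt1 is flagged.
    print("flagged interfaces:", audit_interfaces({**plan, "opt1": "100.30.0.0/24"}))
    for prefix, hit in classify_thread_networks().items():
        print(f"{prefix:<14} {'dropped (inside ' + hit + ')' if hit else 'forwarded'}")
```

Against the sample list the classification matches what josey observed: 100.0.0.0/8 is the only tested prefix that falls inside a bogon, while 10/8, 192/8 and the 20/30/40 networks pass. Swapping `SAMPLE_BOGON_LIST` for the text of a current list is all that is needed to audit a real address plan.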

@GruensFroeschli:

    This is not a bug.
    This is the correct behaviour, how every router on the internet should behave!
    -> The 100/8 subnet is not assigned and thus should never appear as source/destination. (So called bogon subnets).
    If your router forwards bogon subnets and you even want that, you're either doing something very very strange, or you have serious problems.

    The official bogon list should be here: http://www.iana.org/assignments/ipv4-address-space
    (while I'm writing this, the page is currently down with a notice that the server is probably(?) just under maintenance)

    AFAIK this is the current bogon list:
    http://www.cymru.com/Documents/bogon-bn-nonagg.txt

I think you got me wrong...
100.x.x.x/24 is not working, also /16 or /8

And if you say so, that it is not to be used for local networks, OK...
(several years ago robotics routers came with LAN on 100.x.x./24 by default)

Solved, you can lock

GruensFroeschli:

@josey:

    I think you got me wrong...
    100.x.x.x/24 is not working, also /16 or /8

    And if you say so, that it is not to be used for local networks, OK...
    (several years ago robotics routers came with LAN on 100.x.x./24 by default)

100/8 includes 100/16 and 100/24.
It's not only that they should not be used for local traffic.
These IPs are not allowed to be used anywhere.
Not in private subnets and certainly not on the internet.
If these devices came with 100.x.x.x IPs per default, then someone fucked up pretty hard.

We do what we must, because we can.

Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

josey:

Well, what to say, they were for eastern Europe ;D

So that means that I fucked up using 100.0.0.0/8???
Then please accept my apology

The point was to use an address pool that no one uses....

But, I'm playing a little bit now with no-name/some cheap routers with a 4-port LAN switch and one WAN interface (PPPoE routers), and with NAT turned off they can route 100.0.0.0/8 :bag:

I don't have to say that I'm on PFS from version 1.0, and so far I can only say that PFS can get only 5+ from me!

BTW, it is off topic, but what is the minimum hardware requirement for 6x PCI NIC 1GBPS?
I found this
http://www.pfsense.org/index.php?option=com_content&task=view&id=52&Itemid=49

3GHz+?
I think I didn't get it right...

And, Gruens, Sir, thanks!

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.