Blue (Wireless) Network woes



  • Something strange, for me at least, is happening.

    I have a nice pfsense setup with 5 NICs (2 wans, 1 Lan, 1 OPT1 for DMZ and OPT2 for Wireless).

    The primary motivation for splitting the wireless from the LAN is that the wireless is for guests only and I don't want them to even see resources that exist on the network.

    That said, I have 4 access points through out the building all connected to the designated interface.

    After setting up the proper NIC (IP range: 168.10.10.1/24, default gateway, which is the WAN interface I'm assuming).

    At first I had DNS issues where no domain name resolved, so I forwarded DNS queries to our inhouse DNS server, problem resolved.

    Now I can't access anything other than the default google page. If I type microsoft.com, it takes me to google (which was a laugh).

    Rules on the Blue interface:

    TCP  *  *  192.168.3.5  53 (DNS)  *  Blue -> LAN DNS
    *    *  *  *            *         *  Blue -> WAN

    I fail to see what the issue is.

    Suggestions?

    TIA.



  • Two things to notice:

    a) DNS is TCP & UDP, not TCP only.

    b) your WLAN subnet's IP range: 168.10.10.1/24

    This is a public address pool. Whichever servers use them on the internet aren't reachable from the inside anymore.
    Use one of the reserved private subnet ranges allocated for exactly this purpose:

    | 10.0.0.0/8      | RFC 1918 |                                                    |
    | 169.254.0.0/16  | RFC 3927 | used for automatic configuration (APIPA, Zeroconf) |
    | 172.16.0.0/12   | RFC 1918 |                                                    |
    | 192.168.0.0/16  | RFC 1918 |                                                    |

    Unless you have a very good reason for using another IP range than the ones above (e.g. you bought public IPs) this will lead to problems.
    Change your config accordingly and report back what you find.
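The two points in the reply above (the interface subnet must come from private space, and a DNS rule must cover both transports) can be checked mechanically before touching the firewall. The following Python is an added example written for this thread, not code from the original posts or from pfSense. It classifies a pfSense-style address/prefix against the RFC 1918 and RFC 3927 blocks quoted above, and walks a constructed rule list in top-down, first-match order (the way pfSense evaluates interface rules) to see whether both TCP and UDP can reach the DNS server on port 53. The rule dicts, the `action`/`proto`/`dst`/`dport` keys and the `audit_guest_interface` helper are this example's own modelling; the constructed rule sets show the TCP-only DNS rule from the first post in isolation and a TCP/UDP correction.

```python
import ipaddress

# Address blocks quoted in the reply: RFC 1918 private space and RFC 3927 link-local (APIPA).
RFC1918_BLOCKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINK_LOCAL_BLOCK = ipaddress.ip_network("169.254.0.0/16")


def classify_subnet(cidr):
    """Classify an IPv4 interface subnet as 'rfc1918', 'link-local' or 'public'.

    Accepts an address-with-prefix as pfSense displays it (e.g. '168.10.10.1/24');
    strict=False masks off the host bits so the interface address itself is accepted.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if any(net.subnet_of(block) for block in RFC1918_BLOCKS):
        return "rfc1918"
    if net.subnet_of(LINK_LOCAL_BLOCK):
        return "link-local"
    return "public"


def first_match(rules, proto, dst, dport):
    """Return the first rule matching a flow, mimicking pfSense's top-down, first-match order.

    Rule model (constructed for this example): dicts with 'action' ('pass' or 'block'),
    'proto' ('TCP', 'UDP', 'TCP/UDP' or '*'), 'dst' (IPv4 address or '*') and 'dport' (int or '*').
    """
    for rule in rules:
        rule_proto = rule["proto"].lower()
        proto_ok = rule_proto in ("*", "tcp/udp") or rule_proto == proto
        dst_ok = rule["dst"] in ("*", dst)
        port_ok = rule["dport"] in ("*", dport)
        if proto_ok and dst_ok and port_ok:
            return rule
    return None  # nothing matched: pfSense's implicit default is to block


def dns_protocol_gaps(rules, dns_server):
    """Return the set of transports (out of 'tcp', 'udp') that no pass rule lets reach dns_server:53."""
    gaps = set()
    for proto in ("tcp", "udp"):
        hit = first_match(rules, proto, dns_server, 53)
        if hit is None or hit["action"] != "pass":
            gaps.add(proto)
    return gaps


def audit_guest_interface(subnet_cidr, rules, dns_server):
    """Collect the findings the reply raises as plain strings; an empty list means nothing was found."""
    findings = []
    kind = classify_subnet(subnet_cidr)
    if kind == "public":
        findings.append(f"{subnet_cidr} is public address space; those Internet hosts become unreachable from inside")
    elif kind == "link-local":
        findings.append(f"{subnet_cidr} is link-local (APIPA) space, reserved for automatic configuration")
    for proto in sorted(dns_protocol_gaps(rules, dns_server)):
        findings.append(f"no pass rule for {proto.upper()} to {dns_server}:53")
    return findings


# Constructed rule set: the TCP-only DNS rule from the first post, taken on its own.
ORIGINAL_RULES = [
    {"action": "pass", "proto": "TCP", "dst": "192.168.3.5", "dport": 53},
]
# Constructed correction: a single TCP/UDP rule, as pfSense offers in its protocol selector.
CORRECTED_RULES = [
    {"action": "pass", "proto": "TCP/UDP", "dst": "192.168.3.5", "dport": 53},
]

if __name__ == "__main__":
    for finding in audit_guest_interface("168.10.10.1/24", ORIGINAL_RULES, "192.168.3.5"):
        print("finding:", finding)
    print("after fix:", audit_guest_interface("192.168.10.1/24", CORRECTED_RULES, "192.168.3.5"))
```

Because the walk stops at the first matching rule, a broad pass-any rule placed above or below the DNS rule changes the outcome, so run the audit against the rule list in the order the interface tab shows it.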



  • a) Check, changed that so that it allows for both TCP & UDP for port 53 (DNS)

    b) I changed the subnet to go with your suggested (and proper, to be sure) 169.254.10.0/24.  Wireless clients (this Blue-LAN is purely for wireless guests) are now getting DHCP addresses (PFSense is acting as the DHCP Server).

    However, the problem still remains. I can only access google and in fact, I cannot resolve addresses properly. Can you guess what's wrong?



  • Personally I wouldn't use 169 IPs in a properly set up network.
    These IPs are allowed, but are more of a fallback if there is no DHCP available.
    Since you have a DHCP you should use IPs out of the RFC1918 spec.

    Since you cannot resolve names correctly:
    What DNS server did you configure on the pfSense?
    What DNS server do the clients get assigned?
    How did you configure the DNS forwarder on the pfSense?
    Do you have any NAT rules?



  • I'm not an expert on DNS but I believe I would do some basic diagnostic points to help break down the problem.

    First get out of the browser and back to some basics.  (Examples below assume a Windows machine.)

    #1) Figure out what DNS server you're using on the machine you have the issue with.  Type: IPCONFIG /ALL <enter>
    Let's assume the DNS Servers line returns 192.168.1.30 as your DNS; then this will be used in step #2.
    If it doesn't return a valid DNS server then that is your first issue.

    #2) Type:  NSLOOKUP www.google.com 192.168.1.30 <enter>
    This will force a DNS lookup to the server you define.  If it returns a lookup with IPs, that's a good sign.

    #3) Next do the same thing using an OUTSIDE DNS server.  If you don't have one then OPENDNS @ 208.67.222.222 is a good one.
    NSLOOKUP www.google.com 208.67.222.222 <enter>

    #4) If you have an issue with getting a valid response from #2 or #3 then you can start breaking down your problem and figuring it out.  It is most likely a rules issue, but until your machine is talking to a DNS you're wasting your time trying to figure out what the browser is or isn't doing.

    Hope this helps, have a great day.



  • Hi Jerry,

    Yeah, I've previously tried all three you've mentioned :)

    I'm no expert either, but I do what I can.

    In all 3 cases, the response is negative.  My DNS queries are not being handed over to my local DNS servers AND on top of that, my Blue network has no (apparent) access to the outside world.

