PfSense needs DNS access
-
Hi Everyone,
I'm using pfSense with a very restrictive WAN network. Only outbound TCP ports 80 and 443 works and you must use the DNS servers as provided by the WAN network's DHCP server.
Initially, I tried to use my own DNS servers (By added them to the pfsense General Settings page), which the WAN network blocks as mentioned above. In 1.2.3, this was ok as once I started OpenVPN on the pfSense box (with the openvpn tunnel being used as the default gateway), I could access my DNS servers.
However, in 2.0.1, the fact that the DNS server is inaccessible (before OpenVPN comes up) causes the WebGUI to grind to a halt. Pages take a long time to load (about 2 or 3 minutes).
Can someone else please confirm that if an inaccessible DNS server is configured in the general settings, that pfsense 2.0.1 webGUI doesn't work properly?
The way I fixed this problem was to just use the WAN network's specified DNS server.
I may consider filing a bug for this, depending on feedback from the community.
Thanks
-
I'm using pfSense with a very restrictive WAN network. Only outbound TCP ports 80 and 443 works and you must use the DNS servers as provided by the WAN network's DHCP server.
With a simple 443 open port, a user can go everywhere via web ssl proxies or vpn.
Block it down and force internet access via proxy server.
The way I fixed this problem was to just use the WAN network's specified DNS server.
Did you created a rule allowing access to your dns server?
-
However, in 2.0.1, the fact that the DNS server is inaccessible (before OpenVPN comes up) causes the WebGUI to grind to a halt. Pages take a long time to load (about 2 or 3 minutes).
Can someone else please confirm that if an inaccessible DNS server is configured in the general settings, that pfsense 2.0.1 webGUI doesn't work properly?
I see the exact same thing happen when our Internet uplink goes down, the Web GUI becomes very unresponsive. This happens even on pfSense boxes that are located "deeper" in the network, have a local (to the network) DNS server configured, and do not have direct WAN connectivity. Perhaps the firmware version check causes it?
-
The firmware check is part of it, but that only affects the dashboard.
Some times when you save and it tries to restart ntpd that would really have ground things to a halt, but that should be fixed on recent builds.
When it's unreachable/slow, do a packet capture on WAN looking for port 53 on your configured DNS server and see what requests are going out as you're browsing the GUI. That should help narrow down the cause.
-
The firmware check is part of it, but that only affects the dashboard.
Some times when you save and it tries to restart ntpd that would really have ground things to a halt, but that should be fixed on recent builds.
When it's unreachable/slow, do a packet capture on WAN looking for port 53 on your configured DNS server and see what requests are going out as you're browsing the GUI. That should help narrow down the cause.
Hi Jimp,
Sorry about the late reply.
Yes, I will do this for you. It probably won't be until June when I have a bit more free time, but I will put this on my to-do list
Thanks
Jonny
