I can't access some sites



  • Hello everybody,
    Well, I have a little problem. I cannot access certain sites when I set machines to pfsense, even though it has no filter configured.

    We're on a corporate network where a company gives us the gateway and dns. Then I set my dhcp to distribute it to the machines. It works nicely.

    But when I set these machines to access through pfsense, they do not access some websites.

    I tested setting the gateway of the machines to the lan ip of pfsense and the dns from the company. Then all the machines access these sites.

    How can I fix it?

    My intention is to put the cable coming from the company directly into pfsense so that all machines access the internet through pfsense.


  • LAYER 8 Global Moderator

    And what is pfsense using for dns?  If you feel you're having dns related problems with a specific site - troubleshoot the dns problem.  Who are the owning nameservers for the site, query them directly.  What is pfsense using for dns?

    What is an example site, and we can take a look to its nameservers and how the resolving works, etc.



  • @johnpoz:

    And what is pfsense using for dns?  If you feel you're having dns related problems with a specific site - troubleshoot the dns problem.  Who are the owning nameservers for the site, query them directly.  What is pfsense using for dns?

    What is an example site, and we can take a look to its nameservers and how the resolving works, etc.

    Pfsense is using the gateway and dns that the company gives us, and it is our dhcp that gives ips, dns and gateways to the machines set to pfsense. But it works if I set my dhcp directly to the company.

    Sorry for my English.


  • LAYER 8 Global Moderator

    So pfsense is using the same dns as the current clients, well there should be no issues then.  If some sites are working this way and others are not, we need to troubleshoot a specific site, possibly pfsense has it cached bad?  You should be able to flush the pfsense cache by just restarting dnsmasq

    So for example I ask my pfsense for pfsense.org, which in turn asks my isp - each of these will cache the entry for say www.pfsense.org.. so if I ask pfsense it returns ttl – so example

    ;; QUESTION SECTION:
    ;www.pfsense.org.              IN      A

    ;; ANSWER SECTION:
    www.pfsense.org.        300    IN      A      69.64.6.21

    ;; Query time: 36 msec
    ;; SERVER: 192.168.1.253#53(192.168.1.253)

    notice the 300 TTL, if I ask it again a few seconds later

    ;; QUESTION SECTION:
    ;www.pfsense.org.              IN      A

    ;; ANSWER SECTION:
    www.pfsense.org.        243    IN      A      69.64.6.21

    ;; Query time: 4 msec
    ;; SERVER: 192.168.1.253#53(192.168.1.253)

    that TTL is now down to 243 seconds.  So it will not go ask my ISP (its dns) until that has expired.  So what is the TTL on this fqdn you are having issues with www.what.com ?  query it with nslookup or dig asking the dns you're currently using and then the one from pfsense - what does it return?

    Now if I restart dnsmasq service before that expires - notice that it's back to 300 TTL

    ;; QUESTION SECTION:
    ;www.pfsense.org.              IN      A

    ;; ANSWER SECTION:
    www.pfsense.org.        116    IN      A      69.64.6.21

    ;; Query time: 3 msec
    ;; SERVER: 192.168.1.253#53(192.168.1.253)
    ;; WHEN: Thu Oct  4 11:15:22 2012

    ;; QUESTION SECTION:
    ;www.pfsense.org.              IN      A

    ;; ANSWER SECTION:
    www.pfsense.org.        300    IN      A      69.64.6.21

    ;; Query time: 43 msec
    ;; SERVER: 192.168.1.253#53(192.168.1.253)
    ;; WHEN: Thu Oct  4 11:15:38 2012

    If you can give us some examples of what sites you're having issues with, we can look to see what the IPs that should be returned, and we can see what your pfsense is returning vs the owning nameservers, etc.

    So for example if I look up pfsense.org I see that the owning nameservers for pfsense.org are

    Tech Email:cmb@pfsense.org
    Name Server:DNS1.REGISTRAR-SERVERS.COM
    Name Server:DNS2.REGISTRAR-SERVERS.COM
    Name Server:DNS3.REGISTRAR-SERVERS.COM
    Name Server:DNS4.REGISTRAR-SERVERS.COM
    Name Server:DNS5.REGISTRAR-SERVERS.COM

    I can query them directly if I want to see what they return

    ;; QUESTION SECTION:
    ;www.pfsense.org.              IN      A

    ;; ANSWER SECTION:
    www.pfsense.org.        300    IN      A      69.64.6.21

    ;; Query time: 18 msec
    ;; SERVER: 173.236.55.99#53(173.236.55.99)
    ;; WHEN: Thu Oct  4 11:18:01 2012

    Notice when you query them you will always get the FULL ttl that is set on that record, and notice that matches what I am seeing when I query my local and it queries my isp dns.

    I would assume if you're having issues with pfsense looking up sites, that either you have a bad cache, or maybe a timeout?  But without something to work with, and the results of queries to the nameservers in question, it's hard to say what the issue might be exactly.

    Can you give one of these sites that you're having a hard time accessing using pfsense as your gateway and dns?
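
The comparison described in the post above (the forwarder's answer against the owning nameserver's answer), as an added example that is not part of the original thread. The function names `parse_dig` and `compare` are hypothetical; the sample text is trimmed from the dig output quoted in the post.

```python
import re

# dig output trimmed from the post above: the local forwarder
# (192.168.1.253), then one of the owning nameservers (173.236.55.99).
FORWARDER = """\
;; ANSWER SECTION:
www.pfsense.org.        243    IN      A      69.64.6.21
;; SERVER: 192.168.1.253#53(192.168.1.253)
"""
AUTHORITATIVE = """\
;; ANSWER SECTION:
www.pfsense.org.        300    IN      A      69.64.6.21
;; SERVER: 173.236.55.99#53(173.236.55.99)
"""

# name, TTL, class IN, record type, record data
RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)\s*$")

def parse_dig(text):
    """Return (server, [(name, ttl, rtype, rdata), ...]) from dig output."""
    server, records, section = None, [], None
    for line in text.splitlines():
        if line.startswith(";; SERVER:"):
            server = line.split()[2].split("#")[0]
        elif line.endswith("SECTION:"):
            section = line.split()[1]          # QUESTION, ANSWER, ...
        m = RECORD.match(line)
        if m and section == "ANSWER":
            records.append((m[1], int(m[2]), m[3], m[4]))
    return server, records

def compare(forwarder_out, authoritative_out):
    """Classify each forwarder answer against the owning nameserver."""
    _, fwd = parse_dig(forwarder_out)
    _, auth = parse_dig(authoritative_out)
    full_ttl = {(n, t, d): ttl for n, ttl, t, d in auth}
    findings = []
    for name, ttl, rtype, rdata in fwd:
        full = full_ttl.get((name, rtype, rdata))
        if full is None:      # data the owning nameserver does not return
            findings.append((name, "MISMATCH", rdata))
        elif ttl < full:      # counted-down TTL: served from cache
            findings.append((name, "CACHED", full - ttl))
        else:                 # full TTL: just fetched upstream
            findings.append((name, "FRESH", ttl))
    return findings or [(None, "NO_ANSWER", None)]

if __name__ == "__main__":
    print(compare(FORWARDER, AUTHORITATIVE))
```

A `MISMATCH` is a reason to look closer at the cache rather than proof of a fault, since some sites return different addresses to different resolvers.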



  • @johnpoz:

    So pfsense is using the same dns as the current clients, well there should be no issues then.  If some sites are working this way and others are not, we need to troubleshoot a specific site, possibly pfsense has it cached bad?  You should be able to flush the pfsense cache by just restarting dnsmasq

    I don't have a local DNS server.

    My network is working like this:

    company                 dhcpserver               pfsense
    ---------------         ---------------          ------------------------
    dns 10.1.1.1                                     lan static  10.53.1.1
    gw  10.53.1.10                 |                 wan static  10.53.1.2
    ---------------                |                 gw static   10.53.1.10
          |                        |                 dns static  10.1.1.1
          |                        |                 ------------------------
          |                        |                            |
          |                        V                            |
          |                 ----------------                    |
          ----------------> |    switch    | <-------------------
                            ----------------
                                   |
                                   V
                                 client

    If set this way:
                            ----------------------------
                            ip dhcp xxx.xxx.xxx.xxx
                            gw dhcp 10.53.1.1
                            dns dhcp 10.53.1.1          ----> does not work to see some websites
                            ----------------------------

    But if set this way:
                            ----------------------------
                            ip dhcp xxx.xxx.xxx.xxx
                            gw dhcp 10.53.1.1
                            dns dhcp 10.1.1.1           ----> works to see all websites if I disable the dns forwarder of pfsense.
                            ----------------------------



  • Your pfSense WAN interface and LAN interface need to have IP addresses in different subnets. 10.53.1.1 and 10.53.1.2 are almost certainly in the same subnet.

    I presume the pfSense WAN interface connects to the Internet somehow.


  • LAYER 8 Global Moderator

    I don't see how any sites would work in that setup.. You sure you're not just pulling from cache when you point to pfsense as gateway.

    As stated you can not have wan and lan on the same network like that.

    lan static  10.53.1.1
    wan static 10.53.1.2



  • @wallabybob:

    Your pfSense WAN interface and LAN interface need to have IP addresses in different subnets. 10.53.1.1 and 10.53.1.2 are almost certainly in the same subnet.

    I presume the pfSense WAN interface connects to the Internet somehow.

    I'm connected to another company by optical fiber, but it just gives me the dns and gateway to configure manually. So my pfsense wan doesn't get an ip by dhcp, I need to configure it manually on the wan.


  • LAYER 8 Global Moderator

    Set your wan ip in this network you use, say 10.53.1.1 /24 I assume, gateway 10.53.1.10 and dns 10.1.1.1 then use a different network on your lan - say 192.168.1.1/24 and then connect clients to the pfsense lan.  This is a double nat, but this is just to show you that what you're doing will work.

    Your clients would get say a 192.168.1.100 address with gateway of 192.168.1.1 and dns of 192.168.1.1

    you can then decide to either double nat, route some other network or bridge.

    But you can not have a wan and lan IP in the same network and expect pfsense to do anything.



  • @johnpoz:

    Set your wan ip in this network you use, say 10.53.1.1 /24 I assume, gateway 10.53.1.10 and dns 10.1.1.1 then use a different network on your lan - say 192.168.1.1/24 and then connect clients to the pfsense lan.  This is a double nat, but this is just to show you that what you're doing will work.

    Your clients would get say a 192.168.1.100 address with gateway of 192.168.1.1 and dns of 192.168.1.1

    you can then decide to either double nat, route some other network or bridge.

    But you can not have a wan and lan IP in the same network and expect pfsense to do anything.

    Yeah, I know, but I wanted to put the company's direct link in the pfsense wan and configure the wan ip and gateway so that my clients stay with gw 10.53.1.1 and dns 10.53.1.1, so that no funny guy modifies his gw and dns to pass outside of pfsense.

    But before that, I need to resolve this problem of access to certain websites, and I don't know how!

    Thanks for helping.


  • LAYER 8 Global Moderator

    what??

    What is pfsense going to do if you put its wan and lan on the same segment?  Do you want it to be a bridge?  If you're going to route with it, be it with or without NAT.. It has to have its interfaces in 2 different segments.

    In your current setup pfsense is not going to do anything with IPs in the same network on its wan and lan interface.

    So why do you think you have issues with some websites?  If you put pfsense on your network on its wan interface - then from pfsense you would have to verify it can access the internet and resolve whatever fqdn you want to check.  But you're not going to be able to do that from a client on that same network as the lan and wan interfaces of pfsense using pfsense as anything.

