[ Solved ] LAN 2 no internet



  • hi guys,
    on my PFSENSE i have two 3 NICS,
    WAN
    LAN1  192.168.4.0/24
    LAN2 192.168.6.0/24
    each of the NICS is physical, however LAN2 users are not able to browse to the internet.
    my NAT is set to Automatic,
    firewall rules are set to Any ( exactly the same as LAN 1 ).
    on each LAN i have a domain controller, and i don't want them to see each other on the network.

    any suggestions why ?

    Attached is a Diagram of the network




  • Need more info.

    What is the PFsense IP and DNS IP on both networks?  What DHCP scope options are you handing out on both networks?  Can Lan 2 ping PFsense?



  • @marvosa:

    Need more info.

    What is the PFsense IP and DNS IP on both networks?  What DHCP scope options are you handing out on both networks?  Can Lan 2 ping PFsense?

    hi Marvosa,
    Pfsense has 3 NICS, WAN, LAN1, LAN2
    WAN is ISP IP
    LAN 1 -192.168.4.1
    LAN 2 -192.168.6.1
    DHCP is activated on LAN 2 to handle 192.168.6.10 till 200
    i can ping pfsense from a client, i can even connect to it via ssh or the web GUI.
    i think it is a DNS problem: when i use PFSENSE as Gateway and DNS i can ping 8.8.8.8 but not www.google.com

    do i have to specify a DNS name in the Pfsense with Multi NICS ? is the WAN IP my PFSENSE DNS ? should i specify a gateway on the LAN 2 ? or can i use my ISP Router as Gateway?
    any help is appreciated.
    i can ping everything on the internet by IP, but no names
    i've added a diagram on the first post.
    my Domain controllers are forwarding the DNS requests, i've noticed on PFSENSE the DNS forwarder was on too.
    can i disable this feature ? point PFsense to the local DNS ?

    thank you


  • Please attach some screenshots of your current config (FW Rules, interfaces, DHCP Server, …), otherwise it is really difficult to help you



  • @ptt:

    Please attach some screenshots of your current config (FW Rules, interfaces, DHCP Server, …), otherwise it is really difficult to help you

    Dear PTT,
    have you seen the diagram on the first post ?
    Firewall rules on both NICS ( LAN ) is allow everything.


  • Yes, but that diagram doesn't "show" us "how" you have setup your pfSense ;)



  • @ptt:

    Yes, but that diagram doesn't "show" us "how" you have setup your pfSense ;)

    Dear PTT
    thank you mate,
    attached are the firewall rules, and the 3 interfaces










  • Your LAN2 rules only permit TCP and ICMP. You need to allow UDP to get any useful DNS.
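    The point Phil makes is a rule-evaluation one: pfSense processes interface rules top-down, first match wins, and anything unmatched hits the implicit default block, so a ruleset of "pass TCP" plus "pass ICMP" lets ping and web traffic through but silently drops the UDP/53 queries a resolver (or a DC forwarding to its upstream) sends. The following is an added illustration written for this thread, not the poster's configuration or pfSense code; the rulesets and addresses are constructed to approximate what the thread describes (203.0.113.10 is a placeholder web server).

    ```python
    import ipaddress
    from dataclasses import dataclass
    from typing import Optional

    @dataclass
    class Rule:
        action: str                 # "pass" or "block"
        proto: str                  # "any", "tcp", "udp" or "icmp"
        src: str                    # CIDR or "any"
        dst: str                    # CIDR or "any"
        dst_port: Optional[int] = None   # None means any port

    def _matches(rule: Rule, proto: str, src_ip: str, dst_ip: str, dst_port: Optional[int]) -> bool:
        if rule.proto != "any" and rule.proto != proto:
            return False
        if rule.src != "any" and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.src):
            return False
        if rule.dst != "any" and ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(rule.dst):
            return False
        return rule.dst_port is None or rule.dst_port == dst_port

    def evaluate(rules, proto, src_ip, dst_ip, dst_port=None) -> str:
        """First matching rule decides; an interface ruleset ends in an implicit block."""
        for rule in rules:
            if _matches(rule, proto, src_ip, dst_ip, dst_port):
                return rule.action
        return "block"

    # Constructed rulesets approximating the thread (not the poster's actual screenshots).
    LAN1_RULES = [Rule("pass", "any", "192.168.4.0/24", "any")]
    LAN2_RULES_BEFORE = [
        Rule("pass", "tcp", "192.168.6.0/24", "any"),
        Rule("pass", "icmp", "192.168.6.0/24", "any"),
    ]
    LAN2_RULES_AFTER = [Rule("pass", "any", "192.168.6.0/24", "any")]   # marvosa's any/any

    def lan2_symptoms(rules, client="192.168.6.50", resolver="8.8.8.8") -> dict:
        """Reproduce the thread's symptoms: ping by IP works, name lookups over UDP do not."""
        return {
            "icmp_ping": evaluate(rules, "icmp", client, resolver),
            "dns_udp_53": evaluate(rules, "udp", client, resolver, 53),
            "dns_tcp_53": evaluate(rules, "tcp", client, resolver, 53),
            "https_443": evaluate(rules, "tcp", client, "203.0.113.10", 443),
        }

    if __name__ == "__main__":
        for name, rules in (("LAN2 before", LAN2_RULES_BEFORE), ("LAN2 after", LAN2_RULES_AFTER)):
            print(name, lan2_symptoms(rules))
    ```

    Running it shows why the client on LAN2 could ping 8.8.8.8 and reach pfSense's web GUI yet resolve nothing: only the UDP/53 entry comes back blocked under the original rules, and every entry passes once the ruleset matches LAN1's any rule.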



  • @phil.davis:

    Your LAN2 rules only permit TCP and ICMP. You need to allow UDP to get any useful DNS.

    good catch phil,
    i didn't pay attention to that one hahaha
    thank you so much

    about DNS forwarder,
    my Domain controllers are the forwarders, can i disable this option ?



  • I usually point my DCs to the pfSense DNS forwarder. But you can point the DCs at whatever external DNS you like and disable pfSense DNS forwarder. If you have multi-WAN and failover, then in some ways it is easier to point the DCs at pfSense, and then let pfSense handle what DNS server is used on which WAN…



  • @phil.davis:

    I usually point my DCs to the pfSense DNS forwarder. But you can point the DCs at whatever external DNS you like and disable pfSense DNS forwarder. If you have multi-WAN and failover, then in some ways it is easier to point the DCs at pfSense, and then let pfSense handle what DNS server is used on which WAN…

    i am using my ISP DNS as forwarders on my Domain Controllers, after i disabled the PFSENSE Forwarder i noticed some slowness ( 3 sec ) before loading the page.
    i've added a screenshot of my DNS settings on the Pfsense.
    PS 192.168.2.254 is my ISP Modem ( using it as Gateway ).




  • Maybe the clients are getting pfSense LAN IP in their DNS server list still?
    Check what the clients think is their DNS - "ipconfig /all"
    Check where they get DHCP from. If it is from pfSense, then make sure that the DHCP settings on pfSense are giving the DC as the DNS server (not pfSense LAN IP).
    It sounds like there is a timeout happening, then Windows tries the secondary DNS and gets an answer.



  • @phil.davis:

    Maybe the clients are getting pfSense LAN IP in their DNS server list still?
    Check what the clients think is their DNS - "ipconfig /all"
    Check where they get DHCP from. If it is from pfSense, then make sure that the DHCP settings on pfSense are giving the DC as the DNS server (not pfSense LAN IP).
    It sounds like there is a timeout happening, then Windows tries the secondary DNS and gets an answer.

    Hi Phil,
    my clients are static, no DHCP is activated.
    all clients are getting the DC IP as their DNS.
    can i just disable the forwarder on the PFSENSE, or does leaving it on not do any harm ?



  • Jamerson, looking at the progression of the thread, your client options may not be the issue, but I was looking for your scope options for both networks, i.e. what default gateway and DNS are you pushing to your clients?

    Personally, I'd say let's get things working to start, then refine if needed.

    On PFsense:

    • Re-enable the DNS forwarder, verify that it's bound to all interfaces

    • Remove Google DNS IPs, enter your ISP's DNS and remove those gateways.

    • Change Lan2 firewall rules to any/any and remove the ICMP rule

    On your DCs:

    • Remove Google IPs as your forwarder and enter the PFsense Lan IP serving each segment:

      • DC on Lan 1 should have 192.168.4.1

      • DC on Lan 2 should have 192.168.6.1

    After that, test both segments, I think you'll find them more responsive.  Assuming everything is working as expected, if you want your clients' DNS queries filtered by OpenDNS or hitting Google, modify the forwarder on your DC, not PFsense.

    IMO, unless you want OpenDNS filtering I would let your DNS queries hit your ISP and leave things configured as above, which is the default.  e.g.  Your ISP's DNS are accessible by all internal routers that they control and should respond within 10 ms or less.  Google's DNS servers may be 18 hops away, may go through 8 different routers on the internet after leaving your ISP's network and respond in 40 or 50 ms… not to mention, if there's a problem, you're left trying to troubleshoot the internet vs. calling your ISP and letting them own the issue.



  • @marvosa:

    Jamerson, looking at the progression of the thread, your client options may not be the issue, but I was looking for your scope options for both networks, i.e. what default gateway and DNS are you pushing to your clients?

    Personally, I'd say let's get things working to start, then refine if needed.

    On PFsense:

    • Re-enable the DNS forwarder, verify that it's bound to all interfaces

    • Remove Google DNS IPs, enter your ISP's DNS and remove those gateways.

    • Change Lan2 firewall rules to any/any and remove the ICMP rule

    On your DCs:

    • Remove Google IPs as your forwarder and enter the PFsense Lan IP serving each segment:

      • DC on Lan 1 should have 192.168.4.1

      • DC on Lan 2 should have 192.168.6.1

    After that, test both segments, I think you'll find them more responsive.  Assuming everything is working as expected, if you want your clients' DNS queries filtered by OpenDNS or hitting Google, modify the forwarder on your DC, not PFsense.

    IMO, unless you want OpenDNS filtering I would let your DNS queries hit your ISP and leave things configured as above, which is the default.  e.g.  Your ISP's DNS are accessible by all internal routers that they control and should respond within 10 ms or less.  Google's DNS servers may be 18 hops away, may go through 8 different routers on the internet after leaving your ISP's network and respond in 40 or 50 ms… not to mention, if there's a problem, you're left trying to troubleshoot the internet vs. calling your ISP and letting them own the issue.

    a big Thank you for this really !
    The Default Gateway i am pushing to the clients on each segment is
    LAN1 : 192.168.4.1
    LAN2 : 192.168.6.1

    i've configured it as you mentioned, and it works really great,
    noticed about a 2 sec speedup on both segments.
    what about this option: "Allow DNS server list to be overridden by DHCP/PPP on WAN" ?
    should i disable it or keep it on ?
    thank you so much for this !



  • Glad to hear everything is working!

    As far as the "Allow DNS server list to be overridden by DHCP/PPP on WAN" option, I have it un-checked, although it's moot for me because I have a static IP.  You would only need this option if you're getting your WAN via DHCP and you want to be updated automatically if your ISP changes its DNS servers.

    i.e. If you're static, un-check it.  If you're DHCP, check it.



  • @marvosa:

    Glad to hear everything is working!

    As far as the "Allow DNS server list to be overridden by DHCP/PPP on WAN" option, I have it un-checked, although it's moot for me because I have a static IP.  You would only need this option if you're getting your WAN via DHCP and you want to be updated automatically if your ISP changes its DNS servers.

    i.e. If you're static, un-check it.  If you're DHCP, check it.

    you made my Day,
    thank you so much, and to everyone who helped !

