No DNS resolving on Transparent Bridge with different LAN IP



  • The IP that you set on the LAN interface of a transparent bridge should be ignored because it's not used in this setup.

    When I set an IP that is totally out of range, like 123.123.123.123, machines behind that transparent bridge are not able to resolve domain names anymore.

    When I set it back to an IP like the one the WAN side of the transparent bridge has, but one digit higher, so I don't run into trouble, it all works well again.

    Why can this happen on a transparent bridge?

    For now I have a WAN and a LAN IP on both interfaces that are in my subnet, because without them… it does not work that well.

    I have followed the Transparent Bridge Manual already many times.



  • Is this an unknown issue? Or a misconfiguration?



  • What's the DNS entry the clients receive?



  • @GruensFroeschli:

    What's the DNS entry the clients receive?

    What do you mean exactly?

    I use DNS that is also on the LAN side of the bridge.

    As I understood it, the transparent bridge still needs a WAN IP and the default gateway that is in front?

    This is a little bit confusing because I see a lot of different statements about this on this forum.



  • The bridge should not be visible to the clients -> transparent bridge.

    You should only need an IP on the WAN side.
    The gateway of the clients has to be the next hop past pfSense. So not the pfSense routes (it's only a bridge).
    The same goes for the DNS server entries of the clients.
    Their DNS entries have to be the ones your ISP provides directly.
    From what you wrote you have set it to the LAN-side IP of the pfSense, which is wrong, since the clients shouldn't know about pfSense.

    See it like this: the pfSense is invisible. The IP it has is only to manage it.
    The clients have as gateway and as DNS entries something as if the pfSense were not there.



  • @GruensFroeschli:

    The bridge should not be visible to the clients -> transparent bridge.

    Yes, it is not visible to the clients.

    You should only need an IP on the WAN side.

    Yes, but is it really needed when you also have a separate NIC for that in the machine? I thought not, but with no IP… I can't get any traffic through it.

    The gateway of the clients has to be the next hop past pfSense. So not the pfSense routes (it's only a bridge).
    The same goes for the DNS server entries of the clients.
    Their DNS entries have to be the ones your ISP provides directly.
    From what you wrote you have set it to the LAN-side IP of the pfSense, which is wrong, since the clients shouldn't know about pfSense.

    No, I have the following setup:

    INTERNET (carrier) <---> Core router (does routing) <---> pfSense box (transparent bridge) <---> switch <---> LAN clients + DNS

    See it like this: the pfSense is invisible. The IP it has is only to manage it.
    The clients have as gateway and as DNS entries something as if the pfSense were not there.

    Yes indeed, this is how it should be.

    I have a core router where I have set it up like this:

    http://www.moundalexis.com/archives/000120.php

    and replaced the PIX with a pfSense box.

    And this actually works quite well.

    I only doubt whether the problem might be the VRRP on the Foundry.



  • @Matts:

    Yes, but is it really needed when you also have a separate NIC for that in the machine? I thought not, but with no IP… I can't get any traffic through it.

    Which did you follow?
    You should do it this way:

    Set the WAN IP to an IP inside your subnet.
    Bridge the LAN to WAN.
    The LAN interface has no IP.

    When I set an IP that is totally out of range, like 123.123.123.123, machines behind that transparent bridge are not able to resolve domain names anymore.

    INTERNET (carrier) <---> Core router (does routing) <---> pfSense box (transparent bridge) <---> switch <---> LAN clients + DNS

    Isn't that a bit contradictory?
    Since your DNS server is on your LAN side, the clients will never ever go over the transparent bridge.
    Are you sure that your DNS server is set up correctly and that the clients really have it set as DNS?
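
Added example, not from either poster and not pfSense's own code: a small Python checker that turns the rules stated in the two posts above (one management IP on the WAN member, inside the on-link subnet; no IP on the LAN member; clients using the next hop past the bridge as gateway and never pointing gateway or DNS at an address that belongs to the bridge) into a check that can be run over a planned configuration before the box is touched. The dict layout, the interface names em0/em1 and the 192.0.2.0/24 addresses are constructed assumptions. The checker also flags a management address outside the subnet, since the box then has no on-link route to the gateway from that address.

```python
"""Plan checker for a filtering (transparent) bridge.

Added example; not pfSense code. Rules enforced, as stated in the thread:
  * the WAN member carries exactly one address, inside the on-link subnet,
    and that address exists only to manage the box;
  * the LAN member carries no address at all;
  * clients use the real next hop past the bridge as gateway and never
    point gateway or DNS at an address belonging to the bridge.
The plan format (a plain dict), the interface names and the addresses are
assumptions made for this example.
"""
import ipaddress


def check_bridge_plan(plan):
    """Return a list of human-readable problems; [] means the plan follows the rules."""
    problems = []
    subnet = ipaddress.ip_network(plan["subnet"], strict=False)
    gateway = ipaddress.ip_address(plan["gateway"])
    if gateway not in subnet:
        problems.append(f"gateway {gateway} is not inside {subnet}")

    bridge_addrs = set()   # every address the bridge box answers on
    wan_addr_count = 0
    for member in plan["bridge_members"]:
        name, role = member["name"], member["role"]
        for raw in member.get("addresses", []):
            addr = ipaddress.ip_address(raw)
            bridge_addrs.add(addr)
            if role == "LAN":
                problems.append(f"{name}: LAN member should carry no IP (found {addr})")
            else:
                wan_addr_count += 1
            if addr not in subnet:
                # An off-subnet address cannot ARP for the gateway: no on-link route.
                problems.append(f"{name}: {addr} is outside {subnet}, so the box has no "
                                f"on-link route to {gateway} from that address")
    if wan_addr_count != 1:
        problems.append(f"WAN member should carry exactly one management IP, "
                        f"found {wan_addr_count}")

    for client in plan["clients"]:
        cname = client["name"]
        cgw = ipaddress.ip_address(client["gateway"])
        if cgw in bridge_addrs:
            problems.append(f"{cname}: gateway {cgw} belongs to the bridge; "
                            f"use the next hop past it")
        elif cgw != gateway:
            problems.append(f"{cname}: gateway {cgw} is not the next hop {gateway}")
        for raw in client.get("dns", []):
            dns = ipaddress.ip_address(raw)
            if dns in bridge_addrs:
                problems.append(f"{cname}: DNS server {dns} belongs to the bridge")
    return problems


# Constructed plan that follows the rules: core router at .1, bridge managed on .2.
GOOD_PLAN = {
    "subnet": "192.0.2.0/24",
    "gateway": "192.0.2.1",
    "bridge_members": [
        {"name": "em0", "role": "WAN", "addresses": ["192.0.2.2"]},  # management only
        {"name": "em1", "role": "LAN", "addresses": []},             # no IP at all
    ],
    "clients": [
        {"name": "srv1", "gateway": "192.0.2.1", "dns": ["192.0.2.53"]},
    ],
}

# Constructed plan reproducing the mistakes discussed: an out-of-range LAN IP
# and a client whose gateway and DNS point at the bridge itself.
BAD_PLAN = {
    "subnet": "192.0.2.0/24",
    "gateway": "192.0.2.1",
    "bridge_members": [
        {"name": "em0", "role": "WAN", "addresses": ["192.0.2.2"]},
        {"name": "em1", "role": "LAN", "addresses": ["123.123.123.123"]},
    ],
    "clients": [
        {"name": "srv1", "gateway": "192.0.2.2", "dns": ["192.0.2.2"]},
    ],
}

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        found = check_bridge_plan(plan)
        print(f"{label}: {'ok' if not found else ''}")
        for p in found:
            print("  -", p)
```

The check is deliberately about addresses only: it does not care whether the clients' DNS servers sit on the LAN side or come from the ISP, just that none of them is the bridge, which is the point both posters agree on.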



  • @GruensFroeschli:

    Which did you follow?
    You should do it this way:

    The one that everyone is using, the PDF that is also on the front page of pfSense (trendchiller).

    Set the WAN IP to an IP inside your subnet.
    Bridge the LAN to WAN.
    The LAN interface has no IP.

    True, that is how it's set up, but when I set the LAN IP (because the interface needs one) to one that is totally out of range, I can't resolve names from inside to outside anymore… traffic from outside to inside works OK.

    There are people that say you don't need an IP on WAN and LAN, which I actually doubt. I have 4 NICs: WAN, LAN, CONF and CARP (yep, can be done on a transparent bridge).

    Isn't that a bit contradictory?
    Since your DNS server is on your LAN side, the clients will never ever go over the transparent bridge.
    Are you sure that your DNS server is set up correctly and that the clients really have it set as DNS?

    Why should the clients go over the bridge to reach my DNS server? Should I place them on the WAN side of my pfSense box? Normally I would place DNS servers behind a firewall too.

    When I also have an IP (subnet IP) on the LAN side of my pfSense box and I do an nslookup, it's done on the boxes that are behind the pfSense box. When I remove this IP, or set it to a 176. address that I use nowhere in my network… I can't traceroute or look up names to the outside world anymore.

    So this is quite confusing.



  • @Matts:

    There are people that say you don't need an IP on WAN and LAN, which I actually doubt. I have 4 NICs: WAN, LAN, CONF and CARP (yep, can be done on a transparent bridge).

    Theoretically you don't need an IP for a filtering bridge except for administration.
    Your switches don't have an IP either, do they? They are basically nothing other than a multi-port bridge (just without the filtering function).

    Isn't that a bit contradictory?
    Since your DNS server is on your LAN side, the clients will never ever go over the transparent bridge.
    Are you sure that your DNS server is set up correctly and that the clients really have it set as DNS?

    Why should the clients go over the bridge to reach my DNS server? Should I place them on the WAN side of my pfSense box? Normally I would place DNS servers behind a firewall too.

    I think you misunderstood me.
    The clients don't go over the bridge to reach the DNS server.
    Since they don't go over the bridge to resolve a name, I suspect the problem lies with your DNS.



  • @GruensFroeschli:

    I think you misunderstood me.
    The clients don't go over the bridge to reach the DNS server.
    Since they don't go over the bridge to resolve a name, I suspect the problem lies with your DNS.

    No indeed, I misunderstood you… forums are nice for solving that :)

    Before I had the bridge in there, DNS resolving was no issue at all; my servers can resolve on my DNS servers, but when I remove that IP on the LAN side… they can't anymore.

    Strange also is that when I remove both the WAN and LAN IP, no traffic is possible at all anymore, so this is confusing too.

    Before I put the transparent bridge between the VLANs on the switch, I tested this whole environment with a crossover cable instead of the pfSense box, which actually worked well.

    So I'm looking at the pfSense part, which might not be the best solution because there can be something in between.

