DNS Forwarder on one of two subnets in a multi-LAN scenario is not working

  • Sorry for my English. There is a strange behavior with the DNS Forwarder in a scenario with two LANs and two WANs. I googled the problem with no answer.
    The subnetwork on the LAN1 interface can surf the internet and can resolve DNS queries without problems, but clients on the second LAN (LAN2) can't. I believe the problem is the DNS Forwarder.

    From a LAN2 client I can ping the Google DNS host "" but if I try to do an nslookup of www.google.com the answer is an IP address of my Access Point.

    My hardware is configured like this:

    PfSense 2.1.5 amd64.

    LAN Interface:
    Realtek PCI 10/100 Ethernet NIC
    Connected to switch

    WIFI Interface:
    Realtek PCI 10/100 Ethernet NIC
    Connected directly to an Access Point TP-Link TL-WN901nd (IP: ) (doubt here, may this be the cause of the problem?)

    WAN1 and WAN2:
    PPPoE clients
    Dynamic IP

    DHCP Server on WIFI Interface
    Range: -
    Domain Name: syscomputacion.com.ar

    No static entries.

    DHCP Server on LAN interface:
    Range: -
    Domain Name: None or syscomputacion.com.ar
    No static entries.

    Firewall rules on WIFI interface:

    | Action | Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description |
    |---|---|---|---|---|---|---|---|---|---|
    | block | * | Reserved/not assigned by IANA | * | * | * | * | * | * | Block bogon networks |
    | Pass | IPv4 UDP | WIFI net | 53 (DNS) | | 53 (DNS) | * | none | | WIFI -> DNS |
    | Pass | IPv4 * | WIFI net | * | * | * | MultiWan | none | | WIFI -> Internet |

    The following tests were made on a Windows 7 client on the WIFI subnet, connected via wireless:

    IP Address on Client (Assigned by DHCP):
    Domain Suffix: syscomputacion.com.ar
    DHCP Server:
    DNS Server:

    Ping Test:

    Ping (pfSense): ok.
    Ping (Google DNS): ok.
    Ping (pfSense): ok.

    nslookup www.google.com

    • Server:
    • Address:
      Non-authoritative answer:
    • Name: www.google.com.syscomputacion.com.ar (???????) If I remove the Domain Name from the DHCP server on the WIFI interface, syscomputacion.com.ar is not appended after google.com; I don't know why this happens.
    • Address: (the IP of the Access Point). WHY why?

    I also tried modifying the rule on port 53 to point to , with no result.
    Viewing the firewall log, I didn't find any queries on port 53 being blocked.

    Can anybody help me?

  • LAYER 8 Netgate

    That is your nslookup appending your configured domain name to its query.  nslookup is stupid.

    If you don't want that to happen, append a trailing period to your domain name:

    nslookup www.google.com.

  • LAYER 8 Netgate

    And do yourself a favor and make your pass rules for DNS UDP and TCP for port 53, not just UDP.

  • Thanks, I solved the problem.
    It was not a DNS Forwarder problem or a firewall rules mistake. It was an Access Point TL-WA901ND V3 bug. I connected the WIFI interface and the AP both to the same switch, then connected the client to the wired LAN, and all worked fine with the original configuration. So I discovered that the problem was an Access Point bug.

    I googled some issues with this AP and DNS and found this:

    "I got the DNS issue fixed only if I run the AP as DHCP Client. With a static IP (and yes still without default Gateway) any DNS request replies with the static IP address of the AP."

    So I changed the fixed IP on the AP to a dynamic IP and all worked fine on the wireless clients.
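As an added example (not code from this thread or from pfSense), the following Python shows the two points the replies make: a trailing dot makes a name absolute so no DHCP-supplied search domain is appended, and a resolver whose A answers merely echo its own address, as the AP did here, can be flagged by comparing each answer to the server IP. The helper names, the search order in `qualify` and the 192.0.2.x addresses are assumptions and constructed test values.

```python
import socket
import struct

def encode_name(name):
    """Wire-format a DNS name; a trailing dot marks it absolute (no suffix search)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def qualify(name, search_domain):
    """Names a stub resolver may try (assumed order): absolute name as-is, else name and name+domain."""
    if name.endswith("."):
        return [name]
    return [name + ".", f"{name}.{search_domain}."]

def decode_name(msg, off):
    """Read a name at offset, following an RFC 1035 compression pointer if present."""
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels) + ".", off + 1
        if (ln & 0xC0) == 0xC0:  # pointer: the rest of the name lives at the 14-bit offset
            tail, _ = decode_name(msg, struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF)
            return ".".join(labels + [tail.rstrip(".")]) + ".", off + 2
        labels.append(msg[off + 1:off + 1 + ln].decode())
        off += 1 + ln

def parse_a_answers(msg):
    """Return (name, ipv4) pairs from the answer section, skipping other record types."""
    _, _, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the question section (name + QTYPE + QCLASS)
        off = decode_name(msg, off)[1] + 4
    out = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        typ, cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if typ == 1 and cls == 1:
            out.append((name, socket.inet_ntoa(msg[off:off + 4])))
        off += rdlen
    return out

def suspicious(answers, server_ip):  # answers that just echo the resolver's own address
    return [(n, ip) for n, ip in answers if ip == server_ip]

def fake_response(name, ip):  # constructed test input: one A record answering the question
    question = encode_name(name) + struct.pack(">HH", 1, 1)
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + question + rr
```

Running `suspicious(parse_a_answers(reply), server_ip)` against a real reply from the AP's address would reproduce the symptom in the thread: the only answer is the AP's own IP.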
