Pfsense proxy does not resolve DNS



  • Hey everyone,

    This issue has been over my head for a month now, and I would really love some help.

    I'm currently behind a proxy network and my LAN interfaces cannot resolve DNS. I have a Squid proxy server configured in pfsense. If I manually configure the proxy settings in the LAN Connections from my web explorer, I am able to browse the internet, but if I disable that option and configure the pfsense proxy server with the same proxy settings, the browser does not resolve the DNS.

    Could anyone please shed some light on this issue?

    Thanks


  • LAYER 8 Global Moderator

    Why would you expect clients to resolve dns from?  Are they pointing to the proxy that pfsense is running?



  • Sorry for the cross-posts,

    Well currently the proxy that the pfsense is pointing to is the company network firewall and I have configured the same proxy settings for the pfsense squid proxy server. That being said, I did not configure any proxy setting for the clients…I thought the squid proxy server would allow the clients to connect to the correct proxy configuration as I set the proxy settings in the clients to be detected automatically.

    Thanks,


  • LAYER 8 Global Moderator

    Where are they going to detect it from?  Are you running WPAD?  Did you set up WPAD options in the DHCP options you hand out to the clients, or via DNS?

    If you set up squid on pfsense - did you set it up to be a transparent proxy or explicit?  With transparent you're just sending traffic that is, say, port 80 to the proxy..  The problem with this type of setup is the client has to be able to do DNS to know where to send the request, so that it can be redirected by pfsense to the proxy, and then any upstream proxies, etc.

    If the client cannot look up the IP for www.google.com, it will never send the traffic to get redirected by the proxy.  You need to set up an explicit proxy so that the proxy will do the DNS query.  This can be done with automatic discovery - but the automatic discovery of the proxy has to be configured, etc.



  • Thanks for the reply, johnpoz

    No I am not currently running WPAD. Do I need to configure WPAD for my clients to discover the proxy?

    I have set up the squid on pfsense as a transparent proxy. The squid proxy server is currently pointing to the office network firewall proxy, so pfsense is able to talk to the Internet but the clients are unable to do so.

    From my understanding of your suggestion, I have to set up WPAD for the clients to get redirected by the proxy settings that I have configured in the pfsense squid proxy server. Is that correct?


  • LAYER 8 Global Moderator

    No, in a transparent proxy you don't have to have the client discover or use the proxy settings.

    Here is your problem: in transparent mode the CLIENT must be able to do DNS..  You're only redirecting the normal traffic they send to their gateway (pfsense) for, say, www.google.com (1.2.3.4)

    The problem is, if they cannot do DNS they cannot look up the www.google.com 1.2.3.4 IP, so they will never send any traffic to the gateway to be redirected to the proxy.

    You have to set up explicit proxy use - so the browser says hey proxy, I want to go to www.google.com - the proxy would then resolve www.google.com via.  So your client does not need to be able to do DNS to public sites.

    To set up explicit proxy use, then sure, you could use WPAD for the client to automatically know what proxy to use.  Or you could set up the client directly with the proxy info.  Or you could use, say, group policy to set up the clients, etc..

    If you want to use transparent proxy mode on pfsense, the client needs to be able to do DNS.. Which I do think you can currently do?



  • Thank you again for your reply, johnpoz

    Currently, no…my clients cannot do DNS lookups. They also cannot look up www.google.com, as I get an "unable to resolve host" error when I do so.

    I am trying to configure WPAD to automatically configure the proxy settings in all the clients connected to the pfsense box, but I'm not certain about the domain that these clients have to be in for the IP to resolve the proxy settings from the WPAD configuration file. The gateway currently configured in the LAN interfaces points to the WAN gateway of the pfsense box. While setting up WPAD in the DNS forwarder, it asks for the domain network name that the clients are in, and I believe the clients are not part of a domain.

    If you don't mind, could you please guide me through the steps that I need to follow to configure WPAD for my clients' proxy settings. You are right, I have to use explicit proxy settings, but since I have a large number of clients, I wanted to avoid having to set up the proxy settings in each of the clients and wanted the squid proxy to be able to resolve the hosts for these clients.

    Thanks


  • LAYER 8 Global Moderator

    "The gateway currently configured in the LAN interfaces point to the WAN gateway of the pfsense box"

    Huh???  You have clients on the WAN side of pfsense??

    Or are you saying the lan interface has a gateway setup?

    Why would clients be on the WAN side of pfsense??  Could you do a simple diagram of your setup?  And the pfsense LAN should not have a gateway set!!!

    So the way I would picture your setup is this

    client --- lan (pfsense) wan --- proxy --- internet

    You can hand out wpad via DHCP settings or DNS.  DNS would just need to be in a domain that the client would search for.  This could be the suffix search list, the domain set up on the interface on the client, etc..

    This should get you started on using wpad:
    http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol



  • I am really sorry for the confusion, I had no idea what I was typing -.-

    Yes you are right..the clients are connected to the LAN interfaces (without any gateway setup) and not the WAN.

    The issue currently that I am facing is that for the WPAD configuration, the clients need to be in a specific domain name, which they are not. In that case, is there any other workaround? Or do I need to bring all the clients into the same domain name that the pfsense is registered in? At present, the clients are just configured as "WORKGROUPS" and not domains.

    Thanks


  • LAYER 8 Global Moderator

    It does not have to be an AD domain..  It is a search suffix, what domain they are on in the interface..

    There is no way to do it from DNS if they don't query an actual fqdn..  They are going to query for wpad..  wpad in what domain?  DNS cannot resolve wpad without it being fully qualified, ie wpad.something

    If you do an ipconfig /all on the clients - does it show anything in the search suffix or on the connection?

    You can add that to the clients if you need to, or your other option is to hand out option 252 in DHCP.

    So here is my home box for example..  See how its domain is local.lan - this is not an AD domain, this is just the domain you tell the machine all the other devices it might look for by name are in..  ie this is the domain pfsense is in.. pfsense.local.lan, my machine i5-w7.local.lan

    So when the machine looks for wpad it will look for wpad.local.lan -- which can return an IP if you set that up in pfsense.

    You might want to use DHCP as the easier option for you.  Google "wpad dhcp option 252" and you should find plenty of guides.

    Here is my machine as an example - see my domain local.lan -- you can hand this out via DHCP as well

    C:>ipconfig /all

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : i5-w7
      Primary Dns Suffix  . . . . . . . : local.lan
      Node Type . . . . . . . . . . . . : Hybrid
      IP Routing Enabled. . . . . . . . : No
      WINS Proxy Enabled. . . . . . . . : No
      DNS Suffix Search List. . . . . . : local.lan

    Ethernet adapter Local:

    Connection-specific DNS Suffix  . : local.lan
      Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet
      Physical Address. . . . . . . . . : 18-03-73-B1-0D-D3
      DHCP Enabled. . . . . . . . . . . : Yes
      Autoconfiguration Enabled . . . . : Yes
      IPv4 Address. . . . . . . . . . . : 192.168.1.100(Preferred)
      Subnet Mask . . . . . . . . . . . : 255.255.255.0
      Lease Obtained. . . . . . . . . . : Saturday, September 27, 2014 7:38:30 AM
      Lease Expires . . . . . . . . . . : Thursday, October 02, 2014 7:38:30 AM
      Default Gateway . . . . . . . . . : 192.168.1.253
      DHCP Server . . . . . . . . . . . : 192.168.1.253
      DNS Servers . . . . . . . . . . . : 192.168.1.253
      NetBIOS over Tcpip. . . . . . . . : Enabled

    C:>

    So what does the ipconfig /all of one of your clients look like?

    Here I did a quick sniff and enabled auto discovery in firefox; see how it did query for wpad.local.lan -- now my DNS does not have this set up..  But that is what it asks for, so whatever domain your clients are set for per their ipconfig /all, we can see what they would do the query for.
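    The explicit-proxy setup the moderator describes is usually delivered as a WPAD file. The following is an added example written for this thread, not code from the forum, pfSense or Squid: a PAC script that tells browsers to send public hostnames to the Squid on pfSense (so the proxy does the public DNS lookups, and the client only needs to resolve local names) and to go DIRECT for the local domain and LAN addresses. It assumes pfSense at 192.168.1.253 (the moderator's home network) and Squid on its default port 3128; the PAC helper functions isPlainHostName, dnsDomainIs and isInNet are normally supplied by the browser and are reimplemented minimally here only so the file also runs under Node.

```javascript
// Added example (not from the thread, pfSense or Squid): a wpad.dat / PAC file
// for clients behind a pfSense box running Squid as an EXPLICIT proxy.
// Assumptions: pfSense LAN address 192.168.1.253, Squid on default port 3128,
// local DNS suffix local.lan (from the moderator's ipconfig output).

// Browsers provide these three helpers themselves; minimal versions here so the
// same file is testable outside a browser.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;           // single-label name, e.g. "intranet"
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.slice(-domain.length).toLowerCase() === domain.toLowerCase();
}

// Literal IPv4 only. The browser's isInNet would also resolve hostnames, which
// is exactly the client-side DNS dependency an explicit proxy is meant to avoid.
function isInNet(host, pattern, mask) {
  if (!/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) return false;
  const ip = host.split(".").map(Number);
  if (ip.some(o => o > 255)) return false;
  const p = pattern.split(".").map(Number);
  const m = mask.split(".").map(Number);
  return ip.every((o, i) => (o & m[i]) === (p[i] & m[i]));
}

const PROXY = "PROXY 192.168.1.253:3128";   // assumed: Squid on the pfSense LAN address
const LOCAL_DOMAIN = ".local.lan";           // assumed: the LAN's DNS suffix

// The only function a browser calls. It receives the hostname as typed, so the
// client never has to resolve www.google.com itself: Squid does that upstream.
function FindProxyForURL(url, host) {
  // Single-label names and the local domain are resolvable on the LAN: go direct.
  if (isPlainHostName(host) || dnsDomainIs(host, LOCAL_DOMAIN)) return "DIRECT";
  // LAN addresses typed as IPs: go direct.
  if (isInNet(host, "192.168.1.0", "255.255.255.0")) return "DIRECT";
  // Everything else is handed to Squid by name.
  return PROXY;
}
```

    Serve the file as wpad.dat with content type application/x-ns-proxy-autoconfig from a web server the clients can reach, then point clients at it either by DNS (a host override for wpad in the client's suffix domain, e.g. wpad.local.lan, in the pfSense DNS forwarder) or by DHCP option 252 (type text, value the full URL of wpad.dat) in the pfSense DHCP server's additional options. Note that a client with no DNS suffix at all will never form the name wpad.<domain>, which is why DHCP is the safer delivery method in that case.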




  • I can't thank you enough for all your help, johnpoz! :)

    I am currently investigating the way to setup wpad dhcp option 252. In the meantime, I wanted to show you my configuration…in case I am missing anything.

    Also here is the output from my LAN client when I do ipconfig /all

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\Administrator>ipconfig /all

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : Aroosh1
            Primary Dns Suffix  . . . . . . . :
            Node Type . . . . . . . . . . . . : Unknown
            IP Routing Enabled. . . . . . . . : Yes
            WINS Proxy Enabled. . . . . . . . : No

    Ethernet adapter Broken_Dont_USE:

    Media State . . . . . . . . . . . : Media disconnected
            Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller #4
            Physical Address. . . . . . . . . : 20-CF-30-50-CE-39

    Ethernet adapter AP_Link_INT1:

    Connection-specific DNS Suffix  . :
            Description . . . . . . . . . . . : Intel(R) Gigabit CT Desktop Adapter
            Physical Address. . . . . . . . . : 68-05-CA-24-4F-67
            Dhcp Enabled. . . . . . . . . . . : No
            IP Address. . . . . . . . . . . . : 10.1.1.20
            Subnet Mask . . . . . . . . . . . : 255.255.255.0
            Default Gateway . . . . . . . . . : 10.1.1.1
            DNS Servers . . . . . . . . . . . : 8.8.8.8
                                                8.8.4.4

    Ethernet adapter E-Corp:

    Connection-specific DNS Suffix  . :
            Description . . . . . . . . . . . : Intel(R) PRO/1000 GT Desktop Adapter
            Physical Address. . . . . . . . . : 90-E2-BA-5A-38-26
            Dhcp Enabled. . . . . . . . . . . : No
            IP Address. . . . . . . . . . . . : 10.1.2.20
            Subnet Mask . . . . . . . . . . . : 255.255.255.0
            Default Gateway . . . . . . . . . :
            DNS Servers . . . . . . . . . . . : 10.1.2.1
                                                8.8.8.8

    As you see, I do not have a primary DNS suffix configured. The domain name that I have configured on my pfsense box is just a vague domain, but I guess that doesn't matter as you specified the issue with AD domains.

    If you could take a look at the configurations, I will be obliged :)

    Thanks,
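    The moderator's point above is that DNS-based WPAD discovery can only work if the client has a DNS suffix to append to "wpad". The following is an added example, not from the thread or from pfSense: it reads ipconfig /all text, collects the configured suffixes, derives the names a WPAD client would query (wpad under each suffix, then with the leftmost label dropped, stopping before the top-level domain, which is the WPAD draft's DNS walk) and reports whether DNS discovery can work at all or whether DHCP option 252 is the only remaining path. The two sample outputs are trimmed copies of the ones posted in this thread, embedded here so the script runs offline.

```javascript
// Added example (not from the thread or pfSense): decide from `ipconfig /all`
// output which names DNS-based WPAD discovery would query on a Windows client.

// Collect every DNS suffix the client knows about: primary suffix, the search
// list (which may continue on following indented lines) and per-connection
// suffixes. Returns unique, lower-cased suffixes in order of appearance.
function dnsSuffixes(ipconfigText) {
  const out = [];
  const add = s => { s = s.toLowerCase(); if (!out.includes(s)) out.push(s); };
  let inSearchList = false;
  for (const raw of ipconfigText.split(/\r?\n/)) {
    const line = raw.trim();
    const m = /^(Primary Dns Suffix|DNS Suffix Search List|Connection-specific DNS Suffix)[ .]*:\s*(\S*)$/i.exec(line);
    if (m) {
      inSearchList = /Search List/i.test(m[1]);
      if (m[2]) add(m[2]);
    } else if (inSearchList && /^[a-z0-9.-]+$/i.test(line)) {
      add(line);                     // additional search-list entry, one per line
    } else {
      inSearchList = false;          // any other line ends the search list
    }
  }
  return out;
}

// WPAD DNS walk: wpad.<suffix>, then drop the leftmost label and retry, but
// never query wpad.<tld> (e.g. for eng.example.com: wpad.eng.example.com,
// wpad.example.com, and stop).
function wpadCandidates(suffixes) {
  const names = [];
  for (const s of suffixes) {
    let labels = s.split(".").filter(Boolean);
    while (labels.length >= 2) {
      const n = "wpad." + labels.join(".");
      if (!names.includes(n)) names.push(n);
      labels = labels.slice(1);
    }
  }
  return names;
}

// No candidate names means no suffix: DNS-based discovery cannot fire and the
// URL has to be handed out via DHCP option 252 (or configured on the client).
function wpadDiscoveryPlan(ipconfigText) {
  const names = wpadCandidates(dnsSuffixes(ipconfigText));
  return names.length > 0 ? { method: "dns", names } : { method: "dhcp-option-252", names };
}

// Constructed sample input: trimmed from the moderator's home box output above.
const HOME_IPCONFIG = `
Windows IP Configuration

   Host Name . . . . . . . . . . . . : i5-w7
   Primary Dns Suffix  . . . . . . . : local.lan
   DNS Suffix Search List. . . . . . : local.lan

Ethernet adapter Local:

   Connection-specific DNS Suffix  . : local.lan
   DNS Servers . . . . . . . . . . . : 192.168.1.253
`;

// Constructed sample input: trimmed from the XP client's output above.
const XP_IPCONFIG = `
Windows IP Configuration

   Host Name . . . . . . . . . . . . : Aroosh1
   Primary Dns Suffix  . . . . . . . :

Ethernet adapter AP_Link_INT1:

   Connection-specific DNS Suffix  . :
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       8.8.4.4
`;

console.log("home box:", JSON.stringify(wpadDiscoveryPlan(HOME_IPCONFIG)));
console.log("XP client:", JSON.stringify(wpadDiscoveryPlan(XP_IPCONFIG)));
```

    Run it with node; the home box yields wpad.local.lan as the name a browser would ask pfSense for, while the XP client yields no name at all, matching the moderator's diagnosis that, without a suffix, only DHCP option 252 (or a per-client setting) can deliver the proxy URL.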




  • LAYER 8 Global Moderator

    Ok, clearly some stuff is wrong here..  Why are you multihomed? The 10.1.2 interface doesn't have a gateway, so how could you talk to 8.8.8.8?

    You really should only talk to DNS that has the same settings.. Clearly 10.1.2.1 knows about local domains, while 8.8.8.8 or .4.4 would not know about local domains.

    Whatever domain you used, be it local.lan like me or whatever.tld - you could leverage your devices to resolve hosts in this domain - why do you not leverage the DNS forwarder in pfsense?  Why do you point to googledns if you cannot get to google?

    edit: why are you pointing pfsense to googledns?  Thought you said you couldn't do DNS?  Do you not have a DNS server on the WAN side of pfsense that you can get to resolve public stuff?

    Setting up wpad in the pfsense DNS forwarder does no good if your clients don't query pfsense for DNS.



  • I have one WAN interface and 2 LAN interfaces configured through pfsense. The reason for 2 LAN interfaces is one for local network communication and throughput SNR testing.

    For the LAN interfaces, I do not have any gateway configured. And the machine that I have taken the ipconfig from has a static IP, and hence I configured the gateway accordingly (10.1.2.1 - no idea why it did not show up). The issue is in pfsense: I have assigned the LAN interfaces static IPs of 10.1.1.1 and 10.1.2.1 and also assigned a DHCP server to serve different subnets. But this machine had a static IP configured (10.1.2.20) and I am not too sure whether I should be configuring the IP configuration and DNS myself, or just leave them to be set automatically by the DHCP server.

    So the domain that I have configured on the pfsense box is called wifi-systems.com and I cannot configure the LAN interfaces with the same domain as it cannot be found..it's just a random domain…the network is actually not a part of the domain. That being said, I am not too sure how I could leverage my clients to point to that domain when they cannot be a part of it.

    The reason I am pointing to googledns is because I do not have a DNS server on the WAN side of pfsense. With the correct proxy settings (IP and port) configured in the pfsense box, I am able to get the pfsense box through to the internet, as I see the message "You are currently running the updated version". But when I am trying to leverage my clients to be able to use the same proxy settings, my clients cannot connect to the internet. Hence I tried setting up WPAD but that failed too :(

    Could you please let me know if there is any step that I need to take? Sorry for the trouble, I am actually really new to pfsense.

