No pings from LAN to WAN unsless DNS forwarder restarted
-
Hallo,
i don't get a connection from LAN to WAN. I have to disable the DNS forwarder and re-enable it again to make DNS resolution working again. Changing some settings in the DHCP server section makes it work again, too.There is no special block rule in the firewall. But in the log you see, that there have packets been blocked, e.g. the ICMP packets.
I have no idea what's wrong.My configuration: WAN –-- pfSense ---- LAN
Here my settings:
https://www.dropbox.com/sh/lj5yau8okc7zbip/AABmLR4xgYe7nm0PUBvoLGDLa?dl=0#/ -
Some observations: Your DNS server entries in your General Setup do not have any entry in the 'Use Gateway' drop-down list. These should have the WAN interface entered for the system to know from which NIC the DNS servers are accessible through.
Also, your DHCP server config doesn't have any DNS servers defined for clients, so unless you're setting DNS statically across all your internal hosts you'd be hard-pressed to resolve any external addresses. If you're using the DNS forwarder, then you could start by putting the internal IP of your pfSense box as the first DNS entry in your DHCP settings, followed by an external DNS server - but this is really up to you.
-
None of those observations have to do with his problem. For starters if you don't put dns entry in your dhcp scope, it clearly states
NOTE: leave blank to use the system default DNS servers - this interface's IP if DNS forwarder is enabled, otherwise the servers configured on the General page.
As to gateway for dns - you don't need that either unless you have to use some specific gateway to get to them.
In addition, optionally select the gateway for each DNS server. When using multiple WAN connections there should be at least one unique DNS server per gateway.One thing I notice is you have it set to over ride your dns settings if you get something from your wan via dhcp/ppoe settings, etc.
Allow DNS server list to be overridden by DHCP/PPP on WANdns has nothing to do with blocking traffic - do you have some rules in your floating tab? That would block?
-
Agreed, on the face of it DNS/DHCP doesn't neccessarily have anything to do directly with blocking rules. However, taken what has been said - that restarting the DNS forwarder service or amending/restarting DHCP resolves the issue (for a while?) it would seem that there is a connection, however tenuous.
Another couple of thoughts: Do your NAT rules allow the outbound traffic as defined in your firewall rules? If you check the 'Firewall/NAT' page, in most simple cases the outbound tab should show the 'Automatic outbound NAT rule generation' option ticked. Is this the case?
Also, have you checked the filesystem? Although I've not directly observed this, I do know that when a filesystem fills up on pfSense this can cause anomalies with DHCP services. Possibly this might also have an effect on parsing firewall rules. Might be worth checking to see that the root filesystem isn't filling up.
-
Thanks for the fast response.
I try to un-check the option: "Allow DNS server list to be overridden by DHCP/PPP on WAN"
But as I say, it takes about one day until the error reoccurs.Besides, the file system is nearly empty:
$ df -H Filesystem Size Used Avail Capacity Mounted on /dev/ad0s1a 28G 210M 26G 1% / devfs 1.0k 1.0k 0B 100% /dev /dev/md0 3.8M 43k 3.4M 1% /var/run devfs 1.0k 1.0k 0B 100% /var/dhcpd/dev
To the Firewall/NAT related hint:
Firewall: NAT: everything there is on default
On outbound page the 'Automatic outbound NAT rule generation' option ist set [x] -
so the outbound is automatic or not.. "option ist set" can not tell which way that typo is suppose to go, isn't or just a extra t?
Curious why pfsense would have 32GB drive in the first place.. Kind of way overkill ;) I gave my VM 4GB and not even touching that ;)
And there are no rules under floating tab?
-
Another possible idea: Are you using any kind of traffic shaping/bandwidth management? Also, you don't explicitly mention it, but are you using the captive portal feature? And have you entered anything in the advanced features section of the LAN > WAN firewall rule? This looks more like something caused by a feature or aspect of the system config which you may have omitted in your original description of the problem.