Can't resolve host names across VLANs.

  • I have set up two VLANs in pfSense, and inter-VLAN routing is working with a Cisco SG300 switch.
    The LAN interface in pfSense and the default VLAN 1 are on the network.
    VLAN 10 is on the network, and VLAN 20 is on the network.
    If I have a computer connected to a port that belongs to VLAN 10, it can ping another computer that is on VLAN 20 by its IP address, and vice versa.
    The same two computers are not able to ping each other by hostname.
    If I plug both computers into ports belonging to the same VLAN, then they can ping each other by hostname.
    Regardless of which VLAN the computers are connected to, they are able to browse the internet and resolve external domain names, and they can always communicate with each other by IP address.
    Firewall rules are configured to allow traffic from any network to any network using any protocol.
    DHCP is setting the pfSense router as the DNS server address for all VLANs.

    What am I missing here? Let me know if I need to post any more information about my setup.

  • LAYER 8 Netgate

    DNS either works or it doesn't. It has nothing to do with VLANs.

    Instead of posting what you think you've done, post screenshots of what you have actually done.  Chances are it's not what you think or it would be working.

  • LAYER 8 Global Moderator

    When you say hostname, you mean something like computer1?

    So you're trying to access it like "ping computer1" vs "ping computer1.yourdomain.tld".

    So you're trying to broadcast for the name, which, no, does not work across VLANs.

    You can see on a sniff what the computer does when you look up a host name. See the attachment: I try to ping computer1, which does not exist on my network. Since my computer is in the local.lan domain, by default it adds its domain name to the query. See how it added local.lan to the DNS query when all I did was ping computer1.

    When it got the response from DNS that the name does not exist (or if it had just failed), it started broadcasting for it. If that computer was on the same segment, it would answer with its name. But since you have them on different segments, then no, that broadcast would never be sent on the other segment.

    See how I can ping just "pfsense" and it comes back fully qualified as pfsense.local.lan.

    What do you have your computers' domain set to (not AD)? See picture 2, be it the primary or connection-specific suffix. Correctly setting this stuff up allows you to then use just host names, which get the domain you're in added so the DNS queries work. You can also add multiple domains to your search list so that names will be queried for all of those fully qualified names.

    What do you have pfSense set up as? I don't suggest single-label like localdomain; use something unique for you, and use a TLD that is not a public TLD like com or net. Keep in mind they are adding lots of these. Even .xyz is now a valid public domain ;) And it even supports DNSSEC; picked one up for $5 for the first year ;)

    edit: See the 3rd pic, see how I can query for computers on other segments as well. Brother is on my segment, while my first example was from devices on my segment. The resolver in pfSense, and even the forwarder, will resolve a single name if you tell it that is what you're looking for. See the period on the end of my query that says, hey, that is the end, I'm just asking for "brother".

    The trick is understanding how your OSes do basic name resolution ;) And the systems you have in place to resolve those names, be it DNS, broadcasting, even WINS. Are your machines members of an AD domain? If so, they should really be pointing to your AD DNS and not pfSense, for example. Do you have pfSense set up to register DHCP leases in DNS? Static leases? etc. Correctly set up the domain names you want to use for your FQDN queries, and make sure your machines are all using them or the correct suffix search list, etc.
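The resolution sequence described in the post above, modelled as an added example (this is not code from the thread or from pfSense): a resolv.conf-style stub resolver turns "ping computer1" into a list of fully qualified DNS queries built from the search list, a trailing dot makes the name absolute so the search list is skipped, and the broadcast fallback (NetBIOS over UDP 137, or link-local multicast for LLMNR and mDNS) only ever reaches the sender's own segment. The search domains, the 192.168.10.x and 192.168.20.x addresses and the host names are constructed for illustration and are not the poster's real addresses; `query_rcode` does a real UDP lookup and is there so you can point it at your pfSense resolver yourself.

```python
# Added example (not from the thread or pfSense): model stub-resolver name
# qualification, build a raw DNS query to test it against a server, and show
# why broadcast name resolution stops at the VLAN boundary.  All addresses,
# search domains and host names below are constructed for illustration.
import ipaddress
import socket
import struct


def candidate_names(name, search_list, ndots=1):
    """Return the fully qualified names a resolv.conf-style stub resolver
    tries, in order, for `name` (glibc semantics; Windows suffix handling
    differs in detail, but the principle is the same).

    A trailing dot means 'absolute': exactly that name is queried and the
    search list is ignored.  Otherwise a name with fewer than `ndots` dots
    gets each search domain appended first, then the bare name is tried."""
    if name.endswith("."):
        return [name]
    qualified = [f"{name}.{d.strip('.')}." for d in search_list]
    bare = [name + "."]
    return qualified + bare if name.count(".") < ndots else bare + qualified


def build_query(qname, qid=0x1234, qtype=1):
    """Build a single-question DNS query (A record by default) with RD set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = [lab for lab in qname.rstrip(".").split(".") if lab]
    encoded = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + encoded + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_qname(packet):
    """Decode the question name from a DNS packet (questions are not compressed)."""
    pos, labels = 12, []
    while True:
        n = packet[pos]
        pos += 1
        if n == 0:
            break
        labels.append(packet[pos:pos + n].decode("ascii"))
        pos += n
    return ".".join(labels) + "."


def rcode_name(rcode):
    """Human-readable name for the common DNS response codes."""
    return {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}.get(rcode, str(rcode))


def query_rcode(server, qname, timeout=2.0):
    """Send the query over UDP to `server` and return the response RCODE.
    This is a real network call; it is not exercised offline."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (server, 53))
        data, _ = s.recvfrom(512)
    flags = struct.unpack("!H", data[2:4])[0]
    return flags & 0x000F


def broadcast_reaches(sender_cidr, target_ip):
    """Whether a subnet-broadcast name query (NetBIOS on UDP 137) sent from
    `sender_cidr` can be heard by `target_ip`.  Link-local multicast (LLMNR
    224.0.0.252, mDNS 224.0.0.251) has the same reach: the local segment only,
    so a router between VLANs never forwards it."""
    return ipaddress.ip_address(target_ip) in ipaddress.ip_interface(sender_cidr).network


if __name__ == "__main__":
    # Constructed scenario: host on VLAN 10 with search domain test.lan.
    for q in candidate_names("computer1", ["test.lan"]):
        print("DNS query:", q)
    # Absolute query, like the "brother." example with the trailing period.
    print("DNS query:", candidate_names("brother.", ["test.lan"]))
    print("broadcast from 192.168.10.5/24 reaches 192.168.20.7:",
          broadcast_reaches("192.168.10.5/24", "192.168.20.7"))
    # To check a real resolver: print(rcode_name(query_rcode("192.168.1.1", "computer1.test.lan.")))
```

Run it as-is to see the query list; then call `query_rcode` with your pfSense address and both forms of the name. NOERROR for `computer1.test.lan.` but NXDOMAIN for `computer1.` tells you the client must be sending the suffix-qualified form, which is exactly what the client's domain or search-list setting controls.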

  • Thanks johnpoz, it looks like changing the domain name fixed it. The domain was set to the default localdomain. I changed it to test.lan, and it just started working. Now when I ping the computer test2, it comes back as test2.test.lan.
    Although it seems like it should have worked with localdomain as well. The only other things that I have done are disable and re-enable the DNS forwarder, and reboot pfSense again.

    We do have a domain controller, but I had not incorporated that into this test setup yet. Now that it is working, I set the domain in pfSense to the same as the DC domain name and added the DC as a DNS server to pfSense. Name resolution is working for domain and non-domain computers across VLANs.

  • LAYER 8 Global Moderator

    You really need to point domain members to the domain. And DHCP should also come from your AD. How are you going to get clients to register their names in the AD domain? How are you going to look up all the SRV records and other stuff that AD has?

    There is really no reason for pfSense to be involved in DNS and DHCP if you have AD set up, to be honest; trying to integrate it into the setup is just going to cause pain.

  • Domain members are pointed to the domain controller, since its IP address is listed as a DNS server in pfSense. They have always been able to register their names, and we haven't had any other problems with domain credentials. I guess the only reason it was set up this way is because there were only a few computers connected to the domain. Most are not domain members. I'm not saying it's right, it's just the way things evolved over time. But perhaps to simplify things for the future it might be time to move DHCP to the DC instead of pfSense.