DNS not working from server in LAN



  • Hey Guys,

    I was wondering if someone could help me out with the following:

    I have a Xen server set up, with a HVM Pfsense. Pfsense has two interfaces, WAN which has public ip (x.x.x.x) and LAN on 192.168.x.254/24

    Everything seems to work fine, if I go to diagnostics, then go to ping from LAN interface and type in google.com, this is the response I get:
    PING google.com (173.194.112.102) from 192.168.x.254: 56 data bytes
    64 bytes from 173.194.112.102: icmp_seq=0 ttl=56 time=5.782 ms
    64 bytes from 173.194.112.102: icmp_seq=1 ttl=56 time=6.451 ms
    64 bytes from 173.194.112.102: icmp_seq=2 ttl=56 time=5.728 ms

    However, on a server in the network, I can only ping the DNS servers, but when I do a ping to google.com, nothing happens. Adding a pass rule from the server 192.168.101.20 on port 53 outgoing, does show the traffic going through the logs, to the (external) DNS servers I have configured, but the the server gets no response, so it either seems the packet gets dropped or lost somewhere.

    I have disabled hardware checksum offloading and enabled Do not use the DNS Forwarder as a DNS server for the firewall.

    Does anyone have an idea of what's going on or what I can test to figure out what's happening?

    Thanks!

    Sera

    I


  • Banned

    Kindly post the screenshot of your LAN firewall rules.



  • Thanks for your quick response.



  • Banned

    Well, the first rule is completely redundant with all traffic allowed. Certainly not a packet filter problem.



  • First rule was just for the logging.

    I just found this in a capture when I opened it in wireshark: bad udp cksum 0xdcc7 -> 0x7cd5!, is there anything in Pfsense other then hardware checksum offloading, that could cause this?


  • Banned

    Sounds like virtualization-specific shit.

    https://forum.pfsense.org/index.php?topic=88467.0



  • Thanks, seems to be the same issue. Will post how I resolved this issue.



  • Solved using:

    $ sudo ethtool -K vifx.0 tx off
    $ sudo ethtool -K vifx.1 tx off

    If you experience this issue, please use the guide linked above by Doktornotor. (edit: Made by JohnKeates)

    Thank you very much!


  • Banned

    The guide is not mine, I junk linked it ;)


Log in to reply