DNS not working from server in LAN
-
Hey Guys,
I was wondering if someone could help me out with the following:
I have a Xen server set up, with a HVM Pfsense. Pfsense has two interfaces, WAN which has public ip (x.x.x.x) and LAN on 192.168.x.254/24
Everything seems to work fine, if I go to diagnostics, then go to ping from LAN interface and type in google.com, this is the response I get:
PING google.com (173.194.112.102) from 192.168.x.254: 56 data bytes
64 bytes from 173.194.112.102: icmp_seq=0 ttl=56 time=5.782 ms
64 bytes from 173.194.112.102: icmp_seq=1 ttl=56 time=6.451 ms
64 bytes from 173.194.112.102: icmp_seq=2 ttl=56 time=5.728 ms
However, on a server in the network, I can only ping the DNS servers, but when I do a ping to google.com, nothing happens. Adding a pass rule from the server 192.168.101.20 on port 53 outgoing does show the traffic going through the logs to the (external) DNS servers I have configured, but the server gets no response, so it either seems the packet gets dropped or lost somewhere.
I have disabled hardware checksum offloading and enabled Do not use the DNS Forwarder as a DNS server for the firewall.
Does anyone have an idea of what's going on or what I can test to figure out what's happening?
Thanks!
Sera
-
Kindly post the screenshot of your LAN firewall rules.
-
Thanks for your quick response.
-
Well, the first rule is completely redundant with all traffic allowed. Certainly not a packet filter problem.
-
First rule was just for the logging.
I just found this in a capture when I opened it in Wireshark: bad udp cksum 0xdcc7 -> 0x7cd5! Is there anything in Pfsense other than hardware checksum offloading that could cause this?
-
Sounds like virtualization-specific shit.
https://forum.pfsense.org/index.php?topic=88467.0
-
Thanks, seems to be the same issue. Will post how I resolved this issue.
-
Solved using:
$ sudo ethtool -K vifx.0 tx off
$ sudo ethtool -K vifx.1 tx off
If you experience this issue, please use the guide linked above by Doktornotor. (edit: Made by JohnKeates)
Thank you very much!
-
The guide is not mine, I just linked it ;)
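-
Added example, not part of the original thread: how a capture tool arrives at a line like "bad udp cksum 0xdcc7 -> 0x7cd5!", by recomputing the UDP checksum over the IPv4 pseudo-header and comparing it with the value in the packet. The addresses, ports, DNS payload and the wrong checksum value are constructed for illustration.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum (RFC 1071) used by IP, UDP and TCP."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length input
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:                       # fold carries into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Expected checksum: IPv4 pseudo-header + segment with the field zeroed."""
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_UDP, len(segment)))
    csum = ~ones_complement_sum(pseudo + zeroed) & 0xFFFF
    return csum or 0xFFFF                    # 0 on the wire means "no checksum"

def check_udp(src_ip: str, dst_ip: str, segment: bytes):
    """Return (ok, found, expected), the two values a capture tool reports."""
    found = struct.unpack("!H", segment[6:8])[0]
    expected = udp_checksum(src_ip, dst_ip, segment)
    return found in (0, expected), found, expected

def build_udp(src_ip, dst_ip, sport, dport, payload, filled=True):
    """Build a UDP segment; filled=False leaves a wrong checksum in place,
    standing in for a frame whose offloaded checksum was never computed."""
    seg = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    good = udp_checksum(src_ip, dst_ip, seg)
    csum = good if filled else ((good + 1) & 0xFFFF) or 1   # constructed bad value
    return seg[:6] + struct.pack("!H", csum) + seg[8:]

# Constructed sample: documentation addresses and a minimal DNS query payload.
SRC, DST = "192.0.2.20", "198.51.100.53"
QUERY = bytes.fromhex("1a2b01000001000000000000") + b"\x06google\x03com\x00" \
        + b"\x00\x01\x00\x01"

if __name__ == "__main__":
    for filled in (True, False):
        seg = build_udp(SRC, DST, 40000, 53, QUERY, filled)
        ok, found, expected = check_udp(SRC, DST, seg)
        verdict = "ok" if ok else f"bad udp cksum {found:#06x} -> {expected:#06x}!"
        print(f"filled={filled}: {verdict}")
```

A receiver that validates checksums discards the second segment, which matches the symptom in the thread: the query is logged leaving the firewall but no answer ever reaches the server.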