New to pfSense: DNS seems not to be working



  • Hi everybody,

    I am very new to pfSense. I used IPFire before, but now I need some additional features and therefore I decided to try out pfSense.

    I have a nearly "plain" installation with one WAN (USB) and one LAN (on-board) device. I already read that USB devices are "not welcome" in pfSense, but I hope that this is not the problem. I have no space to add an internal controller card.

    My problem: the "internet" is not working. So I started to check Diagnostics: DNS Lookup, and the DNS server is not responding. I tried my local DNS (the router of the ISP, which is "before" the pfSense) and the Google (8.8.8.8) DNS.

    I can ping external IP addresses but I cannot access pfSense from my WAN network, even with adjusted interface settings.

    What additional information do you need? How can I check if pfSense is working with my USB Ethernet controller?

    Thx and KR
    Itchy


  • Banned

    Kindly post your WAN/LAN rules screenshot.



  • attached.




  • Remove that DNS rule that was created.

    Also, are you running DNS Resolver or DNS Forwarder?


  • LAYER 8 Global Moderator

    I fail to understand this logic..

    You have a rule that is ANY ANY, any protocol to ANY dest and you think you needed to create a special rule for port 53??

    "I can ping external IP addresses but I cannot access pfSense from my WAN network"

    What would that have to do with you not being able to use dns?  If you can ping external IP addresses, why would you think your usb interface is not working?

    Just at a complete loss to try and help you..  And for a screenshot you use your phone?  Really, clearly that is a browser interface to the webgui - why could you not take a screen grab?

    Does pfsense have a public or private ip on its wan?  If private, what is in front of it?  Are you wanting to reach pfsense from the public?  Did you create firewall rules to allow this - did you forward the traffic on the nat in front of pfsense?

    Let's see your interface status for wan and then exactly what is not working..



  • @johnpoz:

    You have a rule that is ANY ANY, any protocol to ANY dest and you think you needed to create a special rule for port 53??

    I read this in the internet, so I tried it. I know that it makes no sense, but it was worth a try.

    @johnpoz:

    "I can ping external IP addresses but I cannot access pfSense from my WAN network"

    What would that have to do with you not being able to use dns?  If you can ping external IP addresses, why would you think your usb interface is not working?

    It has nothing to do with the initial problem, but I thought it is important to let you know. Maybe the problem is not a "not working DNS" but a not working USB interface. Maybe the USB interface is only able to do some operations, but not all - I have never heard of such a case before, but that does not mean it does not exist ;)

    @johnpoz:

    Just at a complete loss to try and help you..  And for a screenshot you use your phone?  Really, clearly that is a browser interface to the webgui - why could you not take a screen grab?

    I can only access the web GUI from a system in the LAN of pfSense, but not from WAN. I cannot access the web from the pfSense LAN, so it was the easiest way to take a screenshot with my mobile. Otherwise I would have had to take a screenshot and transfer it via USB stick to my other system, which is in the "WAN" area of pfSense.

    @johnpoz:

    Does pfsense have a public or private ip on its wan?  If private, what is in front of it?  Are you wanting to reach pfsense from the public?  Did you create firewall rules to allow this - did you forward the traffic on the nat in front of pfsense?

    pfSense is running in the private network of the router of my internet provider. Internet --> ISP Router --> pfSense
    I disabled the "block private networks" option on the WAN interface. Do I have to create an additional rule in the firewall?

    @johnpoz:

    Let's see your interface status for wan and then exactly what is not working..

    WAN; UP; 100baseTX <full-duplex>; 192.168.2.20

    LAN; UP; 1000baseT <full-duplex>; 192.168.5.1


  • @tim.mcmanus:

    Also, are you running DNS Resolver or DNS Forwarder?

    DNS Forwarder is disabled.

    DNS Resolver is enabled, as per default settings.


  • LAYER 8 Global Moderator

    "I know that it makes no sense, but it was worth a try."

    No not really..

    WAN; UP; 100baseTX <full-duplex>; 192.168.2.20

    So you are behind a NAT, so did you forward whatever you want to allow to get to pfsense wan on that device to the pfsense wan IP of 192.168.2.20??  Until you do, then no, you're not getting to pfsense wan from the internet no matter how many rules you create in pfsense.

    What does that device allow for dns?  Since when pfsense is in resolver mode it talks to roots and then walks the tree until it gets to the ns who owns what you're looking for.  If your device in front of pfsense does not allow that - then no, dns wouldn't work.. If your isp hijacks dns queries then no, that wouldn't work either.

    If you don't understand how this device in front of pfsense is set up or what your isp allows, then set pfsense to forwarder mode again and just let it use what your wan gets, which is most likely the router you have in front of pfsense.



  • Hi,

    thx for your response.

    I have problems understanding what you want to say with the following text, from a wording perspective.

    So you are behind a NAT, so did you forward whatever you want to allow to get to pfsense wan on that device to the pfsense wan IP of 192.168.2.20??  Until you do, then no, you're not getting to pfsense wan from the internet no matter how many rules you create in pfsense.

    Yes, I am behind a NAT. I did not make any special entries/rules on my NAT / router device for pfSense. pfSense is configured with a static IP within the subnet of my "private WAN" / the network of the other router. I also tried DHCP configuration for pfSense on the WAN side, but that made no difference.

    I have no clue how my router from the ISP works in detail - it should work like every "cheap" and stupid router on the market. So I changed pfSense from resolver to DNS forwarder (just enabled the option, no other changes).

    Unfortunately the problem has not changed:

    • I am able to ping external IP addresses (completely outside of my private networks)

    • I am not able to ping external web pages (based on their address), no content in the "ping output box"

    • I am able to execute traceroute only on external IP addresses, not on web pages

    • DNS Lookup has a query time for pfSense itself (127.0.0.1) but no response from all other servers

    I tried to enter additional DNS servers (System: General Setup): 8.8.8.8 (with my gateway of 192.168.2.1) and 8.8.4.4 without gateway. I am not sure if I have to define a gateway for external DNS servers, so I tried both. In addition there is also my "local" DNS defined: 192.168.2.1 (DNS of my ISP router).



  • update:

    I disabled the firewall with "pfctl -d" and I got responses from the DNS Lookup within pfSense and was able to access pfSense from the WAN side. I was not able to open any website within the pfSense network :(

    After enabling the firewall again with "pfctl -e" it was the same behaviour as before.


  • LAYER 8 Global Moderator

    Dude I have no idea what you have done.. This really is clickity clickity out of the box working..

    Do a simple freaking query on pfsense for dns lookup does this work?  What did you point it to for dns if you setup wan as static?  What does a dhcp client connected to your isp nat router get for dns?  Use that!!

    Well no shit if you turned off the firewall you would be able to get to the wan of pfsense since you don't have the firewall running.  Out of the box pfsense blocks ALL inbound connections – so what do you want to access you would have to allow it and forward it on your isp router.

    Installing pfsense accepting defaults is a working setup.. dhcp on wan.. Connect a dhcp client to your lan and it should work, even behind a NAT as long as the network that is your wan is not the default pfsense network of 192.168.1.0/24

    "DNS Lookup has a query time for pfsense itself (127.0.0.1) but no response from all other servers"

    Are you forwarding or resolving?  Where are you forwarding to?  Just redo pfsense, select all the defaults and you should be up and running in 30 seconds!

    You keep saying dns is not working.. But have given no details or example of it not working..  Please post a screenshot of what you have set up in your forwarder and what pfsense reports for a dns query.




  • @johnpoz:

    Dude I have no idea what you have done.. This really is clickity clickity out of the box working..

    That is what I hoped and expected. I do not understand what is going wrong on my side. I already re-installed multiple times, but the problem still exists.

    @johnpoz:

    Do a simple freaking query on pfsense for dns lookup, does this work?  What did you point it to for dns if you set up wan as static?  What does a dhcp client connected to your isp nat router get for dns?  Use that!!

    My ISP router is providing 192.168.2.1 as the DNS value to the clients. I entered this address also in pfSense. Please see attached screenshot.

    @johnpoz:

    Well no shit if you turned off the firewall you would be able to get to the wan of pfsense since you don't have the firewall running.  Out of the box pfsense blocks ALL inbound connections – so what do you want to access you would have to allow it and forward it on your isp router.

    Even if I have disabled the "block private networks" option on the WAN device? I added a pfSense WAN firewall rule: source any; destination any; pass (so: allow everything on the WAN device from any to any), but this is not solving the problem.

    @johnpoz:

    Installing pfsense accepting defaults is a working setup.. dhcp on wan.. Connect a dhcp client to your lan and it should work, even behind a NAT as long as the network that is your wan is not the default pfsense network of 192.168.1.0/24

    I tried it. Network (ISP Router) is 192.168.2.0/24

    @johnpoz:

    "DNS Lookup has a query time for pfsense itself (127.0.0.1) but no response from all other servers"

    Are you forwarding or resolving?  Where are you forwarding to?  Just redo pfsense, select all the defaults and you should be up and running in 30 seconds!

    I changed from resolver to forwarder as recommended by you.

    @johnpoz:

    You keep saying dns is not working.. But have given no details or example of it not working..  Please post a screenshot of what you have set up in your forwarder and what pfsense reports for a dns query.

    Please see attached screenshots.

    Thx for your support and time you are investing here.

    ![DNS Lookup.jpg](/public/imported_attachments/1/DNS Lookup.jpg)
    ![dns forwarder.jpg](/public/imported_attachments/1/dns forwarder.jpg)
    ![dns resolver sys log.jpg](/public/imported_attachments/1/dns resolver sys log.jpg)


  • LAYER 8 Global Moderator

    Well, your router in front of pfsense is not answering queries..  And pfsense can not do queries outbound.  So to me it can not even talk to your router.

    So leave your wan as dhcp.. And let it get an IP from your router..  Do the same test.  And then from pfsense diag, can you ping your router?  Can you ping 8.8.8.8 ??

    What does your router get for dns.. It's quite possible your isp only wants you to use them as dns??

    Also what is the make and model of this isp device in front of pfsense?




  • Hi,

    I attached the requested screenshots.

    I can ping 8.8.8.8 and my router (192.168.2.1) from pfSense.

    I already used other DNS Servers for testing purpose from my network when i used IPFire.

    My ISP Router is a Speedport W 921V from Deutsche Telekom (it is a re-named Arcadyan device).

    KR
    Itchy

    ![DNS Lookup2.jpg](/public/imported_attachments/1/DNS Lookup2.jpg)
    ![ping router.jpg](/public/imported_attachments/1/ping router.jpg)
    ![ping 8888.jpg](/public/imported_attachments/1/ping 8888.jpg)
    ![wan status.jpg](/public/imported_attachments/1/wan status.jpg)



  • OK, I think I have a solution now, but I do not really understand it. I swapped the LAN and WAN devices, and now my WAN is working fine and my LAN is not working any longer  :(


  • Banned

    I have nothing against debugging, but your superbroken setup would be best flushed down the drain. Just restart from scratch.


  • LAYER 8 Global Moderator

    what??

    How do you have your devices connected?  Dude, clearly your router 192.168.2.1 is not answering dns queries.. You can not query google.com from it.. So yeah, that is broken..  Have you restarted that device?  When you add 8.8.8.8 to your forwarders, does that answer?

    Here is how you should be set up:

    internet --- isp device --- 192.168.2.110 wan pfsense lan 192.168.1.1 --- 192.168.1.100 PC

    With pfsense wan being directly connected to a port on your isp device and lan from pfsense going into a switch that your other devices are connected into.. Or your PC directly connected to the nic that is pfsense lan if you have no other devices..



  • Hi,

    I am really, really sorry that I was not able to respond earlier. I had to go on a business trip last week Monday (unplanned), and when I got home an excavator had destroyed the cable with my internet connection - great weekend.

    But now, back to our topic:

    I tried the following scenarios:

    1. WAN connected to USB LAN Adapter; LAN connected to onboard interface.
    2. WAN connected to onboard interface; LAN connected to USB LAN Adapter.
    3. Scenario 2 and in addition a W-LAN devices as OPT1.

    My ISP router has the IP address 192.168.2.1, and the interfaces are connected in the right way.

    In scenario 1 my router is not answering DNS queries. I cannot query google.com. I have added 8.8.8.8 to my forwarder but nothing has changed. No response. In scenario 2 (connected to pfSense from the "WAN" side) and scenario 3, all problems (mentioned before) are sorted out. Only the LAN interface is not working.

    My setup looks like this:

    INTERNET --> ISP Router --> 192.168.2.110 WAN pfSense --> 192.168.1.100 PC behind pfSense
                            --> 192.168.2.125 Computer WAN


  • LAYER 8 Global Moderator

    So when you use your onboard interface connected to your router.. It works from the pfsense diag screen, using 192.168.2.1 as your dns..  Post this screenshot.

    Now on your lan side using usb.. Your clients get dhcp from pfsense 192.168.1.x and they point to what for dns??  Pfsense 192.168.1.??

    What are you using in pfsense, the resolver or the forwarder?  By default the resolver is used and pfsense tries to directly query the root servers.  So what are you using in pfsense for dns when you're set up with wan onboard, lan usb?



  • Hi,

    yes, when I use my onboard interface as WAN on pfSense I am able to ping 192.168.2.1.

    When I use my USB LAN interface on pfSense the clients receive an IP address and the DNS entry points to pfSense (192.168.1.1).

    I tried both on pfSense, Resolver and Forwarder, but it did not make any difference.

    In the meantime I have an additional piece of information: my USB LAN device has an AX88772C chipset, which is not supported by FreeBSD. The last AX88772 version which is supported is the AX88772B.

    KR
    Itchy2


  • Banned

    Awesome. Perhaps use non-shitty supported HW.


  • LAYER 8 Global Moderator

    I really don't get why anyone would use a usb nic for anything other than maybe an OLD school laptop that had no nic, or the lan onboard died, etc..

    Why anyone would attempt to use a usb nic for any sort of router/firewall just makes no sense to me..  You have multiple pieces of hardware and you want to run a special distro as your router/firewall - so clearly you're beyond the $20 soho router users.  But you can not afford a $10 nic to put in your machine, or for that matter some $100 hardware to run your pfsense on?



  • Hi,

    I have a system with only one LAN interface. The system has a very low power consumption and is working very well. I decided to use it as a test platform for pfSense before I decide to buy a "bigger solution". Just wanted to check whether it fulfills my requirements.

    KR
    Itchy2



  • Hi,

    I am still trying to get a USB LAN dongle working - somehow. I bought a new one, which is definitely supported by FreeBSD (ASIX AX 88772). I am experiencing the same problem, but in the console I have a new message: arprequest: cannot find matching adress.

    Somebody an idea?



  • Start a new thread since your current problem has nothing to do with your last one.



  • I'm not sure if there is a connection between those two topics or not.


  • LAYER 8 Global Moderator

    "arprequest: cannot find matching adress."

    For what address?  Why don't you just get a REAL nic??


  • Banned

    @johnpoz:

    Why don't you just get a REAL nic??

    And skip REALtek there. :P



  • I can confirm that there are some serious issues with USB ethernet adapters.
    I also tested the above mentioned ASIX AX 88772 and had the same problems as the thread opener: pings to IPs always work, DNS lookups never work and standard TCP transfers work sometimes.
    If, with the same config, I replace the USB adapter with a PCI card, everything works fine.

    The reason why I did this: a USB card is 9€, a low profile PCI card + 90° riser card for this case is 55€, but the time I spent working on this problem is worth way more…

    If you want to see some serious shit, look at the attached Wireshark capture. This was captured on my home router (192.168.66.2), with 192.168.66.21 being a Windows machine making a reference lookup and 192.168.66.199 being the USB WAN interface of the pfSense machine in question. Don't ask me why I don't get any query responses (but two) to the pfSense machine's requests...

    [dns problem.pcap](/public/imported_attachments/1/dns problem.pcap)
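As an added example (not the poster's capture and not pfSense code), the following Python script parses a libpcap file and pairs every DNS query with its reply by client address and transaction ID, which is the check behind the "only two responses" observation in the post above. The embedded capture and the 192.168.66.x hosts are constructed to mirror the thread; it assumes Ethernet framing and plain UDP/53.

```python
import struct
from collections import defaultdict

def _udp_frame(src_ip, dst_ip, sport, dport, payload):
    # Minimal Ethernet/IPv4/UDP frame: dummy MACs, checksums left at zero.
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ip4(src_ip), ip4(dst_ip))
    return b"\x00" * 12 + b"\x08\x00" + ip + udp

def _dns(txid, name, response=False):
    # One A-record question; a response sets the QR bit (0x8000) in the flags.
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    flags = 0x8180 if response else 0x0100
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def _pcap(frames):
    # Little-endian libpcap file, linktype 1 (Ethernet), zero timestamps.
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

# Constructed capture mirroring the thread (not the poster's real pcap): the Windows client
# (.21) gets its answer; the pfSense WAN side (.199) sends three queries, only one is answered.
ROUTER, WIN, PFSENSE = "192.168.66.2", "192.168.66.21", "192.168.66.199"
SAMPLE_PCAP = _pcap([
    _udp_frame(WIN, ROUTER, 51000, 53, _dns(0x1001, "google.com")),
    _udp_frame(ROUTER, WIN, 53, 51000, _dns(0x1001, "google.com", response=True)),
    _udp_frame(PFSENSE, ROUTER, 40001, 53, _dns(0x2001, "google.com")),
    _udp_frame(ROUTER, PFSENSE, 53, 40001, _dns(0x2001, "google.com", response=True)),
    _udp_frame(PFSENSE, ROUTER, 40002, 53, _dns(0x2002, "google.com")),
    _udp_frame(PFSENSE, ROUTER, 40003, 53, _dns(0x2003, "google.com")),
])

def dns_exchanges(pcap_bytes):
    """Return {client_ip: (queries_sent, queries_unanswered)} for UDP/53 traffic."""
    endian = "<" if struct.unpack("<I", pcap_bytes[:4])[0] == 0xA1B2C3D4 else ">"
    pending, stats, off = set(), defaultdict(lambda: [0, 0]), 24
    while off + 16 <= len(pcap_bytes):
        caplen = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])[2]
        frame, off = pcap_bytes[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue                                   # not IPv4 over Ethernet, or not UDP
        src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
        udp = frame[14 + (frame[14] & 0x0F) * 4:]      # skip the IP header (IHL in words)
        sport, dport = struct.unpack("!HH", udp[:4])
        if 53 in (sport, dport) and len(udp) >= 12:
            txid, flags = struct.unpack("!HH", udp[8:12])
            if flags & 0x8000 and (dst, txid) in pending:   # reply matched to its query
                pending.discard((dst, txid)); stats[dst][1] += 1
            elif not flags & 0x8000:                        # new query from src
                pending.add((src, txid)); stats[src][0] += 1
    return {ip: (sent, sent - answered) for ip, (sent, answered) in stats.items()}
```

Run it against a real capture by passing `open("dns problem.pcap", "rb").read()`; a client whose unanswered count approaches its sent count is the one whose queries are being lost.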

