Can't connect to internet

Grogorio

stumped by this one…. my pfSense box suddenly stopped working - could access the admin i/f ok but clients could not connect to internet. Thought it might be a package installation that had failed so I re-installed pfSense from scratch, but same same. I'm not new to pfSense, but seem to have suffered a brain freeze on this one.

System:
Version 2.2.4 i386 FreeBSD 10.1-RELEASE-p15

Symptoms:
Dashboard: Unable to check for updates.
Client pc can access admin interface but can't connect to the internet

I have gone through the troubleshooting checklist at https://doc.pfsense.org/index.php/Connectivity_Troubleshooting. Bear in mind this is a completely fresh install - everything is standard out of the box using the installation wizard.

WAN Interface - ok
LAN Interface - ok
Firewall/Rules - ok
Outbound NAT - ok
Diagnostic Tests - ok
Client Tests - some issues
Test if the client can ping the LAN IP of the firewall - ok
Test if the client can ping the WAN IP of the firewall - ok
Test if the client can ping the WAN Gateway IP of the firewall - ok
Test if the client can ping an Internet host by IP address (e.g. 8.8.8.8 ) - ok
Test if the client can ping an Internet host by Host name - FAIL
Miscellaneous Additional Areas - ok

Interfaces are both UP

So I assume some kind of DNS issue.

I am using DNS servers 8.8.8.8 and 8.8.4.4 and 103.244.30.142 (public DNS thrown in for testing)

Diagnostics -> DNS Lookup reports:
127.0.0.1 No response
8.8.8.8 No response
8.8.4.4 No response
103.244.30.142 No response

DNS forwarder is not enabled

DNS resolver enabled or disabled, makes no difference. What should the settings be here?

Connecting client pc direct to the internet accesses the web no problem.

Feel I'm missing something obvious :-[

muswellhillbilly

Have you checked with your ISP to see if the issue may be at their end? Have you tried running a dig or nslookup from the command-line on the PF? When you test using the laptop directly plumbed into the internet, you are using the same connection/IP as the PF, aren't you?

chris4916

It looks like client is facing name resolution issue, meaning you're in right section so far :)
Could you please tell us more about:

client settings (DHCP, DNS inherited from DCHP ?)
DNS settings

did you try nslookup instead of ping and chane DNS here to, just to be sure issue is with DNS.
What's about FW rules from LAN to WAN (e.g. port 53 if pfSense is not your DNS)

Grogorio

@muswelhillbilly

isp staff read off a flowchart and give boilerplate responses, no way would they begin to comprehend what my problem is
nslookup on pfsense: command not found
yes direct connection is via the same isp (and works fine)

@chris4916

client settings are automatic, works fine when plugged directly into isp
DNS settings are automatic
nslookup on pfsense: command not found
nslookup on client: connection timed out; no servers could be reached
ping www.google.com from pfsense console: cannot resolve www.google.com: Host name lookup failure

I ran the setup wizard again and noted a step involving the DNS Resolver. However now that I try again that step does not appear. Strange. I have tried DNS resolver enabled and disabled, no difference apparent. Is DNS Resolver something new to pfSense? I am not familiar with it.

I ran the setup wizard yet again, this time selecting the checkbox for Override DNS. Suddenly pfSense can see that it's running the latest version, although sadly the client pc still cannot access the internet.

One more reboot. Same. I'm stumped :'(

muswellhillbilly

@Grogorio:

I ran the setup wizard yet again, this time selecting the checkbox for Override DNS. Suddenly pfSense can see that it's running the latest version, although sadly the client pc still cannot access the internet.

So the PF can resolve external addresses now (assumedly, since it can check the latest version against the external db), but your client can't access the internet. What DNS settings is the client using? Are your clients picking up via DHCP or have you hard-wired the settings? Have you tried setting your client network settings statically instead of using DHCP (assuming you're using DHCP internally)? Have you tried running an nslookup from your client to a specific external DNS server (eg: 'nslookup www.google.com 8.8.8.8').

Not sure why your PF is saying 'unknown command' when running an nslookup. Mine does so from the command-line without any trouble.

Derelict

nslookup is pretty much deprecated:

[2.2.4-RELEASE][root@fw]/root: nslookup
nslookup: Command not found.

Maybe it's still installed by a package (bind) or something.

Use drill.

Grogorio

@muswellhillbilly you might be onto something with the ISP settings - maybe they are blocking 3rd party DNS or something… Can't check now I will get onto it after a long sleep

chris4916

@Grogorio:

@chris4916

client settings are automatic, works fine when plugged directly into isp

DNS settings are automatic

nslookup on pfsense: command not found

nslookup on client: connection timed out; no servers could be reached

ping www.google.com from pfsense console: cannot resolve www.google.com: Host name lookup failure

My question was a bit more oriented toward real content.
Sure DNS settings are automatic but when you look at your client, what are these DNS inherited from automatic process?

And it also looks like you are facing some issue on pfSense itself if you can't resolve name like google.com.

Perhaps this is the right time to discuss about what is really configured instead of keeping debate on the theoretical aspects?

Grogorio

if I look at my network settings (client directly connected to internet), only 'automatic' is displayed and all other fields are blank (and disabled) - not very helpful I know…

if I issue the command (ubuntu 14.04)

more /etc/resolv.conf

it returns:

Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8 )

# DO NOT EDIT THIS FILE BY HAND – YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.1.1

probably not what you wanted to hear either

Sure DNS settings are automatic but when you look at your client, what are these DNS inherited from automatic process?

Apart from what I have already tried, I'm not sure how to check that. It would be good to know, to get to the bottom of it.

BUT here's a curious thing - on booting up my box to check the connection through pfSense again, I find it working and the client can now access the internet. Nothing has changed on my side since the last reboot, so what gives? ISP fault? Incorrect sequence of reboots?

muswellhillbilly

From your previous reply, it looks like your client is using itself as it's DNS server. If it isn't set up that way, change the settings on the client to point to something like the external addresses you mentioned earlier (8.8.4.4).

If your connection is now working, then I'd put my money on the ISP.

PS: I know nslookup is deprecated (I sometimes use dig instead), but as it was available on my PF I used it. I'm using an earlier release, which may account for how I can run it.

Grogorio

ok it's working again this morning so I tried a couple more commands on a client connected directly (actually via gateway router with IP 192.168.20.1) and via pfSense:

nm-tool | grep DNS

direct connection client output:
DNS: 192.168.20.1

pfSense client output:
DNS: 8.8.4.4
DNS: 103.244.30.142
DNS: 8.8.8.8

dig www.google.com

direct connection client output:
SERVER: 127.0.1.1#53(127.0.1.1)

pfSense client output:
SERVER: 127.0.1.1#53(127.0.1.1)

pfSense shell output:
dig command not found

Gateway router (192.168.20.1) is getting DNS dynamically from the ISP. There is an option to set DNS but the fields on the admin form are disabled. There will be no gateway router where the box will be finally deployed (pfSense box will be the gateway router).

Sooo, what does it all mean? I am no networking guru as you can probably tell. I tend to agree it was probably an ISP hiccup and it's probably now a case of continue to monitor the situation, unless somebody has further diagnostic suggestions.

(I don't want to change client DNS settings as my goal is to deploy this pfSense box in a semi-public area using captive portal, so will have no control over client settings.)

oneaway

@Grogorio:

ok it's working again this morning so I tried a couple more commands on a client connected directly (actually via gateway router with IP 192.168.20.1) and via pfSense:
nm-tool | grep DNS
direct connection client output:
DNS: 192.168.20.1

pfSense client output:
DNS: 8.8.4.4
DNS: 103.244.30.142
DNS: 8.8.8.8
dig www.google.com
direct connection client output:
SERVER: 127.0.1.1#53(127.0.1.1)

pfSense client output:
SERVER: 127.0.1.1#53(127.0.1.1)

pfSense shell output:
dig command not found

Gateway router (192.168.20.1) is getting DNS dynamically from the ISP. There is an option to set DNS but the fields on the admin form are disabled. There will be no gateway router where the box will be finally deployed (pfSense box will be the gateway router).

Sooo, what does it all mean? I am no networking guru as you can probably tell. I tend to agree it was probably an ISP hiccup and it's probably now a case of continue to monitor the situation, unless somebody has further diagnostic suggestions.

(I don't want to change client DNS settings as my goal is to deploy this pfSense box in a semi-public area using captive portal, so will have no control over client settings.)

Dear Grogorio,
I had a problem like you. My client use dns google 8.8.8.8 not resolve domain name when connect direct to pfsense. But when It used dns server of domain AD resolve domain name is ok. Can you show me step by step?
Thanks for help.