Pfsense Guest Network Issues

Hi,

I have been running pfsense for a few years now, and it only now occurs to me that my IoT turned Guest & IoT network has some sort of routing or DNS issue that I really do not understand. I believe it is DNS related since if I change the DNS address handed out by DHCP for this subnet (which also has pfblockerng running) from pfsense’s internal DNS server to something like 9.9.9.9, either in the DNS server settings in pfsense or manually on a device, things work normally.

This tells me I likely have my rules for the subnet too aggressive and it’s blocking the ability for clients to talk to pfsense’s DNS server. What I do not understand is… I have explicit pass rules for DNS. Does anyone see any glaring issues with my config?

Nat (the .69 network is my IoT network…)

The first thing I’d check is if your DNS server is enabled on the IOT interface.

It is. It’s enabled on all network interfaces.

I don’t see anything obvious in your rules (hard to be sure because of aliases, of course). I’d see if you can load the firewall logs on dynamic mode and try to recreate the issue. It should then show you which rule is blocking if that’s really the case. Also, do check the floating rules in case there’s something in there that applies to the relevant interface.

I am on 24.03 and I recently had an issue with the DNS server not working on an interface. A simple reboot of the service solves the problem. At least in my case.

I had this issue when I activated Kea DHCP. When I reverted back to the old DHCP (ISC) the issue resolved.

I have never heard of this before, what is that and how do I do it?

Sadly, no dice. That didn’t solve it.

Good thought, but I am still on ISC, I haven’t made the jump yet… maybe that’s the issue? Hmm. Maybe I should try Kea just to confirm?

Go to Status > System Logs and click on the Firewall section. There’s a tab called Dynamic that will show you the live firewall log as rules are applied. On the top-right of that screen, there’s a filter button where you can set different criteria to view just a specific address or network or port.

Somewhere in there you should see the blocked packets if it really is a firewall problem and then you can narrow your search.


I let this thread go stale as I have not been home/had time to deal with this issue, but today I am away from home with family for the long holiday, and I am noticing the same exact seemingly DNS issue on my VPN split tunnel setup. I have wireguard running on pfsense and have 2 VPNs set up for my laptop, one for split tunnel and 1 for full tunnel.

I am starting to think it is not DNS…

The only difference between my wireguard configs on the client side are the “Interface Address” (same subnet, only off by 2 numbers in the last octet) and the “AllowedIPs”, for the full tunnel being

AllowedIPs = 0.0.0.0/0, ::/0

And the split tunnel being a set of my private IPs that I use:

AllowedIPs = 10.1.15.0/24, 10.90.5.0/24, 10.80.5.0/24, 10.81.5.0/24, 10.70.5.0/24, 192.168.69.0/24

All other settings (minus keys) are the same. Both VPNs work fine except for some websites I just can’t get to on the split tunnel, much like the issue I have with certain subnets within my LAN. While on the split tunnel, I can ping a website like CNN via terminal, and I get responses, but the website just does not load.

In wireguard, for both tunnels, DNS is set to 10.1.15.1 which is the “wireguard” subnet I have set up in pfsense. I really don’t know why the full tunnel works fine, and the split tunnel reacts exactly like I am on one of the internal subnets that doesn’t seem to be getting correct routing. If I edit the split tunnel AllowedIPs to be 0.0.0.0/0, ::/0, that connection suddenly works fine.

I am entirely at a loss, but I also only know enough to know enough… I don’t even know where to start with this issue. I know at some previous point in time my split tunnel worked perfectly, but I have not used it in a while and I am not sure when it started to work incorrectly. I can’t imagine what I would have changed that caused this for the split tunnel or the other subnets - I assume it’s a single issue affecting both scenarios.

Rules for this subnet are extremely simple:

Wireguard settings for split tunnel:

[Interface]
PrivateKey = xxxx
Address = 10.1.15.4/24
DNS = 10.1.15.1

[Peer]
PublicKey = xxxx
PresharedKey = xxxx
AllowedIPs = 10.1.15.0/24, 10.90.5.0/24, 10.80.5.0/24, 10.81.5.0/24, 10.70.5.0/24, 192.168.69.0/24
Endpoint = xxxx

I can’t get the split tunnel interface to work correctly even just removing 1 subnet at a time from the AllowedIPs list. Only once I set it to 0.0.0.0/0, ::/0 does it work correctly.
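An added diagnostic, not from the thread or from pfsense/WireGuard: it parses the split-tunnel config quoted above (key values stay as the xxxx placeholders) and reports, per address, whether a flow would be sent into the tunnel (address covered by AllowedIPs) or out the laptop's local default route. With the split-tunnel list, DNS to 10.1.15.1 and anything on the listed private subnets cross the tunnel, while a public web address resolved by pfsense is reached directly; the same check with 0.0.0.0/0, ::/0 sends everything through the tunnel.

```python
"""Classify destinations against a WireGuard [Peer] AllowedIPs list."""
import ipaddress
import re

# Constructed copy of the split-tunnel config from the thread; xxxx are placeholders.
SPLIT_TUNNEL_CONF = """
[Interface]
PrivateKey = xxxx
Address = 10.1.15.4/24
DNS = 10.1.15.1

[Peer]
PublicKey = xxxx
PresharedKey = xxxx
AllowedIPs = 10.1.15.0/24, 10.90.5.0/24, 10.80.5.0/24, 10.81.5.0/24, 10.70.5.0/24, 192.168.69.0/24
Endpoint = xxxx
"""


def parse_wg_conf(text):
    """Return (dns_servers, allowed_networks) from a wg-quick style config."""
    dns, allowed = [], []
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*(.+)", line)
        if not m:
            continue  # section headers and blank lines carry no key = value
        key, value = m.group(1), m.group(2)
        items = [v.strip() for v in value.split(",") if v.strip()]
        if key == "DNS":
            dns += [ipaddress.ip_address(v) for v in items]
        elif key == "AllowedIPs":
            allowed += [ipaddress.ip_network(v, strict=False) for v in items]
    return dns, allowed


def route_for(dest, allowed):
    """'tunnel' if any AllowedIPs network covers dest, else 'direct' (local default route)."""
    addr = ipaddress.ip_address(dest)
    return "tunnel" if any(addr in net for net in allowed) else "direct"


def with_allowed_ips(conf_text, allowed_ips):
    """Copy of the config with its AllowedIPs line replaced (for full vs split comparison)."""
    return re.sub(r"AllowedIPs = .*", "AllowedIPs = " + allowed_ips, conf_text)


def classify(conf_text, destinations):
    """Map the config's DNS server(s) and each destination to 'tunnel' or 'direct'."""
    dns, allowed = parse_wg_conf(conf_text)
    report = {str(d): route_for(d, allowed) for d in dns}
    report.update({d: route_for(d, allowed) for d in destinations})
    return report
```

Run classify() once with the split config and once with the full-tunnel AllowedIPs to see which flows change path; 203.0.113.10 below stands in for any public web server address.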