pfSense guest network not reaching DNS

Hi. Noob question here.

I have 3 VLANs I created in pfSense with different networks. Two are ok, but the third, which I created for a guest network, can’t resolve or ping any DNS servers, including the pfSense box itself, whereas the other VLANs are ok. I have the firewall rules wide open (allow all to everywhere) on the guest VLAN. Any suggestions on what else I can check?

All 3 VLANs are DHCP enabled including the guest network. I get an IP assigned including the DNS servers I set. One difference is I set the guest network as 192.168.200.0/24. The other networks are 10.x.x.x. From the 10.x.x.x networks I can ping the 192.168.200.1 interface, but can’t ping when I’m inside the 192.168.200.x network with an IP assigned. I’m stumped…

How about the return path? Is the default rule on the private segments ALLOW * * ANY, or are you specifying to allow traffic to specific networks only? Are you possibly blocking traffic from the private networks to the guest network? And from the private networks can you ping anything else on the 192.168.200.x subnet? I sometimes think that pfSense shortcuts when it sees that you are pinging alternate IPs pointing to itself (I don’t know that that is true, but I have suspected it on occasion).

Hi. I’m allowing traffic from the private networks to the guest network. But even if that weren’t the case, the guest should still be able to get to 192.168.200.1 with the ALLOW * * ANY, right?
Right now the guest network doesn’t have any restrictions as far as I can tell. But I can’t go anywhere…

Yeah, that is very strange. Check the “block private networks” setting on the guest interface. That could definitely cause something like this.

I say that because this is sounding like there is something profoundly wrong with the network. While you’re at it, double check your IP and DHCP settings on the interface as well. And is there any chance that there is another device on the network handing out DHCP? An IP scanner might be helpful here as well.

In keeping with the above, remember that DHCP requests are broadcast traffic, so the DHCP server could (at least in theory) hand out an IP / subnet that doesn’t include itself, leaving the device unable to talk to a gateway.
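A quick sanity check for the DHCP-lease scenario described above, added here as an example and not taken from the thread: given a constructed VLAN plan (the subnet values are assumptions) it flags a lease whose gateway or DNS server falls outside the handed-out subnet, a lease that matches no configured VLAN (a sign of a rogue DHCP server), and any overlap between VLAN subnets.

```python
import ipaddress

# Constructed VLAN plan modelled on the thread's layout (assumed values,
# not a real configuration): two 10.x private VLANs and one guest VLAN.
VLAN_SUBNETS = {
    "vlan10": ipaddress.ip_network("10.10.10.0/24"),
    "vlan20": ipaddress.ip_network("10.10.20.0/24"),
    "guest": ipaddress.ip_network("192.168.200.0/24"),
}


def check_lease(ip, netmask, gateway, dns_servers, subnets=VLAN_SUBNETS):
    """Return a list of findings for one DHCP lease as seen by a client.

    An empty list means the lease is consistent with the VLAN plan.
    """
    issues = []
    leased_net = ipaddress.ip_interface(f"{ip}/{netmask}").network

    # A lease in a subnet nobody configured points at another DHCP server.
    if leased_net not in subnets.values():
        issues.append(f"lease subnet {leased_net} matches no configured VLAN")

    # The gateway must be on-link, otherwise the client cannot reach it at all.
    gw = ipaddress.ip_address(gateway)
    if gw not in leased_net:
        issues.append(f"gateway {gw} is outside the leased subnet {leased_net}")

    # A private DNS server that lives in no known VLAN is unreachable by design.
    for dns in dns_servers:
        dns_addr = ipaddress.ip_address(dns)
        if dns_addr.is_private and not any(dns_addr in n for n in subnets.values()):
            issues.append(f"DNS server {dns_addr} is private but in no known VLAN")
    return issues


def overlapping_vlans(subnets=VLAN_SUBNETS):
    """Return pairs of VLAN names whose subnets overlap (should be empty)."""
    names = list(subnets)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if subnets[a].overlaps(subnets[b])
    ]


if __name__ == "__main__":
    print(check_lease("192.168.200.50", "255.255.255.0",
                      "192.168.200.1", ["192.168.200.1", "1.1.1.1"]))
    print(overlapping_vlans())
```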

The “Block private networks” check box is not checked. And I’m sure there isn’t an overlapping network somewhere as this is a pretty small deployment.

Hmm, maybe I’ll recreate the network with another range and another VLAN id. I’ll try on Monday.

Thanks for your suggestions.

Oh, one last thought: the switch between the firewall and the rest of the network. Is it possible that the VLAN id (or PVID) is mismatched, or that the VLAN isn’t carrying through all the way (both in to the switch and then back out)?

I’ll double check that. I’m using an XG-7100U with the built-in switch.