
DNS Issues with pfSense & Unifi

Just bought and (kinda) set up my new home network with pfSense on a Protectli device with a Unifi Switch 8 PoE & AP-AC-LR and the controller in a docker container on my PC. My intent is to set up VLANs for IOT crap and Guest on wifi, with those restricted from my main LAN. I’ve got things mostly working, but am unable to get anything connecting to the AP to access DNS.

These are my firewall and NAT rules.
TRANSLATION RULES:
no nat proto carp all
nat-anchor "natearly/*" all
nat-anchor "natrules/*" all
nat on em0 inet from 127.0.0.0/8 to any port = isakmp -> x.x.x.x static-port
nat on em0 inet from 127.0.0.0/8 to any -> x.x.x.x port 1024:65535
nat on em0 inet6 from ::1 to any port = isakmp -> (em0) round-robin static-port
nat on em0 inet6 from ::1 to any -> (em0) port 1024:65535 round-robin
nat on ovpnc1 inet from 192.168.5.0/24 to any -> 10.10.0.4 port 1024:65535
nat on ovpnc1 inet from 10.1.10.0/24 to any -> 10.10.0.4 port 1024:65535
nat on ovpnc1 inet from 192.168.20.0/24 to any -> 10.10.0.4 port 1024:65535
no rdr proto carp all
rdr-anchor "relayd/*" all
rdr-anchor "tftp-proxy/*" all
rdr on em1 inet proto tcp from any to ! 192.168.5.1 port = domain -> 127.0.0.1
rdr on em1 inet proto udp from any to ! 192.168.5.1 port = domain -> 127.0.0.1
rdr on em1.10 inet proto tcp from any to ! 10.1.10.1 port = domain -> 127.0.0.1
rdr on em1.10 inet proto udp from any to ! 10.1.10.1 port = domain -> 127.0.0.1
rdr on em1.20 inet proto tcp from any to ! 192.168.20.1 port = domain -> 127.0.0.1
rdr on em1.20 inet proto udp from any to ! 192.168.20.1 port = domain -> 127.0.0.1
rdr-anchor "miniupnpd" all

FILTER RULES:
scrub on em0 all fragment reassemble
scrub on em1 all fragment reassemble
scrub on em1.10 all fragment reassemble
scrub on em1.20 all fragment reassemble
scrub on ovpnc1 all fragment reassemble
anchor "relayd/*" all
anchor "openvpn/*" all
anchor "ipsec/*" all
pass in quick on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
pass out quick on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
block drop in log quick inet6 all label "Block all IPv6"
block drop out log quick inet6 all label "Block all IPv6"
block drop in log quick inet from 169.254.0.0/16 to any label "Block IPv4 link-local"
block drop in log quick inet from any to 169.254.0.0/16 label "Block IPv4 link-local"
block drop in log inet all label "Default deny rule IPv4"
block drop out log inet all label "Default deny rule IPv4"
block drop in log inet6 all label "Default deny rule IPv6"
block drop out log inet6 all label "Default deny rule IPv6"
block drop log quick inet proto tcp from any port = 0 to any label "Block traffic from port 0"
block drop log quick inet proto udp from any port = 0 to any label "Block traffic from port 0"
block drop log quick inet proto tcp from any to any port = 0 label "Block traffic to port 0"
block drop log quick inet proto udp from any to any port = 0 label "Block traffic to port 0"
block drop log quick from <snort2c> to any label "Block snort2c hosts"
block drop log quick from any to <snort2c> label "Block snort2c hosts"
block drop in log quick proto tcp from <sshguard> to (self) port = ssh label "sshguard"
block drop in log quick proto tcp from <sshguard> to (self) port = https label "GUI Lockout"
block drop in log quick from <virusprot> to any label "virusprot overload table"
pass in quick on em0 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
pass out quick on em0 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN"
block drop in log quick on em0 from <bogons> to any label "block bogon IPv4 networks from WAN"
block drop in log on ! em0 inet from 24.229.245.0/24 to any
block drop in log inet from x.x.x.x to any
block drop in log on em0 inet6 from fe80::2e0:67ff:fe18:1978 to any
block drop in log quick on em0 inet from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
block drop in log quick on em0 inet from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
block drop in log quick on em0 inet from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
block drop in log quick on em0 inet from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
block drop in log quick on em0 inet6 from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
block drop in log on ! em1 inet from 192.168.5.0/24 to any
block drop in log inet from 192.168.5.1 to any
block drop in log on em1 inet6 from fe80::2e0:67ff:fe18:1979 to any
pass in quick on em1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on em1 inet proto udp from any port = bootpc to 192.168.5.1 port = bootps keep state label "allow access to DHCP server"
pass out quick on em1 inet proto udp from 192.168.5.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
block drop in log on ! em1.10 inet from 10.1.10.0/24 to any
block drop in log inet from 10.1.10.1 to any
block drop in log on em1.10 inet6 from fe80::2e0:67ff:fe18:1979 to any
pass in quick on em1.10 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on em1.10 inet proto udp from any port = bootpc to 10.1.10.1 port = bootps keep state label "allow access to DHCP server"
pass out quick on em1.10 inet proto udp from 10.1.10.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
block drop in log on ! em1.20 inet from 192.168.20.0/24 to any
block drop in log inet from 192.168.20.1 to any
block drop in log on em1.20 inet6 from fe80::2e0:67ff:fe18:1979 to any
pass in quick on em1.20 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on em1.20 inet proto udp from any port = bootpc to 192.168.20.1 port = bootps keep state label "allow access to DHCP server"
pass out quick on em1.20 inet proto udp from 192.168.20.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
block drop in log on ! ovpnc1 inet6 from fdda:d0d0:cafe:1196::/64 to any
block drop in log on ovpnc1 inet6 from fe80::2e0:67ff:fe18:1978 to any
block drop in log inet6 from fdda:d0d0:cafe:1196::1002 to any
block drop in log on ! ovpnc1 inet from 10.10.0.0/16 to any
block drop in log inet from 10.10.0.4 to any
pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
pass out route-to (em0 24.229.245.1) inet from x.x.x.x to ! 24.229.245.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass out route-to (ovpnc1 10.10.0.1) inet from 10.10.0.4 to ! 10.10.0.0/16 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass out route-to (ovpnc1 fdda:d0d0:cafe:1196::) inet6 from fdda:d0d0:cafe:1196::1002 to ! fdda:d0d0:cafe:1196::/64 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass in quick on em1 proto tcp from any to (em1) port = https flags S/SA keep state label "anti-lockout rule"
pass in quick on em1 proto tcp from any to (em1) port = http flags S/SA keep state label "anti-lockout rule"
pass in quick on em1 proto tcp from any to (em1) port = ssh flags S/SA keep state label "anti-lockout rule"
anchor "userrules/*" all
pass in quick on em0 reply-to (em0 24.229.245.1) inet from ! 24.229.245.0/24 to any flags S/SA keep state label "USER_RULE"
pass in quick on em1 inet proto tcp from any to 127.0.0.1 port = domain flags S/SA keep state label "USER_RULE: NAT Redirect DNS"
pass in quick on em1 inet proto udp from any to 127.0.0.1 port = domain keep state label "USER_RULE: NAT Redirect DNS"
pass in quick on em1 inet proto udp from any to ! 192.168.5.1 port = domain keep state label "USER_RULE: Allow DNS to LAN"
block return in quick on em1 inet proto udp from any to any port = domain label "USER_RULE: Block DNS to WAN"
pass in quick on em1 inet from 192.168.5.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on em1.10 inet proto udp from any to 10.1.10.1 port = domain keep state label "USER_RULE: Allow DNS to IOTCrap"
pass in quick on em1.10 inet proto tcp from any to 127.0.0.1 port = domain flags S/SA keep state label "USER_RULE: NAT Redirect DNS"
pass in quick on em1.10 inet proto udp from any to 127.0.0.1 port = domain keep state label "USER_RULE: NAT Redirect DNS"
block return in quick on em1.10 inet proto udp from any to any port = domain label "USER_RULE: Block DNS to WAN"
block drop in quick on em1.10 inet from 10.1.10.0/24 to (self) label "USER_RULE: Block Firewall Access"
pass in quick on em1.10 inet from 10.1.10.0/24 to ! 192.168.5.0/24 flags S/SA keep state label "USER_RULE: Allow Internet Block Local"
pass in quick on em1.20 inet proto udp from any to 192.168.20.1 port = domain keep state label "USER_RULE: Allow DNS to Guest"
pass in quick on em1.20 inet proto tcp from any to 127.0.0.1 port = domain flags S/SA keep state label "USER_RULE: NAT Redirect DNS"
pass in quick on em1.20 inet proto udp from any to 127.0.0.1 port = domain keep state label "USER_RULE: NAT Redirect DNS"
block return in quick on em1.20 inet proto udp from any to any port = domain label "USER_RULE: Block DNS to WAN"
block drop in quick on em1.20 inet from 10.1.10.0/24 to (self) label "USER_RULE: Block Firewall Access"
pass in quick on em1.20 inet proto tcp from any to ! 192.168.5.0/24 flags S/SA keep state label "USER_RULE: Allow Internet Block Local"
anchor "tftp-proxy/*" all

ALTQ:
queue qACK on em0 priority 6 priq( red ecn )
queue qDefault on em0 priority 3 priq( red ecn default )
queue qLink on em1 priority 2 qlimit 500 priq( red ecn default )
queue qACK on em1 priority 6 priq( red ecn )

INFO:
Status: Enabled for 0 days 06:17:12           Debug: Urgent

Interface Stats for em1               IPv4             IPv6
  Bytes In                       165467802                0
  Bytes Out                     2550976393                0
  Packets In
    Passed                         1188929                0
    Blocked                         111895                0
  Packets Out
    Passed                         2302285                0
    Blocked                             55                0

State Table                          Total             Rate
  current entries                       85
  searches                        11248578          497.0/s
  inserts                            76375            3.4/s
  removals                           76290            3.4/s
Counters
  match                             195930            8.7/s
  bad-offset                             0            0.0/s
  fragment                              20            0.0/s
  short                                 28            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                      1824            0.1/s
  state-insert                          15            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s

LABEL COUNTERS:
pass IPv6 loopback 192407 0 0 0 0 0 0 0
pass IPv6 loopback 87 8 392 4 196 4 196 0
Block all IPv6 192239 0 0 0 0 0 0 0
Block all IPv6 60105 1904 148490 0 0 1904 148490 0
Block IPv4 link-local 190496 0 0 0 0 0 0 0
Block IPv4 link-local 132216 0 0 0 0 0 0 0
Default deny rule IPv4 132216 868 133648 868 133648 0 0 0
Default deny rule IPv4 190498 526 128494 0 0 526 128494 0
Default deny rule IPv6 190486 0 0 0 0 0 0 0
Default deny rule IPv6 58280 0 0 0 0 0 0 0
Block traffic from port 0 190491 0 0 0 0 0 0 0
Block traffic from port 0 190043 0 0 0 0 0 0 0
Block traffic to port 0 190491 0 0 0 0 0 0 0
Block traffic to port 0 190045 0 0 0 0 0 0 0
Block snort2c hosts 190488 0 0 0 0 0 0 0
Block snort2c hosts 190497 0 0 0 0 0 0 0
sshguard 190488 3786 220010 3786 220010 0 0 0
GUI Lockout 0 0 0 0 0 0 0 0
virusprot overload table 129379 0 0 0 0 0 0 0
allow dhcp client out WAN 128430 2742 1023204 2742 1023204 0 0 0
allow dhcp client out WAN 58345 0 0 0 0 0 0 0
block bogon IPv4 networks from WAN 6963 0 0 0 0 0 0 0
Block private networks from WAN block 10/8 1594 0 0 0 0 0 0 0
Block private networks from WAN block 127/8 1594 0 0 0 0 0 0 0
Block private networks from WAN block 172.16/12 1594 0 0 0 0 0 0 0
Block private networks from WAN block 192.168/16 1594 0 0 0 0 0 0 0
Block ULA networks from WAN block fc00::/7 1594 0 0 0 0 0 0 0
allow access to DHCP server 125911 65 21942 65 21942 0 0 3
allow access to DHCP server 29 58 19348 29 9780 29 9568 3
allow access to DHCP server 182735 0 0 0 0 0 0 0
allow access to DHCP server 694 6 3456 6 3456 0 0 0
allow access to DHCP server 2 4 1808 2 1152 2 656 0
allow access to DHCP server 58947 0 0 0 0 0 0 0
allow access to DHCP server 0 0 0 0 0 0 0 0
allow access to DHCP server 0 0 0 0 0 0 0 0
allow access to DHCP server 58286 0 0 0 0 0 0 0
pass IPv4 loopback 127551 120 9002 60 3940 60 5062 10
pass IPv4 loopback 55365 0 0 0 0 0 0 0
let out anything IPv4 from firewall host itself 182801 53125 1630961 26375 779598 26750 851363 325
let out anything from firewall host itself 55946 5924 1186597 2416 865308 3508 321289 81
let out anything from firewall host itself 46705 2885239 2251680900 1937923 2133884766 947316 117796134 1334
let out anything from firewall host itself 46726 0 0 0 0 0 0 0
anti-lockout rule 189906 15931 8862322 6368 648660 9563 8213662 2
anti-lockout rule 187207 15456 8636691 6168 626626 9288 8010065 0
anti-lockout rule 187207 15456 8636691 6168 626626 9288 8010065 0
USER_RULE 189915 2181 212101 1628 138265 553 73836 96
USER_RULE: NAT Redirect DNS 5617 0 0 0 0 0 0 0
USER_RULE: NAT Redirect DNS 3795 367 26772 367 26772 0 0 310
USER_RULE: Allow DNS to LAN 10920 98 7102 94 6799 4 303 0
USER_RULE: Block DNS to WAN 111811 111515 7920887 111515 7920887 0 0 0
USER_RULE: Default allow LAN to any rule 2156 2902412 2287723961 947481 121088155 1954931 2166635806 86
USER_RULE: Allow DNS to IOTCrap 56639 0 0 0 0 0 0 0
USER_RULE: NAT Redirect DNS 481 0 0 0 0 0 0 0
USER_RULE: NAT Redirect DNS 481 24 1608 24 1608 0 0 3
USER_RULE: Block DNS to WAN 660 660 43425 660 43425 0 0 0
USER_RULE: Block Firewall Access 24 24 2016 24 2016 0 0 0
USER_RULE: Allow Internet Block Local 0 0 0 0 0 0 0 0
USER_RULE: Allow DNS to Guest 55948 0 0 0 0 0 0 0
USER_RULE: NAT Redirect DNS 478 0 0 0 0 0 0 0
USER_RULE: NAT Redirect DNS 478 0 0 0 0 0 0 0
USER_RULE: Block DNS to WAN 0 0 0 0 0 0 0 0
USER_RULE: Block Firewall Access 0 0 0 0 0 0 0 0
USER_RULE: Allow Internet Block Local 0 0 0 0 0 0 0 0

TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start           237600 states
adaptive.end             475200 states
src.track                     0s

LIMITS:
states        hard limit   396000
src-nodes     hard limit   396000
frags         hard limit     5000
table-entries hard limit   400000

TABLES:
bogons
snort2c
sshguard
virusprot

I have the VLANs set up on both pfSense and Unifi, ensuring the VLAN tags match, but I still get ‘DNS Timeout’ issues on all my wireless devices, not on LAN.

Any help?

It’s hard to read those rules; can you do screenshots of the interface pages instead? Not each rule, just the rules page for each interface.

Also make sure that in the DNS resolver you either have network interfaces set to all or you select all your local networks that you want to be able to access the DNS server.

Ah, didn’t realize I could post screenshots directly. Wouldn’t let me link to imgur for the rules, so I got an output from pfSense. These are likely a mess, so forgive me ahead of time.

LAN

IOT

And Guest, since I’m only allowed 2 pics per post.

DNS resolver settings

So I think DNS is both TCP and UDP, so if you change those DNS allow rules to use both that will probably fix it. If not then to test if it’s a firewall problem add an allow any to any rule to the IOT network and see if it works then. But I think adding TCP will work.


Unfortunately that didn’t help. I’m going to reset everything to factory defaults and start over.

When changing the firewall rules it can help to reset the state table; otherwise old states can still apply and the rule changes may not appear to work.

Hi,

Since you’re telling the DNS resolver to listen on the IOTCRAP interface, you do not need that redirect rule (the one redirecting DNS to 127.0.0.1). I think that might be the issue. I am not sure where they come from… The 2nd fw rule to 127.0.0.1 also isn’t needed (has no matches either).

I run a similar config at home, and it works quite well. Let the resolver listen on each VLAN’s interface, and simply allow DNS to only that specific address, and block all other DNS access in a later rule as you have done.
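A small check that applies the two pieces of advice above (DNS needs both TCP and UDP allowed, and with the resolver listening on each VLAN the 127.0.0.1 redirect is unnecessary), written here as an added example rather than code from the thread. It parses the IOT and Guest rule lines copied from the `pfctl` dump earlier in the thread; the interface-to-gateway mapping is taken from that dump, and the function names are my own.

```python
"""Audit per-VLAN DNS handling in pfctl rule output (added example)."""
import re

# Rule lines copied from the pfctl dump in the thread above. em1.10 is the
# IOT VLAN (gateway 10.1.10.1), em1.20 the Guest VLAN (gateway 192.168.20.1).
SAMPLE_RULES = """\
rdr on em1.10 inet proto tcp from any to ! 10.1.10.1 port = domain -> 127.0.0.1
rdr on em1.10 inet proto udp from any to ! 10.1.10.1 port = domain -> 127.0.0.1
pass in quick on em1.10 inet proto udp from any to 10.1.10.1 port = domain keep state label "USER_RULE: Allow DNS to IOTCrap"
pass in quick on em1.10 inet proto tcp from any to 127.0.0.1 port = domain flags S/SA keep state label "USER_RULE: NAT Redirect DNS"
pass in quick on em1.10 inet proto udp from any to 127.0.0.1 port = domain keep state label "USER_RULE: NAT Redirect DNS"
block return in quick on em1.10 inet proto udp from any to any port = domain label "USER_RULE: Block DNS to WAN"
pass in quick on em1.20 inet proto udp from any to 192.168.20.1 port = domain keep state label "USER_RULE: Allow DNS to Guest"
block return in quick on em1.20 inet proto udp from any to any port = domain label "USER_RULE: Block DNS to WAN"
"""

# Interface -> address the resolver listens on (values from the dump above).
GATEWAYS = {"em1.10": "10.1.10.1", "em1.20": "192.168.20.1"}

# Matches pass/block/rdr rules for port 53 ("domain") and captures what we need.
DNS_RULE = re.compile(
    r"^(?P<action>pass|block|rdr)\b.*?\bon (?P<iface>\S+)\b.*?\bproto (?P<proto>tcp|udp)"
    r" from \S+ to (?P<neg>! )?(?P<dst>\S+) port = domain"
)


def audit_dns_rules(rules_text, gateways):
    """Return {iface: report} describing how DNS is handled on each interface.

    A healthy VLAN, per the advice in the thread, passes BOTH tcp and udp to its
    own gateway address, has no rdr to 127.0.0.1, and blocks other DNS afterwards.
    """
    reports = {iface: {"allowed": set(), "redirects": 0,
                       "loopback_passes": 0, "blocked": set()}
               for iface in gateways}
    for line in rules_text.splitlines():
        m = DNS_RULE.match(line.strip())
        if not m or m["iface"] not in reports:
            continue
        rep = reports[m["iface"]]
        gw = gateways[m["iface"]]
        if m["action"] == "rdr":
            rep["redirects"] += 1                 # DNS redirected to the firewall
        elif m["action"] == "pass" and m["dst"] == gw and not m["neg"]:
            rep["allowed"].add(m["proto"])        # the rule the replies recommend
        elif m["action"] == "pass" and m["dst"] == "127.0.0.1":
            rep["loopback_passes"] += 1           # only meaningful with a redirect
        elif m["action"] == "block" and m["dst"] == "any":
            rep["blocked"].add(m["proto"])        # the "block all other DNS" rule
    for rep in reports.values():
        rep["missing"] = sorted({"tcp", "udp"} - rep["allowed"])
    return reports


def findings(reports):
    """Turn the audit into plain-language findings, one list entry per problem."""
    out = []
    for iface, rep in sorted(reports.items()):
        if rep["missing"]:
            out.append(f"{iface}: DNS allowed for {sorted(rep['allowed'])} only; "
                       f"add {rep['missing']} (DNS uses both tcp and udp)")
        if rep["redirects"]:
            out.append(f"{iface}: {rep['redirects']} rdr rule(s) to 127.0.0.1 are "
                       f"unnecessary when the resolver listens on the interface")
        if sorted(rep["blocked"]) != ["tcp", "udp"]:
            out.append(f"{iface}: 'block other DNS' rule covers "
                       f"{sorted(rep['blocked'])}, not both protocols")
    return out


if __name__ == "__main__":
    for finding in findings(audit_dns_rules(SAMPLE_RULES, GATEWAYS)):
        print(finding)
```

Feed it the full `pfctl -sn` and `pfctl -sr` output and extend GATEWAYS with the LAN entry to audit every interface at once.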