Pfsense Guest Network Issues

Hi,

I have been running pfsense for a few years now, and it only now occurs to me that my IoT turned Guest & IoT network has some sort of routing or DNS issue that I really do not understand. I believe it is DNS related since if I change the DNS address handed out by DHCP for this subnet (which also has pfblockerng running) from pfsense’s internal DNS server to something like 9.9.9.9, either in the DNS server settings in pfsense or manually on a device, things work normally.

This tells me I likely have my rules for the subnet too aggressive and it’s blocking the ability for clients to talk to pfsense’s DNS server. What I do not understand is… I have explicit pass rules for DNS. Does anyone see any glaring issues with my config?

Nat (the .69 network is my IoT network…)

My guess (without knowing what’s in any of your aliases) is the VPN rule at the top is catching all your local traffic from those sources and breaking DNS. I would move that to under all your local rules, or if you create an alias that includes all your local subnets you can change the destination of that VPN rule from any to the inverse of that local alias (i.e. the internet).
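The first-match reasoning in this reply, as an added example (not the poster’s config or anything from the pfSense project): a small model of top-down rule evaluation on the IoT interface. The alias contents are assumed, since the thread does not show them; 192.168.69.0/24 is the IoT network named in the thread, and 192.168.69.1 is assumed to be the pfSense interface address that the local resolver listens on. The model only illustrates rule order and the inverted-destination fix; it does not reproduce pfSense’s own special cases.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Alias contents are assumed: the thread does not show what is in the poster's aliases.
# 192.168.69.0/24 is the IoT network named in the thread; the rest is constructed.
ALIASES = {
    "VPN_HOSTS": ["192.168.69.50"],                     # the one device policy-routed over the VPN
    "IOT_NET": ["192.168.69.0/24"],
    "PFSENSE_IOT_ADDR": ["192.168.69.1"],               # assumed interface address = local DNS resolver
    "LOCAL_NETS": ["192.168.69.0/24", "10.1.15.0/24"],  # assumed alias of all local subnets
    "RFC1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    src: str                     # alias name or "any"
    dst: str                     # alias name, "any", or "!ALIAS" for an inverted destination
    dport: Optional[int] = None  # None means any port
    gateway: str = "default"     # "VPN_GW" models a policy-routing rule
    name: str = ""


def matches_alias(addr: str, alias: str) -> bool:
    """True if addr is in the alias; a leading '!' inverts the match (pfSense 'invert match')."""
    if alias == "any":
        return True
    invert = alias.startswith("!")
    nets = ALIASES[alias.lstrip("!")]
    hit = any(ip_address(addr) in ip_network(n) for n in nets)
    return hit != invert


def first_match(rules, src: str, dst: str, dport: int) -> Optional[Rule]:
    """pfSense interface rules are evaluated top-down; the first matching rule decides."""
    for rule in rules:
        if (matches_alias(src, rule.src) and matches_alias(dst, rule.dst)
                and (rule.dport is None or rule.dport == dport)):
            return rule
    return None  # no rule matched: pfSense's implicit deny


def iot_rules(vpn_rule_dst: str):
    """The IoT interface ruleset as described in the thread, with the VPN rule's destination as a parameter."""
    return [
        Rule("pass", "VPN_HOSTS", vpn_rule_dst, gateway="VPN_GW", name="VPN hosts out via VPN"),
        Rule("pass", "IOT_NET", "PFSENSE_IOT_ADDR", dport=53, name="IoT DNS to pfSense"),
        Rule("block", "IOT_NET", "RFC1918", name="IoT to private space"),
        Rule("pass", "IOT_NET", "any", name="IoT to internet"),
    ]


def dns_path(vpn_rule_dst: str, client: str = "192.168.69.50") -> str:
    """Which rule, action and gateway a DNS query from client to the local resolver hits."""
    rule = first_match(iot_rules(vpn_rule_dst), client, "192.168.69.1", 53)
    return "no match" if rule is None else f"{rule.name} -> {rule.action} via {rule.gateway}"


if __name__ == "__main__":
    # With dst=any, the VPN rule swallows the DNS query to the local resolver and policy-routes it.
    print("VPN rule dst=any:         ", dns_path("any"))
    # With the destination inverted to the local alias, the query falls through to the DNS pass rule.
    print("VPN rule dst=!LOCAL_NETS: ", dns_path("!LOCAL_NETS"))
```

Run it and compare the two lines: the only change between them is the VPN rule’s destination, and that alone decides whether a query from a VPN-routed host reaches the local resolver via the default gateway or gets pushed out the VPN gateway. The same check applied to a public destination (for example 9.9.9.9) still hits the VPN rule in both versions, which is the intended behaviour.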


That’s a good point, it’s all pretty obfuscated. The top VPN rule is a single IP address that gets routed out over a VPN, so I don’t think that would be the issue :confused:

I have it as an alias simply so I can quickly and easily change what devices go over the VPN, but currently it’s only 1 device. Any other ideas?

I should also point out, the bottom “block” rule is just so this IoT network can’t talk to any private IP spaces:

I would still move or modify that rule because, as it is, that source can’t reach the local DNS server.

What exactly is the problem you’re having?

Do you mean in the system>general setup settings? If so this sets which DNS servers the internal DNS server will forward requests to if forwarding is enabled or it can’t resolve it itself. Setting DNS servers here doesn’t change which DNS server a client device uses (this would be set in the DHCP server) and won’t affect things like pfblocker. You should probably have something set here as a backup either way but if adding a server here fixes the issue then the problem might be that the DNS resolver isn’t able to resolve properly, so you might want to check the settings there.


Good point…

I also misstated this. I meant if I set DNS to 9.9.9.9 for IoT DHCP (as in, it hands out 9.9.9.9 for automatic DHCP on that subnet).

Everything works normally on my normal LAN, which also uses DHCP to hand out the default subnet address as DHCP.

pfsense itself in system>general uses 9.9.9.9 and 1.1.1.1 as backup.

To explain further what is happening, and why it may not actually be DNS (but changing DNS seems to fix it… thus me thinking it is DNS), some websites will entirely not load, some load a portion of the site like the header but nothing else. I am assuming things that either have hard coded IPs (phone apps? they mostly seem to work fine, although I am surprised anyone uses hard coded IPs these days) and sites I have gone to recently and are cached on the client device work fine. But if I try to go to a new site, the above issues arise. I would imagine if it was DNS, nothing would resolve, not even website headers, but sometimes that does happen as well. I know enough to know something is broken, but not quite enough to figure out what…

Have you tried disabling pfblocker? It’s possible you’ve added a list which is blocking some CDN

I have not, but pfblocker is running on all of my subnets. My standard subnet that my devices live on works fine. So I don’t think that’s it either.

Is the DNS resolver listening on the IOT interface?

Yes, it’s enabled on all interfaces:

I am sure there is some diagnostic tool either internal or external to pfsense I should look into using… but I am just not well versed enough to know what or how. Any thoughts?

It’s got to be DNS if changing the DNS server fixes it. I’d be making sure that’s configured correctly. You could try looking at a packet capture and see what’s going on, if DNS queries are being answered correctly. If it was a firewall issue it would show up in the firewall log but I don’t think it is.

I let this thread go stale as I have not been home/had time to deal with this issue, but today I am away from home with family for the long holiday, and I am noticing the same exact seemingly DNS issue on my VPN split tunnel setup. I have wireguard running on pfsense and have 2 VPNs set up for my laptop, one for split tunnel and 1 for full tunnel.

I am starting to think it is not DNS…

The only difference between my wireguard configs on the client side are the “Interface Address” (same subnet, only off by 2 numbers in the last octet) and the “AllowedIPs”, for the full tunnel being

AllowedIPs = 0.0.0.0/0, ::/0

And the split tunnel being a set of my private IPs that I use:

AllowedIPs = 10.1.15.0/24, 10.90.5.0/24, 10.80.5.0/24, 10.81.5.0/24, 10.70.5.0/24, 192.168.69.0/24

All other settings (minus keys) are the same. Both VPNs work fine except for some websites I just can’t get to on the split tunnel, much like the issue I have with certain subnets within my LAN. While on the split tunnel, I can ping a website like CNN via terminal, and I get responses, but the website just does not load.

In wireguard, for both tunnels, DNS is set to 10.1.15.1 which is the “wireguard” subnet I have set up in pfsense. I really don’t know why the full tunnel works fine, and the split tunnel reacts exactly like I am on one of the internal subnets that doesn’t seem to be getting correct routing. If I edit the split tunnel AllowedIPs to be 0.0.0.0/0, ::/0, that connection suddenly works fine.

I am entirely at a loss, but I also only know enough to know enough… I don’t even know where to start with this issue. I know at some previous point in time my split tunnel worked perfectly, but I have not used it in a while and I am not sure when it started to work incorrectly. I can’t imagine what I would have changed that caused this for the split tunnel or the other subnets - I assume it’s a single issue affecting both scenarios.

Rules for this subnet are extremely simple:

Wireguard settings for split tunnel:

[Interface]
PrivateKey = xxxx
Address = 10.1.15.4/24
DNS = 10.1.15.1

[Peer]
PublicKey = xxxx
PresharedKey = xxxx
AllowedIPs = 10.1.15.0/24, 10.90.5.0/24, 10.80.5.0/24, 10.81.5.0/24, 10.70.5.0/24, 192.168.69.0/24
Endpoint = xxxx

I can’t get the split tunnel interface to work correctly even just removing 1 subnet at a time from the AllowedIPs list. Only once I set it to 0.0.0.0/0, ::/0 does it work correctly.
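What the client-side AllowedIPs list actually does, as an added example (not the poster’s tooling or anything from the WireGuard project): on a WireGuard client, AllowedIPs is also the set of routes installed for the tunnel, chosen by longest-prefix match, and anything outside it uses the laptop’s local default route. The config text is constructed from the one posted above with the keys left as placeholders and an assumed endpoint; 203.0.113.10 is a constructed TEST-NET address standing in for a public website. The block parses the config, reports which path each destination takes under the split and the full AllowedIPs, and checks that the configured DNS server is covered by the tunnel routes.

```python
from ipaddress import ip_address, ip_network

# Constructed from the split-tunnel config posted in the thread; keys and endpoint are placeholders.
SPLIT_TUNNEL_CONF = """\
[Interface]
PrivateKey = xxxx
Address = 10.1.15.4/24
DNS = 10.1.15.1

[Peer]
PublicKey = xxxx
PresharedKey = xxxx
AllowedIPs = 10.1.15.0/24, 10.90.5.0/24, 10.80.5.0/24, 10.81.5.0/24, 10.70.5.0/24, 192.168.69.0/24
Endpoint = vpn.example.invalid:51820
"""

# The full-tunnel variant differs only in AllowedIPs, as the thread says.
FULL_TUNNEL_ALLOWED = [ip_network("0.0.0.0/0"), ip_network("::/0")]


def parse_wg_conf(text: str) -> dict:
    """Minimal parser for a WireGuard client config: {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def allowed_networks(conf: dict) -> list:
    """On the client, AllowedIPs doubles as the route table pushed into the tunnel."""
    return [ip_network(p.strip()) for p in conf["Peer"]["AllowedIPs"].split(",")]


def route_for(dest: str, nets: list) -> str:
    """Longest-prefix match: the most specific AllowedIPs entry wins; no match means the local default route."""
    addr = ip_address(dest)
    matches = [n for n in nets if n.version == addr.version and addr in n]
    if not matches:
        return "default"
    best = max(matches, key=lambda n: n.prefixlen)
    return f"wg0 via {best}"


def dns_via_tunnel(conf: dict) -> dict:
    """True for each configured DNS server whose address is covered by AllowedIPs."""
    nets = allowed_networks(conf)
    return {s.strip(): route_for(s.strip(), nets) != "default"
            for s in conf["Interface"]["DNS"].split(",")}


if __name__ == "__main__":
    conf = parse_wg_conf(SPLIT_TUNNEL_CONF)
    split = allowed_networks(conf)
    for dest in ("10.1.15.1", "192.168.69.20", "203.0.113.10"):
        print(f"{dest:>15}  split: {route_for(dest, split):<26} full: {route_for(dest, FULL_TUNNEL_ALLOWED)}")
    print("DNS server reachable through split tunnel:", dns_via_tunnel(conf))
```

With the posted split-tunnel list, queries to 10.1.15.1 and traffic to the six private subnets go through the tunnel, while a public destination leaves through the laptop’s local network; with 0.0.0.0/0, ::/0 every destination, including DNS, goes through the tunnel. Knowing which path each destination takes tells you which side to capture on when following the earlier packet-capture suggestion.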