
I have 2 VMs on Hyper-V:

  1. pfSense
  2. Ubuntu Server 22.04

The pfSense VM is connected to 2 virtual switches - External WAN and Private LAN, which acts as the internal switch for the rest of the VMs.

The IP range from my ISP router is 192.168.2.x/24, and the pfSense WAN IP is 192.168.2.25.

I then set the LAN in pfSense as DHCP with IP range of 172.25.100.x/24.

Then I connected the Ubuntu Server to this LAN switch, and it got the IP 172.25.100.2.

There seems to be internet access, because I can ping the IPs of other websites, but when I try to ping their domain names, I get: Temporary failure in name resolution

Why? Where is the DNS resolving issue happening? At which part of this setup?

1 Answer

  • The first step is to check which servers the Ubuntu host is trying to use – look in the /etc/resolv.conf file, and if that file just says '127.0.0.53' (which is the 'systemd-resolved' DNS cache running on Ubuntu), then check the resolvectl command instead. Make sure the server addresses make sense.

    If Ubuntu is using DHCP, then it will be using whichever DNS servers have been advertised by the pfSense DHCP server (and possibly IPv6 Router Advertisements).

  • If pfSense advertises itself, then either its "DNS resolver" service (Unbound) or the "DNS forwarder" service (Dnsmasq) must be running – see documentation.

    For the "DNS forwarder" service (Dnsmasq) to work, it must be configured with a valid "upstream" DNS server to forward all the requests to – from what I recall, this is done in the global pfSense settings.

    The "DNS resolver" service (Unbound) doesn't require an upstream DNS server as it can do recursive lookups by itself, but if it does have some upstreams configured, then they must be valid.

  • In either case, the pfSense firewall rules must allow the DNS requests coming from the 'LAN' network towards the specified servers – that is, dst.port 53 for both TCP and UDP must be allowed.

    (The 'pf' firewall is stateful, so replies back to 'LAN' will be allowed automatically.)

  • Do not use 'ping' to test DNS – use an actual DNS client, such as host or dig, manually specifying the IP address of the DNS server that you want to test:

    $ dig google.com @172.25.100.1
    $ host google.com 172.25.100.1
    
  • Thank you. I never set any firewall rules in pfSense, only set the 172.25.100.x/24 as the DHCP for the internal switch. I thought it means everything is open (because I can ping from the Ubuntu machine to the home network @192.168.2.1). The DNS servers in resolvectl seem to be wrong - under "DNS Servers" I see the static IP I set for the DHCP server in pfSense for the LAN, i.e. 172.25.100.1 (which is also the IP of the webConfigurator GUI). Which step should I follow from your answer? I think I may need to even do something prior to that and fix some other configurations?
    – Stackerito
    Commented Apr 13 at 20:24
  • 1
    Decide whether you want pfSense to provide DNS caching or not. If you do, then make sure one of the pfSense DNS servers is running (and that firewall rules allow access to it); if you don't, then change the pfSense DHCP server configuration to advertise a different DNS server. Commented Apr 13 at 21:22
  • How can I do that? Do you have a link that might help, or can you please explain, because I've never done it? Is it done only via the web GUI? Because it didn't ask me anything about DNS while I was setting up the LAN interface in the pfSense VM (CLI).
    – Stackerito
    Commented Apr 13 at 21:45
  • 1
    Yes, it's only configurable through the web GUI (as is almost everything in pfSense; the initial CLI setup is only the bare minimum). If you want pfSense to directly advertise your existing DNS (e.g. your physical router), that's under Services - DHCPv4 - Servers. Commented Apr 13 at 22:10
  • 1
    For the initial setup, you could add a vEthernet interface to the host ("Allow management OS to access...") and then remove it later. But eventually you should add a firewall rule to allow access to the pfSense webGUI from its 'WAN' network (and to SSH just in case) so that you could access it from your PC directly, while removing the built-in rule that allows the same access from the 'LAN' – you don't want to keep it exposed to the untrusted VM. Commented Apr 14 at 8:03

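As an added example that is not part of the original answer or comments: a small Python probe that does what the answer recommends (talk to a specific resolver directly, bypassing the 127.0.0.53 stub) and maps each outcome back to a layer of the setup in the question. A timeout points at the pfSense DNS service not running or a LAN firewall rule dropping udp/53; a SERVFAIL means the resolver is reachable but cannot get upstream (WAN side); a REFUSED rcode means an access-list problem; a real answer means the Ubuntu host's own resolver configuration is what to look at. The default targets 172.25.100.1 and 192.168.2.1 are the pfSense LAN address and the ISP router from the question; the outcome-to-cause mapping is my own reading of the answer, not something the page states verbatim.

```python
#!/usr/bin/env python3
"""Probe a DNS server directly and explain the result in terms of a
pfSense (LAN 172.25.100.1) / Ubuntu setup.  Added example, not code from
the original post; target addresses below are assumptions from the question."""
import random
import socket
import struct
import sys
from typing import List, Optional

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, qid: int) -> bytes:
    """Standard recursive A/IN query per RFC 1035: header, QNAME labels, QTYPE, QCLASS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def parse_response(data: bytes, expected_id: int) -> dict:
    """Pull the header fields a diagnosis needs; reject truncated or mismatched replies."""
    if len(data) < 12:
        raise ValueError("response shorter than a DNS header")
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_id:
        raise ValueError("response ID does not match query")
    return {
        "is_response": bool(flags & 0x8000),
        "recursion_available": bool(flags & 0x0080),
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": ancount,
    }


def classify(outcome: str, info: Optional[dict] = None) -> str:
    """Map what the probe saw to the most likely broken layer of the setup."""
    if outcome == "timeout":
        return ("no reply: nothing is listening on udp/53 at that address (Unbound/Dnsmasq "
                "not running) or a pfSense LAN rule is dropping the query")
    if outcome == "unreachable":
        return "ICMP port unreachable: host is up but no DNS service is bound to port 53"
    rcode = info["rcode"]
    if rcode == "REFUSED":
        return "resolver answered REFUSED: its access list does not allow the LAN subnet"
    if rcode == "SERVFAIL":
        return ("resolver answered SERVFAIL: it is running but cannot reach its "
                "upstream or the root servers (WAN-side problem)")
    if rcode == "NXDOMAIN":
        return "resolver works; the name simply does not exist"
    if rcode == "NOERROR" and info["answers"] > 0:
        return ("resolver works; if the host still fails, check what resolvectl says "
                "the DHCP-advertised servers are")
    return "unexpected reply: %r" % (info,)


def query_server(server: str, name: str, timeout: float = 3.0) -> str:
    """Send one query straight to `server`, bypassing systemd-resolved, and classify it."""
    qid = random.randrange(0, 0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return classify("timeout")
    except ConnectionRefusedError:
        return classify("unreachable")
    finally:
        sock.close()
    return classify("reply", parse_response(data, qid))


def resolvers_from_resolv_conf(text: str) -> List[str]:
    """Extract nameserver entries; 127.0.0.53 means the systemd-resolved stub is in front."""
    return [parts[1] for parts in (line.split() for line in text.splitlines())
            if len(parts) >= 2 and parts[0] == "nameserver"]


if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "google.com"
    # Assumed defaults: pfSense LAN address and ISP router from the question.
    targets = sys.argv[2:] or ["172.25.100.1", "192.168.2.1"]
    try:
        with open("/etc/resolv.conf") as fh:
            configured = resolvers_from_resolv_conf(fh.read())
    except OSError:
        configured = []
    print("configured nameservers:", configured or "none")
    if "127.0.0.53" in configured:
        print("127.0.0.53 is the systemd-resolved stub; run 'resolvectl status' for the real upstreams")
    for server in targets:
        print("%s: %s" % (server, query_server(server, name)))
```

Run it as `python3 dnsprobe.py google.com 172.25.100.1` on the Ubuntu VM. Because the query goes to port 53 on the address you name, a timeout there while `ping 172.25.100.1` succeeds is exactly the case the answer describes: the host is up and ICMP is allowed, but either no DNS service is bound or udp/53 is not permitted from the LAN.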