Cannot resolve names?

Hi people.

I have been using pfSense in my home to protect myself from the outside; now I want to set up my own firewall from scratch. It is not the first time I have done this; before pfSense I built my own FW, but now something happened or I forgot how to do it.

I set up my kernel for pf and changed my rc.conf to my settings:

Code:
# sis0 -> gateway (LAN side)
ifconfig_sis0="inet 192.168.50.1 netmask 255.255.255.0"
# PPPoE interface (driven by mpd)
ifconfig_xl0=""

pf_enable="YES"                 # Set to YES to enable packet filter (pf)
pf_rules="/etc/pf.conf"         # rules definition file for pf
pf_program="/sbin/pfctl"        # where the pfctl program lives
pf_flags=""                     # additional flags for pfctl
pflog_enable="YES"              # Set to YES to enable packet filter logging
pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
pflog_program="/sbin/pflogd"    # where the pflogd program lives
pflog_flags=""                  # additional flags for pflogd
ftpproxy_enable="YES" 

defaultrouter="192.168.50.1"
gateway_enable="YES"
/etc/resolv.conf with my ISP's nameservers:
Code:
nameserver IP-DNS1
nameserver IP-DNS2
pf.conf
Code:
ExtIF="ng0"
IntIF="sis0"
INTERNAL="192.168.50.0/24"

table <badhost> const {0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
                        224.0.0.0/4, 240.0.0.0/4, 10.0.0.0/8, \
                        172.16.0.0/12, 192.168.0.0/16, 255.255.255.255, \
                        127.0.0.1/8}
table <allowhost> const {192.168.50.1, 192.168.50.2, 192.168.50.6, \
                         192.168.50.21, 192.168.50.7, 192.168.50.12}

set loginterface $ExtIF

scrub in all
scrub out all random-id max-mss 1440

# NAT section
nat on $ExtIF inet from $INTERNAL to any -> ($ExtIF)

# Remember default rule for non-matching packets are passed!!!
block             out log on $ExtIF           all
block             in  log on $ExtIF           all
block return-rst  out log on $ExtIF proto tcp all
block return-rst  in  log on $ExtIF proto tcp all
block return-icmp out log on $ExtIF proto udp all
block return-icmp in  log on $ExtIF proto udp all

# allow lo0 interface packet
pass in quick on lo0 all
pass out quick on lo0 all
# allow internal network traffic
pass in on $IntIF from any to <allowhost>
pass out on $IntIF from <allowhost> to any

# block spoofing attack
block in quick log on $ExtIF from <badhost> to any
# block nmap's fingerprinting attempt(FIN, URG, PSH)
block in quick on $ExtIF inet proto tcp from any to any flags FUP/FUP

# Create states
pass out log on $ExtIF inet proto tcp all flags S/SA keep state
pass out log on $ExtIF inet proto {udp, icmp} all keep state
I copied these rules from the Internet.

My ISP service is DSL; I set up the mpd daemon like this:
mpd.conf
Code:
        new -i ng0 PPPoE PPPoE
        set iface route default
        set iface disable on-demand
        set iface idle 0
        set iface up-script /usr/local/etc/mpd/mpd.links
        set bundle disable multilink
        set bundle authname "X"
        set bundle password "Y"
        set bundle no noretry
        set link keep-alive 10 60
        set link max-redial 0
        set link no acfcomp protocomp
        set link disable pap chap
        set link accept chap
        set link mtu 1492
        set ipcp yes vjcomp
        set ipcp ranges 0.0.0.0/0 0.0.0.0/0
        set ipcp enable req-pri-dns
        set ipcp enable req-sec-dns
        open iface

mpd.links
Code:
PPPoE:
        set link type pppoe
        set pppoe iface xl0
        set pppoe service "prodigy"
        set pppoe enable originate
        set pppoe disable incoming
I can ping my LAN, but whenever I ping the outside I cannot resolve names. I can ping my public IP, but I cannot reach the Internet.

Every time I get my public IP I reload pf manually: pfctl -Fa -f /etc/pf.conf

I have been checking my ng0 interface with tcpdump; if I try to use dig, host or nslookup, they exit saying that they cannot reach any server.

My ng0 interface never shows me anything; it is as if it is not getting any packets. I ping a public site and the ng0 interface never receives any data.

netstat -nr doesn't have my public IP as gateway, just to mention this.

I really don't know why I cannot resolve any public IP.

Looks like everything is correct; did I forget something?

FreeBSD 7.2 + pf.

Thanks all for your time!!!
 
For troubleshooting purposes, disable pf for a moment, connect to the Internet and see if you can ping a public site such as freebsd.org or yahoo.com. If so, then you need to play with pf itself.
 
Hi vivek.

I have tested this but no answer; look, these are my current routes when I run the mpd program:
Code:
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.50.1       UGS         0     1915   sis0
127.0.0.1          127.0.0.1          UH          0        0    lo0
192.168.50.0/24    link#1             UC          0        0   sis0
192.168.50.1       00:15:58:4d:ca:9e  UHLW        2       20    lo0
192.168.50.2       00:15:f2:e5:95:f7  UHLW        1       77   sis0   1148
Public-IP          ISP-IP            UH          0        0    ng0
ISP-IP             lo0                UHS         0        0    lo0
Enabling/disabling PF, I still cannot resolve names; enabling dns-1 and dns-2 with mpd, no answer; putting my DNS in /etc/resolv.conf, no answer.

I really don't understand this; it looks very simple to set up, but I still cannot reach anything on the Internet.

I will continue this, thanks vivek.
 
Looks like a DNS issue to me. Try public DNS servers, such as these in /etc/resolv.conf:
Code:
nameserver 4.2.2.1
nameserver 4.2.2.2
Can you ping to 4.2.2.2 or 4.2.2.1?

Can you ping to your ISP gateway?

Does your ISP provide a static or dynamic IP via DHCP? If static, it must be set via the defaultrouter entry in /etc/rc.conf. This line doesn't look good to me. Your default gateway is set to your own IP. It should be set to the ISP's router:
Code:
default            192.168.50.1       UGS         0     1915   sis0
Do you know the ISP's gateway IP? If so, after connecting try setting the default gateway using the following commands:
Code:
route add default xxx.yy.zz.ee
ping xxx.yy.zz.ee
ping 4.2.2.1
 
It's not a DNS issue, it's a routing issue. Since there's no route to the Internet you can't resolve anything.

Remove the default gateway pointing to 192.168.50.1. Let mpd set the default gateway. It currently can't because you already have a default gateway. Run mpd without the -b switch so it stays in the foreground, that will make it easier to troubleshoot.
 
vivek/SirDice.

You guys have shown me the light. The problem was my default router; as soon as I removed my entry:

defaultrouter="bsd local ip"

/etc/netstart

restarted my mpd daemon, added my ISP DNS, reloaded my pf.conf and checked my routes; now my ISP IP was my default router and done.

I can reach the Internet. Thanks to all of you, I appreciate your great help.

Now I can continue my goal :).
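The fault SirDice identified, a static defaultrouter= entry pointing at the box's own LAN address, is visible directly in the netstat -nr output posted above: the default route leaves via sis0 towards 192.168.50.1, and 192.168.50.1 itself has a host route out lo0, i.e. it is this machine. The shell function below is an added example, not code from the thread or from FreeBSD; it classifies the default route in a routing-table dump and flags exactly that case, plus the "no default route yet" and "default route on the wrong interface" cases. The two tables it runs on are constructed: they follow the shape of the one posted in the thread, with 203.0.113.1 standing in for ISP-IP and 203.0.113.10 for Public-IP (documentation addresses), and the ng0 point-to-point pair is written the way FreeBSD prints it (peer as Destination, local address as Gateway).

```sh
#!/bin/sh
# Added example (not from the thread): classify the default route in a
# FreeBSD `netstat -nr` dump. A static defaultrouter= in rc.conf naming the
# box's own LAN address installs a default route via sis0, so mpd never gets
# to install the PPPoE default route and no Internet host, the ISP's DNS
# servers included, is reachable.
#
# classify_default_route TABLE PPP_IF
#   TABLE  : text of the IPv4 section of `netstat -nr`
#   PPP_IF : interface the Internet route is expected to use (ng0 here)
# Prints one word: ok | no-default-route | local-gateway | wrong-interface

classify_default_route() {
    table=$1
    ppp_if=$2

    # Gateway is column 2 and Netif column 6 of the "default" line.
    def_line=$(printf '%s\n' "$table" | awk '$1 == "default" { print; exit }')
    if [ -z "$def_line" ]; then
        echo no-default-route
        return 0
    fi
    set -- $def_line        # split the default line into $1 $2 ... $6
    gw=$2
    netif=$6

    # An address whose host route goes out lo0 belongs to this machine,
    # so a default gateway with such a route can never forward anything.
    if printf '%s\n' "$table" |
        awk -v a="$gw" '$1 == a && $6 == "lo0" { found = 1 } END { exit !found }'
    then
        echo local-gateway
    elif [ "$netif" != "$ppp_if" ]; then
        echo wrong-interface
    else
        echo ok
    fi
}

# Constructed sample: the table posted in the thread, with 203.0.113.10 for
# Public-IP and 203.0.113.1 for ISP-IP (both documentation addresses).
BROKEN_TABLE='Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.50.1       UGS         0     1915   sis0
127.0.0.1          127.0.0.1          UH          0        0    lo0
192.168.50.0/24    link#1             UC          0        0   sis0
192.168.50.1       00:15:58:4d:ca:9e  UHLW        2       20    lo0
192.168.50.2       00:15:f2:e5:95:f7  UHLW        1       77   sis0   1148
203.0.113.1        203.0.113.10       UH          0        0    ng0
203.0.113.10       lo0                UHS         0        0    lo0'

# Constructed sample: the same box after defaultrouter= was removed and mpd
# installed the default route through the PPPoE peer.
FIXED_TABLE='Destination        Gateway            Flags    Refs      Use  Netif Expire
default            203.0.113.1        UGS         0       12    ng0
127.0.0.1          127.0.0.1          UH          0        0    lo0
192.168.50.0/24    link#1             UC          0        0   sis0
192.168.50.1       00:15:58:4d:ca:9e  UHLW        2       20    lo0
203.0.113.1        203.0.113.10       UH          1        3    ng0
203.0.113.10       lo0                UHS         0        0    lo0'

echo "table from the thread       : $(classify_default_route "$BROKEN_TABLE" ng0)"
echo "after removing defaultrouter: $(classify_default_route "$FIXED_TABLE" ng0)"
# On the firewall itself:  classify_default_route "$(netstat -nr)" ng0
```

The check deliberately looks at the routing table rather than at resolv.conf: as the thread shows, swapping nameservers changes nothing while the default route still points at the box itself, and only a default route that leaves via the PPPoE interface towards the peer lets DNS (or anything else) out.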
 