Topic: DNS & IPSec - What order?

GVJosh
DNS & IPSec - What order?
« on: March 19, 2012, 07:50:49 am »
I have two VPN connections from two different sites. Both sites randomly report problems with connecting to resources at my office, and I never have a problem accessing any from their sites. I'm thinking the problem must be DNS-related, because the IPSec connections are always working properly and so are the resources at my location.

I'm using v2.0.1 and have the following configuration listed in the general DNS section:

192.168.1.5
192.168.1.2
8.8.8.8
8.8.4.4

The first two DNS servers are the ones in my office. We only have a couple of users at each site, so putting in a local DNS server is a bit much. Besides, the pfSense box can cache the DNS entries anyway. I added the Google DNS servers as a backup in case the VPN goes down or our DNS servers were to fail.

On the dashboard I get the following in the DNS section:

127.0.0.1
192.168.1.5
192.168.1.2
8.8.8.8
8.8.4.4

Is there something I'm missing, order-wise, entry-wise, or configuration-wise, that would cause clients not to be able to find resources randomly? Thanks for your time and consideration of my question.

GVJosh
Re: DNS & IPSec - What order?
« Reply #1 on: March 23, 2012, 02:28:00 pm »
Nobody?

cmb (Chris Buechler, Administrator)
Re: DNS & IPSec - What order?
« Reply #2 on: March 24, 2012, 03:27:00 pm »
With IPsec, you need this for the DNS forwarder to be able to use the remote DNS servers over the VPN.
http://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F

bitcore
Re: DNS & IPSec - What order?
« Reply #3 on: March 28, 2012, 10:34:07 am »
Have you gotten this to work? I'm having trouble getting this working in our environment.

Joolee
Re: DNS & IPSec - What order?
« Reply #4 on: August 16, 2012, 09:32:57 am »
I also cannot get this to work. I can "see" the packets with a floating rule configured to log (source: *WAN IP*, destination: *IPSec Remote Subnet*), but I can't get it to use the LAN IP for pinging.

I have logged in to the local pfSense box by SSH and pinged manually. When using ping -S *LAN IP* *IP On Remote Side*, everything works correctly. When using ping *IP On Remote Side*, I can see with a little help from the floating rule that a ping packet sourced from my WAN IP with the correct destination is passed. I don't see any other messages like blocks. I also cannot see anything on the other side of the VPN.

I have tried:
 - Using a static route that points to a gateway with my LAN IP. (like the article states)
 - Using the floating rule to pass traffic to the gateway.
 - Meddling with NAT Rules

I can't figure out why the system uses my WAN IP as the ping source address.
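The behaviour Joolee describes (an unsourced ping leaves from the WAN address and never enters the tunnel, while ping -S with the LAN address works) is a source-address selection problem, which is exactly what the static-route trick in cmb's link addresses. The following is an added illustration, not code from the thread or from pfSense: a small Python model of how the kernel picks a source address by longest-prefix route lookup and how the IPsec phase 2 selectors then decide whether the packet is carried over the tunnel. Only the HQ DNS server 192.168.1.5 comes from the thread; the branch LAN, WAN address and HQ subnet are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed addresses for the illustration (the thread names only the HQ
# DNS servers 192.168.1.5 / 192.168.1.2; everything else here is made up).
BRANCH_LAN = "192.168.10.0/24"   # the remote office's LAN
BRANCH_LAN_IP = "192.168.10.1"   # pfSense LAN interface address
BRANCH_WAN_IP = "203.0.113.10"   # pfSense WAN interface address
HQ_LAN = "192.168.1.0/24"        # IPsec phase 2 remote subnet
REMOTE_DNS = "192.168.1.5"       # HQ DNS server reached over the tunnel


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str
    interface_addr: IPv4Address  # address used as source when this route wins


@dataclass(frozen=True)
class Phase2:
    local_subnet: IPv4Network
    remote_subnet: IPv4Network


def route(prefix, interface, addr):
    return Route(ip_network(prefix), interface, ip_address(addr))


# Routing table before the fix: only the default route and the directly
# connected LAN.  Policy-based IPsec installs no route of its own.
BASE_TABLE = [
    route("0.0.0.0/0", "wan", BRANCH_WAN_IP),
    route(BRANCH_LAN, "lan", BRANCH_LAN_IP),
]

# The fix from the linked doc: a static route for the remote subnet whose
# gateway is the firewall's own LAN address, so the lookup lands on LAN.
WITH_STATIC_ROUTE = BASE_TABLE + [route(HQ_LAN, "lan", BRANCH_LAN_IP)]

# IPsec phase 2 selector: only branch LAN <-> HQ LAN traffic enters the tunnel.
SPD = [Phase2(ip_network(BRANCH_LAN), ip_network(HQ_LAN))]


def lookup_route(table, dst):
    """Longest-prefix match, as the kernel routing table does."""
    dst = ip_address(dst)
    matches = [r for r in table if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def spd_matches(spd, src, dst):
    """Does any phase 2 selector cover this src/dst pair?"""
    return any(src in p.local_subnet and dst in p.remote_subnet for p in spd)


def firewall_originated(table, spd, dst, explicit_src=None):
    """Return (source address, "ipsec" or "clear") for a packet the firewall
    itself sends, e.g. the DNS forwarder querying REMOTE_DNS, or `ping`.
    explicit_src models `ping -S <addr>`."""
    dst = ip_address(dst)
    src = ip_address(explicit_src) if explicit_src else lookup_route(table, dst).interface_addr
    return str(src), "ipsec" if spd_matches(spd, src, dst) else "clear"


if __name__ == "__main__":
    print("no static route :", firewall_originated(BASE_TABLE, SPD, REMOTE_DNS))
    print("ping -S LAN IP  :", firewall_originated(BASE_TABLE, SPD, REMOTE_DNS, BRANCH_LAN_IP))
    print("static route    :", firewall_originated(WITH_STATIC_ROUTE, SPD, REMOTE_DNS))
```

Without the static route the only matching entry is the default route, so the packet is sourced from the WAN address, falls outside the phase 2 selector and leaves in the clear, which is what Joolee's floating log rule shows. Forcing the source with ping -S, or adding the static route so the lookup resolves to the LAN interface, puts the packet inside the selector and it is carried over the tunnel.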

GVJosh
Re: DNS & IPSec - What order?
« Reply #5 on: August 16, 2012, 11:16:41 am »
It seems the problem has been resolved by the few changes I made, as I've had no complaints since. What I did was change the router's (pfSense) DNS to be Google's servers only (8.8.8.8 & 8.8.4.4). Then I went into the DHCP Server settings and set the local clients to only use my DNS servers at my HQ (192.168.1.5, etc.).

Ever since having done that, the problem has gone away.

Joolee
Re: DNS & IPSec - What order?
« Reply #6 on: August 17, 2012, 03:03:56 am »
The problem for me is that my IPSec connection is quite slow and untrustworthy, and I only want to use it when a client requests a local address. Every other address should be resolved by the default DNS server.
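What Joolee asks for here is conditional forwarding: only names under the HQ domain (and ideally the HQ subnet's reverse zone) go to the DNS server across the tunnel, everything else to the default resolvers. pfSense's DNS Forwarder is dnsmasq, whose server=/domain/ip directive does exactly that. The following is an added illustration, not code from the thread or from pfSense: a Python model of dnsmasq-style resolver selection by longest matching domain suffix, plus the equivalent dnsmasq lines. The HQ DNS server 192.168.1.5 and the Google resolvers come from the thread; the HQ domain name hq.example and the HQ subnet 192.168.1.0/24 are assumptions for the example.

```python
from ipaddress import ip_network

# Constructed example: hq.example is an assumed HQ domain; 192.168.1.5 and
# the Google resolvers are the addresses mentioned in the thread.
HQ_DOMAIN = "hq.example"
HQ_SUBNET = "192.168.1.0/24"
HQ_DNS = "192.168.1.5"
DEFAULT_DNS = ["8.8.8.8", "8.8.4.4"]


def reverse_zone(cidr):
    """in-addr.arpa zone for an octet-aligned IPv4 prefix (/8, /16, /24)."""
    net = ip_network(cidr)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("only octet-aligned prefixes are supported")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


# Domain overrides: forward and reverse zones for HQ go over the tunnel,
# everything else goes to the default resolvers.
OVERRIDES = {
    HQ_DOMAIN: HQ_DNS,
    reverse_zone(HQ_SUBNET): HQ_DNS,
}


def pick_resolver(qname, overrides=OVERRIDES, default=DEFAULT_DNS):
    """Resolvers for qname: the most specific override whose domain is qname
    itself or a parent of it (matched on label boundaries, so nothq.example
    does not match hq.example), otherwise the default list."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):          # longest suffix first
        suffix = ".".join(labels[i:])
        if suffix in overrides:
            return [overrides[suffix]]
    return list(default)


def dnsmasq_config(overrides=OVERRIDES, default=DEFAULT_DNS):
    """Equivalent dnsmasq directives for these overrides and defaults."""
    lines = [f"server=/{domain}/{server}" for domain, server in sorted(overrides.items())]
    lines += [f"server={server}" for server in default]
    return lines


if __name__ == "__main__":
    for q in ("fileserver.hq.example", "5.1.168.192.in-addr.arpa",
              "www.example.org", "nothq.example"):
        print(f"{q:28} -> {pick_resolver(q)}")
    print("\n".join(dnsmasq_config()))
```

Two things follow from the model: label-boundary matching is what keeps a lookalike domain from being sent to the HQ server, and the forwarder's own query to 192.168.1.5 still has to be sourced from the LAN address as described in cmb's link, since a domain override changes only which server is asked, not how the firewall reaches it.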

GVJosh
Re: DNS & IPSec - What order?
« Reply #7 on: August 17, 2012, 07:09:27 am »
Joolee:

If your connection is slow and untrustworthy, there are only two things you could do.

1) Upgrade to a better dedicated connection.

OR

2) Install a local DNS server that syncs with your master DNS server over the tunnel. It may sometimes be out of date (if the connection is down for a prolonged amount of time), but it would continue to serve requests to clients (where possible; that is, if the tunnel is down the local clients can't route to remote clients, etc.).