
I have a pfsense box set up. What happens is I set a rule so I can't hit the admin interface 192.168.3.1 from the box.

With the rule enabled:

--- www.l.google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 5080ms
rtt min/avg/max/mdev = 37.684/37.776/37.869/0.215 ms
root@bad-apple:/etc#

Rule disabled:

--- www.l.google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 42.064/44.104/46.144/2.040 ms

Disallow rule that causes it:

ID  Proto  Source           Port  Destination  Port  Gateway  Queue  Schedule  Description
    *      APPLESERVER net  *     192.168.3.1  *     *        none

I don't want the server to be able to hit the admin interface, but I would like it to hit the internet for configuration of the machine. Has anybody had this problem before? Below this disallow rule I have an allow-all from APPLESERVER net to *, because if I set the destination to WAN net, DNS dies.

atrueresistance
    Your question is a little unclear but from what I can tell you may have a slow DNS issue. Notice your rtt is about the same for both. Try just pinging by IP address or changing your DNS server. – resmon6 Feb 16 '12 at 19:38
  • Well, what happens is with the rule enabled I ping and it takes about 5-10 seconds for each line to appear in ssh. Without the rule it runs like a normal machine, very fast-like. This issue doesn't affect either of my LANs, and they have the same respective DNS servers and block the [pfSense] admin. [One LAN is the admin LAN, so no block rule on that.] I run everything on LAN2 and plug in manually to LAN1 for administration. – atrueresistance Feb 16 '12 at 19:46

1 Answer

You're breaking your DNS. Most likely what you have is the primary DNS server pointed to the firewall interface IP, and when you take that rule off it's blocking that DNS attempt, so it has to wait for it to timeout, and then that host falls back to using other configured DNS server(s). Change that rule to only permit DNS.

Chris Buechler
  • Or edit your DHCP server configuration to not announce the pfSense box as a DNS server. – Per von Zweigbergk Jul 26 '14 at 11:56
  • Better to have a local cache with the DNS forwarder, and its behavior of querying all configured servers simultaneously taking the fastest response, rather than clients waiting for a timeout, moving to another server, rinse and repeat. – Chris Buechler Jul 26 '14 at 19:38
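The symptom in the question (the same rtt but a much longer total "time", and a line appearing every 5-10 seconds) and the diagnosis in the answer (the first nameserver is the blocked pfSense interface, so every lookup burns the resolver timeout before falling back) can be checked directly from the server. The following script is an added example, not code from the question, the answer, or pfSense: it parses a resolv.conf, models the sequential fallback cost with glibc's default timeout/attempts values (a simplification of glibc's actual retry timing, stated as such in the code), and sends a raw RFC 1035 A query to each configured nameserver so that a silently dropped server shows up as "no answer". The resolv.conf contents and the addresses 192.168.3.1 and 8.8.8.8 are constructed sample input.

```python
"""Diagnose the slow-DNS symptom: the first nameserver is silently dropped by a
firewall rule, so each lookup waits out the resolver timeout before falling back.

Added example, not from the question or pfSense.  Assumes glibc resolver
defaults (timeout 5 s, 2 attempts) and the constructed resolv.conf below.
"""
import socket
import struct
import time

# Constructed sample of the server's /etc/resolv.conf: the pfSense LAN
# interface first (the address covered by the block rule), then a public
# resolver as fallback.  Illustrative values only.
SAMPLE_RESOLV_CONF = """\
# constructed sample
nameserver 192.168.3.1
nameserver 8.8.8.8
options timeout:5 attempts:2
"""

GLIBC_DEFAULTS = {"timeout": 5, "attempts": 2}


def parse_resolv_conf(text):
    """Return (nameservers, options) from resolv.conf text; unknown options are ignored."""
    servers, opts = [], dict(GLIBC_DEFAULTS)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) > 1:
            servers.append(parts[1])
        elif parts[0] == "options":
            for opt in parts[1:]:
                key, _, val = opt.partition(":")
                if key in opts and val.isdigit():
                    opts[key] = int(val)
    return servers, opts


def expected_delay(servers, opts, reachable):
    """First-order model of sequential fallback (glibc's real retry timing is
    more involved): each silently dropped server costs one full timeout per
    attempt before the resolver moves on.  `reachable` is the set of servers
    that answer.  Returns (seconds_wasted, answering_server); the server is
    None when every configured nameserver is dropped."""
    timeout, attempts = opts["timeout"], opts["attempts"]
    wasted = 0.0
    for _ in range(attempts):
        for ns in servers:
            if ns in reachable:
                return wasted, ns
            wasted += timeout
    return wasted, None


def build_query(name, txid):
    """Build a minimal DNS A/IN query in RFC 1035 wire format, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def probe(server, name="www.google.com", timeout=2.0):
    """Send one query to `server`; return (rtt_seconds, rcode), or (None, None)
    when nothing usable comes back within `timeout`.  A silently dropping
    firewall rule looks like a timeout; a rejecting rule surfaces as an OSError
    (ICMP unreachable), which is reported the same way here."""
    txid = int(time.time() * 1000) & 0xFFFF  # adequate for a one-off diagnostic
    pkt = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        start = time.monotonic()
        try:
            s.sendto(pkt, (server, 53))
            data, _ = s.recvfrom(512)
        except OSError:  # socket.timeout is a subclass of OSError
            return None, None
        rtt = time.monotonic() - start
    if len(data) < 12:
        return None, None
    rid, flags = struct.unpack("!HH", data[:4])
    if rid != txid:
        return None, None
    return rtt, flags & 0x000F  # low 4 bits of the flags word are RCODE


if __name__ == "__main__":
    servers, opts = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    # Offline: what the block rule costs when only the second server answers.
    wasted, answering = expected_delay(servers, opts, reachable={"8.8.8.8"})
    print(f"first server dropped: each lookup waits ~{wasted:.0f}s before {answering} answers")
    # Online: time each configured server directly.
    for ns in servers:
        rtt, rcode = probe(ns)
        print(ns, "no answer (dropped?)" if rtt is None else f"{rtt * 1000:.1f} ms rcode={rcode}")
```

On the pfSense side, the fix the answer describes is an ordering change rather than a new rule: a pass rule from APPLESERVER net to 192.168.3.1 restricted to TCP/UDP port 53 placed above the existing block rule to 192.168.3.1, with the allow-all to any still below. pfSense evaluates LAN rules top-down, first match wins, so DNS to the forwarder is answered immediately while every other connection to the admin interface still hits the block. Alternatively, as the comments note, the DHCP server can stop announcing the pfSense address as a nameserver, at the cost of losing the local cache.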