Custom DNS works only on wired LAN, not on WiFi

Comments

20 comments

  • Firewalla

    Are your WiFi devices (APs) all in bridge mode? If the Ethernet side works and WiFi (AP mode) doesn't, double-check your access points; they may be filtering DNS.
  • Werner

    The APs are in bridge mode. My WiFi clients get the FWG as DNS server. It's crazy. The first hit works; if I refresh the page it doesn't work.
  • Firewalla

    Can I confirm this only happens via AP-connected devices? You don't see it via any Ethernet devices?
  • Werner

    Yes, that's right. With Ethernet-connected devices it works well.

    Before, I had another router instead of the FWG, with hairpinning NAT. There was no problem with WiFi clients. The rest of the network is still the same.
  • Firewalla

    Firewalla can't distinguish between Ethernet- and WiFi-connected devices, so if your Ethernet is working, likely something in your AP/WiFi is filtering DNS ...
  • Werner

    Yes, that's also my opinion. I've double-checked my network (APs). It must work.

    One further question. Are the custom DNS rules the same as hairpinning? From outside I can reach the server with homeassistant.mydomain.com. The path is: ISP - FWG - Nginx reverse proxy - Home Assistant

    Now I will use the custom DNS rules for accessing Home Assistant internally. Maybe the custom DNS rules are not the right way?
  • Firewalla

    NAT hairpin is nothing more than a NAT loopback; it is not related to DNS. So if you talk to your own public IP from inside the network where that IP is, NAT hairpin will just reflect the traffic back to your own servers.
  • Werner

    OK, understood. Can I create a NAT loopback in FWG? I didn't find a manual or a setting.
  • Firewalla

    NAT loopback/reflection/hairpin is all automatic, meaning Firewalla will not prevent you from talking to yourself when you are inside the network.
  • Werner

    OK, I have deleted the custom DNS rules in the FWG. NAT loopback must work without them, and hairpinning is created automatically (as you wrote). But now it doesn't work with either WiFi or Ethernet. It only works if I'm outside my network. Looks like the NAT loopback is not created automatically. I've already rebooted the FWG and the clients. Nothing happens...
  • Firewalla

    What IP addresses are you trying to access? Is it the WAN IP, or a LAN IP? If you are not sure, you can open a case with help@firewalla.com; someone can look at your configuration.
  • Werner

    I open my domain, which is reachable from outside via your DDNS service. On the FWG I have set up port forwarding (80 and 443) to my nginx reverse proxy (running on an unRAID server). When I'm inside my LAN I also open my domain. But that's not possible, because I'm in the same LAN as the servers I want to reach (Home Assistant, Vaultwarden). In my old router I had a NAT loopback rule without problems. I made custom DNS rules on the FWG to route the domain from the inside in. That is working well, but only with the Ethernet-wired clients (Linux). With WiFi clients it works only one time. Then it seems that the custom DNS rule isn't working anymore on WiFi. It's really strange. I have tested it with different browsers (Safari, Chrome, Firefox) and different clients (iPhone, iPad, MacBook). Today I will test it with a Windows laptop. Maybe on the Apple devices the DNS server is overwritten by an external DNS.
  • Firewalla

    When you are home, if you use the DDNS domain, does it work?

    Edit: can you do an "nslookup <your DDNS address>" while on the LAN as well? Is it a public IP or a local IP?
  • Werner

    With a DDNS lookup it's a public IP; with a domain lookup, a local IP.
  • Firewalla

    If you use the DDNS address inside the LAN, does it work?

    If you use your own domain, since it is resolving to a local IP, do your servers blacklist LAN IPs, or private IPs?
  • Werner

    If you use the DDNS address inside the LAN, does it work?
    No, it doesn't.

    If you use your own domain, since it is resolving to a local IP, do your servers blacklist LAN IPs, or private IPs?
    No, not blacklisted.
  • Werner

    Is there any solution? DDNS works from outside but not from inside the LAN.

    Looks like hairpinning doesn't work, unfortunately.
  • Support

    It's hard to troubleshoot the port forward with hairpinning via the support forum. Let's just get back to the custom DNS solution here.

    On a wireless client, can you please run

    nslookup your_custom_dns

    in the terminal or command line and see if it resolves to the correct local IP. If it does, then likely some setting in the browser is the culprit, causing the failure after refreshing the page. If you want to stick with the hairpin approach, you can send an email to help@firewalla.com and we are glad to help.
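As an added example (editor's code, not Firewalla's, Support's or the poster's), the check Support asks for above, combined with the distinction drawn in the earlier NAT-loopback reply: the script parses pasted `nslookup` output, reports which resolver actually answered (a public resolver means the gateway's custom DNS rule was never consulted), and classifies the answer as split-horizon DNS (name resolves to the LAN server) or a public answer that only works from inside if the gateway reflects the connection back. The hostname `homeassistant.example.com`, the LAN server `192.168.1.50`, the gateway `192.168.1.1` and the WAN placeholder `85.214.0.10` are all made up for the example.

```python
"""Diagnose what a hostname resolves to from a LAN client: split-horizon DNS
(name -> LAN address) or a public answer that only works inside the LAN if the
gateway performs NAT loopback/hairpinning. Editor's example; every hostname and
address below is a constructed placeholder, not taken from the thread."""
import ipaddress
import socket
from typing import Dict, List, Optional, Tuple


def parse_nslookup(output: str) -> Tuple[Optional[str], List[str]]:
    """Return (resolver, answers) from nslookup output in the macOS/Linux or
    Windows layout. Lines before 'Name:' describe the resolver that answered,
    so its own 'Address:' line is kept apart from the answer addresses."""
    server_name: Optional[str] = None
    server_ip: Optional[str] = None
    answers: List[str] = []
    seen_name = False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Name:"):
            seen_name = True
        elif not seen_name:
            if line.startswith("Server:"):
                server_name = line.split(":", 1)[1].strip()
            elif line.startswith("Address:"):
                # macOS/Linux append the port as '#53'; Windows prints the bare IP
                server_ip = line.split(":", 1)[1].strip().split("#")[0]
        else:
            for tok in line.replace("Addresses:", " ").replace("Address:", " ").split():
                try:
                    answers.append(str(ipaddress.ip_address(tok)))
                except ValueError:
                    pass  # e.g. 'Aliases:' lines or CNAME targets
    return server_ip or server_name, answers


def resolver_is_external(server: Optional[str]) -> Optional[bool]:
    """True if a public resolver answered (client bypasses the LAN resolver, so
    gateway DNS rules never apply), False for a private resolver, None if unknown."""
    if server is None:
        return None
    try:
        return not ipaddress.ip_address(server).is_private
    except ValueError:
        return None  # nslookup printed only a name, not an address


def diagnose(answers: List[str], lan_server_ip: str,
             wan_ip: Optional[str] = None) -> Tuple[str, str]:
    """Classify the answers. Caveat: ipaddress.is_private also covers the RFC 5737
    documentation ranges (192.0.2/24, 198.51.100/24, 203.0.113/24), so those
    cannot stand in for a public WAN address when testing this."""
    private = [a for a in answers if ipaddress.ip_address(a).is_private]
    public = [a for a in answers if a not in private]
    if not answers:
        return "unresolved", "no address returned; the custom DNS rule is not applied on this path"
    if private and not public:
        if str(ipaddress.ip_address(lan_server_ip)) in private:
            return "split-dns", f"resolves straight to the LAN server {lan_server_ip}; no NAT loopback involved"
        return "split-dns-wrong-target", f"private answer(s) {private} do not match the server {lan_server_ip}"
    if public and not private:
        if wan_ip and str(ipaddress.ip_address(wan_ip)) in public:
            return "hairpin-required", (f"resolves to the WAN IP {wan_ip}; from inside the LAN this only "
                                        "works if the gateway reflects the connection back (NAT loopback)")
        return "public-other", f"public answer(s) {public} are not the WAN IP; check the DDNS record"
    return "mixed", f"private {private} and public {public} answers mixed; clients may pick either"


def check(nslookup_output: str, lan_server_ip: str, wan_ip: Optional[str] = None) -> Dict[str, object]:
    """Full check over pasted nslookup output."""
    server, answers = parse_nslookup(nslookup_output)
    verdict, detail = diagnose(answers, lan_server_ip, wan_ip)
    return {"resolver": server, "resolver_external": resolver_is_external(server),
            "answers": answers, "verdict": verdict, "detail": detail}


def resolve(hostname: str) -> List[str]:
    """Live lookup through the system resolver, the same path a browser takes."""
    found = set()
    for info in socket.getaddrinfo(hostname, None):
        try:
            found.add(str(ipaddress.ip_address(info[4][0])))
        except ValueError:
            pass  # scoped link-local IPv6 and similar
    return sorted(found)


# Constructed sample, macOS/Linux layout: the LAN resolver answered with the LAN address.
SAMPLE_MAC = """\
Server:\t\t192.168.1.1
Address:\t192.168.1.1#53

Non-authoritative answer:
Name:\thomeassistant.example.com
Address: 192.168.1.50
"""

# Constructed sample, Windows layout: a public resolver answered with the placeholder WAN IP.
SAMPLE_WIN = """\
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
Name:    homeassistant.example.com
Address:  85.214.0.10
"""

if __name__ == "__main__":
    for sample in (SAMPLE_MAC, SAMPLE_WIN):
        print(check(sample, lan_server_ip="192.168.1.50", wan_ip="85.214.0.10"))
    # Live on a client: diagnose(resolve("homeassistant.example.com"), "192.168.1.50", "85.214.0.10")
```

Run `nslookup` on the client that misbehaves and paste its output into `check()`; run `resolve()` on the same client to compare what the system resolver (the path a browser uses) returns with what the explicit `nslookup` returned. A `resolver_external` of True, or `resolve()` disagreeing with `nslookup`, means the client is not asking the gateway at all, so no custom DNS rule on the gateway can take effect for it; a `hairpin-required` verdict means the name resolves to the WAN address and the result from inside depends entirely on the gateway's NAT loopback, not on DNS.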
  • Werner

    OK, will do when I'm back home from work.
  • Werner

    The nslookup shows me the reverse proxy.

    From the Windows laptop on WiFi everything is OK. From the Ethernet PC (Linux) everything is OK. But from Apple devices on WiFi I have the problems. It really looks like Apple does not get along with custom DNS. Amazing.

    With hairpinning in my old router I didn't have any problems. I'll write an email about the hairpinning.

    Thank you very much for your help.
