# LAN no Internet Access (dns)



## jeffcarpio (Feb 28, 2010)

I am building a FreeBSD firewall.  My LAN pcs can ping each other and ping the firewall NIC cards, but they cannot ping any internet address ('no route to host' error).

If I do an nslookup from one of the LAN pcs it is unable to find the hostname for the internal NIC card.

I do not have a DNS server setup.  Should I enable DNS on the FreeBSD firewall, so my LAN pcs can resolve hostnames?

What do others do if you do not have an internal DNS server?


Thank you,
Jeff


----------



## trev (Feb 28, 2010)

I punch holes in the firewall to allow internal hosts to resolve Internet hostnames and use an external DNS source.

This, of course, doesn't work for internal hosts unless they have public IPs. For the internal hosts you can either set up a DNS server on the LAN or edit hosts files. The latter becomes old very quickly and you find yourself setting up internal DNS and forwarding unresolved queries to your external DNS source.

Note: internal DNS server knows nothing about public IPs, only private LAN IPs which is why other queries get forwarded through the firewall.


----------



## jeffcarpio (Feb 28, 2010)

Thank you trev.  I will look into setting up a DNS server.  You don't recommend running DNS on the server?


----------



## sniper007 (Feb 28, 2010)

jeffcarpio said:

> I do not have a DNS server setup.  Should I enable DNS on the FreeBSD firewall, so my LAN pcs can resolve hostnames?
> 
> What do others do if you do not have an internal DNS server?
> Jeff



You can use DNS servers from your ISP.

check */etc/resolv.conf*


----------



## jeffcarpio (Mar 1, 2010)

I have the address of my ISP router in resolv.conf (172.16.0.1).  I can access the internet from my firewall (i.e. lynx connects to the internet), but LAN pcs can't access the internet.  The LAN pcs can ping each other and the firewall.  The LAN pcs cannot resolve names or IPs located outside of the firewall.  The error I get when doing nslookup is a 'name resolution' error.

Should I enable named on the firewall OR should my LAN pcs be able to talk to my ISP router to do name resolution?  I allowed udp port 53 outgoing.


----------



## DutchDaemon (Mar 1, 2010)

Try putting an OpenDNS (1) and/or a Google Public DNS (2) nameserver in resolv.conf. It is likely that the router address (I'm assuming this is a cable/DSL modem?) is not reachable/routable from your LAN.


```
(1)
208.67.222.222
208.67.220.220

(2)
8.8.8.8
8.8.4.4
```


----------



## jeffcarpio (Mar 1, 2010)

I will add the IPs and report back.

I am just wondering... why would my previous firewalls not have needed any third party DNS servers?  My LAN pcs connected and resolved names without issue.  Is it because they have a DNS server installed by default?


----------



## sniper007 (Mar 1, 2010)

Do your LAN PCs have correct DNS settings? Are you using NAT?


----------



## jeffcarpio (Mar 1, 2010)

Yes.

I have my int_if (IP 192.168.0.1) and all of the LAN pcs have the int_if set as both default gateway and DNS server.  I have ext_if set for DHCP to my ISP router (172.16.0.1).  

I am using this:

```
nat on $ext_if from !($ext_if) -> ($ext_if:0)
```

I also have a dmz_if NIC.


----------



## sniper007 (Mar 1, 2010)

You need to set your LAN PCs to use this DNS server (*172.16.0.1*), because you are not running a DNS server on your gateway. If you want the LAN PCs to use your own DNS server, you need to configure one (BIND or something similar).


----------
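The following pf.conf is an added example, not configuration posted by anyone in this thread. It extends jeffcarpio's `nat` line with the pass rules a LAN host needs in order to reach the ISP resolver through NAT, which is what sniper007 is describing above. The interface names `em0`/`em1` are assumptions; the addresses (int_if 192.168.0.1 on 192.168.0.0/24, ISP router 172.16.0.1) are the ones given earlier in the thread. Note that as long as the LAN PCs are pointed at 192.168.0.1 for DNS and nothing listens on port 53 there, every query is refused with an ICMP port-unreachable, which is exactly the "name resolution" error reported.

```pf
# Added example pf.conf (FreeBSD 8-era pf syntax), not the poster's file.
ext_if  = "em0"              # assumption: external NIC name
int_if  = "em1"              # assumption: internal NIC name
lan_net = "192.168.0.0/24"   # LAN subnet from the thread
isp_dns = "172.16.0.1"       # ISP router / resolver from the thread

set skip on lo0

# Translate everything leaving through ext_if (the poster's own rule).
# ($ext_if:0) binds the interface's first address, so it survives DHCP renewals.
nat on $ext_if from !($ext_if) -> ($ext_if:0)

block in log all

# While there is no resolver on the firewall, LAN hosts must be allowed to
# query the ISP resolver directly; NAT above rewrites the source address.
# Both UDP and TCP are needed: answers larger than 512 bytes retry over TCP.
pass in  on $int_if proto { tcp, udp } from $lan_net   to $isp_dns port domain keep state
pass out on $ext_if proto { tcp, udp } from ($ext_if)  to $isp_dns port domain keep state

# Once a resolver is bound to 192.168.0.1, LAN hosts only need this rule and
# the two rules above can be dropped (only the firewall talks to the ISP).
pass in  on $int_if proto { tcp, udp } from $lan_net to ($int_if) port domain keep state

# Ordinary LAN to Internet traffic.
pass in  on $int_if from $lan_net  to any keep state
pass out on $ext_if from ($ext_if) to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. On the LAN PCs, `/etc/resolv.conf` (or the Windows adapter settings) must then name either 172.16.0.1 or, once a local resolver exists, 192.168.0.1.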



## jeffcarpio (Mar 1, 2010)

Yes.  This is what I was looking for.  

I would rather not use a DNS server outside of the 192.168.0.0/24 network.  

Do you recommend setting up an internal dns server or one on the gateway?


Thank you for taking the time.


----------



## DutchDaemon (Mar 1, 2010)

Just install a simple DNS resolver (unless you're well versed in BIND -- otherwise use e.g. dns/unbound or similar) and bind it to the 192.168.0.1 address and set that IP as your LAN's DNS.


----------
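An unbound.conf for the setup DutchDaemon recommends, added here as an example (it is not configuration from the thread or from the dns/unbound port). It assumes the port's default config path `/usr/local/etc/unbound/unbound.conf`, the firewall LAN address 192.168.0.1 on 192.168.0.0/24 and the ISP resolver 172.16.0.1 from the thread; the internal zone name `lan.` and the host name `gw.lan` are made up for illustration. The resolver listens only on the LAN side and refuses every other source, so the firewall's external address never becomes an open resolver.

```conf
# Added example unbound.conf for a LAN-only caching/forwarding resolver.
server:
    # Listen on loopback and on the internal NIC only; never on ext_if.
    interface: 127.0.0.1
    interface: 192.168.0.1
    port: 53
    do-udp: yes
    do-tcp: yes

    # Who may query: the firewall itself and the LAN. Everything else is
    # refused, so the box cannot be abused for DNS reflection from outside.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.0.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # Upstream answers that point into the LAN range are dropped (DNS rebinding),
    # except for names under the internal zone declared below.
    private-address: 192.168.0.0/24
    private-domain: "lan"

    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes

    # Internal names served locally, so LAN PCs can resolve the firewall NIC
    # (zone and host name are assumptions for the example).
    local-zone: "lan." static
    local-data: "gw.lan. IN A 192.168.0.1"
    local-data-ptr: "192.168.0.1 gw.lan"

# Everything not answered from cache or local-data goes to the ISP resolver.
# Delete this stanza to have unbound recurse from the root servers instead.
forward-zone:
    name: "."
    forward-addr: 172.16.0.1
```

Enable it with `unbound_enable="YES"` in `/etc/rc.conf`, check the file with `unbound-checkconf`, start it with `/usr/local/etc/rc.d/unbound start`, and point the LAN PCs (and the firewall's own `/etc/resolv.conf`) at `nameserver 192.168.0.1`. A quick test from a LAN host is `dig @192.168.0.1 freebsd.org` for an external name and `dig @192.168.0.1 gw.lan` for the local one.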



## sniper007 (Mar 1, 2010)

You can also set *caching-only* name server with BIND.

Something like this in /etc/namedb/named.conf:


```
options {
        directory "/etc/namedb";

        // Queries the cache cannot answer are handed to the ISP's resolver;
        // 172.16.0.1 is the ISP router address given earlier in the thread.
        forwarders { 172.16.0.1; };
};

// Reverse zone for the loopback address, served locally.
zone "0.0.127.in-addr.arpa" {
        type master;
        file "localhost.rev";
};
```


----------

