Pfsense Subnet Routing Issues
Hi, I have been running pfSense for a few years now, and it only now occurs to me that my IoT turned Guest & IoT network has some sort of routing or DNS issue that I really do not understand. I believe it is DNS related since if I change the DNS address handed out by DHCP for this subnet (which also has pfBlockerNG running) to say something like 9.9.9.9, either in the DNS server settings in pfSense or manually on a device, things work normally. This tells me I likely have my rules for the subnet too aggressive and it's blocking the ability for clients to talk to pfSense's DNS server. What I do not understand is… I have explicit pass rules for DNS. Does anyone see any glaring issues with my config?

NAT (the .69 network is my IoT network…)

Furthermore, as I am on vacation right now trying to troubleshoot since I am bored and have some downtime, I am noticing the same exact seemingly DNS issue on my VPN split tunnel setup. I have WireGuard running on pfSense and have 2 VPNs set up for my laptop, one for split tunnel and 1 for full tunnel. I am starting to think it is not DNS… The only difference between my WireGuard configs on the client side are the "Interface Address" (same subnet, only off by 2 numbers in the last octet) and the "AllowedIPs", for the full tunnel being:

AllowedIPs = 0.0.0.0/0, ::/0

and the split tunnel being a set of my private IPs that I use:

AllowedIPs = 10.1.15.0/24, 10.90.5.0/24, 10.80.5.0/24, 10.81.5.0/24, 10.70.5.0/24, 192.168.69.0/24

All other settings (minus keys) are the same. Both VPNs work fine except for some websites I just can't get to on the split tunnel, much like the issue I have with certain subnets within my LAN. While on the split tunnel, I can ping a website like CNN via terminal, and I get responses, but the website just does not load. In WireGuard, for both tunnels, DNS is set to 10.1.15.1 which is the "wireguard" subnet I have set up in pfSense.

I really don't know why the full tunnel works fine, and the split tunnel reacts exactly like I am on one of the internal subnets that doesn't seem to be getting correct routing. If I edit the split tunnel AllowedIPs to be 0.0.0.0/0, ::/0, that connection suddenly works fine. I am entirely at a loss, but I also only know enough to know enough… I don't even know where to start with this issue. I know at some previous point in time my split tunnel worked perfectly, but I have not used it in a while and I am not sure when it started to work incorrectly. I can't imagine what I would have changed that caused this for the split tunnel or the other subnets - I assume it's a single issue affecting both scenarios.

Rules for this subnet are extremely simple:

WireGuard settings for split tunnel:

[Interface]
PrivateKey = xxxx
Address = 10.1.15.4/24
DNS = 10.1.15.1

[Peer]
PublicKey = xxxx
PresharedKey = xxxx
AllowedIPs = 10.1.15.0/24, 10.90.5.0/24, 10.80.5.0/24, 10.81.5.0/24, 10.70.5.0/24, 192.168.69.0/24
Endpoint = xxxx

I can't get the split tunnel interface to work correctly even just removing 1 subnet at a time from the AllowedIPs list. Only once I set it to 0.0.0.0/0, ::/0 does it work correctly.
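A small check that reproduces what the split-tunnel vs. full-tunnel AllowedIPs lists do to a client's routing, added here as an example (not code from the thread or from pfSense/WireGuard): it parses a wg-quick style client config, says whether a given destination would go through the tunnel or out the laptop's local gateway, and confirms whether the DNS server named in [Interface] is itself covered by AllowedIPs. The config text is a constructed copy of the one in the post with placeholder keys and endpoint; 203.0.113.10 is a constructed public address standing in for any website; all function names are my own.

```python
import ipaddress
import re
from typing import Dict, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed client config modelled on the split-tunnel config in the post above.
# Keys and endpoint are placeholders, not real values.
SPLIT_TUNNEL_CONF = """\
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.1.15.4/24
DNS = 10.1.15.1

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
PresharedKey = PLACEHOLDER_PSK
AllowedIPs = 10.1.15.0/24, 10.90.5.0/24, 10.80.5.0/24, 10.81.5.0/24, 10.70.5.0/24, 192.168.69.0/24
Endpoint = vpn.example.invalid:51820
"""


def parse_wg_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for a wg-quick style client config: one [Interface] and one [Peer]."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")  # base64 keys end in '=' padding, so split only once
        if current is None or not sep:
            continue
        sections[current][key.strip()] = value.strip()
    return sections


def allowed_networks(text: str) -> List[Network]:
    """Return the peer's AllowedIPs as network objects (host bits in a prefix are tolerated)."""
    allowed = parse_wg_conf(text)["Peer"].get("AllowedIPs", "")
    return [ipaddress.ip_network(p.strip(), strict=False) for p in allowed.split(",") if p.strip()]


def routes_via_tunnel(networks: List[Network], dest: str) -> bool:
    """True if wg-quick's AllowedIPs routes would send traffic for dest through the tunnel."""
    addr = ipaddress.ip_address(dest)
    return any(addr.version == n.version and addr in n for n in networks)


def classify(text: str, destinations: List[str]) -> Dict[str, str]:
    """Map each destination to 'tunnel' or 'direct' according to AllowedIPs."""
    nets = allowed_networks(text)
    return {d: ("tunnel" if routes_via_tunnel(nets, d) else "direct") for d in destinations}


def dns_reachable_via_tunnel(text: str) -> bool:
    """Check that every DNS server in [Interface] lies inside AllowedIPs; if one does not,
    queries to it leave the tunnel and are answered over the local network instead."""
    dns = parse_wg_conf(text)["Interface"].get("DNS", "")
    nets = allowed_networks(text)
    return all(routes_via_tunnel(nets, s.strip()) for s in dns.split(",") if s.strip())


def with_allowed_ips(text: str, allowed: str) -> str:
    """Copy of the config with the peer's AllowedIPs line replaced, for what-if comparisons."""
    return re.sub(r"^AllowedIPs\s*=.*$", f"AllowedIPs = {allowed}", text, flags=re.MULTILINE)


if __name__ == "__main__":
    # 203.0.113.10 is a constructed public address (TEST-NET-3) standing in for any website.
    probes = ["10.90.5.10", "10.1.15.1", "203.0.113.10"]
    print("split:", classify(SPLIT_TUNNEL_CONF, probes),
          "dns via tunnel:", dns_reachable_via_tunnel(SPLIT_TUNNEL_CONF))
    full = with_allowed_ips(SPLIT_TUNNEL_CONF, "0.0.0.0/0, ::/0")
    print("full: ", classify(full, probes),
          "dns via tunnel:", dns_reachable_via_tunnel(full))
```

For the config in the post, the DNS server is inside AllowedIPs in both variants, so the difference between the two tunnels is not whether pfSense can be asked; it is that under the split tunnel a public website is reached through the laptop's local gateway while its name is still resolved by pfSense's resolver, whereas under the full tunnel both go through pfSense. Comparing the answers you get from 10.1.15.1 with those from an upstream resolver for a site that pings but does not load is then the natural next check.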
Unbound should work fine since it’s configured to respond on all network interfaces by default. You can verify this in Services > DNS Resolver. It might seem reasonable to blame pfBlockerNG for breaking sites, but my NAT rule is already set up: a firewall rule for the IoT subnet, and a Port Forward rule directing any DNS or Time server attempts through the router. WireGuard has caused issues before, though I haven’t encountered specific problems with certain sites—sometimes it just fails to load or becomes very slow, especially during remoting in or when connecting from pfSense to a VPN. That’s why I prefer OpenVPN.
I'm working with unbound. I attempted to turn off pfblocker testing to check if that would help, but it doesn't seem to make a difference. It appears pfblocker functions correctly on my private LAN and works fine with WireGuard when I set all IPs as allowed. So it's not pfblocker either. It looks like there might be an IP conflict or something is blocking traffic. I'm not sure what's causing this issue. I've reset pfblocker several times, but I'm still unsure why some subnets behave normally and why changing the allowed IPs in my WireGuard client resolves the problem.
You should review the Status section under System Logs and Firewall. It’s not the most intuitive place for detailed data, but it might help. Also, examine the Rules in Firewall and check if the blocked count is increasing—manually refreshing the page may be necessary. Clicking on these links usually leads to Active States rather than showing blocked connections or expired states. This omission would make the tool less useful, as it doesn’t automatically filter logs for blocked traffic. Improving this feature would greatly benefit users.
I don't notice anything unusual... refreshing the page is similar to cnn.com and the firewall logs look normal. On my WireGuard subnet, there are no block rules and the network is fully open. This issue seems more confusing because WireGuard behaves differently when not using a full tunnel, especially on this simple subnet. It makes me wonder if I'm missing something in the settings or configuration that nobody would consider.
After further trials, it seems the issue stems from the DNSBL service being active. The reason lies in its configuration, which affects functionality. Removing it and restarting unbound while clearing states resolves the problem. Re-enabling it and forcing an update disrupts the setup.
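The finding above (sites break with DNSBL active and recover when it is removed) is the kind of thing a side-by-side resolver comparison makes visible before any rule changes. This is an added example, not code from the thread or from pfBlockerNG: it takes the answers two resolvers gave for the hostnames a page pulls resources from and labels each name as served normally, sinkholed (the local answer is the DNSBL virtual IP) or merely different. All answers below are constructed, not real lookups; `10.10.10.1` is assumed as the DNSBL VIP and should be replaced with whatever is configured in pfBlockerNG's DNSBL settings; `news.example` and the other hostnames are made up; function names are mine.

```python
import ipaddress
from typing import Dict, Iterable, List, Set

# Constructed resolver answers (not real lookups). 'local' stands for the pfSense
# Unbound instance at 10.1.15.1 with DNSBL active, 'upstream' for a public
# resolver such as 9.9.9.9. Hostnames and addresses are made up for the example.
LOCAL_ANSWERS: Dict[str, List[str]] = {
    "news.example": ["203.0.113.20"],
    "static.news-cdn.example": ["10.10.10.1"],   # answered with the DNSBL sinkhole address
    "metrics.tracker.example": ["10.10.10.1"],
    "api.news.example": ["203.0.113.21"],
}
UPSTREAM_ANSWERS: Dict[str, List[str]] = {
    "news.example": ["203.0.113.20"],
    "static.news-cdn.example": ["198.51.100.5"],
    "metrics.tracker.example": ["198.51.100.9"],
    "api.news.example": ["203.0.113.21"],
}

# Assumed DNSBL virtual IP for this example; set it to the VIP configured in pfBlockerNG.
SINKHOLE_ADDRS: Set[str] = {"10.10.10.1"}


def parse_dig_short(output: str) -> List[str]:
    """Keep only the address lines from `dig +short` output; CNAME target lines are skipped."""
    addrs: List[str] = []
    for line in output.splitlines():
        candidate = line.strip()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            continue
        addrs.append(candidate)
    return addrs


def sinkholed_names(local: Dict[str, List[str]], sinkhole_addrs: Set[str]) -> List[str]:
    """Names whose local answer contains the DNSBL virtual IP."""
    return sorted(name for name, addrs in local.items() if set(addrs) & sinkhole_addrs)


def divergent_names(local: Dict[str, List[str]], upstream: Dict[str, List[str]]) -> List[str]:
    """Names the two resolvers answer differently, whether sinkholed or for some other reason."""
    return sorted(n for n in local if n in upstream and set(local[n]) != set(upstream[n]))


def page_dependency_report(deps: Iterable[str], local: Dict[str, List[str]],
                           upstream: Dict[str, List[str]], sinkhole_addrs: Set[str]) -> Dict[str, str]:
    """Label each hostname a page depends on: 'ok', 'sinkholed' or 'differs'."""
    report: Dict[str, str] = {}
    for name in deps:
        local_set, upstream_set = set(local.get(name, [])), set(upstream.get(name, []))
        if local_set & sinkhole_addrs:
            report[name] = "sinkholed"
        elif local_set != upstream_set:
            report[name] = "differs"
        else:
            report[name] = "ok"
    return report


def page_loads_cleanly(report: Dict[str, str]) -> bool:
    """True only when every dependency of the page resolves the same way on both resolvers."""
    return all(status == "ok" for status in report.values())


if __name__ == "__main__":
    # The page's own hostname resolves identically on both resolvers (so ping works),
    # but a resource host it needs is sinkholed (so the page never finishes loading).
    deps = ["news.example", "static.news-cdn.example", "api.news.example"]
    report = page_dependency_report(deps, LOCAL_ANSWERS, UPSTREAM_ANSWERS, SINKHOLE_ADDRS)
    for name, status in report.items():
        print(f"{name:28s} {status}")
    print("page loads cleanly:", page_loads_cleanly(report))
```

To use it against a live setup, collect answers with `dig +short <name> @10.1.15.1` and `dig +short <name> @9.9.9.9` for the page's hostname and the hosts its page source loads scripts, images and stylesheets from, run each output through `parse_dig_short`, and build the two dictionaries from the results. A page whose main name is served normally but whose CDN or script host is sinkholed matches the "ping works but the site does not load" symptom exactly, and the names flagged as sinkholed are the ones to look up in pfBlockerNG's own DNSBL log and whitelist if they are needed.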
Yes, I'm using the same ISP and it's only a short distance away—just a few hundred miles. This also occurs on local subnets. I first experienced it on my IoT network when I logged in from my phone after setting up a device, feeling frustrated because I couldn't access websites. Right now I can't test it directly unless I spin up a VM on that network. It seems to affect more than just the WireGuard subnet. My main private LAN doesn't have this problem, so I didn’t notice it then.