• Specific capabilities when migrating from dnsmasq

    0 Votes
    4 Posts
    492 Views
    MikeV7896

    Yep, the "domain overrides" function in the DNS Resolver settings allows you to input a domain name and the DNS server that you want to resolve hostnames for that domain. So you could input the domain name for your ISP, and any hostname queries within that domain would be directed to that DNS server, instead of going through the normal internet resolution process.

  • WAN crashing, doesn't reconnect to gateway

    0 Votes
    1 Posts
    112 Views
    No one has replied
  • Debugging DHCP & possibly network issues

    0 Votes
    3 Posts
    429 Views
    S

    @johnpoz Thanks for the reply... I will start there. Every machine that has had a problem has been wired. Will post here when I have some news on it

    Thanks again

  • error: SSL handshake failed

    0 Votes
    4 Posts
    2k Views
    Gertjan

    The file

    /usr/local/etc/unbound/unbound.conf

    isn't used by any process, not even unbound. It's there for historical show-case reasons - and eating some disk space.
    Changing that file, or even deleting it won't make any difference.

    @calin said in error: SSL handshake failed:

    Worked for me too, thanks.

    So, what worked for you?

    Btw : I guess this is/was also valid for 2.4.4-p1 - many years ago.

  • DHCP stops handing out addresses

    0 Votes
    4 Posts
    457 Views
    johnpoz

    Offline just means that that mac for that IP is not in the arp table..

    This could be that the lease expired, was never renewed.. Or you have a connectivity issue completely.. The arp table defaults to holding macs for 20 minutes..

    As mentioned what does your log show for dhcpd? Are you seeing discovers/requests and then nothing being handed back?

    You seem to have a 2 hour lease set, so at 1 hour clients should try to renew.. If they don't they will continue to try - the closer they get to that 2 hour mark the more often they should try... So your log should be quite active if clients are not able to renew.. Once lease expires - they will send out discover trying to get an IP..

    You need to validate that you're seeing these entries in your log, that your clients are renewing their leases, etc.. But yeah if dhcpd is not running, or for some reason not seeing the requests for renew or discover - then once the leases expire - the client will be off the network..

  • DNS stop working

    0 Votes
    5 Posts
    501 Views
    S

    @gertjan when I check, the server is on green status, meaning running, but on LAN there is no DNS resolving. I'm using pfblockerng-devel 2.x version, I have not updated yet. I don't want to jump directly unless it's safe to use without bugs so far. I've removed the check from DHCP registration for now and will see what happens.

    If the issue still occurs, then what is the next step?

    Regards

  • Out of the box install, DNS broken (DNSSEC?)

    0 Votes
    16 Posts
    781 Views
    johnpoz

    @madcatinc Glad you got it sorted. That was a great catch by @jimp on the time being an issue with dnssec..

    I normally just assume that time would be correct ;) I mean who doesn't make sure their time is correct? ;)

    Would have prob taken quite a bit longer to find your issue if jim hadn't chimed in..

  • Need suggestions for topology

    0 Votes
    14 Posts
    1k Views
    johnpoz

    Unless you have some need for wire speed that pfsense can not handle? I have no issues with full gig between interfaces on my sg4860..

    It's easier to route at pfsense than at some downstream router (L3 switch).

    It's going to be way easier to route and dhcp and firewall if you just let pfsense do it all and use your switch as only L2 to handle the vlans.

    If your pfsense has ports you can always leverage multiple interfaces as uplinks for your different vlans that need lots of intervlan bandwidth where you don't want to hairpin that traffic over a single trunk interface.

  • AT&T blocking outbound DNS Resolver traffic

    1 Votes
    4 Posts
    2k Views
    S

    Interesting to hear. I have AT&T U-verse (DSL) at home (not my choice) and have been using forwarding in the resolver in order to use Quad9 DNS, so would not have run into this (if it even applies to DSL). I would be curious to poke around in the AT&T router settings to see if there was anything there that could be turned off, for instance all security/firewall. I don't recall specific security features in my router but yours is surely different.

  • External 4G router in bridge/passthru

    0 Votes
    6 Posts
    783 Views
    T

    That's actually quite an old fix (2019) - but yes, this is not my only 950, hence I do know that there are useful fixes, and just for the sake of eliminating all potential old issues, this time I started with updating it to the newest available 2020 firmware.

    There are no options to "tune" this in the 950, as it is passthru....well, it is just passing thru. Not really sure what the 950 could actually do in this case either? Good ideas are welcome, I can always pass them on to the devs.

  • G1100 (Quantum Gateway) guest network - No IP addresses

    0 Votes
    1 Posts
    174 Views
    No one has replied
  • Qnap Qfinder cannot find Nas

    0 Votes
    1 Posts
    433 Views
    No one has replied
  • Pfsense with pihole correct configuration?

    0 Votes
    42 Posts
    9k Views
    A

    @johnpoz yes that's true. I should use maybe amazon route 53 or another service. I got another vm that points to route 53 ns and doesn't have any issue.

    So that's my big problem. A basic ns thing

    Do you recommend another rather than amazon route 53?

  • Status - DHCP leases: add description w/o static mapping?

    0 Votes
    1 Posts
    152 Views
    No one has replied
  • DNS resolves wrong (static) ip address

    0 Votes
    3 Posts
    529 Views
    R

    Argh... It was the host override. I totally overlooked it.
    Thank you for the fast help. :)

  • configuring DNS over TLS in pfSense 2.4.5 -- are these steps right?

    0 Votes
    22 Posts
    4k Views
    I

    @raffi_ Agreed. The table by itself would be misleading. But the table with the instructions hopefully makes it more clear. Either way, I deleted all the rules so I can't take a SS. I'll see if I can add them back this weekend and take a SS then.

    Sorry for the confusion all! Wasn't trying to create problems.

  • host override does not work on chrome

    0 Votes
    22 Posts
    2k Views
    johnpoz

    Well then as I was saying your override is working, and your browser or device is not using pfsense as your dns..

    Most likely doh, you know the browser makers looking out for your security by sending all your dns queries to them, vs where you actually want to send them.

  • DHCP timeout - deleting addresses

    0 Votes
    1 Posts
    259 Views
    No one has replied
  • DHCP giving old subnet mask

    0 Votes
    5 Posts
    502 Views
    H

    @centaur5
    Have you verified that there is only 1 dhcp server on your network? (Is it pfsense handing out the bad subnet, or something else?)

    A packet capture when a client gets the wrong subnet would probably shed some light.

  • TXT record not resolving using DNS Resolver

    0 Votes
    5 Posts
    1k Views
    johnpoz

    So you mean you're running cert manager from ACME.. On some box behind pfsense.. So this has zero to do with pfsense at all. It's not the cert manager in pfsense.

    You can have issues with that and cache as @kiokoman mentioned..

    If you're wanting to renew your acme certs with a client behind pfsense, and you're pointing to pfsense for dns.. Then yeah you could have cached the old entry, what ttl do you have set for those records?

    I was having a similar issue with the dns-cloudflare settings even on the acme package on pfsense. I ended up setting the dns timeout to 180 and this seems to have corrected the problem..

    So you could try updating the dns timeout setting on your client.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.