• DDNS Cloudflare @.domain.tld for subdomains as well

    1
    0 Votes
    1 Posts
    174 Views
    No one has replied
  • Client is unable to connect Internet

    4
    0 Votes
    4 Posts
    444 Views
    GertjanG

    @Zar-tsunkh said in Client is unable to connect Internet:

    so I need to use DNS resolver and I cannot configure it properly.

    You know that, after installing pfSense, the DNS resolver works just fine?
    So, what did you do? Undo that, and you'll be OK.

    You and I have pretty much the same interface settings:
    f5f17d85-61b9-4019-a96b-eeb704f2a237-image.png

    Btw: my device:

    7112d95d-83f0-4df8-85e2-bf10a789246c-image.png

  • [SOLVED] 2 SSID with different subnets - DHCP NAK

    18
    0 Votes
    18 Posts
    896 Views
    johnpozJ

    Ok so was that client bug then.. Great..

    Well like I said I can not find that on the "beta" ui, but I do see it on the classic view.. I do not recall ever enabling that, nor would I have reason to.. And some threads I found people complaining that it is on by default, etc..

    Glad you got it sorted in the end..

  • Dynamic DNS Hostname configuration for Azure DNS

    1
    0 Votes
    1 Posts
    226 Views
    No one has replied
  • DNS Resolver Domain Overrides

    7
    0 Votes
    7 Posts
    813 Views
    E

    All good now @johnpoz. The packet capture on the WAN interface helped confirm that requests were going to the right DNS server and helped me pinpoint additional overrides that were required.

  • Unbound stops resolving - only a complete Firewall reboot will fix it

    14
    0 Votes
    14 Posts
    4k Views
    S

    Changing what interfaces unbound uses seems to fix, I think my issue is that I have IPv6 Addresses on WAN, and LINK Interface on Guest, but my Guest isn't getting a prefix delegation for IPv6 so unbound cannot assign an IPv6 listening port.

    unfortunate.

  • Possible for pfSense to intercept/redirect DNS over TLS requests?

    2
    0 Votes
    2 Posts
    241 Views
    GertjanG

    Welcome to the club !

    And you're right, if a device wants to "TLS" to 1dot1dot1dot1.cloudflare-dns.com, the device that takes the request (your own DNS) will not have a cert that states it's "1dot1dot1dot1.cloudflare-dns.com", so it gets refused.
    This forum already has many incidental questions and discussions about the subject.

    Anyway, if it was possible, then MITM would actually work. And that will be much worse.

  • 0 Votes
    2 Posts
    110 Views
    J

    I think I put this in the wrong area. I'm deleting this and moving it to the CARP section.

  • [Solved]DHCP Static mapping

    3
    0 Votes
    3 Posts
    330 Views
    X

    It's weird. It's an Ooma Telo for VoIP phones. It worked fine with the old (Cisco RV325 router w/ DHCP) giving the Ooma an address. Now running pfSense on LAN to work out kinks before it connects to the Comcast modem.

    Device won't take an IP from pfSense, or so it seems. And it comes up with 3 different IPs so far and 1 I tried to reserve, but still shows 3 different IPs.

  • Pfsense does not respond to dns requests from LAN Host's

    23
    0 Votes
    23 Posts
    2k Views
    johnpozJ

    In the system log..

    When you try to start the service.. disable it, and then re-enable it.

  • Avast real site bypasses firewall dns

    6
    0 Votes
    6 Posts
    713 Views
    johnpozJ

    Yeah this touches on a hot topic right now to be honest.. Applications attempting to use dns that is not what the OS points to.. That they "call" it a security practice is nonsense plain and simple...

    Taking control away from using the locally set dns is not going to be good for anyone - other than the people running the NS being pointed to.

    Application(s) that overwrite what the OS says to use for dns is pure BS...

    If an application wants to validate it has internet access and wants to query for something - sure, use OS assigned dns.. Or sure if you want to ping some IP like 8.8.8.8 or something.. Sure - but trying to circumvent the OS assigned dns is not a direction these companies should be going..

  • Router doesn't respond once Firewall is connected

    2
    0 Votes
    2 Posts
    153 Views
    Raffi_R

    Can you provide a diagram of your network? It's hard to tell what is going on with the information given. Even if you draw it by hand and take a picture of it with your phone. Please post something here to help us understand the setup.

  • Use two subdomain to direct two servers using DNS Resolver...

    2
    0 Votes
    2 Posts
    117 Views
    S

    Searching a little bit... I found what I need:
    Reverse proxy pfsense configuration

    I'm going to try this.
    https://travellingtechguy.eu/reverse-proxy-with-pfsense-and-squid/
    https://www.reddit.com/r/homelab/comments/2vyiiy/til_reverse_proxy_via_squid_in_pfsense/

  • DNS failing and recovering on all vlans

    1
    0 Votes
    1 Posts
    91 Views
    No one has replied
  • PFSense DHCP server and Vercot Serva's PXE

    1
    0 Votes
    1 Posts
    482 Views
    No one has replied
  • DHCP not working on VLANs

    12
    0 Votes
    12 Posts
    4k Views
    danzekD

    THIS IS NOW SOLVED. The issue was tagging.

    Inside pfSense I went to Interfaces > Switch > VLANs and added tags for the VLANs on members 0 (default system VLAN) and 2 (LAN) which resolved my issue.

    Thanks everyone!

  • DNS registration for hostnames with static IP's

    5
    0 Votes
    5 Posts
    644 Views
    P

    @Gertjan thank you so much! I will give this a try.

  • (SOLVED) Remote DNS not working over IPSec

    2
    0 Votes
    2 Posts
    5k Views
    P

    Problem solved.

    LAN A subnet must be added to DNS Resolver ACL on pfSense B and LAN B must be added to DNS Resolver ACL on pfSense A
    Services -> DNS Resolver -> Access Lists -> + Add
    The "Action" should be "Allow"

    The DNS Resolver "Outgoing Network Interfaces" in both pfSense must be set to "LAN" and "Localhost"
    https://forum.netgate.com/topic/103395/dns-server-domain-override-over-ipsec-vpn-not-working

  • Local AD with remote pfSense

    2
    0 Votes
    2 Posts
    178 Views
    R

    If I am reading this right, you have a remote site that needs to reach AD DS services at a main site. You need to have some kind of connection up between the two sites, do you have a VPN connection? It's not just going to connect the two sites because they have internet. Assuming you have a VPN connection, you need to enable DHCP relay if the computers at the remote site will be getting IPs from the main site's DHCP. If using PFSENSE DHCP at the remote site, you would not need to enable the relay, just make sure that it gives out the proper DNS servers in the scope options. I believe you do need to configure DYNAMIC DNS in the DHCP options in PFSENSE for client registration in DNS, but I haven't used it (I just use MS dhcp/DNS) so I will leave that for someone else here to chime in on.

  • Log DHCP requests and online-time of clients

    1
    0 Votes
    1 Posts
    80 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.