• 0 Votes
    5 Posts
    2k Views
    S

    Not using minimization,

    I've set a domain override for that now so it uses 1.1.1.1. It resolves, but it's really slow; see below how long it takes to resolve (Query time: 2051 msec) compared to doing a dig directly to 1.1.1.1 (Query time: 17 msec)

    stevetozer@Steves-MacBook-Air:~$ dig epdg.epc.mnc020.mcc234.pub.3gppnetwork.org

    ; <<>> DiG 9.10.6 <<>> epdg.epc.mnc020.mcc234.pub.3gppnetwork.org
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25550
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;epdg.epc.mnc020.mcc234.pub.3gppnetwork.org. IN A

    ;; ANSWER SECTION:
    epdg.epc.mnc020.mcc234.pub.3gppnetwork.org. 2677 IN CNAME epdg.epc.wip.mnc020.mcc234.pub.3gppnetwork.org.
    epdg.epc.wip.mnc020.mcc234.pub.3gppnetwork.org. 1 IN A 188.31.254.71

    ;; Query time: 2051 msec
    ;; SERVER: 192.168.50.1#53(192.168.50.1)
    ;; WHEN: Sat Jan 04 15:35:46 GMT 2020
    ;; MSG SIZE rcvd: 114

    Thanks for all your help with this

  • Different DNS overrides between networks

    1
    0 Votes
    1 Posts
    136 Views
    No one has replied
  • pfSense not configuring gateway via DHCP (but server is sending address)

    1
    0 Votes
    1 Posts
    111 Views
    No one has replied
  • DHCP6 makes DNS Resolver/Forwarder constantly restart [Solved]

    12
    0 Votes
    12 Posts
    508 Views
    G

    Not sure if they will or won't. It is hard to find information about this.
    I found some examples of people using pfSense directly behind the external ONT provided by the ISP. But that was with older versions of the device with an external ONT; it is included in the device for the new version.

    Not sure asking for the old version is a good option since it will likely reduce the bandwidth.

    I will need to ask support if I want more information on this.

  • DHCP Leases Sort Order

    3
    0 Votes
    3 Posts
    544 Views
    arrmo

    @jimp That makes sense, thanks! It did seem to "default" before, but no biggie. I'll open a (minor) feature request, as you say.

    Thanks again.

  • Manual DNS entry for a local host

    13
    0 Votes
    13 Posts
    994 Views
    Gertjan

    @johnpoz : I just tried it : my domain a mere TLD .fr and the rest of the domain as a host name.
    It ... works.
    Common sense is still barking to me.

  • unbound service fails

    2
    0 Votes
    2 Posts
    380 Views
    Gertjan

    Read the first results from here.

  • OpenDNS Dynamic DNS Not Working (SOLVED)

    10
    0 Votes
    10 Posts
    3k Views
    M

    I realize this is an older topic AND is marked as (SOLVED), but I was also having a problem with OpenDNS not updating.

    I changed my password so that it did not include any special characters except for "$", minus the quotes, and it works now, sweet!

    Thanks for the help!

  • DHCP Server wrong function / crash by adding Static Mapping in another VLAN

    12
    0 Votes
    12 Posts
    1k Views
    johnpoz

    @justas said in DHCP Server wrong function / crash by adding Static Mapping in another VLAN:

    I was able to use double quotation mark in the client-id.

    Thought you said there was no error in the dhcp, and it was running, etc.

    No shit if the dhcpd is not running nobody could get IPs, or if it fails to parse its conf and runs with no settings... Then again nobody would get IPs either... This is not what you stated!!!

  • DNS - one host (server), several applications

    7
    0 Votes
    7 Posts
    223 Views
    johnpoz

    Yup plex another one that is served up that box on 32400, etc..
    https://nas.local.lan:32400/web/index.html

    If the service is not going to listen on standard ports, then it needs to be part of the url!! That is the way it works!

    Here all 3 of these bookmarks have ports in the url
    bookmarks.jpg

    Once the bookmark is created - why does it matter?

    And here is the thing, most browsers even if you start typing the url it will finish it for you - with the port..

    All I typed is sg, and the rest of where I have been came up as options.. to click on, etc..

    alltyped.jpg

  • Block Internet access on static ip address

    7
    0 Votes
    7 Posts
    1k Views
    johnpoz

    @yanafig said in Block Internet access on static ip address:

    Because I only have simple setup

    Sounds like a good reason to up your equipment to support what you're wanting to do..

    You mention using something other than pfsense - when all you need is switch(es) that support vlans.

    You mention users changing IPs, you understand it's child's play to change mac as well... When you want to control like you ask, you use different vlans.. Does not matter what the user's IP is nor the mac..

    But static arp has nothing to do with your firewall rules.. You can for sure set static arp to prevent a mac from using a different IP... The control of what IPs can do via firewall rules has nothing to do with that setting.

    You understand this could also be accomplished with dumb switches, as long as your pfsense has more than 1 nic to use for lan side networks, and or a $30-40 smart switch to put between pfsense and the dumb switches. There are multiple ways to isolate your networks.

    isolation.jpg

    Even dumb wireless can be added to these now different networks be it vlans or actual physical separation.

  • No internet access, but google search possible

    1
    0 Votes
    1 Posts
    219 Views
    No one has replied
  • 0 Votes
    24 Posts
    5k Views
    johnpoz

    So what was wrong with the statics? I looked through them I didn't see anything that was out of scope..

  • DHCP Lease Page Online Column

    4
    0 Votes
    4 Posts
    534 Views
    JKnott

    @ghostshell

    Well, if you look in the help, you'll find:

    "The Status > DHCP Leases page only reports systems as “online” if the MAC address for a given system appears in the pfSense® firewall’s ARP table. This can be verified by checking Diagnostics > ARP Table. Systems that have not communicated with or via the firewall in the past few minutes will appear as offline."

    In order for a MAC address to be in the lease table, the device has to have communicated with the pfSense system. This could be actual traffic with it, such as DHCP, DNS requests, etc. or just being routed through it. If pfSense hasn't seen any traffic from the device, it will disappear from the ARP cache and will be listed as offline.

  • Newbie question regarding "Disable DNS Forwarder" setting

    6
    0 Votes
    6 Posts
    3k Views
    Gertjan

    @wanabe said in Newbie question regarding "Disable DNS Forwarder" setting:

    Although most take place over encrypted connections some do not.

    Web sites or API connections (or any form of mail) that do not use TLS/SSL? Hasn't that been banned from the net??
    You're right, if you have to handle financial stuff over 'clear lines' then you should use a VPN that has its end-part "in front of" the site hosting the non-TLS/SSL site. Remember: when the traffic leaves the VPN supplier it will go clear over the net.

  • DHCP server not working on bridge interface

    3
    0 Votes
    3 Posts
    289 Views
    K

    @Gertjan

    When creating a rule to allow traffic on an interface, normally the source is specified similar to OPT1 Subnet so that only traffic from that subnet is allowed out of that segment. With DHCP, that is not enough. Because a client does not yet have an IP address, a DHCP request is performed as a broadcast.

    That is the reason? I know the firewall was blocking DHCP traffic but I don't know how to configure that.
    I will try to configure it following this document.
    Thank you.

  • domain name pointing to home server blocked on LAN

    9
    0 Votes
    9 Posts
    1k Views
    L

    @johnpoz well, I don't need FTP to work locally, the problem I'm experiencing now is with http and https.

  • unable to restart dhcp with CLI

    1
    0 Votes
    1 Posts
    69 Views
    No one has replied
  • cache-max-negative-ttl in Unbound

    1
    0 Votes
    1 Posts
    199 Views
    No one has replied
  • Domain overrides frequently returning NXDomain

    3
    0 Votes
    3 Posts
    394 Views
    M

    Yes, it is unbound. The pfsense acts as a resolver for the LAN, and should forward requests from the domain override to the remote server.

    I don't think unbound was restarting. The option that makes DHCP lease store client names in the resolver has been disabled a long time ago.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.