@quadrinary I had the same issue... DHCPDISCOVER was going over the line just fine, but I was getting no DCHPOFFER from the modem. This is also on a pfsense VM on vSphere 6.7. Plugging my laptop directly into the cable modem was working just fine, getting an IP from the modem within a second. Disabling CDP on the vSwitch and rebooting modem and pfsense VM solved the problem. Thanks to this post, because I would have NEVER found the solution to the problem otherwise. So thanks! :)

@johnpoz

Thanks. That is what I typed in initially but then decided to go and look to make sure I was doing it correctly before actually enabling it. That's when I found the information I mentioned in my first post, but pfSense wouldn't accept the input recommended by OpenDNS. Since this just appears to be a text field for data that is passed to the service, I didn't understand why it was being parsed for invalid characters in the first place. However, I can go back to just trying the network name (NetworkLabel) in the box and see what happens.

Thank you very much for this else suggestion.. I will try to turn off DNSSEC too.

@AWeidner said in DHCP, multiple Access Points:

But it looks like pfSense and the client device cannot agree to an address a lot of the time.

If a client request IP address 1.2.3.4, and gets told NO.. via nak.. then it should send out a new discover.

Can you post up this pcap you took so we can take a look see to what could be going on.

I don't have a lot of android devices to play with - but guests are on my guest vlan, and never have any problems. My son android phone is on the network all the time, and he doesn't seem to have any issues. I have multiple devices that move about different SSIDS to new vlans and new IP ranges - without any issues switching to the new IP scheme on the different vlan, etc..

The vm is ok.
Gets an ipv4 address in the normal scope.
Removed the tftp:// but still the same.
virtualbox.png

@johnpoz Thank you for the insights..

Patching the script generating the config to include "update-static-leases on" in dhcpdv6.conf doesn't seem to help. The man page says that this isn't recommended anyway, so maybe I should add the records manually after all, but then update-static-leases shouldn't be switched on for IPv4 either.

So I came in this morning and I can no long get DNS resolution again...

I mean to the authoritative ns(ers) for your name space.

If you want to point your client to pfsense that sure have at it... But what you can not do is point the client to pfsense and then some public ns.. Since you never know where the client will query.

But if pointed to pfsense, and pfsense has an override to resolve domain.tld that points to where they can resolve that - that works too. You just need to make sure that when you forward to something that is going to return rfc1918 space that you correctly allow for rebind protection.

So you have to have a static public IP which is used for sending out mails and you need a public domain, where you assign a hostname to that public IP.
You may also need PTR Resource Record which points to that hostname. This can be set by your ISP.

Usually a smart host should rather use an authentication method than require all that.

@astph said in Can pfsense run the OpenDNS Updater?:

As mine is having 0.0.0.0 on the cached ip.

As long as the updating didn't work, you wind up having 0.0.0.0. That's normal.

I have :

737de201-72fe-4c54-9626-62e3b2825a0d-image.png

Notice : the hostname isn't a hostname here, but your "account ID" created with OpenDNS.

Use the "Verbose logging" option. When activated, you should check the logs, they will tell you everything ...

edit : extra checks :

See
6734e3ba-9f1c-4a64-8647-98f1413a86bc-image.png

Question : pfSense uses this URL to get your 'real' WAN IP. Does it really work for you ?

Answer : goto Console (SSH !) and use option 8.
Type :

curl http://checkip.dyndns.org

it should answer with something like this :

<html><head><title>Current IP Check</title></head><body>Current IP Address: 82.127.34.254</body></html>

and yes, 82.127.34.254 is my WAN IP.

I shudder to suggest this but....

You can do this by running both the DNS forwarder and the DNS resolver (in forwarding mode). Obviously one has to run on a different port but you can use a port forward on whichever LAN is using it so clients still use port 53. You can a domain override on one pointing at the other one for your local hosts so you only need to maintain one host list.

It's ugly. It will probably come back to bite you at some point. It doesn't scale beyond 2. But it doesn't require any packages or custom config, everything in in the GUI and hence backed up.

Steve