• How to set up DDNS as a cron job

    1
    0 Votes
    1 Posts
    750 Views
    No one has replied
  • Blocking external DNS - rules don't seem to be working

    6
    0 Votes
    6 Posts
    496 Views
    KOMK

    Localize the problem. If via packet capture you can see that the DNS request leaves one network for another and there is no reply traffic, then the problem is with the server itself somehow. Do captures on both SKYNET and SKYWIFI while testing to confirm that SKYNET sees the DNS request packets coming from the requester destined for the DNS server, and SKYWIFI sees the packets going to the DNS server and the reply traffic.

    Are you running any packages that might interfere with local traffic, like Snort, Suricata or pfBlockerNG?

  • Unbound not using DNSSEC for ROOT

    16
    0 Votes
    16 Posts
    1k Views
    johnpozJ

    Good follow through @kiokoman thanks.. There are many ways to validate that dnssec is actually working - looking for the ad when doing dig +dnssec is prob the easiest.. Or just doing query to a test fqdn that is set to fail..

  • WAN Port IP

    6
    0 Votes
    6 Posts
    583 Views
    chpalmerC

    Go to /interfaces.php?if=wan

    Down to "Reject leases from"

  • Unbound restarts when host joins network

    2
    0 Votes
    2 Posts
    364 Views
    GertjanG

    @bhjitsense said in Unbound restarts when host joins network:

    Anyone have any insight?

    Yep.
    When a new DHCP lease comes in, and you have checked "DHCP Registration" :

    then the Resolver (unbound) gets restarted.

    Solution :
    Define a static lease for your portable - this way it will always obtain the same IP, and .... the Resolver will know about it upfront, and doesn't get restarted any more.
    The "Static DHCP" should be checked.

  • Pfsense with squid and SquidGuard won't allow HTTPS traffic through?

    5
    0 Votes
    5 Posts
    1k Views
    H

    @KOM I'd rather use certificates; that's what I was doing before.

  • dhcpleases.conf empty

    1
    0 Votes
    1 Posts
    310 Views
    No one has replied
  • Dynamic DNS Loopia Wildcard issue

    5
    0 Votes
    5 Posts
    2k Views
    S

    This has finally been fixed: https://github.com/pfsense/pfsense/commit/cedc8184606a4cfdf6cb7542e43d205205005865?_pjax=%23js-repo-pjax-container

  • Multiwan and DNS Resolver

    7
    0 Votes
    7 Posts
    735 Views
    D

    @jimp said in Multiwan and DNS Resolver:

    For policy routed traffic, yes. But default gateway switching doesn't support load balancing, only failover.

    Yes I can now confirm this. Thank you @jimp! Now my DNS Resolver is working flawlessly.

  • Different DNS Forwards for each VLAN + Internal DNS

    3
    0 Votes
    3 Posts
    708 Views
    johnpozJ

    @JasonHarper said in Different DNS Forwards for each VLAN + Internal DNS:

    internal DNS database that can perform local lookups and then forward queries to a specific public DNS server based on VLAN/interface?

    You do understand you now have a common cache.. So if teachers go to something that teachersallowed.com it will then be cached... Then student tries to go to there and since cached they will look it up from cache..

    You can not do what you're asking to do when you have local cache that is shared.. You would need 3 different NS locally so that your caches are different, these 3 can do a delegated forward to your local dns running on pfsense for local resources.

    Sure you could setup a view and vlanX gets forwarded here, and then vlanY gets sent there.. But your problem is going to be the common cache.

  • DynDNS - GoDaddy

    9
    0 Votes
    9 Posts
    4k Views
    D

    I found the problem. I set the TTL too low. The minimum TTL that GoDaddy allows is 600 seconds.

  • Skype DHCP Options 120 and 43

    9
    0 Votes
    9 Posts
    1k Views
    C

    Well, the thing is that we try to avoid this solution because I create two dependencies for my DHCP. Plus, this was our initial configuration and we decided to move the DHCP service to pfsense.

    According to the old forum post that I posted previously, these sub-options can be added if we edit the services.inc file. We haven't tried this yet, because we do not have a test environment. But the initial question remains: wouldn't it be nice to add these sub-options as a patch in a future release?

    Otherwise, does anybody know if the above mentioned solution (to edit the services.inc file) will work?

    How can we know if Netgate would be interested if we made them a patch and gave it to them?

    Chris

  • problem with cloudflare DNS over TLS and gateway group for 2 vpn servers

    6
    0 Votes
    6 Posts
    727 Views
    M

    @KOM

    I just now realized what you meant. Thank you. Mine is set up so if by any chance both of the vpn servers get disconnected by a hacker, pfsense will not expose my real ip. I like it like that. So if I need to disable my vpns myself, I just have to change the gateway to wan in system> general settings manually.

  • Return NXDOMAIN for specific hostname?

    2
    0 Votes
    2 Posts
    129 Views
    W

    I should've looked at the pinned topics, I found the answer there.

  • How to Setup AD Integrated DNS with .local TLD on LAN Interface?

    16
    0 Votes
    16 Posts
    1k Views
    johnpozJ

    @JSchenk said in How to Setup AD Integrated DNS with .local TLD on LAN Interface?:

    Fisher-Price networking. ;)

    heheh - dude I am sure I have seen worse ;) Good luck, have fun fixing it.. And if you have any questions there are lots of smart people here that love to help.

  • Problems with dhcp client and SFP PCI Express card

    11
    0 Votes
    11 Posts
    1k Views
    kiokomanK

    excellent !

  • System time offset in DHCP option 2

    1
    0 Votes
    1 Posts
    473 Views
    No one has replied
  • DNS Resolver not caching correct?

    56
    0 Votes
    56 Posts
    10k Views
    johnpozJ

    No didn't mean for you to do it ;) Just stating how it "could" be done hehehehe

    Guess it could be somewhat useful for someone whose unbound is restarting all the time.. I would look to why that is happening and stop it.. For example dhcp registration, or maybe pfblocker restarting every hour on a cron or something.

    Or maybe your connection is flipping over to backup, or going down whatever.. The dhcp is easy, just don't have it register dhcp leases. Your connection going down or flipping might be harder to fix - but that shouldn't be happening on a regular basis that is for sure.

    As to how often pfblocker restarts unbound - have to get with BBcan on that, off the top not sure when it might restart unbound.

  • DNS Forwarder - how to use non-default route.

    7
    0 Votes
    7 Posts
    680 Views
    viktor_gV

    @gwaitsi you can configure policy based routing, by selecting gateway for appropriate network segment
    see https://www.netgate.com/resources/videos/multi-wan-on-pfsense-23.html

    in such a way you can configure to route through WAN_GW for destination 8.8.8.8 (needed DNS) on VOIP_LAN interface

  • Can this be done in DHCP settings?

    5
    0 Votes
    5 Posts
    765 Views
    P

    @JKnott said in Can this be done in DHCP settings?:

    @pete-s said in Can this be done in DHCP settings?:

    Is there a way to do this in pfsense, maybe with some of the advanced dhcp options?

    Is there even a DHCP option for that? The closest thing I've heard of is connecting to a TFTP server.

    It's one of the recommended ways of doing fully automatic installations of debian and derivatives.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.