• Enable DHCP only on LAN IN

    0 votes, 15 posts, 954 views

    @johnpoz Yh no magic. 🤣
    [screenshot: dhcp_inside_lan.JPG]
    This would block DHCP traffic from going out and keep it inside that VLAN? Sorry for that dumb question, I used to have different NICs before for this, haven't really worked with VLANs before.

  • Problem With Forwarding From AD To Resolver

    0 votes, 5 posts, 530 views, last post by johnpoz

    Here are the 2 settings I mentioned, prefetch and serve 0 TTL.

    In the advanced section of the resolver:
    [screenshot: settings.png]

    The DNSSEC settings have no meaning if you don't have DNSSEC enabled and are in forwarding mode.

    It normally is bad to mess with TTLs, and you should use what the authoritative NS has set - but with many sites hosted by AWS and the like having TTLs of 60 freaking seconds.. I have set min to be 1 hour.. I just do not buy that I need to query for something every 60 seconds... Makes no sense..

    So if I am on some website tooling around reading a blog or something for 5 minutes it's going to be queried 5 times? Really? Come on!! ;)

    [screenshot: minRR.png]

    I have not run into any issues with doing that - but your mileage may differ depending on what sort of stuff you're visiting, etc.

    My unbound has just restarted - doing some testing of stuff... if you run this cmd you can keep an eye on how your cache hit rate is doing

    [2.4.4-RELEASE][admin@sg4860.local.lan]/root: unbound-control -c /var/unbound/unbound.conf stats_noreset | grep total.num
    total.num.queries=588
    total.num.queries_ip_ratelimited=0
    total.num.cachehits=220
    total.num.cachemiss=368
    total.num.prefetch=0
    total.num.zero_ttl=0
    total.num.recursivereplies=368

    So with a total of 588 queries, currently at 220/588 for cache hits.. 37%. That will go way up over time.. I will post back later with the hit rate..
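    As an added example (not johnpoz's code and not part of pfSense or Unbound), the POSIX shell script below turns the stats_noreset output quoted above into a hit-rate percentage and a pass/fail check you can run from cron or a monitoring probe. The SAMPLE_STATS text is constructed from the numbers in the post; the function names (stat_value, hit_rate_pct, check_hit_rate) are my own, and on a real box you would pipe the live unbound-control output in instead of the sample.

```shell
#!/bin/sh
# Added example: compute the Unbound cache hit rate from
# `unbound-control stats_noreset` output.
# On pfSense the live command is:
#   unbound-control -c /var/unbound/unbound.conf stats_noreset
# SAMPLE_STATS is a constructed copy of the numbers quoted in the post.

SAMPLE_STATS='total.num.queries=588
total.num.queries_ip_ratelimited=0
total.num.cachehits=220
total.num.cachemiss=368
total.num.prefetch=0
total.num.zero_ttl=0
total.num.recursivereplies=368'

# stat_value NAME : print the integer value of NAME from key=value stats on stdin
stat_value() {
    awk -F= -v key="$1" '$1 == key { print $2; exit }'
}

# hit_rate_pct : read stats on stdin and print cache hits as a whole-number
# percentage of total queries. Prints 0 when no queries have been counted yet,
# so running it right after a restart does not divide by zero.
hit_rate_pct() {
    stats=$(cat)
    queries=$(printf '%s\n' "$stats" | stat_value total.num.queries)
    hits=$(printf '%s\n' "$stats" | stat_value total.num.cachehits)
    [ "${queries:-0}" -gt 0 ] || { echo 0; return; }
    echo $(( ${hits:-0} * 100 / queries ))
}

# check_hit_rate THRESHOLD : exit 0 when the hit rate on stdin is at least
# THRESHOLD percent, 1 otherwise. Handy for noticing a cache that stopped
# helping (for example after a config change dropped the min TTL back down).
check_hit_rate() {
    rate=$(hit_rate_pct)
    [ "$rate" -ge "$1" ]
}

# Demo against the constructed sample. On pfSense use instead:
#   unbound-control -c /var/unbound/unbound.conf stats_noreset | hit_rate_pct
printf 'cache hit rate: %s%%\n' "$(printf '%s\n' "$SAMPLE_STATS" | hit_rate_pct)"
```

    Because stats_noreset does not clear the counters, the percentage is cumulative since the last Unbound restart; use plain `stats` if you want per-interval numbers, and expect a low figure for the first few minutes after a restart, as the post shows.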

  • Multiple Issues with Full LAN Static ARP

    0 votes, 5 posts, 662 views, last post by johnpoz

    @loopery said in Multiple Issues with Full LAN Static ARP:

    I bridge my WAP and LAN.

    And when you turn on this static ARP - which devices fail? The ones that are wireless?

    If you just plug your AP into your LAN switch there is no reason to bridge.. But depending on how your AP is working you might not be seeing the actual MAC of the client, but the MAC of the AP's wired interface..

  • What is the order DNS servers are called?

    0 votes, 4 posts, 495 views

    My solution:

    I tried removing pfBlockerNG to replace it with pfBlockerNG-devel and ran into an issue with it. The new package sucked in some lists from the old install that could not be removed. I removed the new version and reinstalled the original pfBlockerNG. To the good, it installed all my old lists plus all of the new ones I installed for pfBlockerNG-devel.

    I will use pfBlockerNG as the backup for pi-hole when/if needed. It would take 10 seconds to switch over. It has about 200,000 sites blocked vs 1.3 million with pi-hole, although I thought my old pfBlockerNG blocked a fair amount of sites as it was. (My LAN port 53 bypass sends all DNS requests to pi-hole, so pfBlockerNG can remain active with no CPU hit - of course it doesn't do anything, either.)

    Edit: DNSBL worked fine with the setup described above. I disabled it for now since it was duplicative.

  • unbound fails to start, after bungled external SSL cert installation

    0 votes, 6 posts, 2k views, last post by johnpoz

    @furriephillips said in unbound fails to start, after bungled external SSL cert installation:

    DNS resolver to respond to incoming SSL/TLS queries from local clients

    That is pretty stupid if you ask me... So your local network is hostile?

    Or was it that your DNS was too fast and you were looking to make it slower and require more config and way more resources.. And more complex to troubleshoot, etc.. ;)

  • Unbound DNS LEAKS through Domain Overrides - Bug

    0 votes, 1 post, 130 views, no one has replied

  • names for static host inside network

    0 votes, 4 posts, 396 views, last post by johnpoz

    You need to pick a domain name to use.. pfSense defaults to localdomain I believe..

    But you can use whatever you want - pick something that is not public and does not resolve on the public internet.. say ivan.lan or something..

    Now all your machines can resolve other machines via the FQDN, e.g. comuser.ivan.lan

    If you do not want to type the FQDN, then set up a search suffix; normally Windows will use the domain handed out by the DHCP server as the search suffix.

  • Reboot and Unbound is down

    0 votes, 9 posts, 774 views, last post by johnpoz

    So you're saying the log is completely empty with clog? pfSense uses circular logs - you need to view them from the CLI with clog.
    https://docs.netgate.com/pfsense/en/latest/monitoring/working-with-binary-circular-logs-clog.html

  • reverse resolve with DNS on Status/Dashboard

    0 votes, 4 posts, 436 views, last post by Gertjan

    You see the destination IP?
    It's ff02::fb

    Google will tell you what it is (so now you know: harmless).

    If needed: hunt down the device that is making these requests, shut it down / pull out the network cable => problem solved.
    Or: do not log these inoffensive requests.

  • Reboot and Unbound is down

    0 votes, 1 post, 89 views, no one has replied

  • 0 votes, 8 posts, 2k views, last post by johnpoz

    You should remove everything from options - and why exactly are you using pfBlocker? Remove that until you are sure resolving is working how it should... Default out-of-the-box settings are fine.

    If you have 1 bad domain that you have issues resolving - you could always just do a domain override for that specific domain..

  • DHCP HA CARP, recover issue

    0 votes, 4 posts, 358 views, last post by Derelict

    Right. A /10 scope (4 million addresses) is pretty much ridiculous.

  • Issues with DNS forward

    0 votes, 2 posts, 709 views

    After looking closely at my rules, I found that my source was set for an address as opposed to the network. One quick change and all was good in the Universe!

  • Custom DNS for certain clients

    0 votes, 1 post, 102 views, no one has replied

  • WAN DHCP stopped working

    0 votes, 7 posts, 1k views

    @nkaminski said in WAN DHCP stopped working:

    Have you tried fully power-cycling the modem when switching the connection between your Linux host and FreeBSD?

    Yes, as I mentioned in the OP: "I have done all the standard troubleshooting including powering off all network and computer components and repowering in the appropriate order, etc., but that has not helped."
    As it stands, it appears that Xfinity is not responding to the native MAC associated with my 4220. This weekend, I'll try to take some time to experiment with some different MAC values to see if a) this problem persists, and, if so, b) whether Xfinity is rejecting this unique MAC, or whether it is some vendor-specific MAC block (as suggested by several posts) that is being rejected.

  • Lose WAN when rebooting or power cycle.

    0 votes, 7 posts, 821 views

    I will give that a try over the next day and see how I make out.

    Thanks!

  • filterdns failed to resolve host will retry later again.

    0 votes, 16 posts, 4k views

    Thank you. You originally gave me the information to fix it in, I believe, your 2nd post.
    This is resolved.

  • BIND + Unbound (pfBlockerNG)

    0 votes, 15 posts, 3k views, last post by bmeeks

    Using something like the VM appliance lets you avoid the hassles of running Unbound and BIND with non-standard port configurations and you don't have to get the Windows AD boxes to forward their DNS queries to a non-standard port (meaning something besides port 53). So that seems like a big plus to me. I don't really see a downside other than hardware capable of being a VM appliance is going to be a little more expensive than a plain vanilla pfSense appliance would be, but in a large corporate deployment the cost differential is probably just a small blip in the accounting ledger. The good news in your case is that neither pfSense nor BIND are big RAM users, so you don't need some huge amount of RAM in the virtual machine host nor do you need multiple server-scale CPUs.

  • List individual IPs

    0 votes, 5 posts, 546 views, last post by KOM

    Sometimes doing it right takes a little longer, and 20 PCs isn't really that much. If it was me, I would change the printer and then push it down via group policy but whatever works best for you.

  • DHCP server assigning duplicate IPs

    0 votes, 4 posts, 578 views, last post by Derelict

    https://www.pfsense.org/download

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.