• Guide to force your clients to use Youtube in Restricted mode

    3
    1
    1 Votes
    3 Posts
    2k Views
    dennis_sD
    @kom Good catch, the image has been corrected. Thanks!
  • WiFi -> Pf -> Router -> WAN problem

    dhcp nat configuration
    1
    1
    0 Votes
    1 Posts
    478 Views
    No one has replied
  • Intermittent Changes of IP Address and WAN not pulling IP from Modem

    dhcp ipv4
    9
    0 Votes
    9 Posts
    3k Views
    senseivitaS
    If you're on a UNIX-like system you can use this to capture remotely from a UniFi AP and from pfSense -- I found this somewhere and noted it down. Change X.X.X.X for the correct address.
    UniFi AP
        ssh ubnt@X.X.X.X 'tcpdump -f -i br0 -w - not port 22' | wireshark -k -i -
    You need Wireshark installed, obviously--works on Macs too and it won't get super hot like when you capture directly on it.
    pfSense
        ssh root@X.X.X.X 'tcpdump -f -i em0_vlan100 -w - not port 22' | wireshark -k -i -
    Here you'll need to change em0_vlan100 for the correct interface, but you can SSH in and get them with ifconfig. :) Good luck!
  • DNS working but Error Timeout

    1
    6
    0 Votes
    1 Posts
    176 Views
    No one has replied
  • DNS Redirect Failure

    23
    0 Votes
    23 Posts
    2k Views
    J
    Wanted to get some feedback on DNS privacy from the group. I've gone back and forth on this issue several times and it seems that there is no perfect solution. Either you run your own recursive resolver with QNAME minimisation or you forward to an external resolver via TLS over DNS. I've never been a fan of passing the security buck on to someone else, which is exactly what you're doing when you forward via TLS to Cloudflare or others; you are trusting they are not using your data for nefarious purposes and maybe they aren't .... today. But that leaves running your own resolver, which still poses privacy issues for the ISP or others inline who can sniff the traffic. Some of this is mitigated with QNAME minimisation but the last query from the resolver to the authoritative server will have the full query.
  • Dynamic DNS not working (Cloudflare) - Logs attached

    1
    0 Votes
    1 Posts
    194 Views
    No one has replied
  • DNS Resolver/Forwarder host overrides not working

    25
    0 Votes
    25 Posts
    7k Views
    RedDelPaPaR
    @johnpoz Well, maybe you're right. Because it does make sense that something else was getting in the way of unbound. I just know what I saw under system services because I thought of that several days ago and specifically looked to see if BIND was running or not. After I installed suricata and pfblocker on my test install and DNS resolver still worked as it should, that triggered me to go ahead and uninstall BIND because it was the only difference between my test and production pfsense units. But either way, the problem is solved, and I appreciate your help in doing so. Have a great weekend, Nate
  • pfSense VLAN and TP-Link switch: how to debug?

    10
    0 Votes
    10 Posts
    2k Views
    JKnottJ
    @johnpoz said in pfSense VLAN and TP-Link switch: how to debug?: ;) I spent quite a bit of time on the phone with some guy at TP-Link, who insisted it was normal. He couldn't seem to grasp the idea that VLANs are supposed to act as physically separate networks. BTW, you can still use that switch for port mirroring. It works reasonably well for that.
  • Potential DNS Rebind attack

    3
    0 Votes
    3 Posts
    6k Views
    jimpJ
    DNS rebinding isn't the issue. You are hitting the firewall web interface when you expect to be hitting something else. You can solve that in one of two ways:
        NAT Reflection (ew)
        DNS host override pointing that hostname at the local system you expect to hit for clients on your local network.
  • DHCP Relay Wireless

    1
    0 Votes
    1 Posts
    212 Views
    No one has replied
  • dynamic DNS - 1/3 not correctly set at boot

    18
    0 Votes
    18 Posts
    1k Views
    D
    This is what the resulting cronjob looks like: [image: 1551370121724-screen-shot-2019-02-28-at-11.02.15-am-resized.png]
  • Compare quad9 vs cloudflare in DNS Resolver

    11
    1
    0 Votes
    11 Posts
    3k Views
    chudakC
    @johnpoz Copy thx !
  • [Resolved] Allow DNS Queries from WAN Interface

    4
    0 Votes
    4 Posts
    949 Views
    GertjanG
    @finger79 said in [Resolved] Allow DNS Queries from WAN Interface: access forum.netgate.com via PIA VPN endpoints See here https://forum.netgate.com/category/20/forum-feedback for possible reasons. More and more people use VPNs these days, so it's quite understandable that many IP addresses used by these VPN companies have become totally useless (they are refused because used ones for less-than-honest occupations).
  • PFSense not giving IP on DHCP

    6
    0 Votes
    6 Posts
    3k Views
    johnpozJ
    I have been over this a few times as of late - you need to use PowerShell to put your switch in trunk mode. Pretty sure I did some screenshots with a walkthrough recently. Here is a thread where I show doing VLANs with Hyper-V: https://forum.netgate.com/topic/139891/solve-hyperv-2012-vlans-support-hn0
  • Block PPPoE WAN IPv6 DNS

    ipv6 pppoe dns resolver dns
    3
    0 Votes
    3 Posts
    1k Views
    D
    Solved by enabling "Enable Forwarding Mode"
  • DHCP static IP on a bridge (LAN+Wifi)

    1
    0 Votes
    1 Posts
    185 Views
    No one has replied
  • dns over tls, how to test

    2
    0 Votes
    2 Posts
    3k Views
    ?
    I think I have figured out an easy way. Go to https://dnsleaktest.com and run the test; for me I got for ISP "Optimum Online". Then I made the changes at https://www.netgate.com/blog/dns-over-tls-with-pfsense.html and ran the test again, and this time I got for ISP "Cloudflare". So do you think my way of testing is a good way? Thanks,
  • 0 Votes
    13 Posts
    4k Views
    asv345hA
    Must be doing file ownership for unbound files different now because I did a quick install on VirtualBox and it's the same.
        2.4.4-RELEASE][root@pfSense.localdomain]/var/unbound: ls -la
        total 48
        drwxr-xr-x 3 unbound unbound 512 Feb 21 15:14 .
        drwxr-xr-x 26 root wheel 512 Feb 21 14:16 ..
        -rw-r--r-- 1 root unbound 177 Feb 21 15:14 access_lists.conf
        drwxr-xr-x 2 unbound unbound 512 Nov 26 16:42 conf.d
        -rw-r--r-- 1 root unbound 0 Feb 21 15:14 dhcpleases_entries.conf
        -rw-r--r-- 1 root unbound 0 Feb 21 15:14 domainoverrides.conf
        -rw-r--r-- 1 root unbound 398 Feb 21 15:14 host_entries.conf
        -rw-r--r-- 1 root unbound 300 Feb 21 14:17 remotecontrol.conf
        -rw-r--r-- 1 unbound unbound 166 Feb 21 15:14 root.key
        -rw-r--r-- 1 root unbound 1865 Feb 21 15:14 unbound.conf
        -rw-r----- 1 unbound unbound 2459 Feb 21 14:17 unbound_control.key
        -rw-r----- 1 unbound unbound 1330 Feb 21 14:17 unbound_control.pem
        -rw-r----- 1 unbound unbound 2455 Feb 21 14:17 unbound_server.key
        -rw-r----- 1 unbound unbound 1318 Feb 21 14:17 unbound_server.pem
  • Active Directory Server and pfsense pfblockerNG

    10
    0 Votes
    10 Posts
    2k Views
    nodauN
    tracert will follow the configured dns servers. btw. leave the root hints checked if no forwarders are available if you have a pfsense ha cluster.
  • DNS Resolver Log Error sending queries to 1.1.1.1

    49
    0 Votes
    49 Posts
    13k Views
    DerelictD
    @chudak said in DNS Resolver Log Error sending queries to 1.1.1.1: @bldnightowl said in DNS Resolver Log Error sending queries to 1.1.1.1: "page" is a link in my post above. Wonder if Quad9 has similar test page ? No. https://www.quad9.net/faq/#Is_there_a_URL_we_can_check_to_see_if_a_given_domain_is_blocked,_and_what_a_user_might_get_if_they_go_to_a_blocked_site
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.