• (RESOLVED) Static WAN Issue, DNS Issue, Connectivity Issue among Subnets

    12
    0 Votes
    12 Posts
    739 Views
    johnpoz

    You think connecting interface 1 to interface 2 on the same em host is a valid config? It is FUBAR and Borked plain and simple..

    but overall I'd say that 70% of posts I read on this forum are techs insulting the crap out of people asking for help..

    Utter Nonsense... You joined 26 days ago.. If you find posts offensive Report them!!! I have been here 10+ years.. What you find is the same question over and over and over again from people too lazy to do any research on their own. Getting fed the info on silver spoons.

    What you READ into something is not my problem - if you take offense to stating something is F'd UP when it is... That is not someone offending you, that is someone stating their freaking opinion on a public forum just like you have the right to do... I take offense at your post to be honest ;)

    Here you go complaining about someone saying what you did was BORKED... Vs providing some info to work with.. While I am not a hyper-v guru... I am sure there are others here.. I don't need to be a guru to understand you don't interconnect interfaces on the same vm host together..

    Then we have one nic port bridged with the lan that goes to our printer and smart tv.

    Your nic is bridged where in hyper-v or pfsense? Why are you bridging interfaces in pfsense? If that is the case..

    Do not use your host interfaces as switch ports... If you need switch ports - get a switch.. Is that what you're doing? A network drawing would be very helpful.. Some logs? Changing your wan from dhcp to static would have zero to do with your other config.. So clearly something else going on that has nothing to do with that.. But without actual info of what you did impossible to guess - to start with what 2 networks did you connect together with your nics? Remove that - what doesn't work?

  • VLAN DHCP Issue

    7
    0 Votes
    7 Posts
    1k Views
    JKnott

    @johnpoz said in VLAN DHCP Issue:

    Yeah we have been over this and over that.. They might not strip the tags - but they don't isolate either... So broadcast traffic is going to go everywhere no matter what vlan tag you put on it..

    How much broadcast traffic will there be on a small network, that it causes a problem? For example here, my only need for a VLAN is to support guest WiFi (which I wasn't able to do thanks to TP-Link and their access point which doesn't properly support VLANs). Will there be much more traffic if I didn't have a VLAN and all WiFi used the same SSID? Also, with IPv6, which I run on my network, there's no such thing as broadcasts, so that issue is going away. On the other hand, claiming a managed switch is needed just to pass VLANs is just plain wrong. I am not against a managed switch and encourage use of them, but I don't like people spreading false info. Before claiming an unmanaged switch can't be used, you really should understand the context. There really are some where a managed switch won't make much of a difference. As for isolation, how many people, other than guys like us, are even capable of configuring an interface to access VLANs? That is assuming the computer is even capable of it. My ThinkPad isn't. Will someone using the guest WiFi be able to snoop on local traffic? There are certainly reasons for managed switches, but there are also many situations where they don't buy much.

  • Dynamic DNS - failing to lookup WAN IP in 2.4.4

    11
    1 Votes
    11 Posts
    3k Views
    Z

    @jimp On my installation, the default route is set to the cable modem static gateway, so no gateway group issue in play for me.

    "Link#6" is igb5 which is my OPT4 interface going to the DSL modem. The modem has an IP of 192.168.254.254/24 (it's from Windstream), the pfSense box has .1, which we set statically.

    "Link #2" is igb1 which is the static IP (/30) from Spectrum / Time Warner Business.

    netstat -nr
    Routing tables

    Internet:
    Destination        Gateway            Flags     Netif Expire
    default            70.60.x.y          UGS         igb1
    1.0.0.1            192.168.254.254    UGHS        igb5
    1.1.1.1            70.60.x.y          UGHS        igb1
    4.2.2.4            192.168.254.254    UGHS        igb5
    4.2.2.5            70.60.x.y          UGHS        igb1
    8.8.4.4            192.168.254.254    UGHS        igb5
    8.8.8.8            70.60.x.y          UGHS        igb1
    9.9.9.9            70.60.x.y          UGHS        igb1
    10.17.0.0/24       link#1             U           igb0
    10.17.0.1          link#1             UHS         lo0
    10.254.254.0/24    10.254.254.2       UGS       ovpns1
    10.254.254.1       link#11            UHS         lo0
    10.254.254.2       link#11            UH        ovpns1
    70.60.x.w/30       link#2             U           igb1
    70.60.x.z          link#2             UHS         lo0
    127.0.0.1          link#8             UH          lo0
    149.112.112.112    192.168.254.254    UGHS        igb5
    192.168.254.0/24   link#6             U           igb5
    192.168.254.1      link#6             UHS         lo0

    ping -c 4 192.168.254.254
    PING 192.168.254.254 (192.168.254.254): 56 data bytes
    64 bytes from 192.168.254.254: icmp_seq=0 ttl=64 time=1.170 ms
    64 bytes from 192.168.254.254: icmp_seq=1 ttl=64 time=1.071 ms
    64 bytes from 192.168.254.254: icmp_seq=2 ttl=64 time=1.084 ms
    64 bytes from 192.168.254.254: icmp_seq=3 ttl=64 time=1.083 ms

    --- 192.168.254.254 ping statistics ---
    4 packets transmitted, 4 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 1.071/1.102/1.170/0.040 ms

    arp -i igb5 -a
    ? (192.168.254.254) at 4c:17:eb:21:26:09 on igb5 expires in 1178 seconds [ethernet]
    ? (192.168.254.1) at 00:08:a2:09:5a:15 on igb5 permanent [ethernet]

    traceroute -I -i igb5 checkip.dyndns.com
    traceroute: Warning: checkip.dyndns.com has multiple addresses; using 216.146.43.71
    traceroute to checkip.dyndns.com (216.146.43.71), 64 hops max, 48 byte packets
     1  * * *
     2  * * *
     3  * * *
     4  * * *
    ^C

    ping -c 4 -S 192.168.254.1 checkip.dyndns.com
    PING checkip.dyndns.com (216.146.43.71) from 192.168.254.1: 56 data bytes

    --- checkip.dyndns.com ping statistics ---
    4 packets transmitted, 0 packets received, 100.0% packet loss

    [This seems like it might be some of the problem...]

    It seems like I can't get a traceroute (ICMP) through the crappy DSL modem. However, apinger is not complaining about the connection being down, and it is set to ping 4.2.2.4 from that interface (instead of using the gateway IP). So maybe there's an apinger bug in play here and my connection is actually down but not correctly showing it?
    It would be immensely more helpful if BSD ping could be forced to send from a specific interface... I'm wondering if ping -S <int_ip> is trying to send the traffic out the wrong interface somehow and is maybe a red herring?

    So let's play some more - adding a static route to 216.146.43.71 (which is one of the IPs for checkip.dyndns.com) to force it through the DSL gateway:

    route add -host 216.146.43.71 192.168.254.254
    add host 216.146.43.71: gateway 192.168.254.254

    ping 216.146.43.71
    PING 216.146.43.71 (216.146.43.71): 56 data bytes
    64 bytes from 216.146.43.71: icmp_seq=0 ttl=49 time=149.241 ms
    64 bytes from 216.146.43.71: icmp_seq=1 ttl=49 time=150.749 ms
    64 bytes from 216.146.43.71: icmp_seq=2 ttl=49 time=151.432 ms
    ^C
    --- 216.146.43.71 ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss

    traceroute -I 216.146.43.71
    traceroute to 216.146.43.71 (216.146.43.71), 64 hops max, 48 byte packets
     1  192.168.254.254 (192.168.254.254)  1.165 ms  0.912 ms  0.930 ms
     2  h3.176.142.40.ip.windstream.net (40.142.176.3)  20.753 ms  20.375 ms  19.908 ms
     3  ae2-0.agr03.hdsn01-oh.us.windstream.net (40.136.113.108)  21.559 ms  22.031 ms  21.936 ms
     4  et9-0-0-0.cr01.cley01-oh.us.windstream.net (40.136.97.135)  24.981 ms  20.902 ms  24.131 ms
     5  et11-0-0-0.cr01.chcg01-il.us.windstream.net (40.128.248.71)  27.746 ms  30.224 ms  30.609 ms
     6  chi-b21-link.telia.net (80.239.194.41)  30.788 ms  32.021 ms  28.424 ms
     7  nyk-bb3-link.telia.net (80.91.246.163)  147.362 ms  149.769 ms  147.627 ms
     8  ldn-bb3-link.telia.net (62.115.135.95)  144.829 ms  144.190 ms  144.030 ms
     9  hbg-bb1-link.telia.net (80.91.249.11)  140.047 ms  132.839 ms  130.322 ms
    10  war-b1-link.telia.net (62.115.135.187)  145.479 ms  146.117 ms  145.660 ms
    11  dnsnet-ic-320436-war-b1.c.telia.net (213.248.68.135)  151.281 ms  147.401 ms  151.799 ms
    12  checkip.dyndns.com (216.146.43.71)  150.409 ms  152.881 ms  151.245 ms

    curl -v --interface igb5 http://216.146.43.71
    * Rebuilt URL to: http://216.146.43.71/
    *   Trying 216.146.43.71...
    * TCP_NODELAY set
    * Local Interface igb5 is ip 192.168.254.1 using address family 2
    * Local port: 0
    * Connected to 216.146.43.71 (216.146.43.71) port 80 (#0)
    > GET / HTTP/1.1
    > Host: 216.146.43.71
    > User-Agent: curl/7.61.1
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    < Content-Type: text/html
    < Server: DynDNS-CheckIP/1.0.1
    < Connection: close
    < Cache-Control: no-cache
    < Pragma: no-cache
    < Content-Length: 104
    <
    <html><head><title>Current IP Check</title></head><body>Current IP Address: 75.90.aaa.bbb</body></html>
    * Closing connection 0

    [!! WORKS !!]

    Something really weird is going on here. For whatever reason the traffic is not correctly egressing through the specified interface when using curl --interface, and it's only going the way we want if I manually add a static route. I'm not exactly sure how the PHP code is hitting checkip.dyndns.com directly via a given interface, but something has changed behavior-wise that is making this fail. (Guessing maybe it's an underlying OS thing at this point, but I suppose it could also be something with curl if that is just being called via PHP?)
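    An added example (editor's illustration, not code from the thread or from pfSense) of why binding the source address did nothing while a host route fixed it: the kernel's default route lookup is keyed on the destination only, so `ping -S` and `curl --interface` change the source of the packet but not the interface it leaves on. The script parses the routing table posted above (trimmed; the masked Spectrum addresses 70.60.x.y are replaced with the placeholder 70.60.1.x so the table parses) and does the same longest-prefix match the kernel does, before and after the `route add -host`.

```python
import ipaddress

# Constructed sample input: the `netstat -nr` table from the post, trimmed.
# 70.60.1.x stands in for the poster's masked 70.60.x.y (assumption).
NETSTAT_NR = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            70.60.1.1          UGS         igb1
1.0.0.1            192.168.254.254    UGHS        igb5
1.1.1.1            70.60.1.1          UGHS        igb1
4.2.2.4            192.168.254.254    UGHS        igb5
8.8.8.8            70.60.1.1          UGHS        igb1
10.17.0.0/24       link#1             U           igb0
10.17.0.1          link#1             UHS         lo0
70.60.1.0/30       link#2             U           igb1
70.60.1.2          link#2             UHS         lo0
127.0.0.1          link#8             UH          lo0
149.112.112.112    192.168.254.254    UGHS        igb5
192.168.254.0/24   link#6             U           igb5
192.168.254.1      link#6             UHS         lo0
"""


def parse_routes(text):
    """Parse `netstat -nr` IPv4 output into (network, gateway, flags, netif) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not (fields[0] == "default" or fields[0][0].isdigit()):
            continue  # skip headers, blank lines and section names
        dest, gateway, flags, netif = fields[:4]
        if dest == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif "/" in dest:
            net = ipaddress.ip_network(dest, strict=False)
        else:
            net = ipaddress.ip_network(dest + "/32")  # host route (H flag)
        routes.append((net, gateway, flags, netif))
    return routes


def lookup(routes, dst):
    """Longest-prefix match on the destination. That is all the default FIB
    lookup keys on: the source address chosen by `ping -S` or
    `curl --interface` is not part of the key, so it cannot move a packet
    to a different interface."""
    addr = ipaddress.ip_address(dst)
    best = None
    for route in routes:
        net = route[0]
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = route
    return best


def egress_for(routes, dst):
    """Interface a packet to `dst` leaves on, like the Netif of `route -n get`."""
    route = lookup(routes, dst)
    return route[3] if route else None


def add_host_route(routes, dst, gateway, netif):
    """Equivalent of `route add -host DST GATEWAY`: a /32 always beats the default."""
    routes.append((ipaddress.ip_network(dst + "/32"), gateway, "UGHS", netif))


if __name__ == "__main__":
    routes = parse_routes(NETSTAT_NR)
    # The gateway monitor IP has its own host route via the DSL modem, so the
    # gateway monitor sees the link as up...
    print("4.2.2.4       ->", egress_for(routes, "4.2.2.4"))        # igb5
    # ...while the check-IP host has no such route and falls through to the
    # default route, i.e. out the cable interface, whatever source was bound.
    print("216.146.43.71 ->", egress_for(routes, "216.146.43.71"))  # igb1
    add_host_route(routes, "216.146.43.71", "192.168.254.254", "igb5")
    print("216.146.43.71 ->", egress_for(routes, "216.146.43.71"))  # igb5
```

    On the real box `route -n get 216.146.43.71` shows the same answer. The practical consequence is that a per-interface monitor IP with its own host route says nothing about how other locally generated traffic (the dynamic DNS check included) is routed; forcing egress from the firewall itself needs a more specific route as the poster added, a separate FIB (`setfib`), or a pf `route-to` rule, not a bound source address.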

  • Does pfSense answer to DHCP Helpers/Relay yet?

    5
    0 Votes
    5 Posts
    962 Views
    T

    @derelict Damn, ok thanks.

  • Static WAN to Bridged Router

    7
    0 Votes
    7 Posts
    426 Views
    S

    Ok, all clear, thank you!

  • Cannot access Unbound Remote Control

    2
    0 Votes
    2 Posts
    2k Views
    jimp

    You need to pass it the full path to the config file.

    $ unbound-control -c /var/unbound/unbound.conf stats_noreset

  • pfSense DNS cache refresh interval

    19
    0 Votes
    19 Posts
    5k Views
    johnpoz

    Any time - I could discuss DNS for hours and hours ;) So if you ever have any questions about DNS just post a thread, I will more than likely see it and comment..

    The problem of when a firewall updates its aliases is a problem with pretty much every firewall I have worked with in the last 30 years, when a client might use or get something different. When there is more than 1 IP for some fqdn.. Be it based upon geo location of the query or some sort of round robin, or from a cache that resolves from a different location than the firewall/user, etc.

    It's not just pfsense that such issues can be seen on, that is for sure.. Blocking of url based stuff is normally done better with a proxy, so you can base the filter on the actual uri being requested vs the IP of said fqdn in the url.. A proxy also allows for filtering on path or other words in the url and not just the hostname portion, etc.

    DNS based lookups and blocking of the IP work fine when it's static sort of IPs returned, but when you're wanting to talk to something hosted on a CDN that returns lots of different IPs for the same fqdn then yeah you can run into complications.

  • Custom resolv.conf Options

    5
    0 Votes
    5 Posts
    710 Views
    T

    Ah okay, that would explain it, thanks!

  • DNS forwarder not working on query mode

    14
    0 Votes
    14 Posts
    1k Views
    KOM

    @derelict Haha I didn't actually mean to reply to you, but to him. No idea how that happened.

  • DNS Resolver, PPPoE, OpenVPN client (AirVPN) and outbound interface

    1
    0 Votes
    1 Posts
    239 Views
    No one has replied
  • 0 Votes
    4 Posts
    325 Views
    johnpoz

    ^ agreed, The online/offline status can be confusing to new users for sure.. It is not very helpful to be honest ;)

    The online/offline status would really only be valid if pfsense was actively arping for devices every X amount of time.. And even then the status would only show that something replied to arp for that IP Time-X ago..

    All it currently really tells you is that that IP is currently listed in the arp cache - and pfsense arp cache is actually fairly long..

  • DHCP failing when moving between AP's

    13
    0 Votes
    13 Posts
    3k Views
    johnpoz

    @jafr said in DHCP failing when moving between AP's:

    HP 2530

    Quick look shows that that switch can do dhcp snooping since I see in the manual dhcp snooping events for snmp.. So you need to look at the configuration of that switch or the port your AP is connected to.

    If pfsense does not see the discover for dhcp then no it would never offer an IP..

  • Wan DHCP Won't Update to new Dynamic IP Version 2.4.4

    3
    0 Votes
    3 Posts
    460 Views
    N

    @zprime It seems very similar for sure, and seeing you posted this 5 days ago and no replies doesn't make me feel very good. I wish I knew what was going on. I can hold my own but this problem is way out of my league, hence me asking for help.

  • DNS across VLANS

    15
    0 Votes
    15 Posts
    1k Views
    johnpoz

    you can query them by just host name if you add more search suffixes, you can have more than 1 and put them in order.. Your box will just do multiple queries with each suffix.
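    An added example (editor's illustration, not code from the thread or from pfSense) of the multiple queries a stub resolver actually sends when it has a search list. It parses a constructed resolv.conf (the suffixes lan.example.net, iot.example.net and guest.example.net are made up for the example) and produces the ordered list of fully qualified names the resolver tries, following the glibc/BIND rules: a trailing dot disables the search list, a name with at least `ndots` dots is tried as-is first, and otherwise every suffix is tried in order before the bare name.

```python
# Constructed sample resolv.conf; nothing here comes from the thread.
RESOLV_CONF = """\
nameserver 10.17.0.1
search lan.example.net iot.example.net guest.example.net
options ndots:1
"""


def parse_resolv_conf(text):
    """Return (search_list, ndots). `domain` and `search` override each
    other and the last one in the file wins, as in glibc; ndots defaults to 1."""
    search, ndots = [], 1
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, *args = line.split()
        if key == "search":
            search = args
        elif key == "domain":
            search = args[:1]
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return search, ndots


def query_candidates(name, search, ndots=1):
    """Fully qualified names the resolver tries for `name`, in order.

    - a trailing dot means absolute only, no suffix is ever appended;
    - a name with at least `ndots` dots is tried absolute first, then with
      each suffix in search-list order;
    - otherwise every suffix is tried first and the bare name last.
    Each entry is a separate query on the wire until one returns an answer."""
    if name.endswith("."):
        return [name]
    suffixed = [f"{name}.{suffix}." for suffix in search]
    absolute = f"{name}."
    if name.count(".") >= ndots:
        return [absolute] + suffixed
    return suffixed + [absolute]


if __name__ == "__main__":
    search, ndots = parse_resolv_conf(RESOLV_CONF)
    for name in ("printer", "nas.iot", "printer.lan.example.net."):
        print(name)
        for fqdn in query_candidates(name, search, ndots):
            print("   ", fqdn)
```

    The order matters: the first suffix that yields a record wins, so list the VLAN you want answered first, and a single-label name that exists in none of them costs one query per suffix plus the bare name before the client gets NXDOMAIN. On pfSense the list normally reaches clients through the DHCP server's domain search list option rather than by editing resolv.conf by hand.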

  • 0 Votes
    16 Posts
    2k Views
    P

    @rosch
    Okay, would have thought that would be there even if traffic was blocked. Perhaps it has some dynamic gateway monitoring or something that told it not to define that route when it wasn't available. The dhcp packet from the pfSense side wouldn't be any different though afaik. But well it's fixed :) I guess no further investigation is needed just to satisfy my curiosity 😉 . Thanks for reporting back 👍

  • DHCP Static Mapping Range (v2.4.4-release) [solved]

    6
    0 Votes
    6 Posts
    901 Views
    D

    @viragomann I have some "holes" between all my devices' IP list. I reserve IPs by kind of device and keep free IPs for future devices, I don't want to shift all my IP addresses because there is no IP available in the range I want to use. So maybe I will have to reduce my "holes" range to save extra space for the DHCP pool. This is another approach, it is quite different. Maybe I don't like to change my way to do it! Thanks for your reply ☺

  • setup multiple subnets with DHCP question

    19
    0 Votes
    19 Posts
    2k Views
    johnpoz

    @comet424 said in setup multiple subnets with DHCP question:

    house 1 200 feet away

    Is that 100 to 200 feet away or 1200 feet away?

    200 is not going to cut it... Let's look at this one for example
    https://www.canadacomputers.com/product_info.php?cPath=27_1045_349&item_id=071622

    Cameras look like 9w max each, that above switch says it can do 75 total... So you're right at the very limit.. And it's 50% over your budget.. And it's only 10 port with 8 of them being poe.. So doesn't leave you ports for much else.. The next size at 28 ports is close to $500..

    So you're talking 8 x 250ish or 2 Grand in cameras but you're at 200 for your switch to run your whole network??? Makes NO Sense!!

    You can save some money if you use power injectors with your cameras vs using a POE switch.. Many come with them, some you have to order separately. This allows you to inject power onto the ethernet without having a poe switch. This is fine when you have a couple of poe devices. But if you're wanting to run 6 or 8 cameras then yeah you're prob going to want a switch.. You could get say that low end one - but not a lot of wiggle room for total poe power available. And then you would want another smart switch for your non poe devices. Which would prob put you close to the cost of the bigger poe switch anyway.

  • DHCP wont Start Version 2.3.4

    8
    0 Votes
    8 Posts
    826 Views
    Grimson

    @rommelzkie said in DHCP wont Start Version 2.3.4:

    The problem happened when we had a power interruption last night. It forced our pfsense box to shut down forcefully.

    That likely corrupted the disk, take a backup of your config and do a fresh install. Preferably with a currently supported pfSense version, the 2.3 line is EOL and 2.3.4 isn't even the most current in the 2.3 line. Also get a UPS to protect against power interruptions.

  • Missing DHCP tab for additional interfaces

    1
    0 Votes
    1 Posts
    171 Views
    No one has replied
  • DHCPv6 Server - DDNS

    1
    0 Votes
    1 Posts
    275 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.