• 0 Votes
    4 Posts
    447 Views
    johnpozJ

    you are correct sir - my bad, you need an allow rule to the opendns IPs above your block that is allowed by any.. Good catch and my bad..

  • DNS Resolver (Unbound) won't start

    3
    0 Votes
    3 Posts
    1k Views
    R

    The issue is still in there then.

    https://github.com/pfsense/FreeBSD-ports/commit/5fb1095cd2a5949f9f44fc985c0fe8aab77185ef.patch

    I applied the patch and things started working:

    : sockstat | grep 953
    unbound  unbound  80331 18 tcp4 127.0.0.1:953  *:*
    bind     named    73689 24 tcp4 127.0.0.1:8953 *:*

    Like stated in the issue I also would like to keep the control ports default (Bind: 953, Unbound: 8953), but for now this will work.

    Thanks a lot!

  • DNS request timed out on DNS resolver

    3
    0 Votes
    3 Posts
    861 Views
    johnpozJ

    Resolver and listen on lan port is default out of the box configuration, so it's not like you would have needed to do anything for that sort of setup..

    You sure your client is pointing to pfsense? What is the output of your nslookup command, is that pfsense lan IP?

    Did you mess with lan rules? Is the resolver actually running? As mentioned already going to need a bit more info to go on..

  • DHCP Pool for specific MACs

    14
    0 Votes
    14 Posts
    2k Views
    johnpozJ

    Ok... Got a VM... Here is the lease it just got
    192.168.2.216 02:11:32:25:fa:2d clean 2018/08/06 18:15:23 2018/08/08 18:15:23

    That is out of the normal pool...So going to deny its 02:11:32, and put that into a different pool for allow.. Then do a reboot of that vm..


    So on reboot client got
    192.168.2.40 02:11:32:25:fa:2d clean 2018/08/06 18:34:48 2018/08/08 18:34:48

    And in log.

    Aug 6 13:34:48 dhcpd DHCPACK on 192.168.2.40 to 02:11:32:25:fa:2d (clean) via igb2
    Aug 6 13:34:48 dhcpd DHCPREQUEST for 192.168.2.40 (192.168.2.253) from 02:11:32:25:fa:2d (clean) via igb2
    Aug 6 13:34:48 dhcpd DHCPOFFER on 192.168.2.40 to 02:11:32:25:fa:2d (clean) via igb2
    Aug 6 13:34:47 dhcpd DHCPDISCOVER from 02:11:32:25:fa:2d via igb2
    Aug 6 13:34:35 dhcpd DHCPRELEASE of 192.168.2.216 from 02:11:32:25:fa:2d (clean) via igb2 (found)

    Worked exactly how it should..

    edit
    Ok so I now removed that extra pool... And rebooted that vm again... And now it's getting told to F no free leases for you ;)
    Aug 6 13:45:32 dhcpd DHCPDISCOVER from 02:11:32:25:fa:2d via igb2: network 192.168.2.0/24: no free leases
    Aug 6 13:45:24 dhcpd DHCPDISCOVER from 02:11:32:25:fa:2d via igb2: network 192.168.2.0/24: no free leases
    Aug 6 13:45:21 dhcpd DHCPDISCOVER from 02:11:32:25:fa:2d via igb2: network 192.168.2.0/24: no free leases
    Aug 6 13:45:17 dhcpd DHCPDISCOVER from 02:11:32:25:fa:2d via igb2: network 192.168.2.0/24: no free leases
    Aug 6 13:45:14 dhcpd DHCPDISCOVER from 02:11:32:25:fa:2d via igb2: network 192.168.2.0/24: no free leases

    So my take would be your other pool you created is not correct, or don't have the allow setup correct on it? Or it didn't get started? etc..

    So I removed the block mac listing on the normal pool and bam client got its IP..

    Aug 6 13:48:47 dhcpd DHCPACK on 192.168.2.216 to 02:11:32:25:fa:2d (clean) via igb2
    Aug 6 13:48:47 dhcpd DHCPREQUEST for 192.168.2.216 (192.168.2.253) from 02:11:32:25:fa:2d (clean) via igb2
    Aug 6 13:48:47 dhcpd DHCPOFFER on 192.168.2.216 to 02:11:32:25:fa:2d (clean) via igb2
    Aug 6 13:48:46 dhcpd DHCPDISCOVER from 02:11:32:25:fa:2d via igb2
    Aug 6 13:48:46 dhcpd Server starting service.

  • 0 Votes
    4 Posts
    384 Views
    R

    And I got a developer response too, shit.

    I did, and do have pfil_member set to 0, and pfil_bridge set to 1.

    Rules were set to proto any, source any, dest any...
    I'll reattempt either tonight or in the next day or two with one of my unused physical interfaces and let you know.

  • Reverse and recursive dns configuration

    5
    0 Votes
    5 Posts
    609 Views
    D

    @johnpoz said in Reverse and recursive dns configuration:

    Same here - I do not understand what you are asking... Maybe you would be better in your natural language section ;)

    Thank you

  • Pfsense + Windows 2016 (AD DNS DHCP) seeking help

    5
    0 Votes
    5 Posts
    491 Views
    M

    My network looks almost as in the picture and detailed info as below


    Pfsense:
    WAN Internet
    LAN1 192.168.10.1 = Subnet1 = DHCP DNS = Clients Subnet1
    LAN2 192.168.20.1 = Subnet2 = DHCP DNS = Ext + (Win2016) + Int. => Client Subnet2

    Win2016 (DC DHCP DNS)
    Ext = 192.168.20.200
    Int = 192.168.30.1
    Client Subnet2 = 192.168.30.0/24

    I believe I have to set up NAT but I cannot find instructions on how to do NAT for the entire Windows subnet?

    Minh

  • Multi-site pfsense with AD in the cloud (AWS)

    1
    0 Votes
    1 Posts
    185 Views
    No one has replied
  • Dynamic DNS - I want the private IP address

    6
    0 Votes
    6 Posts
    998 Views
    M

    @jimp Thanks. I'll look in to this option :)

  • DNS Resolver not working with 'out of box' install (forwarder fine)

    3
    0 Votes
    3 Posts
    450 Views
    S

    @jimp Disabling DNSSEC is what did it. Previously I had just checked the forwarding check box without removing DNSSEC.

    Thanks for the help.

  • 0 Votes
    12 Posts
    3k Views
    johnpozJ

    Well let us know when it fails again - and when it does please validate if local hosts resolve - ie your host overrides or any static registered devices.. pfsense own name for example.

    Now just need to wait I guess.

  • Following upstream gateway change, pfSense on VBox fails to get WAN IP.

    3
    0 Votes
    3 Posts
    733 Views
    N

    Thank you for the tip, but it did not work, unfortunately. I think if this solution works, rebooting would have worked as well since that would definitely trigger a link-down event. I am wondering if the same issue would happen with a real hardware instance of pfSense or the issue is just limited to VirtualBox. Either the VBox virtual NIC has bad data it can't get rid of until I change the MAC address or there is something in pfSense I need to tweak.

  • DHCP lease expiring/devices losing connection

    8
    0 Votes
    8 Posts
    1k Views
    T

    So last night I shut everything down, changed the AP’s cable from opt1 to LAN, restarted everything in sequential order and then assigned the AP a static IP.
    Now everything is functioning as it should. But since I changed two things I don’t really know what fixed it.
    Just glad it’s currently working until the switch is delivered

  • Configure DHCP pool for specific switchports

    4
    0 Votes
    4 Posts
    540 Views
    MikeV7896M

    To combine the two responses so far... like Derelict says, a separate subnet for the bench would be the best way to go... separate address range, you can manage where devices you're working on can go separate from everything else, etc... whether you use a separate interface on your pfSense box (if you have an unused interface to dedicate to the cause), or use VLANs and a managed switch, that's up to you.

    Then you can set limiters on your main network, firewall rules to prevent your bench network from accessing the main network (or vice versa), and things of that sort.

  • Isolation IPs from the wired network of the same subnet

    28
    0 Votes
    28 Posts
    5k Views
    DerelictD

    Right. That is Cisco's private vlan edge. Brocade calls it uplink ports which makes all non-uplink ports on a VLAN isolated from everything but the configured uplink ports. This can be more flexible than cisco's protected ports because it is configured per-VLAN. Some switches have port isolation built in. Some can do it with asymmetric VLANs. The SG-3100 and XG-7100 can do it (on the built in switch) using a similar method.

    Then there are true private VLANs which are harder to implement because to fully support it everything has to support it on VLAN trunk ports (APs, etc). It gets really complicated when you start trunking switches/gear together.

  • DNS irrelevant with ATT Fiber?

    12
    0 Votes
    12 Posts
    2k Views
    A

    @virgiliomi Right, it's how I did it actually using a different guide - that was just the first one that came up from a search.

  • No DHCPOFFERs on wifi interface QOTOM box

    4
    0 Votes
    4 Posts
    566 Views
    J

    Problem bypassed (not solved):

    Using an ALFA AUS051NH did the trick. I suppose the QOTOM box's wireless adapter (reports as ath0) and pfsense just don't play well together. This being posted from wireless on this box.

  • 0 Votes
    6 Posts
    1k Views
    M

    It worked. I just didn't type "ifconfig /flushdns".
    Thank you, Sir.

  • need to resolve external website ip instead of internal dns ip

    15
    0 Votes
    15 Posts
    3k Views
    lifeboyL

    @jeetu3363 you're confusing me completely here. What you said you were trying to achieve and what you did doesn't match up. Maybe try to explain more clearly what your setup is next time, then you'll get better answers.

  • Accessing external domain from inside

    29
    0 Votes
    29 Posts
    5k Views
    A

    @nich17 said in Accessing external domain from inside:

    @johnpoz @kpa @viragomann

    I enabled the dns forwarder, now the dns server on the clients points to pfsense (192.168.0.254). I've written our internal domain on the domain override.
    Internet works well, our internal domain works well, our external domain works well if you access it from outside our network, but when I access the external domain from inside the network, it's always the same thing, it points me to pfsense.
    It points me to pfsense (192.168.0.254) and it's giving me the dns rebind error. I disabled the rebinding and, as I said, it points me to pfsense.

    Can someone help me?

    Hang on a second, how is your external domain resolving to an internal IP if you have only added your internal domain to the Domain Overrides?

    I think you might be confusing terminology here.

    Domain Overrides tells the DNS forwarder to use a different upstream DNS server for that specific domain.
    Host Overrides tells the DNS forwarder to IGNORE all other DNS servers and send back the IP address specified for those hostnames. As such, I believe you don't even need an internal DNS server beyond pfSense, it's much easier to manage all your internal DNS from within pfSense itself.

    If you are wanting the external domain to resolve to internal IPs then you should be putting THAT into Host Overrides.

    eg My public IP resolves to server.my.domain at my domain's DNS host, in pfSense I have a Host Override for server.my.domain that points to its internal IP address. So when inside the LAN it resolves to the internal IP. I rarely ever use the internal domain for that server as it's not necessary.

    If you want to wildcard the whole domain (so that server1.my.domain, server2.my.domain, etc all point to the same IP address without having to add each one manually), you have to use custom options and add:

    address=/my.domain/<SERVER ADDRESS>

    Replacing my.domain with your external domain and <SERVER ADDRESS> with your server's IP.

    If you use DNS Resolver it works exactly the same except the custom option is:

    server:
    local-zone: "my.domain" redirect
    local-data: "my.domain 86400 IN A <SERVER ADDRESS>"
