• Noob looking for advice with web filtering…

    5
    0 Votes
    5 Posts
    385 Views
    KOMK

    Do you maybe have a link with a proper tutorial on configuring this?

    Not specifically.  There are a million of them online.  Start with squid.  Get it working either transparently or explicitly.  Then add squidguard and get it working.  Ask for help if/when you get stuck.  That's how the rest of us learned.

    That said, the OpenDNS solution using their child-friendly DNS feature may be the quicker & easier solution for you, but less flexible.

  • DNS Resolver random timeout

    8
    0 Votes
    8 Posts
    4k Views
    F

    A temporary workaround that seems to be working so far is to use the BIND package.  IPv6 seems to work OK, I've yet to test some static assignments and pinging those.  It is promising so far.

  • No hostname shown with custom dynamic dns

    7
    0 Votes
    7 Posts
    2k Views
    GrimsonG

    https://redmine.pfsense.org/issues/7843

  • Hostname in "Custom" DynDNS client service type

    4
    0 Votes
    4 Posts
    3k Views
    R

    @cmb:

    The hostname goes in the update URL with custom entries. For strato specifically, it looks like it should be:

    http://dyndns.strato.com/nic/update/?hostname=myhost.example.com

    Old topic, I know. :O

    As far as I can see this worked for me (pfSense Version 2.4.2-RELEASE-p1 (amd64) )

    Thanks!

  • BIND DNS not returning records.

    11
    0 Votes
    11 Posts
    2k Views
    johnpozJ

    https://www.ietf.org/rfc/rfc1035.txt

    NSDNAME        A <domain-name> which specifies a host which should be authoritative for the specified class and domain.

    How is 192.168.1.1 a domain-name?  I suggest you read the rfc ;)

    Run your zone file through checkconf..

    Yes your NS record will need an A record for its name pointing to the IP, etc. .. But an IP is not a valid NS record..

  • Web pages not loading

    5
    0 Votes
    5 Posts
    503 Views
    KOMK

    Any extra packages installed, like squid?

  • Multiple wan Define

    3
    0 Votes
    3 Posts
    509 Views
    A

    Hi robina80,

    Thanks for the reply. As per your suggestion I created a rule; please find the attached screenshot file. But when I run MTR on the 192.168.2.10 host it goes through WAN 1 (MTNLFIBERCONNECTION)

    ![Divoice PBX.png](/public/imported_attachments/1/Divoice PBX.png)

  • Need help with DNS Resolver Settings

    2
    0 Votes
    2 Posts
    455 Views
    V

    For my Network Interfaces I have selected LAN, LAN2, VLAN1, etc…i.e. my internal interfaces.

    For my Outgoing Network interfaces I have selected my VPN only...I have all my DNS going out my VPN to minimize "DNS leaks". You might want to select WAN depending on your configuration and if this doesn't matter to you.

    If you are not using IPv6, there is no need to select it; however, from a housekeeping perspective, maybe consider turning this IPv6 off.

    Open to opinions if I am wrong...

  • DNS Forwarder dnsmasq not working

    3
    0 Votes
    3 Posts
    2k Views
    johnpozJ

    https://doc.pfsense.org/index.php/Wildcard_Records_in_DNS_Forwarder/Resolver

    your address has .sub which is wrong..

    address=/.sub.domain.io/127.0.0.1

    should be
    address=/sub.domain.io/127.0.0.1

  • DNS Resolver refreshing question

    4
    0 Votes
    4 Posts
    577 Views
    GertjanG

    "Apply changes" will recreate a config file, needed for unbound, the Resolver.
    Then unbound will get restarted - there is nothing you should do, or shouldn't do, to make that happen.

    You're checking this log : Status => System Logs => System => DNS Resolver, right ?

  • DNS Resolver fails when IPsec VPN is connected

    9
    0 Votes
    9 Posts
    581 Views
    Z

    I made a slight change to the DNS Resolver configuration last night.

    I changed Network Interfaces & Outgoing Network Interfaces from ALL and selected the specific interfaces needed.
    I also disabled the DHCP Registration & Static DHCP options.

    Since then it's been resolving fine. I'll keep monitoring but so far so good..

    Thanks

  • DNS Resolver causes a kernel panic reboot loop

    8
    0 Votes
    8 Posts
    1k Views
    K

    You got it there mate. There's definitely a race condition between the VPN and the DNS services at boot up.  :-\ When one of the two DNS services is silenced, everything is fine. Once the race condition happens and I let the system reboot several times, it gets out of the loop after some time.

    I have coded in assembly for several years and you cannot let this happen, never. Process priorities need to be taken care of, otherwise everything gets broken and it's a mess to troubleshoot. That's why low-level IRQs have always had different priorities. In higher level coding, these basic rules are sometimes left behind at the profit of faster deployment. This is definitely something that must be worked out in future pfSense versions.

    Besides that, I have to admit that pfsense kicks arse!  ;)

  • DNS Resolver to my modem and LAN

    5
    0 Votes
    5 Posts
    854 Views
    jahonixJ

    @RotorMotor2:

    I am using the DNS resolver … I used a DNS benchmark program to find the best DNS servers for me...

    Maybe read about DNS resolver and how it works!
    You will not need a single one of those in the list, they aren't used anyways with the resolver.

  • Mass DHCP edits

    5
    0 Votes
    5 Posts
    694 Views
    curtisgriceC

    Yeah I think I got it figured out. This was on a Cisco "Access port" un-tagged VLAN port for everyone else, and for some reason it was not tagging the packet on its way into the port so I still hit the "Native VLAN" which happens to be the one my device was connected to. It then let the un-tagged packet out the same port. Odd but hey, whatever. I rebooted the switch and it's working correctly now.

    That all aside, I would love to see some work done on the DHCP pages  ;)

  • Variables in Custom Dynamic DNS urls

    9
    0 Votes
    9 Posts
    3k Views
    GertjanG

    @SteffanCline:

    Same thing. The Custom page collects a username and password but does not send it as auth or provide a variable that I can see anywhere. Seems %IP% is the only one. So, why collect a u/p on this page?

    Just remove - or better - change u/p on that page and see if it still works  :D
    So, you know now that they are needed, and thus transmitted.
    To know how and why, check out the technical from the DynDNS you are using. If still questions, check out the source used by pfSense.

  • VLAN and Static Mapping

    2
    0 Votes
    2 Posts
    457 Views
    DerelictD

    What does VLAN mean to you? What did you do?

  • DNS Forwarder cache and configuration issues - Fresh eyes needed

    2
    0 Votes
    2 Posts
    543 Views
    GertjanG

    @rafaelr:

    DNS Forwarder cache and configuration issues - Fresh eyes needed

    Hello all,

    I haven't used dnsmasq in pfSense in a long time. Today, while testing DNS Forwarder in pfSense 2.4.2_1 (latest stable) I stumbled upon two issues:

    1- DNS Forwarder does not seem to be caching requests
    2- DNS Forwarder does not seem to read my custom /usr/local/etc/dnsmasq.conf file

    When I dig a domain I'm not getting any cached responses from DNS Forwarder

    I have later tried to use my own dnsmasq.conf configuration file but that hasn't helped me at all

    /usr/local/etc/dnsmasq.conf

    I have created a /usr/local/etc/dnsmasq.d directory to add additional .conf files but they do not seem to be loading at all.

    For example, I've added a blacklist.conf file to block a bunch of hosts and I don't get the response I'm expecting from dnsmasq. It's like it isn't even looking at the file.

    Hi,

    "Never ever" change these files directly. Use the GUI. That's what pfSense is all about.
    Extra options to include can be pasted (before rigorous checking) into the GUI, which maintains the settings files on disk.

    It's very well possible to set up dnsmasq manually - the old fashioned way, but in that case it might be better that you install a native FreeBSD, add the needed packages and create a firewall by hand. Then you have the possibility of editing files manually without consequences.

    Your last 7 images, those that show the settings used for the "DNS Blacklist generator" : the last image shows the path to something that could be related to unbound, not the forwarder.
    What are you using, the forwarder (dnsmasq) or the resolver (== unbound) ?

  • Force client get ip with /32 subnet in dhcp server

    10
    0 Votes
    10 Posts
    2k Views
    johnpozJ

    The article I linked to is exactly in line with your question on controlling broadcast traffic..  And as mentioned such a question is way better suited for their forums since you're using their hardware.

    As to client isolation on unifi - you have to enable guest policy on the ssid you want to use it, and if you do not want the captive portal just do not enable that in the policy section… Again that is best suited for their forums and documentation... But yes they do support it they just call it a bit differently than your typical soho AP that calls it client isolation or wifi isolation..

    If you do not put networks or hosts in the access control portion of guest policy then no clients would not be able to talk to anything on these networks or other wireless clients, etc.

    edit:  Here I found the doc for you
    https://help.ubnt.com/hc/en-us/articles/115000166827-UniFi-Wireless-Guest-Network-Setup#lan%20client%20isolation

  • WAN DHCP Problems since 2.4

    1
    0 Votes
    1 Posts
    648 Views
    No one has replied

  • Limit AAAA name resolution for specific hosts

    9
    0 Votes
    9 Posts
    787 Views
    johnpozJ

    You can do it in the gui too… Just a simple host override.

    Which should work for both the forwarder or unbound.  Just set it in whichever one you're using..  The command way would be for sure easier if you wanted to block a whole bunch of hosts.. There is a way to do it for a whole domain as well with unbound  python script..  There is a thread around here about that method to fix netflix over HE I think was the problem they were looking to correct with that method.

    edit:  Here is link to that thread about unbound python script.. Works..  So that is another option for you.
    https://forum.pfsense.org/index.php?topic=134352.msg737158#msg737158

    guiway.png

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.