  • Unbound dns discovery

    4
    0 Votes
    4 Posts
    1k Views
    johnpozJ

    There was a huge thread about this papercut stuff.. I do not recall how it turned out… I had installed their software and looked at it but then got sidetracked.. What I recall is their software was borked from there to sunset...

  • Performance issue

    2
    0 Votes
    2 Posts
    580 Views
    M

    This is an interesting article and may help explain what I'm seeing:

    https://www.easydns.com/blog/2011/05/02/dns-speeds-debunked/

  • Assistance with VPN & DNS

    2
    0 Votes
    2 Posts
    635 Views
    J

    I'm not sure if you are still trying to figure this out. But this is how you make it work:

    1. Go to Status > OpenVPN and copy the "Virtual Address" of the desired NordVPN connection
    2. Go to Services > DHCP Server and scroll down to "DNS Servers" under the servers section. Paste the VPN virtual address to DNS Server 1
    3. Save and apply
    4. Restart your Desktop's network card or restart PC
    5. Test

    5.1 If it still doesn't work, you may need to set your VPN interface as your default gateway by going to System > Routing > Gateways
    5.2 Click edit and check "Default Gateway"
    5.3 Save/Apply

    6. Enjoy!

  • Wyse cx0 won't connect to pfsense router - thin client

    8
    0 Votes
    8 Posts
    1k Views
    L

    I found what was the problem, but not why.

    I brought my laptop out to get access to xp on it so I could prep a new flash drive for flashing a new image on the thin client and I couldn't connect to the wifi access point that is connected to a router setup in router mode. Everything out here except one item is wired to the router and I've never had an issue with that one item. In fact it reports to an MQTT broker every 15 seconds and received commands etc… Never had an issue. Otherwise, everything else out there is ethernet.

    Anyways, I decided to disconnect the wireless ap from the router and instantly the wyse thin client could get DHCP. I also tried the thin client connected with ethernet directly to the router and to the wifi access point via ethernet and neither would work.

    I try to do a tracert on the thin client to see the path and it gives me over 30 hops and doesn't report each individual hop. Any idea how I can troubleshoot this? There DEFINITELY should not be 30 hops. There might be 5-6 hops/devices between the gateway and the thin client. That is absolutely the most. Almost seems like it must loop somehow. The ping on it is 1ms nearly every time, so it doesn't appear to be getting delayed anywhere.

  • DHCP/DNS/GUI bug - Dynamic addresses registering under incorrect domain

    2
    0 Votes
    2 Posts
    275 Views
    J

    It appears this is Bug #1819, over six years old.  Yipes!

    That's not encouraging.

  • Changed netmask to /20 and now no internet

    33
    0 Votes
    33 Posts
    2k Views
    Z

    Well, this next week is an excellent time for me to mess with my network as most of the staff is on holidays and whatever staff is here, they will be "hardly" working. I'll try out VLANs on a portion of the network and see if I make it better or screw it up more. I'll post updates.

    Thank you everyone for their help.

  • RDP to hostname.

    9
    0 Votes
    9 Posts
    2k Views
    jahonixJ

    @PiBa:

    …don't send the hostname ... readable from the first data packet/bytes passing over the tcp connection where the client speaks first

    Thanks, you learn something new every day.

  • Problem setting up pfBlockerNG under pfSense VM

    1
    0 Votes
    1 Posts
    264 Views
    No one has replied
  • ACME, Google Domains and Method for challenge response

    3
    0 Votes
    3 Posts
    3k Views
    M

    Well, I was able to get the certificate signed using port 443 and standalone mode. I disabled my vpn server and ran the commands. I am just going to manually renew it every 120 days. Thanks for the help; hopefully I will find a better solution. It is just for my house, so not a big deal.

  • Dynamic DNS update for DigitalOcean DNS

    3
    0 Votes
    3 Posts
    1k Views
    A

    Maybe a late reply, but has any of you found a solution? I found a pretty good one; if you want it I can post it here, can't remember where I found it though.

  • DHCP Relay not working on VLANS

    1
    0 Votes
    1 Posts
    656 Views
    No one has replied
  • Client last transaction time not updating

    1
    0 Votes
    1 Posts
    532 Views
    No one has replied
  • DNS name resolution

    3
    0 Votes
    3 Posts
    946 Views
    D

    I have the same issue. A client machine comes in from an OpenVPN connection and connects successfully, using IP address, however, name resolution does not work. I have added the domain override in the DNS Resolver settings and I am still not able to resolve names, only IP addresses. I am not using PFSense for DHCP on my LAN. I have a Windows Active Directory setup and utilize Windows server for DHCP and DNS. How could I get this to work, or is there a recommended configuration for a Windows AD environment?

  • Additional IP pools

    2
    0 Votes
    2 Posts
    365 Views
    JKnottJ

    The DHCP pool is a separate setting on the DHCP page.  Address range has nothing to do with DNS.  You configure the DNS records to match the host address.  NAT is only a factor, if you have rules for incoming traffic.

  • DHCP on two different interfaces

    6
    0 Votes
    6 Posts
    682 Views
    johnpozJ

    multiple wans could have ZERO to do with it.. Zero…  He could have zero wans, or 100 wans nothing to do with dhcp servers running on lan side interfaces..

    Basic layer 2 problem here.. Either he does not have his networks isolated like he thinks, or he has some other dhcp server running on that layer 2 handing out the wrong network ip range.

  • Arris TM1602 Cable Modem -> Netgate SG-1000 WAN = No IP

    7
    0 Votes
    7 Posts
    2k Views
    GertjanG

    What ?
    Do we need more than 4 coppers between 2 NIC's ? Shouldn't I use those phone wires ?
    ;D

  • Setup Pfsense for Internal DNS

    7
    0 Votes
    7 Posts
    62k Views
    johnpozJ

    just .lan - single label?  Ugghh How about something.lan

    So you can not find some fqdn media.lan with nslookup.. What response did you get.. if you were asking pfsense running unbound asking for something it could not resolve you would get nx… Is that what you got?

    media.lan                                                   
    Server:  sg4860.local.lan                                     
    Address:  192.168.9.253

    *** sg4860.local.lan can't find media.lan: Non-existent domain

    Or was your client asking something other than unbound running on pfsense?  What does nslookup return as the server.. even on linux tells you that..

    media.lan
    Server:        127.0.0.1
    Address:        127.0.0.1#53

    ** server can't find media.lan: NXDOMAIN

    if you're seeing something like that - says the linux box is pointing to local cache like dnsmasq... So you need to figure out where the linux box is actually pointing to..  likely you're getting it from dhcp and you will see something like

    user@ubuntu:~$ cat /etc/resolv.conf

    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    #    DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    nameserver 127.0.0.1
    search local.lan
    options single-request-reopen
    user@ubuntu:~$

    In your /etc/resolv.conf -- you need to correctly configure your clients to use pfsense, and you need to make sure the entries you want to resolve are in there - be it via dhcp adding them, or static adding them or even a host override.

    My guess is your linux boxes are being handed that 8.8.8.8 you want to forward to via dhcp you're running.  And so no they will never be able to resolve your local stuff.

  • 2.4.x How to enable DHCP server in DMZ?

    2
    0 Votes
    2 Posts
    558 Views
    GrimsonG

    https://forum.pfsense.org/index.php?topic=140910.0

  • DNS Routing issue - pfblockerNG and OpenVPN Client

    5
    0 Votes
    5 Posts
    3k Views
    F

    Hello

    Thanks for the link to the German DNSSEC testing website. It confirms that Unbound on my pfsense box is operating in secure mode. Strangely when undertaking a dnslookup all my responses are still qualified as “non-authoritative”.

    I have noted your various other tips (for which many thanks) and I shall bear these in mind.

    Once again many thanks for your interest

  • Quad9 and DNS-over-TLS

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.