I am and fu**kingidiot.  My issue is when I added the DMZ interface, I didn't configure any rules to allow traffic to pass.

I am so much better than that better than that.

Sorry.

Randy

????

The DNS TTL only affects devices that have queried the name.  If a device hasn't requested an IP for the host name it will not have the address in it's cache.  So, let the new device boot up, get it's MAC, create the static entry and point the host name to it.  Then, when some other device queries that name, it will get the static address.

I think you may be imaging problems that don't exist.  You'd only have to worry about DNS TTL if a host name had been in use and then the address changed.  The TTL only affect pfSense for host names learned from elsewhere.  When you control the host names on a local DNS, for local devices, there's no cache in pfSense to worry about, as it will rely on what's saved in /etc/hosts.

Oh yeah, I updated from 2.4 to 2.4.2 today, so maybe something between the two versions changed and why now maybe it no longer likes the stats config line?

Thanks for all your suggestions. The problem was when I assigned the IP the default netmask was set to 32 which I did not notice. I've updated the netmask to 24 which has solved the issue.

Thanks again everyone for your help :).

@gjaltemba:

Did you try Other Options -> Dynamic DNS -> Advanced

That option is for registration of hosts into a remote DYNDNS compatible DNS server. Probably totally not related to the question.

I am on IOS 11.2….no issues here. Been working good...

I had an issue +/-30 days ago(a few times) when I restarted pfsense...strange but it only connected when a non Apple product went online first in my network(then worked going forward). Haven't seen this issue again...

I also had challenges when I was changing DNS settings in pfSense...

No recent issues on any Apple on my network, including iPad, AppleTV, iPhone(various models).

If it is working on other WLANs OK...I would look at: Do you have fixed IPs by WLAN? Aliases with this iPhone included? Rules with an alias? Did you try "renewing" lease on the iPhone?

I found something. Both nodes are unable to communicate between them.

SNAT on loopback is translated to "interface address" so it should be good.

I did a firewall alias with both real IPs 10.6.0.1 and 10.6.0.2 and I added a rule on interface "GUESTS1006" like:
any protocol source "alias" to interface address

no way! nodes can't ping each other.

By the way, I have an other interface with CARP, on other subnet and nodes can ping each other. I can't see difference… Both interface are VLAN, CARP configuration is exactly the same, SNAT too. Diff is on firewall rules but I tried a any2any rule on GUESTS1006 and does not work. No packets matches the rule, I can't explain.

Hmm it’s indeed a good idea to move over to static ips for important devices and leave clients as they are.
But wouldn’t there be a reasonable solution? Like a conf reload for unbound instead of a restart?

I realized I never attached my rules on my original post so adding them now.

I tried shutting down my firewall a few times to replicate but I have struggled to replicate this issue in the last few days….

I have decided to test the "policy filtering" in what was detailed in this post below:

https://www.infotechwerx.com/blog/Prevent-Any-Traffic-VPN-Hosts-Egressing-WAN

I added a "mark" of  "NO_WAN_EGRESS"  to my rule #1 and rule #3 and a "Quick" floating rule with my outgoing WAN per the blog....

Beyond the "tin foil hat"/DNS leak/ISP monitoring concern (I admit I am one of those!) this seems like a possible attack path for a malicious actor. Simply attack and restart a vulnerable downstream modem(seems like a lot of them are already vulnerable), briefly shutdown the OpenVPN connection and then monitor the ongoing traffic of the unencrypted traffic after a modem restart that ensues(while the user thinks they are using a VPN)? The only reason I discovered my DNS was going through my Cable company was I happened to do a DNSleak test one morning....

I'll surely report back if this solution doesn't work....thank you pfSense you are the rock in my network!

Happy holidays,
V


^ exactly.. My whole point with just more wording ;)

@JKnott:

Here's the capture file, for anyone who's interested.

Take a look at how the DHCP server address keeps changing.  In this capture I see:
10.217.176.1
10.217.16.1
10.189.104.1
10.215.208.1

The requests are being NAK'd for having the wrong network address, but has the the wrong adddress because that's what it was previously assigned!

UNBELIEVEABLE!!!

No wonder this connection is so screwed up!  With a /22 subnet mask, it's being told to use a DHCP server that's on a different subnet.

BTW, this happens with both Linux & Windows.  My Android tablet also has problems with this.

Also, can't you just set up DHCP to give the IP address of your AD Domain Controller for DNS?  This way all Windows clients in your Winlab will send all DNS traffic to the domain controller instead of to pfSense.  This is simpler than the port forward option above.

@kejianshi:

Why should netflix work and amazon not?  That is fairly backwards

That's never made sense to me.  All else being equal, why would Amazon work when using the Asus router for OpenVPN but Amazon doesn't work when using pfSense for OpenVPN?  So weird.  lovan6 says the configurations are exactly the same, which means we should expect the same results.  shrug

Yeah someone put up some instructions how to use python script for specific domains a while back

here it is
https://forum.pfsense.org/index.php?topic=134352.0

Just modify it to do more than netflix.

Seeing if pfsense can in itself lookup up dns would be a good start as finger79 suggests.

Out of the box pfsense would resolve, and its interface out to dhcp clients for dns.

What is in front of pfsense - could it be blocking resolving?  Which is different than forwarding.. it will walk down from roots, and talk to the authoritative servers down the chain until it gets to the authoritative ns for the domain your actually looking for a record in.

ISP that intercepts dns could cause issues with that.  Is unbound actually starting?  You should be able to see that in the pfsense logs.  ISP that blocks outbound dns could also prevent that from working - its possible your isp only allows dns to NS it runs on the isp network?

Try with:

Its a simple host override..

your server sits on 192.168.1.100, create a host override either in the resolver or the forwarder which ever your using.. To point your fqdn www.domain.com to 192.168.1.100

There is no rebind attack in this scenario… There would be for sure if your public dns is pointing to a rfc1918 address?  Did you try and do that on your public dns?  Host override is done on pfsense.  So clients using pfsense get this answer.. Clients on the public internet would get whatever your public IP is for your pfsense wan address and be forwarded in.

Wan is set up as DHCP, was unsure if I need to spoof the MAC tho?

Hello!

The DNS resolver configuration page has a setting where you can select outgoing interfaces for DNS traffic. Select your VPN interface to direct your DNS queries there. You also need to ensure that your DHCP server is configuring the desired LAN clients to use pfSense's DNS resolver by adding the firewall's inside interface IP for the specified LAN which your DHCP server is listening on. This change can be made in your DHCP server settings menu. Also make sure the clients themselves are not specifying an undesired DNS server in their network configuration on those devices.

With query forwarding enabled, you can send the DNS traffic to a DNS service you specify in system > general, you can also specify which gateway the given DNS query will use. Otherwise if query forwarding is disabled, unbound will query the root name servers directly using the interface selected in the outbound network interfaces section.

If you are using query forwarding and you have a couple of DNS servers in your System > General configuration which are using different gateways, be aware that it appears to me that the resolver will forward the DNS query to all servers listed in the system > general configuration menu, through the gateways designated there for each query sent.

If I have misunderstood your question, please let me know as I would like to be helpful.