• DNS server on different interface subnet

    0 Votes · 2 Posts · 344 Views
    G: Ensure that the Resolver is configured to respond to queries on LAN2. For the LAN2 DHCP server, leave DNS blank to use the system default, which would be the LAN2 address. For the firewall, add a pass rule for LAN2 net to LAN2 address on port 53.
  • /var/dhcpd/dev is showing 100% should I be worried?

    0 Votes · 2 Posts · 1k Views
    Derelict: No, that is fine. It is simply the /dev directory that is in the dhcpd chroot environment, just like the other /dev. It is a special filesystem for representing device nodes. It always shows 100% used.
  • Disable caching for Domain Override? (DNS Resolver)

    0 Votes · 5 Posts · 2k Views
    G: You should not be getting new IPs.. Unless your MAC was changing you should renew the same lease you got before. You could most likely fix any such odd behavior by setting a DHCP reservation so that MAC xx:xx:xx:xx:xx:xx always gets the same IP.

    I shouldn't be getting new IPs; they're bare metal boxes with only one NIC, so the MACs are definitely not changing. There's gotta be something unique to the requests that's causing the IP to increment, no clue what that might be. Maybe an option in the pfSense DHCP settings would reveal it? I scanned through and didn't see anything that jumped out at me. I'll try the DHCP reservation, I think you're right, maybe that will settle things out.

    What part registers the DNS where? You're doing a domain override to this Foreman.. The node then registers itself with the Foreman NS.. What sort of TTLs are being set up when they register their names? I think all your problems go away when you figure out why the box is getting a different IP via DHCP..

    Hosts have a lifecycle when managed and auto-provisioned by Foreman. When they initially boot (and Foreman has no record of them), they PXE boot into a barebones "Foreman Discovery Image". It gathers a bunch of facts about the machine like NIC info, MAC, other stats, and registers itself with the main Foreman box as a "Discovered Host". If you have things set up for auto provisioning, Foreman will assign it to a "Host Group", and decide based on some configuration logic what OS to kickstart that machine with. I think it shuffles around the PXE boot configuration based on that machine's MAC, and then reboots it into the correct OS kickstart to install the OS on disk. At this point, I believe the "Discovered Host" is graduated to a "Managed Host", and Foreman creates an A record for the host in its NS. After the OS install concludes, PXE boot configs are shuffled around again to tell the box to boot from local disk. Everything should be humming along at this point, with Puppet periodically reporting the state of the machine to Foreman. I needed to configure Foreman to set the NS record with each of these reports, since I was seeing the record's IP off by one with the IP increment of the last reboot.

    This looks like pretty fun stuff.. Think I found something to play with this weekend.. I should be able to set up a couple of nodes just on a VM, etc.

    It's been a great learning experience! Interested to hear if you're seeing similar things with IP drift. I'll try to lock things down with a reservation.
  • DNS Forwarder: Adding domain overrides to /cf/conf/config.xml

    0 Votes · 1 Post · 295 Views
    No one has replied
  • Serve-expired setting

    0 Votes · 4 Posts · 2k Views
    johnpoz: Do you have prefetch enabled in the advanced section? If so, your popular items should never really expire to TTL 0, since they will be updated before they expire when a client asks for that record, etc. I do not recall if that is on out of the box or not. This option is prob better for you if you're slow to resolve..
  • Refused notify from non-master

    0 Votes · 11 Posts · 2k Views
    johnpoz: Have seen that specific error all the time.. Normally it's a configuration problem with the slave not accepting the notify.. If you're seeing a lot of it, and you're not actually making changes on the master.. And the IPs are not really your master - then it could be some lame attack attempt.. Without a clue to your actual configuration.. for all we know you set up your notify to send to your public IP to be NAT reflected and you're source NATting? Without anything to work with - it's just all blind guessing.
  • DHCP relay Hyper-V issue

    0 Votes · 1 Post · 456 Views
    No one has replied
  • Problem Client dhcp leases

    0 Votes · 1 Post · 319 Views
    No one has replied
  • Static ARP Entries for Another Subnet

    0 Votes · 16 Posts · 3k Views
    johnpoz: This is why these devices blow.. They are designed to be the edge router, and not just an AP.. Not really designed to send the traffic VLANs out the LAN ports. Can you put it in AP and tie the WAN into br0 and then just add your WiFi SSID VLANs to br0? Can you not just add your WiFi with the VLAN on it to br0? And then have that VLAN tagged on the port connected to pfSense? Be it port 1, 2, 3 or 4? If they have limits on br0, then ok, create another bridge.. But what you need to happen.. Is you need these VLANs on the port that is connected to a port that is connected to pfSense. If you're going to then use this br to admin the device, then that is the IP you would use..
  • Legend for DHCP icons?

    0 Votes · 3 Posts · 510 Views
    ?: @gjaltemba: I am unable to find any documentation for this DHCP icon but I will guess that the icon is for a reservation.

    It very well could be, but I don't have any DHCP reservations on this pfSense box. Interesting.
  • Resolving of windows server network name

    0 Votes · 1 Post · 324 Views
    No one has replied
  • System failed to register host (A or AAAA) resource records (RRs)

    0 Votes · 2 Posts · 7k Views
    M: Did you ever try this? Below is the language from the pfSense domain config area: "Do not use '.local' as the final part of the domain (TLD). The '.local' domain is widely used by mDNS (including Avahi and Apple OS X's Bonjour/Rendezvous/AirPrint/AirPlay), and some Windows systems and networked devices. These will not network correctly if the router uses '.local'. Alternatives such as '.local.lan' or '.mylocal' are safe."
  • DHCP relay failing when VLANs on separate physical interfaces

    Locked
    0 Votes · 3 Posts · 1k Views
    B: For future reference in case anyone else should hit this, it ended up being a bug in the Ubiquiti switch: https://community.ubnt.com/t5/UniFi-Routing-Switching/Disable-DHCP-Snooping-on-USW/m-p/1510229/highlight/true
  • DNS Forward: DC is accessed through (slow) tunnel

    0 Votes · 1 Post · 278 Views
    No one has replied
  • Dhcpd: how to set gateway none to a specific client

    0 Votes · 12 Posts · 1k Views
    johnpoz: Well that sort of setup is pretty borked already if you ask me… But anyway - I tested this.. And it's not left blank, just use none.. As I said I had not had to edit a dhcpd.conf directly in a while.. So I edited that test host I was playing with to show you loopback.. So I killed dhcpd with killall -3 dhcpd, I then edited the dhcpd.conf, I then restarted it.. from the cmd line.. you can find your start command with.. ps axww | grep dhcpd
    You could always create a file that does this for you and have it auto start in rc.d that loads your specific conf.. Once you do stuff like this the GUI is going to overwrite stuff, etc.. Anyway you can see I edited so it's none; for your routers and DNS. Then started dhcpd.. I then did a release and renew on that client. You can see that it had loopback, then when I had it get a new lease it got nothing for gateway and DNS. I sniffed this traffic and you can see in the offer that router and DNS were not even in the offer.

    edit: This is a hack of a workaround for sure.. I would suggest you put in a feature request on redmine to allow for none on the DHCP reservation screens.. Since it clearly takes that value as input. [image: dhcpnone.png]
  • DHCP6 lease hostname not registering in DNS (unbound)

    0 Votes · 1 Post · 256 Views
    No one has replied
  • DNS Resolver? OpenDNS? Port 53?

    0 Votes · 3 Posts · 1k Views
    johnpoz: "have defined a couple DNS servers (not my ISP's) for pfSense to use them during upgrades and such." Why do you feel you need to do this? I have never had any issues upgrading pfSense just using the resolver on its own..
  • Unbound - Forwarding Mode and Custom Options Issue

    0 Votes · 6 Posts · 3k Views
    R: @BBcan177: The pfBlockerNG pkg uses an include file in unbound with the Resolver set to either Forwarder or Resolver mode. So there must be something else that's causing your issue. Try adding the "server:" setting as indicated to see if that fixes it.

    Looks like you posted while I was editing my previous post. Yes, your suggestion was absolutely spot on. It was exactly what I had missed all along. Cheers!
  • Dhcpv4 server, and ipv6 address

    0 Votes · 3 Posts · 397 Views
    JKnott: @tonysud: I would like the client to ignore IPv6. Is it possible to set the pfSense DHCPv4 server to tell clients to ignore IPv6? I don't need IPv6 in my LAN.

    One thing to bear in mind is that if IPv6 is not enabled on your network, you'll only get link-local IPv6 addresses. These start with fe80. Other than neighbor advertisements, there won't be much else. However, if you're running a Home Group network you need the link-local addresses. It won't work without them. So, if you don't need IPv6 on the network, then there's really not much to do, as you won't have it, unless configured.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.