• Cname/alias for external domain

    34
    0 Votes
    34 Posts
    22k Views
    J
    I'm also trying to figure out how to configure pfsense to use the youtube filters: https://support.google.com/youtube/answer/6214622?hl=en If anyone has another approach I'd love to hear it. Thanks Jon
  • RCE Exploit in Dnsmasq

    6
    0 Votes
    6 Posts
    4k Views
    jimpJ
    If you are on 2.3.4-p1 you can fetch an updated dnsmasq as well pkg update -y dnsmasq That should find the update and install it, afterward you have to restart the dnsmasq service
  • DHCP Option 82

    4
    0 Votes
    4 Posts
    2k Views
    jimpJ
    There are no current plans to make it available, so there is no estimation of when it might happen in the future.
  • DNS Lookups failing due to binding to nat address

    3
    0 Votes
    3 Posts
    390 Views
    S
    Here is the outbound NAT table; it still binds to the .3 address even if I disable the NAT.

    Interface  Source         Source Port  Destination  Destination Port  NAT Address   NAT Port
    WAN        x.x.x.135/32   *            *            *                 NO NAT        *
    WAN        x.x.x..0/24    *            *            *                 NO NAT        *
    WAN        x.x.x.132/32   *            *            *                 NO NAT        *
    WAN        x.x.x.131/32   *            *            *                 NO NAT        *
    WAN        x.x.x.133/32   *            *            *                 NO NAT        *
    WAN        x.x.x.134/32   *            *            *                 NO NAT        *
    WAN        x.x.222.0/24   *            *            *                 x.x.x.27/32   *
    WAN        any            *            *            *                 x.x.x.3/32    *

    (Static Port and Description are empty for every rule.)
  • Custom dyndns hostnames

    1
    0 Votes
    1 Posts
    362 Views
    No one has replied
  • Degraded performance after enabling BIND DNS

    2
    0 Votes
    2 Posts
    355 Views
    chpalmerC
    https://www.netgate.com/blog/no-plan-survives-contact-with-the-internet.html Read the part about dnsmasq. The recommendation is to use the resolver. But since DNS Resolver resolves and DNS Forwarder just forwards to whatever DNS you have entered into your DNS fields or your WAN picks up via DHCP, I'd bet those DNS might be having issues?!? Try different DNS and see if that helps.
  • FreeDNS Dynamic DNS changes

    2
    0 Votes
    2 Posts
    1k Views
    J
    Hi, +1 for this.
  • No WAN IP after Comcast outage

    5
    0 Votes
    5 Posts
    2k Views
    GertjanG
    You have some options=400bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO> Maybe it's time to "kill" some of these ?! Jumbo frames ? Hardware checksum ? TSO ? VLAN_HWCSUM ? Aren't these by default "off" ? What are all these references about VLAN ?
  • Pfsense default DNS entry

    5
    0 Votes
    5 Posts
    1k Views
    K
    If you're worried about the exposure of the management interface you can dedicate the interface that is now marked as LAN solely as the management interface and use an OPT interface for the real "LAN" network where the untrusted clients are. Of course you have to add proper filter rules on the OPT interface to block any attempts to access the LAN interface or anything connected to it and also the pfSense webgui and other services running on pfSense.
  • Problem with DHCP and AP

    3
    0 Votes
    3 Posts
    453 Views
    H
    Add 1000 to your vlan (eg 1030, 1031 ….)
  • DNS Leaks, Internet VPN, and Internal DNS Servers

    9
    0 Votes
    9 Posts
    2k Views
    johnpozJ
    Just spins.. Maybe their dnssec is broken ;) How long should such a test take.. I can point to my isp dns and test it.. Would have to sniff to why maybe its failing using the resolver.. What should happen is they should report my wan IP in normal operation since that would be the IP doing the queries to where ever they point to in the test, etc.. Ok figured out why their site broke for me – my adblocker blocking some shit they prob use to test with.. So I turned off adblocker and pointed my client to my isp dns 75.75.75.75 - oh my gawd I leaked that I am from the US and use comcast.. I am F'd now ;) hehehehe But atleast I can test the "leakage" thing we were talking about.. But have to wait til later this morning.. Off for my morning walk and then off to work..
  • DNS Resolver Configuration Questions

    3
    0 Votes
    3 Posts
    2k Views
    V
    I had written a follow up question and note but later deleted the post…resubmitting a new question based on some basic testing. I see an interface for pfBlockerNG, specifically: "10.10.10.1 (pfB DNSBL - DO NOT EDIT)". I see this for both "Network Interfaces" and "Outgoing Network Interfaces". I am using pfBlockerNG/DNSBL (both to deny inbound and outbound). Should one select the "10.10.10.1 (pfB DNSBL - DO NOT EDIT)" interface for both "Network Interfaces" and "Outgoing Network Interfaces"? If you have a VPN provider (interface set up for VPN) and wish to have your DNS resolver use the VPN for its queries, do you select this interface for "Outgoing Network Interfaces"? I tried testing different variations, checked my DNS leaks at dnsleaktest.com and found if I chose VPN provider and WAN I got leaks??? Left it at All for both "Network Interfaces" and "Outgoing Network Interfaces" until I understand this more. Any thoughts or feedback? Thanks
  • Dynamic dns update

    4
    0 Votes
    4 Posts
    2k Views
    GilG
    I accept that you should not create a situation where another source will edit your Dynamic DNS IP address. The point is to create awareness about the consequences of doing this, and that pfSense will not correct the error - even though it periodically checks its Public IP Address. It is helpful to recognise why this is the case - as you point out, the DynDNS service would be flooded if not for the cached IP address solution. I would have thought it best to discuss such issues within this forum - we're all here to learn.
  • Duplicate entries inside /etc/hosts

    7
    0 Votes
    7 Posts
    2k Views
    luckman212L
    @ypanier: would you mind testing my patch for this issue? Use System Patches and install commit f0f56a7f4ea9b6636102c380d2d210983a08c996. I tested this on 2.4.0.r.20170925.1424 and it does work for me.
    edit: I submitted PR#3832 to get more feedback.
    (boring part below) a bit more info on how I arrived at this patch:
    • when dhcpleases is sent a signal, anything less than TERM(15) causes it to not delete the auto-added entries from /etc/hosts
    • the code in dhcpleases.c@L560 that handles the HUP signal seems bugged (when could hostssize ever be <0, and if it's >0 then it seems like this would just reset the "deletion pointer" so that the dynamically added entries would now never get deleted when the SIGTERM eventually comes) – but I can't be 100% sure, so best to just never send this signal and just always kill and respawn
    • replacing the sigkillbypid() calls with /bin/pkill -x appears more reliable, since there seem to be some conditions where >1 copy of dhcpleases is running yet only 1 has a var/run/pidfile
    • the if (is_process_running("dhcpleases")) { … } ~L630 in system.inc appears useless; whether dhcpleases is running or not, it needs to be killed & respawned - so let's just go ahead and do that
    This may not all be correct but it is the best I could do w/ my limited research and does fix the issue for me
  • 0 Votes
    3 Posts
    686 Views
    K
    Your question about the gateway led me in the right direction.  I had not set the correct gateway on the DNS Server.  Silly oversight on my part.  Thanks for the tip off!
  • DHCP - noob question, but I'm stuck :(

    2
    0 Votes
    2 Posts
    501 Views
    johnpozJ
    Change your pool from .10 to .254 I assume because .255 is broadcast address. To have 2 pools.. .10 to .108 and .109 or higher to .254. Then set your nas as static on the nas or set a reservation. 2nd piece of FREE advice - never ever ever hard code ips into anything. Why would you not have all your shortcuts/mappings point to nas.yourdomain.tld so now it doesn't matter what IP your nas gets changed to, just simple update of your dns to reflect where nas.yourdomain.tld points to.
  • Where are the root DNS servers list?

    5
    0 Votes
    5 Posts
    3k Views
    K
    Unbound and other DNS forwarders/resolvers can use a separate file for root servers but since they change so rarely it's not worth it and the compiled-in list is sufficient.
  • Alias resolution somewhat cripple

    5
    0 Votes
    5 Posts
    927 Views
    johnpozJ
    "and it does indeed add all the addresses correctly." So then what is the exact problem you're having?
  • Redirect IP to a URL (?)

    2
    0 Votes
    2 Posts
    447 Views
    GertjanG
    Hi, Understood :D I'm not typing 192.168.1.1 either - I set up the name 'pfsense' as a host and 'mynetwork.local' as a domain name. Go here to do that: System => General Setup - first and second line. Now, when I use "pfsense.mynetwork.local" as a URL for the first time, I'll connect just fine to the GUI. Remember: pfSense is doing DNS :) The next time, just typing pfsense and my browser will fill in the rest for me. Btw: better yet: I can't even use the address 192.168.1.1 because I use https access to enter the GUI. IP addresses are normally forbidden in that case, and I have to use a host and domain name, which are, of course, part of the certificate.
  • Round robin for dns forwarder network address

    3
    0 Votes
    3 Posts
    2k Views
    johnpozJ
    Not sure if you can with the forwarder, but this is pretty simple in the resolver (unbound). You can just do it in the custom options box:

        server:
        rrset-roundrobin: yes
        local-zone: "google.com.local" transparent
        local-data: "google.com.local A 8.8.8.8"
        local-data: "google.com.local A 8.8.4.4"

    So see how it changes the order of returned. Curious what possible function this could have? For pointing to googledns?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.