• DHCP ports

    0 Votes
    3 Posts
    156 Views
    JonathanLeeJ

    @mcury that is what I was looking for thank you.

  • Domain override => host override over VPN

    0 Votes
    3 Posts
    158 Views
    johnpozJ

    @McMurphy keep in mind whenever you forward, i.e. your domain override is a forward, if the answer is rfc1918 it would be a rebind. So where you're creating the domain override you would also need to set the domain as private.

    https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.html#dns-rebinding-protections

    You also need to make sure where you're sending the query that the ACL on unbound allows for the query. I would do a directed query to the unbound on the far side of the vpn and make sure you actually get an answer; this would not take into account any rebind, but would validate your firewall rules and unbound acls allow for the query.

  • Redirecting DNS on a Windows domain

    0 Votes
    11 Posts
    559 Views
    S

    @McMurphy yes, you'd have to exclude the AD DNS IPs, perhaps an alias that contains only other IPs. See the tip there;

    “With this port forward in place, DNS requests from local clients to any external IP address will result in the query being answered by the firewall itself. Access to other DNS servers on port 53 is impossible.

    Tip

    This can be adapted to allow access to only a specific set of DNS servers by changing the Destination network from “LAN Address” to an alias containing the allowed DNS servers. The Invert match box should remain checked.”

  • How to Change DNS Resolver listening port without losing internet?

    0 Votes
    9 Posts
    351 Views
    K

    @johnpoz I tried following this guy's video https://www.youtube.com/watch?v=ReSE3Bn5dFQ&t=11s. Like I said before, I just wanted to see if I can put all this stuff in pfSense, but you are right. I decided to put it in a Raspberry Pi separately. Works like a charm to be honest and less hassle. I didn't want to put it into another VM as I am running a few already in UNRAID, so I didn't want to stress it, but this was interesting. I still would like to know how this guy made it work in pfSense to be honest, but I will do that when I have more time.

  • Local (loopback) IPv6 DNS timeouts / no response (24.03)

    0 Votes
    17 Posts
    626 Views
    johnpozJ

    @conover yes is the default, you can see it in the conf.

    If you look in the conf right at the top:

    [24.03-RELEASE][admin@sg4860.home.arpa]/var/unbound: cat unbound.conf
    ##########################
    # Unbound Configuration
    ##########################

    ##
    # Server configuration
    ##
    server:
        local-zone: "0.168.192.in-addr.arpa" typetransparent
        chroot: /var/unbound
        username: "unbound"
        directory: "/var/unbound"
        pidfile: "/var/run/unbound.pid"
        use-syslog: yes
        port: 53
        verbosity: 2
        hide-identity: no
        hide-version: no
        harden-glue: yes
        do-ip4: yes
        do-ip6: yes
        do-udp: yes
        do-tcp: yes
        do-daemonize: yes

    If you set no in the options box it will be lower in the conf:

    # Unbound custom options
    server:
        do-ip6: no
        ede: yes

  • Device getting an IP from another interface

    0 Votes
    2 Posts
    110 Views
    M

    @agmc is there some switch in the middle of the path?

  • ESP32 doesn't get a Hostname resolved with Resolver (Unbound)

    0 Votes
    10 Posts
    396 Views
    M

    @Gertjan yeah, I was aware of that problem. But since everything worked so far, I didn't put changing my home domain to anything else aside.
    It is interesting though, that dnsmasq does not have this problem but unbound does.

  • 0 Votes
    2 Posts
    161 Views
    C

    Ok, this is resolved.

    Along w/ my pfSense migration I added a Ubiquiti Layer 2 managed switch. The only VLAN set up on that switch was the default VLAN 1. B/c of that, any other traffic tagged w/ a different VLAN was being automatically dropped.

    So I went into UniFi > Settings > Network > Add New Virtual Network, added VLAN 3 there, and boom! Clients now get IPs and that SSID is working.

  • Help with WAN configuration problems

    0 Votes
    8 Posts
    275 Views
    keyserK

    @gbeever Okay then - so you are setting up a pfSense on the inside because??
    Usually you would just have one or the other in the position where your dream router is now. I would never embark on having a double router/firewall/NAT setup as that is just asking for problems and misconfiguration.

    But if you want pfSense to sit on the inside, you need a couple of things - at least:

    1: on pfSense WAN you need to uncheck "Disable Private Networks/RFC1918" - otherwise it won't work properly.
    2: You need to decide if you want double NAT by having pfSense NAT its private network too, or you want to route traffic to the pfSense LAN using a static route in the dream router.

  • DNS Assignment to Subdomain

    0 Votes
    6 Posts
    205 Views
    GertjanG

    @kjiwa

    Humm.
    You're right.

    [screenshot omitted]

    Go for htpc-tvs ?

  • DNS Resolver Status not showing the resolved domains

    0 Votes
    19 Posts
    781 Views
    GertjanG

    @moelharrak said in DNS Resolver Status not showing the resolved domains:

    Specify the DNS servers in the System > General Setup

    My 'church' says: you'll add none.

    This is the perfect way of doing things:

    [screenshot omitted]

    And this goes with it:

    [screenshot omitted]
    (do not select that button!)

    Why?
    Because it's the default setting, Netgate has chosen these, and as these guys know their DNS around, that's what you should use.
    But, of course, if you signed up a contract with "8.8.8.8" or "1.1.1.1" and they pay you for your private DNS info, then, why not, you should forward to these guys.
    It's a free world after all, and if you can make some money out of it, then that's just great 😊

    pfSense has had its own resolver for years now, so you don't need to use any 'DNS server' - the only thing you need is access to the free 13 main DNS root servers. These are the ones who make DNS work, these are the ones you should use, as it was intended when the Internet (DNS actually, DNS didn't exist in the beginning)

    edit: another reason: these settings are part of the Keep It Simple concept.
    Install pfSense - do nothing (well, you change the password) and you're good, it works, like any other router you'll find out there.
    The planet-wide sickness "you have to use 8.8.8.8, or some other remote entity, as a DNS" has been crafted because your DNS traffic is worth gold, and I'm not exaggerating here, for them, and this belongs to the "You are the product" concept.

    Also, when you belong to the "I resolve" club, you have, statistically speaking, fewer issues with DNS. It just works, and that's not a hazard or being lucky; the DNS system was meant to be used like that.
    How DNS Works - Computerphile

    Btw: all this is of course my own opinion.

  • unable to access webserver with static ip and port from pfsense only

    0 Votes
    26 Posts
    1k Views
    johnpozJ

    @Samuelking said in unable to access webserver with static ip and port from pfsense only:

    I am trying to access a webserver on the internet that has an IP address with port from my network

    So you are trying to do a reflection. This IP is your WAN IP of pfSense, and you're hitting it from some client behind pfSense - and you want to be forwarded to some rfc1918 address on your network..

    This is handled with split DNS - there really is little reason to hit your public IP if the IP is the box next to you on the same network.. Or you have to set up NAT reflection.

  • DNS shows wrong (maybe old) entry

    0 Votes
    10 Posts
    258 Views
    JonathanLeeJ

    Have you inspected the config.conf file to see if it is listed on that and boots with it?

  • DNS resolver issues when accessing MS services on Wifi only?

    0 Votes
    9 Posts
    453 Views
    K

    After a bunch of testing today, I ended up checking traffic using pftop and compared entries when accessing MS services vs everything else (probably should have done this earlier).

    Accessing other services - I see traffic destined for port 53, as expected.
    Accessing MS services - I see traffic destined for port 12000 (?)

    Found another branded AP lying around, configured and connected to it and tried accessing MS services - I see a bunch of traffic to port 53 this time, no port 12000 to be found.

    NFI why the port is being changed. As a temp workaround I've translated port 12000 traffic back to port 53 and everything's working as expected. Now I'm chasing Netgear to ask W-T-F!

    Cheers!

  • Old DHCP lease hanging around in DNS

    0 Votes
    3 Posts
    171 Views
    J

    @johnpoz Thanks for the reply. The issue seems to have resolved itself overnight, everything's in sync now.

  • 0 Votes
    8 Posts
    3k Views
    JonathanLeeJ

    @johnpoz I have to admit 24 works better with KEA over 23.09; it was slow in that version.

  • Additional IP Pool unable to go online

    0 Votes
    6 Posts
    260 Views
    AndyRHA

    I took it that he was 192.168.0.0/24 and changed to 192.168.0.0/23.

  • 0 Votes
    1 Posts
    155 Views
    No one has replied

  • pfSense IP helper target

    0 Votes
    2 Posts
    262 Views
    johnpozJ

    @Jellman86 they might at some point add that when kea is ready for primetime - but currently no, pfSense cannot act as a DHCP server unless it's directly attached to the network..

    If you have a Windows box, sure, you could spin up DHCP on it.. But you could also just spin up any other DHCP server on anything, say docker or a VM, or a Pi, etc..

  • Cisco CBS220 switch randomly rebooting - Potential DHCP Issue?

    0 Votes
    16 Posts
    1k Views
    G

    @mvikman For now, the problem has not manifested itself, but I must wait around forty days to be sure.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.