• DHCP on multiple VLANs on same physical interface

    12
    0 Votes
    12 Posts
    14k Views
    R
    Ok, first off - thanks for thinking with me. This is what I would like to accomplish. I have two physical GBit interfaces, one WAN and one LAN. I could add another two LAN cards (or two el-cheapo USB3.0 ones, my network is not that demanding). I could then map these physical interfaces to pfSense interfaces, and have DHCP work on each one. Even though connected to the same switch, I could still 'sort' the DHCP traffic that way by using static mapping to the correct network. It would be less physically secure than the VLAN route but should thwart most of my children's evil plans (they do not do network design ;-) ) [image: Network.png]
  • DNS resolution with two pfsense firewall

    2
    0 Votes
    2 Posts
    350 Views
    johnpoz
    "I am using Bind DNS configured in both firewalls." So which is the SOA for dsekar.internal? "I have configured the dns forwarders to correct values." Where and what does that mean exactly..  So what does ubuntu use for dns?  Bind running on pf2?  Is this bind authoritative for dsekar.internal - is he secondary to soa on pf1?  Are you creating the records?  Wanting dhcp to do it?  etc..
  • Want to change DHCP Domain Name

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • DHCP - MAC Address Control issue

    9
    0 Votes
    9 Posts
    3k Views
    johnpoz
    Ah - then yeah this makes sense.  Thanks for feeding my curiosity cat ;)  He gets real cranky when info is missing - hehehe
  • Enable or Disable DNS forwarder if I have Internal DNS/AD Server

    3
    0 Votes
    3 Posts
    844 Views
    J
    Thanks Master.
  • Dynamic DNS multi-WAN detect IP address of default gateway always

    1
    0 Votes
    1 Posts
    303 Views
    No one has replied
  • 0 Votes
    11 Posts
    3k Views
    denningsrogue
    I had the same issue.  Updated a mikrotik switch to swos 2.5 and none of the devices on my network was able to get DHCP info.  Downgraded to swos 2.4, everything works again.  Wasted 8 hours trying to figure out what was going on because I had just made the switch to pfsense 2.4 just before I upgraded the mikrotik switch.  Thought pfsense 2.4 had broken everything but this post gave me the answer.  Hugely grateful!  Thank you.
  • Multiple VLANs with different DNS for each VLAN

    2
    0 Votes
    2 Posts
    1k Views
    johnpoz
    In the dhcp server hand out whatever dns you want the dhcp clients to use.  On the firewall rules for that vlan only allow dns to what you're handing out. Block all other dns. Remember rules are evaluated top down, first rule to trigger wins no other rules are evaluated.
  • DynamicDNS Home Page Widget

    6
    0 Votes
    6 Posts
    1k Views
    Veldkornet
    @Veldkornet: If anyone else comes looking: Feature #7843: DynamicDNS Widget - Show Description Feature #7842: Add DynamicDNS Provider - Mythic-Beasts Anyone with some time that can put in some pull requests on Github? I can help with the cURL commands for the second one…
  • How do I disable the DNS Forwarder?

    9
    0 Votes
    9 Posts
    2k Views
    johnpoz
    what image are you running.. I would guess maybe the nanobsd.. You could be in a read only mode? You do understand the settings are in the config.xml if you grab a central xml then yeah you would go back to your old settings, etc.. What I can tell you for sure is that in a normal system out of the box.. click it on, click it off - that simple..
  • MASTER DHCP w/ CARP not issuing IPs while SECONDARY is powered off

    4
    0 Votes
    4 Posts
    674 Views
    jimp
    No, because failover is not designed to work with a long-term peer outage. Multiple things will fail (xmlrpc sync, for example). If you will have a long outage you'll have to manually remove some of the sync settings until the peer is repaired.
  • Fe80::/10 Not ACL'd in Unbound by default

    2
    0 Votes
    2 Posts
    708 Views
    jimp
    It still isn't added by default on 2.4. Usually the firewall would automatically hand out its own LAN IPv6 address to clients, not the LL address though. It's certainly possible to add code for that, but it may not be a good idea for it to be in by default. It could also allow LL queries from devices on the WAN subnet if rules were made improperly, which is what the ACLs in unbound are crafted to prevent. If unbound supported interface scopes on access control lists then maybe it could be allowed but at least from the docs it does not appear to. For example if igb0 is LAN and igb1 is WAN, then you'd have an access list allow from fe80::%igb0/10 which is scope-limited to LL on LAN and not other interfaces.
  • Why is the DNS entry for pfsense the lan interface?

    5
    0 Votes
    5 Posts
    803 Views
    J
    Thanks both! This makes sense… will give it a whirl. Would be great if that feature would include an option (default?) to automatically add views for resolving the pfsense's fqdn to the interface which the query is coming in on.
  • I want to insert a description for each denied mac address

    1
    0 Votes
    1 Posts
    232 Views
    No one has replied
  • Possible to Do DHCP Relay Server Setup?

    3
    0 Votes
    3 Posts
    2k Views
    B
    Right but that appears to only be a limitation of the current setup.. not a limitation of the DHCP server itself. is that just a "Management Decision" vs actual capability or another issue with workflow on other items to make it simpler? I understand that isn't possible now however I see it does easily support DHCP relay - which I can spin up a DHCP server and setup Ranges and data for those Subnets/VLANS just was wondering was all. (I really like the dhcp configuration options in a GUI and haven't found a current one I like that supports the Single IP way I'd prefer to do) only CLI supported for those configurations - which also isn't bad really - DHCP doesn't really need many edits / changes very often.
  • Release/renew via script

    1
    0 Votes
    1 Posts
    356 Views
    No one has replied
  • DNS query won't work

    5
    0 Votes
    5 Posts
    965 Views
    J
    @johnpoz: Make sure you uncheck to forward reverse for rfc1918, on your pihole under advanced dns as well.  Or it will not forward PTR queries for rfc1918 addresses. Does this checkbox need to be checked or not? This double negation raised a doubt… [image: 3ejU13G.png]
  • Static IP's

    3
    0 Votes
    3 Posts
    718 Views
    M
    Thank you for your input. It makes sense on assigning addresses on PfSense rather than the device itself.
  • MOVED: VLAN cannot browse the internet

    Locked
    1
    0 Votes
    1 Posts
    331 Views
    No one has replied
  • DHCP on VLAN not working

    2
    0 Votes
    2 Posts
    2k Views
    Derelict
    If you have an interface on ix0_vlan10, you need to make sure VLAN 10 is tagged to pfsense on the switch port ix0 is connected to. Any host on the switch on an untagged (access) port on VLAN 10 will get DHCP from that DHCP server. You can also statically assign a workstation to say, 192.168.XXX.100/24. See if it can ping 192.168.XXX.1. If not see if it has ARP for 192.168.XX.1 after trying to ping it. If not, your Layer 2 is not right. No, the parent interface ix0 does not need to be assigned for the VLAN interfaces to work. If it is assigned, it might have to be enabled for the VLANs on it to function. I would have to test that. Look in the switch to see if you can see all the MAC addresses associated with VLAN XXX. I used to do things like that all the time to quickly determine if a VLAN was properly tagged through the infrastructure. On a Brocade it would look something like this:

        telnet@6450#show mac-address vlan 999
        Total active entries from VLAN 999 = 12
        MAC-Address     Port         Type     Index  VLAN
        d468.4d1f.5a00  1/2/2*1/2/4  Dynamic  51600  999
        3c07.540c.2316  1/2/2*1/2/4  Dynamic  27692  999
        0060.2e02.45bd  1/1/24       Dynamic  8132   999
        d468.4d1f.7140  1/1/43       Dynamic  52932  999
        6c19.8f93.953b  1/1/43       Dynamic  49840  999
        0008.a20a.5942  1/1/44       Dynamic  1500   999
        1c5f.2bb5.ee37  1/2/2*1/2/4  Dynamic  39464  999
        6805.ca0a.3b21  1/1/26       Dynamic  992    999
        0026.bb5a.7f32  1/1/3        Dynamic  14620  999
        d050.99e1.5612  1/1/25       Dynamic  39044  999
        001e.8cf1.e910  1/1/42       Dynamic  21712  999
        66b5.a87f.db78  1/1/41       Dynamic  64596  999

    I know that 1/2/2*1/2/4 is a lagg to another switch. Since I am getting MAC addresses there I know VLAN 999 is tagged properly between them.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.