• DNS Resolver and IPv6

    0 Votes
    8 Posts
    4k Views
    J
    Also needed to add this to the custom option textbox, otherwise I was getting this in the logs: 'sanitize: "removing public name with private address"'
    server:
    private-domain: internal.<companyname>.com
  • 0 Votes
    1 Posts
    426 Views
    No one has replied
  • Adding a second subnet to the lan interface [noob]

    0 Votes
    9 Posts
    10k Views
    DerelictD
    You have one pfsense interface on a broadcast domain: 192.168.10.1/24
    A sample configuration of a host on that interface would be this:
    Address: 192.168.10.10
    Netmask: 255.255.255.0
    Gateway: 192.168.10.1
    You create an IP alias VIP on the same interface: 192.168.11.1/24
    You put hosts on the SAME broadcast domain as the other hosts. An example host configuration:
    Address: 192.168.11.10
    Netmask: 255.255.255.0
    Gateway: 192.168.11.1
    Now the exercise: 192.168.10.10 wants to communicate with 192.168.11.10 on the SAME, shared, broadcast domain. What happens?
    Now you take the same problem - adding more host addresses to a broadcast domain.. You bite the bullet in a maintenance window and change the router interface to this: 192.168.10.1**/23**
    You change the DHCP server to set the host netmask to /23, expand the DHCP address pool to include the newly available addresses in 192.168.11 since the available host addresses have about doubled to 510 (192.168.10.1 - 192.168.11.254, with the firewall interface using .1). You also make sure all dynamic hosts release/renew and all statically-configured devices get the new 255.255.254.0 (/23) netmask.
    Now you have two hosts that want to communicate:
    Address: 192.168.10.10
    Netmask: 255.255.254.0
    Gateway: 192.168.10.1
    Address: 192.168.11.10
    Netmask: 255.255.254.0
    Gateway: 192.168.10.1
    What happens now?
    You are likely trying to do one of these things:
    Increase the number of available host addresses on a network - I doubt this is really what you are needing to do, but if that was the case, the SECOND method outlined above is the way to go.
    Add a new network, while maintaining both separation between the two and the ability to route/firewall between them - I feel this is likely what you are after and, in that case, the FIRST method above will only lead to pain and suffering and an asymmetric, hairpinning mess, as was evidenced by answering the FIRST exercise question above.
    What you want to do in that case is add another interface to pfSense (this can be physical or VLAN to a managed switch). That leaves you with this on pfSense:
    LAN: 192.168.10.1/24
    Example host:
    Address: 192.168.10.10
    Netmask: 255.255.255.0
    Gateway: 192.168.10.1
    OPT1: 192.168.11.1/24
    Example host:
    Address: 192.168.11.10
    Netmask: 255.255.255.0
    Gateway: 192.168.11.1
    Each has its own independent DHCP server, firewall rules, etc.
    Now 192.168.10.10 wants to talk to 192.168.11.10 - What happens?
  • DHCPv6 pool range incorrect

    0 Votes
    3 Posts
    807 Views
    R
    I understand the last sentence here: https://en.wikipedia.org/wiki/IPv6_address#Representation that I'm allowed to do this. Wikipedia: During the transition of the Internet from IPv4 to IPv6, it is typical to operate in a mixed addressing environment. For such use cases, a special notation has been introduced, which expresses IPv4-mapped and IPv4-compatible IPv6 addresses by writing the least-significant 32 bits of an address in the familiar IPv4 dot-decimal notation, whereas all preceding ones are written in IPv6 format. For example, the IPv4-mapped IPv6 address ::ffff:c000:0280 is written as ::ffff:192.0.2.128, thus expressing clearly the original IPv4 address that was mapped to IPv6. And I guess pfSense wouldn't allow me to save it, if it wasn't a correct IPv6 address. When I put in ::ffff:a01:1/120 it works perfectly. The point of the IPv4 notation is simple legibility. I was hoping I could simplify my IPv6 addresses this way.
  • 0 Votes
    10 Posts
    4k Views
    L
    Finally, after 1+ year!…. Microsoft seems to have decided to fix their wrong dns configuration.... and now it works!
    PREVIOUS (WRONG)
    ;; ANSWER SECTION:
    sharepoint.com.        86400  IN      CNAME  sharepoint.microsoft.com.
    sharepoint.microsoft.com. 3600  IN      A      65.55.39.10
    sharepoint.microsoft.com. 3600  IN      A      64.4.6.100
    NOW (RIGHT, NO MORE CNAME RECORD IN ROOT)
    ;; ANSWER SECTION:
    sharepoint.com. 11 IN A 13.107.6.168
    sharepoint.com. 11 IN A 13.107.9.168
  • Pfsense 2.3.4 / unbound / Domain-Overide (Windows AD)

    0 Votes
    5 Posts
    1k Views
    M
    Yes, unbound is the Forwarder for the SBS/AD-Domain. And no, the problem is pfsense itself - it can't resolve domain names of the AD-domain internally. As said - it works with dnsmasq but not with unbound and technically the same settings.
    The digs
    AD-Domain
    dig @192.168.2.223 orca.mb-mw.local A
    ; <<>> DiG 9.10.6 <<>> @192.168.2.223 orca.mb-mw.local A
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; WARNING: .local is reserved for Multicast DNS
    ;; You are currently testing what happens when an mDNS query is leaked to DNS
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1761
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4000
    ;; QUESTION SECTION:
    ;orca.mb-mw.local.              IN      A
    ;; ANSWER SECTION:
    orca.mb-mw.local.      1200    IN      A      192.168.2.225
    ;; Query time: 0 msec
    ;; SERVER: 192.168.2.223#53(192.168.2.223)
    ;; WHEN: Fri Sep 01 08:53:09 Mitteleuropäische Sommerzeit 2017
    ;; MSG SIZE  rcvd: 61
    pfsense CARP
    dig @192.168.2.202 orca.mb-mw.local A
    ; <<>> DiG 9.10.6 <<>> @192.168.2.202 orca.mb-mw.local A
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; WARNING: .local is reserved for Multicast DNS
    ;; You are currently testing what happens when an mDNS query is leaked to DNS
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55831
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;orca.mb-mw.local.              IN      A
    ;; ANSWER SECTION:
    orca.mb-mw.local.      819    IN      A      192.168.2.225
    ;; Query time: 0 msec
    ;; SERVER: 192.168.2.202#53(192.168.2.202)
    ;; WHEN: Fri Sep 01 08:53:01 Mitteleuropäische Sommerzeit 2017
    ;; MSG SIZE  rcvd: 61
    nslookup
    nslookup orca.mb-mw.local
    Server:        192.168.2.223
    Address:        192.168.2.223#53
    Name:  orca.mb-mw.local
    Address: 192.168.2.225
  • Configuration Help Needed for Issues

    0 Votes
    3 Posts
    717 Views
    K
    Unfortunately I was not able to get both the DNSBL and PIA to work at the same time. At the moment I'm not using DNSBL.
  • DNS Made Easy DynDNS setup

    0 Votes
    17 Posts
    4k Views
    johnpozJ
    I will add those to the wiki notes..
  • Static ARP only works with DHCP Server enabled

    0 Votes
    2 Posts
    459 Views
    jimpJ
    On what version of pfSense? I fixed a bug there some time ago ( https://redmine.pfsense.org/issues/6821 ) but I'm not sure that ever made its way back into 2.3.x, it may just be fixed in 2.4.
  • DNS Doesn't solve

    0 Votes
    2 Posts
    933 Views
    J
    I have checked that if on a lan client (rules permit all the traffic to pass) I put the ip of the lan as dns, it does not go to the internet, but if I put the external dns then I can. This is my log. Level 3 dns resolver logs:
    Sep 1 11:54:40 unbound [85952:b] info: new pside target L.ROOT-SERVERS.NET. AAAA IN
    Sep 1 11:54:40 unbound [85952:b] info: new pside target L.ROOT-SERVERS.NET. A IN
    Sep 1 11:54:40 unbound [85952:b] debug: iterator[module 1] operate: extstate:module_state_initial event:module_event_pass
    Sep 1 11:54:40 unbound [85952:b] info: iterator operate: query L.ROOT-SERVERS.NET. AAAA IN
    Sep 1 11:54:40 unbound [85952:b] info: resolving L.ROOT-SERVERS.NET. AAAA IN
    Sep 1 11:54:40 unbound [85952:b] info: priming . IN NS
    Sep 1 11:54:40 unbound [85952:b] debug: return error response REFUSED
    Sep 1 11:54:40 unbound [85952:b] debug: validator[module 0] operate: extstate:module_state_initial event:module_event_moddone
    Sep 1 11:54:40 unbound [85952:b] info: validator operate: query L.ROOT-SERVERS.NET. AAAA IN
    Sep 1 11:54:40 unbound [85952:b] debug: iterator[module 1] operate: extstate:module_state_initial event:module_event_pass
    Sep 1 11:54:40 unbound [85952:b] info: iterator operate: query L.ROOT-SERVERS.NET. A IN
    Sep 1 11:54:40 unbound [85952:b] info: resolving L.ROOT-SERVERS.NET. A IN
    Sep 1 11:54:40 unbound [85952:b] info: priming . IN NS
    Sep 1 11:54:40 unbound [85952:b] debug: return error response REFUSED
    Sep 1 11:54:40 unbound [85952:b] debug: validator[module 0] operate: extstate:module_state_initial event:module_event_moddone
    Sep 1 11:54:40 unbound [85952:b] info: validator operate: query L.ROOT-SERVERS.NET. A IN
    Sep 1 11:54:40 unbound [85952:b] debug: iterator[module 1] operate: extstate:module_wait_subquery event:module_event_pass
    Sep 1 11:54:40 unbound [85952:b] info: iterator operate: query . NS IN
    Sep 1 11:54:40 unbound [85952:b] info: processQueryTargets: . NS IN
    Sep 1 11:54:40 unbound [85952:b] info: new pside target M.ROOT-SERVERS.NET. AAAA IN
    Sep 1 11:54:40 unbound [85952:b] info: new pside target M.ROOT-SERVERS.NET. A IN
    Sep 1 11:54:40 unbound [85952:b] debug: iterator[module 1] operate: extstate:module_state_initial event:module_event_pass
    Sep 1 11:54:40 unbound [85952:b] info: iterator operate: query M.ROOT-SERVERS.NET. AAAA IN
    Sep 1 11:54:40 unbound [85952:b] info: resolving M.ROOT-SERVERS.NET. AAAA IN
    Sep 1 11:54:40 unbound [85952:b] info: priming . IN NS
    Sep 1 11:54:40 unbound [85952:b] debug: return error response REFUSED
    Sep 1 11:54:40 unbound [85952:b] debug: validator[module 0] operate: extstate:module_state_initial event:module_event_moddone
    Sep 1 11:54:40 unbound [85952:b] info: validator operate: query M.ROOT-SERVERS.NET. AAAA IN
    Sep 1 11:54:40 unbound [85952:b] debug: iterator[module 1] operate: extstate:module_state_initial event:module_event_pass
    Sep 1 11:54:40 unbound [85952:b] info: iterator operate: query M.ROOT-SERVERS.NET. A IN
    Sep 1 11:54:40 unbound [85952:b] info: resolving M.ROOT-SERVERS.NET. A IN
    Sep 1 11:54:40 unbound [85952:b] info: priming . IN NS
    Sep 1 11:54:40 unbound [85952:b] debug: return error response REFUSED
    Sep 1 11:54:40 unbound [85952:b] debug: validator[module 0] operate: extstate:module_state_initial event:module_event_moddone
    Sep 1 11:54:40 unbound [85952:b] info: validator operate: query M.ROOT-SERVERS.NET. A IN
    Sep 1 11:54:40 unbound [85952:b] debug: iterator[module 1] operate: extstate:module_wait_subquery event:module_event_pass
    Sep 1 11:54:40 unbound [85952:b] info: iterator operate: query . NS IN
    Sep 1 11:54:40 unbound [85952:b] info: processQueryTargets: . NS IN
    Sep 1 11:54:40 unbound [85952:b] debug: out of query targets – returning SERVFAIL
    Sep 1 11:54:40 unbound [85952:b] debug: return error response SERVFAIL
    Sep 1 11:54:40 unbound [85952:b] debug: validator[module 0] operate: extstate:module_state_initial event:module_event_moddone
    Sep 1 11:54:40 unbound [85952:b] info: validator operate: query . NS IN
    Sep 1 11:54:40 unbound [85952:b] debug: iterator[module 1] operate: extstate:module_wait_subquery event:module_event_pass
    Sep 1 11:54:40 unbound [85952:b] info: iterator operate: query urs.smartscreen.microsoft.com. A IN
    Sep 1 11:54:40 unbound [85952:b] info: processQueryTargets: urs.smartscreen.microsoft.com. A IN
    Sep 1 11:54:40 unbound [85952:b] debug: Failed to get a delegation, giving up
    Sep 1 11:54:40 unbound [85952:b] debug: return error response SERVFAIL
    Sep 1 11:54:40 unbound [85952:b] debug: validator[module 0] operate: extstate:module_wait_module event:module_event_moddone
    Sep 1 11:54:40 unbound [85952:b] info: validator operate: query urs.smartscreen.microsoft.com. A IN
    Sep 1 11:54:40 unbound [85952:b] debug: cache memory msg=264377 rrset=264216 infra=19378 val=264424
  • How to resolve specific host with different DNS Server?

    0 Votes
    4 Posts
    952 Views
    B
    really disappointed with the support here…
  • Unbound notice: sendto failed: No buffer space available

    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Unbound spamming log and won't start after reboot

    0 Votes
    1 Posts
    315 Views
    No one has replied
  • DNSExit DynDNS Cached IP Problem

    0 Votes
    25 Posts
    8k Views
    K
    The solution for me was to change dynamic DNS provider. I can conclude that DNSExit sucks big time. I use NO-IP this time around and it has been working flawlessly ever since.
  • [RESOLVED] Unbound won't release/update incorrect PTR record

    0 Votes
    8 Posts
    3k Views
    johnpozJ
    "not to trust the GUI." I wouldn't say that.. You at some point created a reservation for it would be my guess.
  • Having a hell of a time with DNS Resolver and Domain / Host Overrides

    0 Votes
    8 Posts
    1k Views
    J
    @ProxyMoron: I spent way too long on this,… This is how you learn.  When you're comfortable, you can help others out on here, pay it forward. I can't fathom the number of hours I spent building and breaking stuff in pfSense and in my homelab network(s)!!
  • Single /24 with multiple DHCP pools a bad idea?

    0 Votes
    8 Posts
    591 Views
    J
    Thanks everyone for the help.  You have confirmed that the problem isn't something bigger than it is.  Yesterday and today it's been quiet, no reported issues. I did inherit some fun. In a few weeks a point to point fiber between the two buildings should be online; this requires a phone system change up.  Perfect excuse to get phones on a separate network! Your thoughts on the NCIS is interesting.  If I had time, a wireshark dump would be interesting.  Thanks again!
  • 0 Votes
    6 Posts
    1k Views
    W
    @johnpoz: Well yeah or they would also be forwarded too.. You also need to make sure you do not allow override from dhcp. I already unchecked "do not allow" but removing DNS Server from General Setup did it. Thanks for the help! Appreciate it.
  • Force checking local domain before failing DNS

    0 Votes
    2 Posts
    339 Views
    johnpozJ
    doesn't work that way.  Your client should add the domain you want to search if all you want to do is put in a hostname.
  • MAC based DNS possible?

    0 Votes
    7 Posts
    1k Views
    K
    Also, it is possible to build IP networks that do not have MAC addresses at all.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.