• Services / Dynamic DNS / Check IP Services

    7
    0 Votes
    7 Posts
    5k Views
    W
    I also tried to hack the dyndns.class, but my check URL myip.ch doesn't match the regex. But I tried to add the port :8245 to the checkip.dyndns.org and it is more reliable now. But I think developers have to add the functionality in the script to be consistent with the GUI.
  • Unbound/DES Resolver not returning result

    11
    0 Votes
    11 Posts
    1k Views
    P
    No, it resolves to a private address on the MPLS network. Yes, thanks, have now turned off the rebind protection. PT
  • Problem with L3 adoption for Unifi gear in 2.3.3 / 2.4 beta?

    23
    0 Votes
    23 Posts
    6k Views
    jimp
    FYI- If you have an AP that won't update and appears stuck on an older firmware, like mine, set its WLAN config to 'off' and then run the update, then set it back to 'Default' or whatever WLAN group it was a member of. Why is that necessary? Who knows… But given everything else about them that's happened in the last day, I'm not surprised.  :-X
  • New 2.3.3 VM - No Client DNS from Pfsense at all

    10
    0 Votes
    10 Posts
    1k Views
    johnpoz
    Well, you're saying it works when dhcp on wan - but nothing when static?  Points to a problem with your static settings.
  • DHCP not working , clients not getting IP's

    1
    0 Votes
    1 Posts
    407 Views
    No one has replied
  • Configure BIND as Nameserver for internal IP

    5
    0 Votes
    5 Posts
    3k Views
    P
    No more inputs?
  • Dhclient doesn't support option 77

    12
    0 Votes
    12 Posts
    3k Views
    F
    Hi, I confirm that "option-77" or user-class is not sent by dhclient on pfsense 2.4.

    View my dhcpdump result:

        ---------------------------------------------------------------------------
          TIME: 2017-03-15 12:41:57.540
            IP: 0.0.0.0 (00:0c:29:5c:ac:dc) > 255.255.255.255 (ff:ff:ff:ff:ff:ff)
            OP: 1 (BOOTPREQUEST)
         HTYPE: 1 (Ethernet)
          HLEN: 6
          HOPS: 0
           XID: a39a7bf5
          SECS: 28
         FLAGS: 0
        CIADDR: 0.0.0.0
        YIADDR: 0.0.0.0
        SIADDR: 0.0.0.0
        GIADDR: 0.0.0.0
        CHADDR: 00:0c:29:5c:ac:dc:00:00:00:00:00:00:00:00:00:00
         SNAME: .
         FNAME: .
        OPTION:  53 (  1) DHCP message type         1 (DHCPDISCOVER)
        OPTION:  60 (  5) Vendor class identifier   sagem
        OPTION:  61 (  7) Client-identifier         01:00:0c:29:5c:ac:dc
        OPTION:  12 (  2) Host name                 jr
        OPTION:  55 (  9) Parameter Request List      1 (Subnet mask)
                                                     28 (Broadcast address)
                                                     51 (IP address leasetime)
                                                     58 (T1)
                                                     59 (T2)
                                                    119 (Domain Search)
                                                      3 (Routers)
                                                      6 (DNS server)
                                                     90 (Authentication)
        OPTION:  90 ( 22) Authentication            0000000000000000 ........
                                                    0000006674692f64 ...fti/d
                                                    xxxxxxxx xxxxx

    View my config:

        interface "vmx0_vlan832" {
            #send-interface "vmx0";
            vlan-id 832;
            #vlan-pcp 6;
            # DHCP Protocol Timing Values
            timeout 60;
            retry 15;
            reboot 0;
            select-timeout 0;
            initial-interval 1;
            # DHCP Protocol Options
            send dhcp-class-identifier "sagem";
            send option-77 "+FSVDSL_livebox.Internet.softathome.Livebox4";
            send option-90 00:00:00:00:00:00:00:00:00:00:00:66:74:69:2f:xx:xx:xx:xx:xx:xx:xx;
            request subnet-mask, broadcast-address, dhcp-lease-time, dhcp-renewal-time, dhcp-rebinding-time, domain-search, routers, domain-name-servers, option-90;
        }

    or

        interface "vmx0_vlan832" {
            #send-interface "vmx0";
            vlan-id 832;
            #vlan-pcp 6;
            # DHCP Protocol Timing Values
            timeout 60;
            retry 15;
            reboot 0;
            select-timeout 0;
            initial-interval 1;
            # DHCP Protocol Options
            send dhcp-class-identifier "sagem";
            send user-class "+FSVDSL_livebox.Internet.softathome.Livebox4";
            send option-90 00:00:00:00:00:00:00:00:00:00:00:66:74:69:2f:xx:xx:xx:xx:xx:xx:xx;
            request subnet-mask, broadcast-address, dhcp-lease-time, dhcp-renewal-time, dhcp-rebinding-time, domain-search, routers, domain-name-servers, option-90;
        }

    Thanks for the help. Best regards, fred
  • 0 Votes
    3 Posts
    463 Views
    J
    Thank you. I went through all the steps described in the post you sent me. On top of that, I had to add a new property in /boot/loader.conf.local in the pfsense VM: hw.xen.disable_pv_nics=1. With this setting, the reboot asked me to set up all interfaces again with new interface names. Then I had internet on the OPT1 interface.
  • (SOLVED) Blocking unknown mac adress's

    6
    0 Votes
    6 Posts
    2k Views
    V
    Well we have 3 box internet. The whole residence can use it by paying 17€ per year to us. When they have paid, we take their MAC addresses and we give them IPs. We had a huge problem with win10 and I found out that everyone had to manually set his IPv4 address, the subnet mask and DNS. But we fear that if someone does this (without paying and being registered by us) with someone else's IP address, given that this IP address is in the DHCP list, he can use "our" internet …
  • Devices frequently requesting ip addresses

    2
    0 Votes
    2 Posts
    1k Views
    johnpoz
    Are these devices in standby or something? Devices will sometimes try and update their lease while they are on standby every so often.. Dhcp server is saying hey your lease is not yet 50% expired.. Come back and ask for a new lease when you hit the 50% mark - for now.. just use that lease.
  • DNS Forwarder problem with "host overrides" with 2.3.3x

    2
    0 Votes
    2 Posts
    459 Views
    johnpoz
    Yeah, they took out resolving hostname only without a domain. Your clients need to use a fqdn to resolve what it is they are trying to resolve.  It's possible your client is not using the domain you handed out in dhcp, or maybe they just had not updated their lease to get the info. But yes you need to query fqdn to get an answer - my understanding is this is how it is going to be going forward.  You should always query fqdn so not sure how this is a problem? https://redmine.pfsense.org/issues/6064 non-fully qualified hostnames included in hosts file and Unbound local-data
  • Unbound config

    6
    0 Votes
    6 Posts
    2k Views
    johnpoz
    "It's only for me to play about with and there aren't many entries." You're still hosting dns to the public.. BAD IDEA!!!  Host your dns elsewhere…  Where is your 2nd NS?  You really need to have 2... And sorry, unbound is not designed to be an authoritative NS.. If you want, install the bind package.. And that domain you're using.. I show it pointing here: yourdomain.net.      3600    IN      SOA    ns0.zen.co.uk. netman.zen.co.uk. 2017030305 14400 1800 604800 86400 What you're doing is a really bad idea and makes no sense.. You can host up your domain for FREE multiple places and point to ipv4 and or ipv6.. If you want to play - I have a domain I like to play with for dnssec signing, etc.  I host it on vps that I get for 15$ a year.. Yeah I have 2 of them, because it's not proper dns to only have 1..  There are only a few records in it, both ipv4 and ipv6.. It is my play box for doing stuff with dnssec..  And yeah it points to my other vps, and my home IPs.. etc.. I would never in a million years host up NS services off my home connection.. ZERO point to it!!  Also too easy to make a mistake and now your connection is offline because you're part of a dns amplification attack..  Want to host up dns to your local network - sure, been doing that for years and years..  Hosting to the public is not something that makes any sense to do off your home connection.  Nor does it rarely make sense for even the largest of enterprises.  It makes sense when you're in the business of serving dns ;)
  • Configure DNS for VPN and LAN

    2
    0 Votes
    2 Posts
    3k Views
    P
    @nogamer: Is it possible to have a setup so that the LAN can go through ISP DNS server and I can access local netflix with ads blocked and VPN subnet go through VPN interface and queries VPN DNS for US netflix and block ads. As far as having different subnets use different DNS settings, yes you can do that. The best way to do that is to turn off forwarding mode and just use the built in Resolver as is. All you are doing by using your VPN or ISP's DNS servers is using a man in the middle. Both the VPN & the ISP get their information from the root servers and then pass that info on to you. PfSense allows you to cut out the middle man and go straight to the root servers yourself. Since you are using a VPN client and use their DNS server, I assume you are in it for anonymity. You can have even more anonymity by just using the resolver without forwarding: On your LAN interface write a firewall rule to pass DNS and under advanced select your VPN client as your gateway, now all of your DNS requests are routed through your VPN to the root servers. On the interface you want non-VPN DNS on, just don't specify the VPN as the gateway. Check these out: https://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense Unfortunately, I don't believe that any of this will solve the problem you are talking about. Netflix is blocking you based on your VPN IP, they don't care which DNS server you use, they are still going to block you if you use the VPN IP.
  • 0 Votes
    1 Posts
    280 Views
    No one has replied
  • Slow dhcp on default vlan (1) but not on other vlans

    3
    0 Votes
    3 Posts
    593 Views
    M
    Why are you bridging interfaces? That's not a recommended nor supported option - pfSense is not a switch. If you remove the bridges and use a (smart | managed) switch, do all of your problems go away?
  • Desktops receiving two IP addresses

    3
    0 Votes
    3 Posts
    571 Views
    S
    Hi jimp, thanks for that.  I shall give it a try. Cheers, Chris.
  • DNS Resolver Forgot Some Settings After 2.3.3 Upgrade

    5
    0 Votes
    5 Posts
    1k Views
    T
    Yeah I just found a bug related to exactly this and added information about my issue: https://redmine.pfsense.org/issues/6186 I understand the problem, although I feel that unbound should probably just fail to start if it doesn't find the interfaces it's configured to use as opposed to reverting to its default of using all interfaces, in explicit violation of the user's configuration.  It's not clear to me though whether that behavior is an unbound thing or a pfSense thing.
  • Unbound doesn't always start on a reboot

    5
    0 Votes
    5 Posts
    2k Views
    T
    Just wanted to provide an update because I think the issue I'm observing is different.  I haven't seen unbound fail to start after a reboot, but it consistently fails to restore the saved "Outgoing Interfaces" settings.  I confirmed this by examining a diff of /var/unbound/unbound.conf immediately following a reboot and then after going to the "Services > DNS Resolver" page and clicking "Save" followed by "Apply Changes".  The conf file immediately following a reboot had no "outgoing-interface" entries, which means it defaults to using all interfaces.  The conf file after I did the "Save" and "Apply Changes" reflected my explicit outgoing interface settings, which is to only use my two ovpn client interfaces.
  • OpenVPN + DNSResolver Issues

    1
    0 Votes
    1 Posts
    432 Views
    No one has replied
  • Nginx DHCP, [error] 27507#100152: *458 open() "/usr/local/www/proxy.pac"

    1
    0 Votes
    1 Posts
    402 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.