Ok, this is resolved. Along w/ my PFSENSE migration I added a ubiquiti Layer 2 managed switch. The only vlan setup on that switch was the default Vlan 1. B/c of that, any other traffic tagged w/ a different vlan was being automatically dropped. So I went into UniFi > Settings > Network > Add New Virtual Network, added Vlan 3 there, and boom! Clients now get IPs and that SSID is working

@gbeever Okay then - so you are setting up a pfSense on the inside because?? Usually you would just have one or the other in the position where you dream router is now. I would never embark on having a double router/firewall/NAT setup as that is just asking for problems and misconfiguration. But if you want pfSense to sit on the inside, you need a couple of things - alt least: 1: on pfSense WAN you need to uncheck “Disable Private Networks/RFC1918” - otherwise it wont work properly. 2: You need to deside if you want double NAT by having pfSense NAT it’s private network to, or you want to route traffic to the pfSense LAN using a static route in the dream router.

@kjiwa Humm. You're right. [image: 1721922150651-3af6fbdf-8fd0-4229-b68c-77c42a4093aa-image.png] Go for htpc-tvs ?

@moelharrak said in DNS Resolver Status not showing the resolved domains: Specify the DNS servers in the System > General Setup My 'church' says : you'll add none. This is the perfect way of doing things : [image: 1721816821161-edc5ab82-3696-47b3-b5ea-3ae11e309d2a-image.png] And this goes with it : [image: 1721816960713-62a4a894-240f-4713-b4db-c6ceff198f7b-image.png] (do not select that button ! ) Why ? Because it's the default setting, Netgate has chosen these, and as these guy know their DNS around, that's what you should use. But, of course, if you signed up a contract with "8.8.8.8" or "1.1.1.1" and they pay you for your private DNS info, then, why not, you should forward to these guys. It's a free world after all, and if you can make some money out of it, then that's just great pfSense has its own resolver for years now, so you don't need to use any 'DNS server' - the only thing you need, is an access to the free 13 main DNS root server. These are the ones who make DNS work, these are the ones you should use, as it was intended when the Internet (DNS actually, DNS didn't exist in the beginning) edit : another reason : these settings are part of the Keep It Simple concept. Install pfSense - done nothing (well, you change the password) and your good, it works, like any other router you'll find out there. The planet wide sickness "you have to use 8.8.8.8, or some other remote entity, as a DNS" has been crafted because your DNS traffic is worth gold, and I'm not exaggerating here, for them, and this belongs to the "You are the product" concept. Also, when you belong to the "I resolve" club, you have statically spoken, less issues with DNS. It just works. and that's not a hazard or be lucky, the DNS system was meant to be used like that. How DNS Works - Computerphile Btw : all this is of course my own opinion.

@Samuelking said in unable to access webserver with static ip and port from pfsense only: i am trying to access a webserver on th internet has ip address with port from my network So you are trying to do a reflection. This IP is your wan IP of pfsense, and your hitting it from some client behind pfsense - and you want to be forwarded to some rfc1918 address on your network.. This is handled with split dns - there really is little reason to hit your public IP if the ip is the box next you on the same network.. Or you have to setup nat reflection.

Have you inspected the config.conf file to see if it is listed on that and boots with it?

After a bunch of testing today, I ended up checking traffic using pftop and compared entries when accessing MS services vs everything else (probably should have done this earlier) Accessing other services - I see traffic destined for port 53, as expected Accessing MS services - I see traffic destined for port 12000 (?) Found another branded AP lying around, configured and connected to it and tried accessing MS services - I see a bunch of traffic to port 53 this time, no port 12000 to be found NFI why the port is being changed. As a temp workaround I've translated port 12000 traffic back to port 53 and everything's working as expected. Now I'm chasing Netgear to ask W-T-F! Cheers!

@johnpoz Thanks for the reply. The issue seems to have resolved itself overnight, everything's in sync now.

@johnpoz I have to admit 24 works better with KEA over 23.09 it was slow in that version

I took it that he was 192.168.0.0/24 and changed to 192.168.0.0/23.

@Jellman86 they might at some point add that when kea is ready for primetime - but currently no pfsense can currently not act as dhcp server unless its directly attached to the network.. If you have a windows box sure you could spin up dhcp on it.. But you could also just spin up any other dhcp server on anything say docker or vm, or pi, etc..

@mvikman For now, the problem has not manifested itself, but I must wait around forty days to be sure.

@laov said in Override website address (DNS lookup): Thus I would like to automatically redirect all website.com lookups to website.net. Both have the same IPv4 and or IPv6 ?

@Gertjan if you are blocking bogons and local addresses on WAN, a double nat may not be possible with an ISP router.

@kevdog A different (sub-)domain, right. For WireGuard, it would be better if at least one side has a static IP-address. But when both are dynamic, sure, go with DDNS. If it doesn't change regularly, you shouldn't notice any problem.

@NickJH Check this one : [image: 1720542373225-0a2b3de4-9ed3-4396-9d83-12078a0f97fa-image.png] and hit the big bleu save button at the bottom of the page. Worked for me edit : and we never believe a GUI as it nature is hiding all the info we're looking for : a test !?! Because I know I've entered this : [image: 1720542563808-9d3fe825-15f5-4190-ad49-62c7c62fe8ec-image.png] This must work : C:\Users\Gauche>nslookup bureau2 Serveur : pfSense.bhf.tld Address: 2a01:cb19:beef:a6eb:92ec:77ff:fe29:392c Nom : bureau2.bhf.net Addresses: 2a01:cb19:beef:a6eb::88 192.168.1.2 and this is correct ... I'm also using static "IPv6 leases" because I really dont want to have to deal with IPv6 like '2a01:cb19:beef:a600:46d4:54ff:fe2a:36dc'. My LAN IPv6 '2a01:cb19:beef:a6eb:92ec:77ff:fe29:392c' is already a horror. Gone are the day you can 'quickly' ping LAN using "192.168.1.1"

It is switched back to ISC and thought I was sure it was set to register dynamic and static leases (I mean, it worked before, so it had to be set at some point). However, I realized I didn't do a full reboot since switching back to ISC, and after doing that, those were both unchecked... Either I'm crazy or it was a gui glitch resolved by the reboot. Thank you very much for your time

@RyanM said in DNS request timed out., then works: It doesn't provide a work-around for the lack of DNS registration of static DHCP leases. Is this capability on the roadmap? Has been said here on the forum : this is the initial pre lease of KEA. Its been worked on right now. "The next pfSense version is always better".

@MatDepInfo well that isn't sending it to your local anything - yourdomain.outlook points to public IPs owned by MS.. So your sending the email there, and then it forwards that to you I take it.