• DHCP Permission denied

    3
    0 Votes
    3 Posts
    2k Views
    V
    Captive Portal enabled with all defaults except: Maximum concurrent connections limited to 5, disabled concurrent user logins, and a custom login page. That's all. By the way, everything runs fine after I reboot the pfSense, but the problem repeats once or twice every day.
  • Adding a lot of DHCP Static Mapping entries via CLI

    2
    0 Votes
    2 Posts
    2k Views
    M
    I made mention of this a couple of posts back. Your firewall config is held in /cf/conf/config.xml. The DHCP section has entries for 'staticmap', which define all the DHCP static mappings set within the firewall. You can edit this directly, following the formatting shown in any existing examples you can find in the config (if not, create a test static map entry to see what this looks like). Once you have finished editing the config file, you can run /etc/rc.reload_all to activate the changes you've made. I probably don't need to mention that you should take a backup of your config.xml file before making any direct changes.
  • Unable to save Domain Override

    5
    0 Votes
    5 Posts
    1k Views
    C
    Thanks for pointing out the Chrome problem, this was driving me up the wall.
  • DNS resolver DNSSEC - error sending query to auth server

    8
    0 Votes
    8 Posts
    4k Views
    johnpozJ
    do-ip6: yes
    Interface IP(s) to bind to
    interface: 0.0.0.0
    interface: ::0
    interface-automatic: yes

    Why do you have those??? If you do not want it to use IPv6 outbound then don't bind it to an IPv6 address.

    # Interface IP(s) to bind to
    interface: 192.168.9.253
    interface: 2001:470:snipped::1
    interface: 192.168.2.253
    interface: 2001:470:snpped::1
    interface: 192.168.3.253
    interface: 2001:470:snipped::1
    interface: 192.168.4.253
    interface: 192.168.6.253
    interface: 2001:470:snipped::1
    interface: 192.168.7.253
    interface: 127.0.0.1
    interface: ::1
    # Outgoing interfaces to be used
    outgoing-interface: 24.13.snipped

    I would get rid of that do-ip6 in your config if you don't want it doing IPv6, as the easy way to prevent it. You should be able to put it in the advanced tab:

    server:
    do-ip6: no

    I just tested, and if you put in those commands unbound isn't doing anything with IPv6.
  • Possible bug in DNS Resolver.

    5
    0 Votes
    5 Posts
    1k Views
    M
    @jimp: Unlikely to be a bug. Check your routing table, and if you have DHCP or PPPoE WANs, make sure to check the box that does not allow them to override your DNS settings. Especially with DHCP, if the ISP sends you a DNS server IP address, dhclient will add a route for it. If you are seeing that behavior then somehow the routing table is making the firewall send the traffic that way, usually because of conflicting routes (e.g. received from DHCP, or used as gateway monitor IP addresses, or even plain static route entries).
    As mentioned in my previous post, I do not think the routing table is bad and I do not allow any DHCP override (not using DHCP; static on both WANs). Please see the attached routing table, Routing_ipv4.jpg. I have masked out some part of the IPs to protect some, but you could see the content structure anyway. 120.0 is the LAN net (where .20 = pfSense) 121.0 is OpenVPN 125.0 is a local LAN between PFS and a HiLink 4G modem. (that is USBSWITCHED)  WAN2MOBILE x.x.165.0 = WAN1 x.x.50.x remote end of an IPsec
  • DNS Resolver IPV6 Resolution Question

    5
    0 Votes
    5 Posts
    1k Views
    G
    Thanks… you're correct, my system is now working that way. I am now just using the DNS resolver without any other DNS entry in the General Setup. It is better using the DNS root servers this way.
  • [DNS RESOLVER] IPSEC DNS local.domain on two servers, howto?

    3
    0 Votes
    3 Posts
    729 Views
    johnpozJ
    "Now both pfSenses run the same domain" Well, that's a bad idea right out of the gate. To be honest, if you want to run more than 1 authoritative NS for a domain, unbound is a bad choice as well. If you want to have either NS in either location return the results for IPs in either location, run an actual authoritative NS and set up your other sites to be slaves and do zone xfers, so that when you add a record to your SOA your slave NS will also get a copy, etc. Unbound is not well suited for such a setup. Or, as geudrik mentions, just run different subdomains for your locations. So you end up with host.siteA.domain.tld and host.siteB.domain.tld, etc.
  • (Unbound) Multiple A Records Returned, Wondering how to Suppress Some

    2
    0 Votes
    2 Posts
    791 Views
    johnpozJ
    So you have 2 different networks? And you're registering or have both addresses in play? Just use 2 different names via your override. This has come up a few times before. Here is one thread for example; you can do this with dnsmasq or bind and views, where you can return an address based upon where the query came from. But I am not aware of a way to do this in unbound without running multiple instances of it and listening on different interfaces with different records, etc. https://forum.pfsense.org/index.php?topic=106872.0
  • Force low cache time (TTL) for NXDOMAIN responses [Unbound]

    6
    0 Votes
    6 Posts
    3k Views
    johnpozJ
    Great you got it sorted.
  • Multicast blocked?

    4
    0 Votes
    4 Posts
    942 Views
    JKnottJ
    One thing you can try is Wireshark to see what's actually on the network.  Multicast traffic should be sent to all ports, other than the one it came in on, so you should be able to see it on any computer connected to the switch.  You might also be able to run it on the server. https://www.wireshark.org/
  • [SOLVED] DHCP working fine for months, now stopped assigning leases.

    6
    0 Votes
    6 Posts
    1k Views
    X
    I never did respond back on the resolution. I did end up rebuilding the VM and reinstalling pfsense, provisioning it with 80GB of storage. No problems running out of space now. Thanks for the help!
  • DHCP SERVER - REBIND fail with multiple access point with same ssid

    30
    0 Votes
    30 Posts
    5k Views
    V
    For sure my trouble is the Cisco WAP351; it has an ARP cache and uses it to deliver the packet. Now with the iPhone I can see it sends a gratuitous ARP autonomously, and that makes the difference; with this the switch of the WAP351 understands where it should send or block the packet. I've tested with iPhone and MacBook Pro and it is fine (always); with Windows 7 Enterprise and Pro, NOT. This never sends a gratuitous ARP message autonomously. The truth is the ZyWALL sends this ARP (who has tell) every time, which in fact lets the WAP351 work well. Like I said, I've tested OpenDHCP instead of the pfSense DHCP server and got the same issue; after I added the ARP request to the source code (and recompiled), these APs work well also with Windows 7. Today I am still using pfSense as main firewall and this ZyWALL just as DHCP server, delivering the address of pfSense as router and DNS; in this situation everything is fine, BUT I need 3 WiFi networks, so I should use more than one ZyWALL or buy something like a ZyWALL 200, but in this case pfSense will be replaced by this…. Please try to capture the traffic during DHCP with Wireshark, filter with "bootp and arp", and you will see the difference between iOS and Windows 7. I believe the only solution will be to arrange a new virtual machine with another DHCP server instead of using that one of pfSense; it is a stupid solution but works! Hope one day I can use just pfSense with these APs, because many times when you need to install these APs the internal switch is a good idea for cable reduction; guess a hotel with all rooms inline, just interconnect all APs together... Best regards.
  • DHCP fails on VLANs

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    N
    Thanks, I figured out what was wrong. Your reply got me to read up on the DHCP protocol, which made me realize packets being sent from pfSense weren't making it back to nodes in the VLAN. I had set the VLAN ports for the nodes to be untagged but lost the setting when I didn't hit "apply", so all systems were receiving tagged packets. For those learning about VLANs who stumble onto this thread, in general, the rule of thumb is: VLAN-aware gear such as managed switches and routers (including pfSense) should be connected to tagged ports; other systems (desktops, servers, etc.) should be on untagged ports. Again, thanks for the quick help!
  • Windows New Network Names

    10
    0 Votes
    10 Posts
    3k Views
    NogBadTheBadN
    @johnpoz: for what reason? Opt interfaces on pfSense are not switch ports; bridging them does not get you a switch. If you need more ports on the same network/VLAN then use a switch.
    I had my ethernet over power connected to the LAN port and the time-capsule connected to the OPT1 port, so when I rebooted the time-capsule I didn't lose the ethernet connections connected via the ethernet over power. It's not connected that way now, LAN -> time-capsule.
  • DNS forwarder, resolver or both

    38
    0 Votes
    38 Posts
    10k Views
    N
    I have set the DNS forwarder but for some reason the LAN computers can only see each other by IP. Which option should I pick to be able to search by name as well?
  • Two DHCP in one physical network

    18
    0 Votes
    18 Posts
    17k Views
    JKnottJ
    ^^^^ My mistake.  I was thinking of pfSense, which does not have an obvious way to filter on MACs, as can be done with iptables on Linux or some versions of Cisco's IOS.
  • Resolve hostnames in SQStat

    3
    0 Votes
    3 Posts
    3k Views
    P
    I put the pfsense IP address in "DNS Server 1" under "System -> General Setup". Does that answer your question?
  • DNS Architecture Setup Best Practices

    9
    0 Votes
    9 Posts
    8k Views
    johnpozJ
    If all you're doing is a POC and you need some authoritative DNS for that, then sure, that would be one reason why you might host your own just for the POC. But once it goes to production then no, I wouldn't suggest running your own DNS for public consumption.
  • DHCP on pfSense and DNS on Microsoft Server

    10
    0 Votes
    10 Posts
    19k Views
    johnpozJ
    Well, you're not wanting to use MS licensing for these clients, then I have to assume they are not members of your AD anyway. If that is the case then sure, you could provide services off pfSense for DHCP and DNS for this network/VLAN.
  • Block youtube with opendns

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.