It could, it also depends on whether or not you have the "Register DHCP leases" option enabled in the forwarder or resolver.

I just thought of something. Why not add another DHCP server as a package, this way the basic configuration wouldn't change, but those who want the option would have it?

Well what else is running on it?  Who said it wasn't a borked setup in the first place then?  Maybe its got bad hardware? etc..

I've kind of given up on making this work. I've swapped network cards twice with old linksys cards and with old 3com cards. Done complete clean install of pfSense with no added packages. The results are still the same. I have to enable forwarding otherwise DNS queries just don't work if my internet bandwidth is near saturated. However when saturated if forwarding is enabled dns works and pages will load, again slower but they still work. Hopefully the next release will have some improvement.

Is there a better place than the forum to put useful information on bugs in front of a package maintainer?

Thank you very much for this valuable information, a lot of my assumptions have been corrected and for that I am thankful. I've decided to let WPAD be the only deciding factor weather not a client uses the proxy. The port forwards just aren't working for some reason. I wanted to use the port forward as a sort of 'fail-over' for devices that don't support auto-detect. I was aware SSL could not be cached, it's a shame since a good majority of traffic uses a secure socket. I feel like filtering at the DNS level is…more accurate?...than filtering at the URL level? I had to uninstall pfBlockerNG today, all of a sudden nobody could access any webpages, uninstalling it remedied the issue. Needless to say I'm crossing my fingers that SquidGuard can achieve the same level of ad filtering DNSBL could.

@pfcode: If you have pfBlockerNG installed and have DNSBL enabled. That will be causing it. Its not a package issue but pfSense. I do have PfBlockerNG installed however DNSBL is disabled. Also I'm not using service watchdog.

I've got 419,418 hosts across 9 lists, currently using pfBlockerNG DNSBL Feeds. I don't have a need for any of the other provided features aside from DNSBL. There must be an alternate method to block these hosts through Unbound?

Thanks!  I was about to submit my own PR but as I was about to push it, I noticed that you had already changed the text ;)

Thank you so much johnpoz, I don't understand why I haven't find this thread, I was looking for info since 10 days, and can't find anything about memory … Effectively,, I've just checked my Log file from SysLog Server and found : 2016-07-25 17:18:22 err local7 dhcpd /usr/local/www/pfblockerng/pfblockerng.php: PHP ERROR: Type: 1, File: /etc/inc/config.lib.inc, Line: 202, Message: Allowed memory size of 268435456 bytes exhausted (tried to allocate 13129085 bytes) Why system imput this error to DHCPD instead of PfBlockerNG ?

@Derelict: You cannot have the same IP subnet on WAN and LAN. You need to change one or the other. Interfaces > LAN Change the IP address to 192.168.2.1 /24 Press Save. Do NOT press Apply. Services > DHCP Server Change the pool from 192.168.1.100 - 192.168.1.254 to 192.168.2.100 - 192.168.2.254 Save Back to Interfaces > LAN, Press Apply. Your devices will need to DHCP release/renew or be rebooted to get an address on the new LAN subnet. If you have any rules set to 192.168.1.X instead of LAN address, LAN net those will also have to be updated. Thank you Derelict! I will try that later when I get home :)

@KOM: You could probably avoid this whole mess by dropping NAT Reflection and using split DNS instead.  Then there is no outbound NAT issue or gateway issues. thank you for the suggestion. I disabled all NAT reflection and added 3 host overrides to the DNS Resolver and all is well. MUCH simpler. If anyone else is struggling with NAT reflection, please use the DNS resolver.

@johnpoz: in my previous example server: local-zone: "example.com" redirect local-data: "example.com A 10.0.0.8" this will direct anything.anything.etc.example.com to the IP you use.. Thanks, this is what i wanted in the first place ;)

Your fix is probably the easiest solution, though it's tough to say what might have been wrong to start with. Power outage might have led to some filesystem corruption, some additional runs of fsck might have been a good idea before making more changes.

Both of my "Interfaces" settings in the resolver configuration are "All". My tunnel network is 10.56.235.0/24 and my resolver ACL has two networks in it, 192.168.10.0/24 and 10.56.235.0/24. From the pfSense command line, I can successfully resolve: > dig gateway @192.168.10.254 ; <<>> DiG 9.10.4-P2 <<>> gateway @192.168.10.254 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52322 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;gateway. IN A ;; ANSWER SECTION: gateway. 1 IN A 192.168.10.254 ;; Query time: 0 msec ;; SERVER: 192.168.10.254#53(192.168.10.254) ;; WHEN: Wed Aug 03 14:19:33 MST 2016 ;; MSG SIZE  rcvd: 52 Doing the same from over the VPN, however, times out: > dig gateway @192.168.10.254 ; <<>> DiG 9.9.2-P2 <<>> gateway @192.168.10.254 ;; global options: +cmd ;; connection timed out; no servers could be reached I can query a different DNS server over the VPN, however: > dig gateway @192.168.10.241 ; <<>> DiG 9.9.2-P2 <<>> gateway @192.168.10.241 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58311 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;gateway.                      IN      A ;; ANSWER SECTION: gateway.                1      IN      A      192.168.10.254 ;; Query time: 56 msec ;; SERVER: 192.168.10.241#53(192.168.10.241) ;; WHEN: Wed Aug 03 13:36:41 2016 ;; MSG SIZE  rcvd: 52 I can see the states in the diagnostics/states page; the query that goes to .241 results in two states, one on the ovpns2 interface and one on the LAN. The query to .254 results only in the ovpns2 interface state.

I ran into the same issue but no matter if I had different Dns addresses I still could not connect on secondary wan of failover.  Disabling Dns resolver and enabling Dns forwarder solved the problem for me.