• DNS Resolver slow in Multi WAN when one WAN down

    2
    0 Votes
    2 Posts
    857 Views
    K
    Not sure if this applies, but when I disabled the DNS Resolver and enabled the DNS Forwarder, all my multi-WAN DNS issues went away!
  • Changed to Static IP on LAN [SOLVED]

    29
    0 Votes
    29 Posts
    5k Views
    johnpoz
    And how do you know this? Did you reboot it and still have issues with finding updates via the GUI? Why was it not finding if there was an update? Was it saying you were on the latest, or was it saying it could not check? "Could not check" is a DNS or network-related issue. How many packages do you have installed? Snort can be finicky!!
  • WAN dhcp (dhclient) going to wrong IP

    5
    0 Votes
    5 Posts
    2k Views
    T
    Is it possible to force it to retry sooner? 92553 seconds is over a day. I'm having a similar problem, and while we can blame the provider all we like, it's not going to help anything. If we can force it to retry sooner, regardless of the current lease timeout, it would likely fix it. Since a release/renew works, forcing dhclient to retry would likely get a lease from the DHCP server and everything would work fine again. I could likely hack it up with a cron job, but there should be a better way than that.
  • TFTP option

    2
    0 Votes
    2 Posts
    1k Views
    F
    Found it.. I have to add the option as "text", not IP.
  • Allow only authorized clients on network?

    4
    0 Votes
    4 Posts
    963 Views
    P
    @Seeking: Hello. Please forgive me in advance for this newbie question. I am interested in setting up a pfSense box that will prevent unknown/unauthorized clients from accessing the network. The network will contain a mixture of clients as well as a couple of low-traffic web and mail servers. Access to the network will be via wired and wireless AP. I do not require a guest network.

    Internet <----> pfSense <-------> switch <---------------> web server
                                             <---------------> mail server
                                             <---------------> desktop 1
                                             <---------------> desktop 2
                                             <---------------> wireless ap <---------------> phone
                                                                           <---------------> tablet
                                                                           <---------------> laptop
                                                                           <---------------> streaming device
    Thanks in advance.

    Your best solution for wireless access, that is, might be using WPA2-Enterprise mode so that any wireless clients need extra authentication methods to verify their authorization. I accomplish this through a web-hosted RADIUS server solution. Some are free and worth a try, so if you find that you don't like it, then it is easy to just access your router webGUI via Ethernet or serial to remove the RADIUS settings and revert your wireless client devices.
  • Local DNS not resolving when using custom DNS providers

    1
    0 Votes
    1 Posts
    437 Views
    No one has replied
  • How can I access FQDN behind pfsense firewall

    2
    0 Votes
    2 Posts
    694 Views
    johnpoz
    NAT reflection. But it's not really the correct solution. If your server is behind pfSense, the same place the client is, why should you go through pfSense just to get reflected back in? As to internal DNS, pfSense can be DNS. What are you using, your ISP or Google/OpenDNS directly on each client?
  • Which dhcp bug is this?

    2
    0 Votes
    2 Posts
    583 Views
    johnpoz
    So once the information is given for a lease, you would have to make sure you clear that old lease - delete it. Or yeah, the same client could keep getting the wrong info because it just keeps getting the renewal of its old lease.
  • Reverse DNS issues

    4
    0 Votes
    4 Posts
    2k Views
    R
    It seems that I've been using it incorrectly. I had to add aliases instead of separate host overrides; then it won't create PTR records for the aliases. See attached working setup. Thanks for the help! [image: host-overrides-fixed.png]
  • Comments / Possible Bug WRT DHCP / DHCP6 Leases

    2
    0 Votes
    2 Posts
    542 Views
    B
    I reported a bug for the DHCP6 lease time. However, contrary to what I said previously, there is no issue with DHCP4. The UTC/local flag is there. I just missed it in the settings.
  • What can I do exactly with dynamic DNS?

    1
    0 Votes
    1 Posts
    467 Views
    No one has replied
  • DNS Resolver - System Domain Local Zone Type not changeable

    5
    0 Votes
    5 Posts
    7k Views
    J
    I was actually using host overrides until recently. But it became too much of a hassle to add a new one for every subdomain. The whole publicdomain.tld is supposed to resolve to this particular host, so a wildcard was the easiest solution. Also I kept forgetting to add a new override and would wonder why one subdomain would not work. Is it still possible to add host overrides within a wildcard domain? I might some day have a subdomain that's not supposed to resolve to my local server.
  • DNS Resolver Setup / Hardening

    10
    0 Votes
    10 Posts
    5k Views
    G
    @paftdunk: Your question made me realize there's actually a much better way to do this: NAT port forwarding. I set up a port forward rule to redirect all LAN-originated traffic for :53 to my firewall IP. As soon as I created it, I started seeing the actual lookups my Ooma was directing to their own servers.

    $ dig @8.8.8.8 blog.pfsense.org
    ;; reply from unexpected source: 10.100.100.1#53, expected 8.8.8.8#53

    Can you please share a screen capture (or at least be a bit more specific)... I'm not clear about how you did this. Thanks.
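    The redirect described in that post, written out as the pf.conf rule pfSense would generate from such a port forward. This is an added example, not a rule from the thread or from the pfSense project; the interface name em1, the LAN subnet 10.100.100.0/24 and the resolver address 10.100.100.1 are assumptions (the last one matches the address dig reported above).

```pf
# Added example: pf.conf equivalent of "forward all LAN DNS to the firewall".
# em1, 10.100.100.0/24 and 10.100.100.1 are assumed values for this example.
lan_if   = "em1"
lan_net  = "10.100.100.0/24"
resolver = "10.100.100.1"

# Rewrite every port-53 query from the LAN that is NOT already addressed to the
# firewall's resolver so that it lands on the resolver instead. Excluding the
# resolver itself keeps the rule from rewriting its own legitimate traffic.
# "rdr pass" also lets the redirected packets through the filter.
rdr pass on $lan_if inet proto { tcp, udp } from $lan_net to ! $resolver port 53 -> $resolver port 53
```

    Two caveats a practitioner should expect. The client still believes it is talking to 8.8.8.8, which is exactly why dig prints "reply from unexpected source": the answer comes back from the resolver's address, and dig refuses it by default while a plain stub resolver accepts it. The rule only catches classic port-53 DNS; a device using DNS over TLS (853/tcp) or DNS over HTTPS (443/tcp) bypasses it, so block 853 outbound as well and treat DoH as indistinguishable from ordinary HTTPS.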
  • How to override my ISP's DNS servers ?

    7
    0 Votes
    7 Posts
    7k Views
    O
    Thanks for the feedback, I really appreciate you took the time to explain ! And I'm glad you pointed out the bad setup, this is the kind of answers I was looking forward to. What I will do is keep playing with the Windows DNS server and see how far I can get. I now understand it's pointless to have both pfsense and win dns listed as DNS servers.
  • 2.3.1 DNS redirect doesn't work as well as before

    1
    0 Votes
    1 Posts
    560 Views
    No one has replied
  • DDNS, service type Custom no TTL option

    1
    0 Votes
    1 Posts
    427 Views
    No one has replied
  • DNS Resolver private domains in 2.3

    7
    0 Votes
    7 Posts
    3k Views
    B
    Not sure if the original poster got the issue resolved, but big thanks, as adding the line from the original post below under DNS Resolver -> General Settings -> Custom Options fixed my issue with logging in to https://app.plex.tv/web/app:

    server:
    private-domain: "plex.direct"

    Thank you! :D Edit: For reference for those others who run into it, after the fact I found this under the Modem/Router Settings header towards the bottom of the page: https://support.plex.tv/hc/en-us/articles/206225077
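    Why that Custom Options line is needed, as an added example that is not code from the thread or from the Unbound project: a small Python model of Unbound's DNS rebinding protection, which drops any answer pointing into a private-address range unless the queried name falls under a configured private-domain. The private-address list is what pfSense configures when "DNS Rebinding Checks" are enabled and is an assumption here; the sample names and addresses are constructed for the example.

```python
"""Added example, not code from the forum thread or from the Unbound project.

Models how Unbound's rebinding protection decides whether to keep an answer:
an A/AAAA record that points into a private-address range is dropped unless
the owner name is under a configured private-domain. plex.direct names
deliberately resolve to LAN addresses, hence the Custom Options line above.
All names and addresses below are constructed samples.
"""
import ipaddress

# Ranges assumed to be listed as private-address by pfSense's rebinding check
# (an assumption for this example, not taken from the thread).
PRIVATE_ADDRESSES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fd00::/8", "fe80::/10",
)]

# Equivalent of the Custom Options lines:  server: / private-domain: "plex.direct"
PRIVATE_DOMAINS = ("plex.direct",)


def in_zone(name: str, zone: str) -> bool:
    """Label-wise suffix match, the way DNS delegation works.

    'x.plex.direct' is under 'plex.direct'; 'plex.direct.evil.example' is not,
    so a plain string endswith() check would be the wrong tool here.
    """
    n = name.rstrip(".").lower().split(".")
    z = zone.rstrip(".").lower().split(".")
    return len(n) >= len(z) and n[-len(z):] == z


def is_private(address: str) -> bool:
    """True if the address falls in any configured private-address range."""
    ip = ipaddress.ip_address(address)
    # Membership across address families is simply False, so v4 and v6
    # networks can share one list.
    return any(ip in net for net in PRIVATE_ADDRESSES)


def answer_allowed(name: str, address: str, private_domains=PRIVATE_DOMAINS) -> bool:
    """Return True if the resolver would hand this answer to the client."""
    if not is_private(address):
        return True  # public addresses are never filtered
    return any(in_zone(name, zone) for zone in private_domains)


def filter_answers(answers, private_domains=PRIVATE_DOMAINS):
    """Keep only the (name, address) pairs that survive the rebinding check."""
    return [(n, a) for n, a in answers if answer_allowed(n, a, private_domains)]


if __name__ == "__main__":
    # Constructed sample answers, as a stub resolver might receive them.
    sample = [
        ("www.example.com", "93.184.216.34"),                # public: kept
        ("1-2-3-4.abcdef0123.plex.direct", "192.168.1.20"),  # LAN Plex server
        ("plex.direct.evil.example", "10.0.0.1"),            # fake suffix: dropped
    ]
    print("with private-domain:   ", filter_answers(sample))
    print("without private-domain:", filter_answers(sample, private_domains=()))
```

    Without the private-domain entry every *.plex.direct answer that points at a LAN address is discarded, which is precisely what breaks the Plex web app login; the label-wise comparison in in_zone is the part that matters for safety, since an attacker-controlled plex.direct.evil.example must not inherit the exemption.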
  • How to setup BIND to resolve any request to one IP

    8
    0 Votes
    8 Posts
    2k Views
    V
    Thank you for your detailed answer. I'll consider it one more time :)
  • Dhclient and rfc1918 blocking

    2
    0 Votes
    2 Posts
    790 Views
    johnpoz
    Pretty sure the hidden rules in place that allow DHCP are evaluated before the bogon or RFC1918 blocks on the WAN interface ;) Or there would be many people screaming that DHCP on the WAN doesn't work. It's very common for an ISP to use RFC1918 space for their DHCP servers.

    Keep in mind that while those rules are common practice, they are really not all that meaningful in the big picture. Keep in mind out of the box all unsolicited traffic is blocked. Doesn't matter what IP it comes from ;) Be it normal public, bogon or RFC1918, they are all blocked unless it's in some answer to traffic you initiated.. So those rules would only be of any use at all if you created a port forward. So let's say you forwarded something to a game server or HTTP server behind pfSense. Now while all the public internet would be allowed to talk to your port forward, those rules would keep bogon and RFC1918 from talking to your port forward that you opened to the public internet on purpose.

    So those rules block access to your port forwards from IPs that don't actually route on the public internet anyway. So where would they be coming from? The only place they might be able to talk back to you would be from the ISP layer 2 network you're connected to. How many clients do you think that might be? And what would they be doing that would be of any real issue, since you opened up those ports to the planet anyway.. While it is common practice to block such traffic, out of principle more than anything, when it comes to the real world they are pretty useless.. If you ask me they cause way more problems than any actual increase in security. There are many users of pfSense that use RFC1918 on the WAN side of pfSense vs actual public. And the bogon list has its own issues of what is actually in there causing problems.

    And to be honest, as usable IPv4 space becomes less and less, they are freeing up those bogons that used to not be viable and giving them out to be used on the public internet.
  • Unbound: Host Override ignoring "domain" portion for unqualified queries?

    15
    0 Votes
    15 Posts
    4k Views
    luckman212
    Just wanted to report back: been running that patch with no ill effects for just about a week now. Has been working fine. Edit: Been well over a month now, running those patches, and they are not causing any problems at all for me. Not sure how far off 2.4 is, but it would definitely be nice to see these committed for 2.3.3.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.