• VLAN DHCP Not Working

    4
    0 Votes
    4 Posts
    1k Views
    DerelictD
    Yeah see the above about WAN net.
  • WAN interface (gateway) not reachable for 2/3 seconds

    2
    0 Votes
    2 Posts
    441 Views
    C
    That's an issue upstream of your box, given the WAN IP doesn't stop responding.
  • .local across subnets

    11
    0 Votes
    11 Posts
    2k Views
    F
    @johnpoz: And the problem with using a public domain locally, ie something with a public tld.  Should that only be resolved locally or should part of it be resolved locally and part of it public? If you want to register a domain on the public side so no one can use it that makes sense.  But to actually use it locally I don't see the point.  Many companies will for example register pretty much all the tlds or at least back when it was more viable .com, .net, .org and the countries they do business in, etc. like .us or .de sure. But if they are using .com on the public side its better to use .net locally, etc. So for example with the use of suffix searches if someone looks for hostname and suffix of local.lan gets added it and that is not found locally should the resolver try and resolve it on the public side  Or they look actually do server.local.lan but forget the trailing root . in their search and suffix search asks for server.local.lan.local.lan should that be sent upstream by your forwarder or resolver?  The resolver defaults to transparent which does do that.  I change it to static so it doesn't do that - so anything that I ask that ends in local.lan goes no farther than my local resolver unbound running on pfsense. So for a home network what is the best thing to do? I have a domain name and I am definitely going to point a subdomain to my house and use dynamic dns to ensure it stays there. I currently only need this for 2 things: the VPN running on the router and a single service running on one of the servers in my home. The root domain and other subdomains are used in the internet. It seems like the options discussed are: .lan .internal.lan .example.com .home.example.com My router gets here tomorrow! :)
  • 0 Votes
    5 Posts
    2k Views
    chpalmerC
    Yep- total sense.  Thanks!
  • DHCP Static Mapping for Reserved Addresses

    3
    0 Votes
    3 Posts
    2k Views
    A
    chpalmer Thank you for the reply to my question on the reserved DHCP addresses… glad to know that I don't have to use the static mapping list inside of PFSense.
  • Inter lan problems

    5
    0 Votes
    5 Posts
    2k Views
    J
    The only DNS they have is PFsense. When it happens "for the web app" they get the external IP that the FQDN points to.
  • DHCP Client Identifier Usage Question

    2
    0 Votes
    2 Posts
    2k Views
    L
    Were you able to find some additional information? Does it make a difference if you leave this option empty?
  • PfSense 2.3.1_p5 DNS Resolver no response

    3
    0 Votes
    3 Posts
    916 Views
    A
    I'm experiencing the exact same issue. I'm not wanting to restart the modem as the sync time (VDSL) will be an inconvenience to my users. I have disabled DNS Resolver in pfsense and enabled DNS Forwarder. I am observing the same web UI speed increase, as well as DNS now working flawlessly. Update: I'm wondering if I need to add an entry into Services > DNS Resolver > Access Lists
  • Dynamic DNS update to IPv6 host

    10
    0 Votes
    10 Posts
    4k Views
    johnpozJ
    Yeah and see you have already put in a redmine on that it seems.  Great info.. Sure they get it sorted soon enough.. Back to my point that ipv6 not really ready for prime time if you ask me.. Few years yet to be honest.. Just so many moving parts on a global scale to get working..  It was not all that long ago that the dns roots were not even ipv6.. I do believe G and E are still only ipv4.. And the 2nd level for the tld are not fully ipv6 yet, quick check show that a and b.gtld-servers.net for .com are but the rest have no ipv6..
  • Unable to access pfsense box using hostname from LAN

    16
    0 Votes
    16 Posts
    8k Views
    G
    Sorry. Too much information. My goof was in creating the cert and did not change setting to type server.
  • Pfsense cache only DNS server

    11
    0 Votes
    11 Posts
    5k Views
    johnpozJ
    Dude are you going to answer the question?  Does not matter if you have 10 or 1000 or 10,000 or 100,000 what do you want to do forward or resolve? To setup bind to be a caching forwarder takes all of 1 minute of config.  Maybe even don't have to config if you just install the bind package on pretty much any linux distro it comes up as forwarding cache. Here is a step by step tutorial on setting up bind as caching forwarder.. https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04
  • Non-valid wan IP from cable modem

    8
    0 Votes
    8 Posts
    3k Views
    johnpozJ
    "Two things can happen: sometimes you will get moved to a different subnet on their network" "or they will deny ICMP (ping traffic) and your Pfsense system will think the gateway is down.) " I have been with comcast for shit well over 10 years.. I was with them through 3 different name changes in this area..  And neither of those have ever happened.  I have had the same IP now going on years.. Lease renews, mac never changes so why would my IP change?  I can recall maybe in the last 6 or 7 years it changing once.  And that was due to them doing some upgrade when they really upped the speeds I do believe. Not saying these things can not happen, but I don't think using some other IP other than your gateway is warranted because of those reasons.  Googledns could decide to stop answering icmp next week as well. I have never had any issues with getting an IP or renewing of ipv4.. Their ipv6 in my area has not been anything to write home about, it works - but the prefix can change on the wind changing direction and being Chicago area that happens a lot ;)  I just use a HE tunnel.. stable pretty close to same speeds and don't have to worry about any prefix changes I have my /48 and that doesn't change.. Have never seen need to block the 192.168.100, while I have seen pfsense get that from my modem when connection down..  The lease is short and fixes itself once connection comes back, or if connection comes back and I notice before can just renew.  Have never seen need to reject that IP.. I would hanker a bet that many of these issues with getting an IP is just lack of resetting their cable modem on change of device connected to it.  Not saying its everyone's issue - but prob some of the people having issues with getting an IP are in that boat.
  • DNS Resolver (unbound) passing local names to clients

    8
    0 Votes
    8 Posts
    2k Views
    johnpozJ
    There you go, so the population of hosts seems to just be left over from the forwarder mode days, and seems could be stopped going forward.. But I think it serves one function still, it allows pfsense to resolve stuff if unbound crashes..  So that function could still be of use I guess.
  • Error /var/etc/dhclient_wan.conf line 14: no option named option-61

    4
    0 Votes
    4 Posts
    1k Views
    N
    You're welcome. This is probably why the error when using the option-61 designation. Options which are not listed by name may be defined by the name option-nnn, where nnn is the decimal number of the option code. In my original work for impersonating the Actiontec router option-125 designation worked because it is not one that is "listed by name" (defined). See the REFERENCE: OPTION STATEMENTS section here. https://www.freebsd.org/cgi/man.cgi?query=dhcp-options&sektion=5&apropos=0&manpath=FreeBSD+10.3-RELEASE+and+Ports The reason an address was being obtained anyway was that dhclient was probably defaulting to sending hardware address or nothing at all.
  • Wan interface won't receive ip address from ISP Comcast

    2
    0 Votes
    2 Posts
    1k Views
    K
    I have heard of similar issues when users have a Cable modem only (not a business gateway).  The root cause ended up being that Cable Modems seem to bind themselves to the first Layer 2 device that connects to them on boot up.  Depending on how you configured the VM network that could be a Switch or another device and not the NIC card that you need it to be associated with.
  • Release Renew Command Line

    5
    0 Votes
    5 Posts
    4k Views
    R
    You're right, sorry for my explanations, yes, they do use multiple DHCP servers, that's why I was saying it changes, because of course, I don't always get an IP address from the same server. I've tried the advanced WAN DHCP configurations, but it doesn't allow me to overwrite my ISP rules [The logs indicate the WAN interface renegotiates the lease every 12 hours anyway] When you think about it, that's totally normal. I also think it's wise for them to configure their leases to 12 hours, for security reasons [Mail Servers, VPN Site-to-Site …. for non commercial clients],  [Most of the time, even if you don't have an Enterprise account with a static IP, my friend's WAN IP doesn't change much over time, always gets renewed] So I guess the only workaround is to renew or reboot the firewall, or there's something else I haven't seen. I'll try your suggestion again, and analyse further for a couple of days, I'll get back with the results. Thanks.
  • Create Reservation without IP to Link MAC and Hostname

    2
    0 Votes
    2 Posts
    566 Views
    M
    Definition of DHCP: "Dynamic Host Configuration Protocol (DHCP) is a client/server protocol that automatically provides an Internet Protocol (IP) host with its IP address and other related configuration information such as the subnet mask and default gateway." DHCP allocates IP addresses by design. If I understand what you're asking, you can't have a DHCP server which simply binds the hostname to the MAC address. The hostname must resolve to an IP in order for networking on the DHCP guest to function. However, you can assign a static reservation (IP) via DHCP to a specific host and then create a DNS entry (A-Record) which maps the hostname to that same IP.
  • Creating a /22 for over 1000 IPs issues

    4
    0 Votes
    4 Posts
    1k Views
    johnpozJ
    What is the IP you set on pfsense?  With your mask of /22, what is a dhcp client getting? On a side note 1000 users all on the same broadcast domain is a lot of broadcasting.. Can you not just have different networks in different areas..  But sure /22 would work so if not you got something wrong… So please post up your interface config, can you ping this from any machine ie not wireless? What are your firewall rules?  Did you have them hard coded to your previous network and didn't expand it?  Or is it set with say lan network or whatever interface you have your wifi connected to?
  • DHCP Server Not Working

    3
    0 Votes
    3 Posts
    1k Views
    D
    Out of nowhere this started working. It might have started after one of the server reboots occurred, I'm not sure.
  • "Zombie" DHCP leases?

    5
    0 Votes
    5 Posts
    1k Views
    P
    Here is the screenshot: (I have blocked out the last 3 pairs in the MAC address and the name of the iPhone - the other blanks are as they appear in the list in pfSense) ![Screen Shot 2016-06-30 at 7.09.11 PM.png](/public/imported_attachments/1/Screen Shot 2016-06-30 at 7.09.11 PM.png)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.