• Dns rebounder not working

    5
    0 Votes
    5 Posts
    1k Views
    johnpozJ
    It was never called rebounder ;) The resolver walks down from roots and talks to each name server down the tree until it actually queries the authoritative server for the domain you're wanting to query a specific record, etc. So depending what your isp does, or what you're blocking say in front of pfsense if you can not talk directly to name servers then yeah resolver is never going to work.
    From your stats there doesn't seem like you're even seeing any queries to it.. Are your clients able to talk to pfsense on 53 udp?  You notice for example mine

    May 22 06:51:21 unbound 21699:0 info: server stats for thread 1: 5006 queries, 1763 answers from cache, 3243 recursions, 154 prefetch

    Curious why you have dpinger off?  And depending how you're using pfblocker it not running could cause you dns troubles. Have you edited your default lan rules?  Common mistake is only allow tcp, when dns requires UDP.
    Can you query pfsense IP for something that should be local, like its own name.. Use your fav dns query tool, nslookup, dig, drill, host, etc.  shoot even a simple ping for pfsense host name should return its ip.

    user@ubuntu:~$ dig pfsense.local.lan

    ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> pfsense.local.lan
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55046
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;pfsense.local.lan.            IN      A

    ;; ANSWER SECTION:
    pfsense.local.lan.      3600    IN      A      192.168.9.253

    ;; Query time: 3 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Tue May 24 08:01:01 CDT 2016
    ;; MSG SIZE  rcvd: 62

    user@ubuntu:~$
  • Unbound DNS Resolver - Not caching?

    29
    0 Votes
    29 Posts
    11k Views
    J
    Tried from a Windows client, looks good to me :) [image: all_good.png]
  • Abuse issue with dyndns on nsupdate.info

    2
    0 Votes
    2 Posts
    1k Views
    F
    @FreeMinded: … The dyndns actually works and I can access the device from remote even though the page Services: Dynamic DNS clients shows cached IP 0.0.0.0 in red which I assume should show the public IP. I found the solution to this problem. The field result match in the Dynamic DNS configuration should contain good %IP%|nochg %IP% With that the correct IP is displayed.
  • New to pfSense. How does DHCP reservations work?

    2
    0 Votes
    2 Posts
    3k Views
    johnpozJ
    You do understand that vcenter can just have a static IP you set on it right..  Just like any other machine or vm on your network.  You don't have to use dhcp. That being said, make sure you're using the correct mac for the vcenter nic.. It's not going to be your physical nic mac, but the vmnic in the vm mac.
  • Pfsense in static network

    2
    0 Votes
    2 Posts
    812 Views
    johnpozJ
    yeah go right ahead, there is nothing saying you have to run dhcp on pfsense or anywhere else in your network be it wan or lan.
  • Network boot - multiple tftp servers ?

    1
    0 Votes
    1 Posts
    593 Views
    No one has replied
  • Unbound Query Question

    3
    0 Votes
    3 Posts
    1k Views
    G
    Thanks for the helpful update. I have it set not to forward. What would you recommend?
  • DNSCrypt with pfSense 2.3.1

    3
    0 Votes
    3 Posts
    3k Views
    Y
    you have to update dnscrypt to latest version (use 18 version) https://forum.pfsense.org/index.php?topic=111895.0
  • Local DNS over OpenVPN

    3
    0 Votes
    3 Posts
    2k Views
    R
    Thanks for the advice, I tried it. It only works once, after that I need to use IPs again.  :-\
  • Problem with DHCP on pfsense 2.2.6

    11
    0 Votes
    11 Posts
    2k Views
    johnpozJ
    ^ hehe that is funny.. But you're right that is how he wrote it "after i executed this commands ipconfig /renew  and ipconfig /release" Nope that sure wouldn't work..
  • DNS resolving issue

    3
    0 Votes
    3 Posts
    1k Views
    johnpozJ
    "WAN [SAT]"  So you mean satellite here, it's quite possible on a sat connection your latency is so high that trying to actually resolve would be very problematic.  Resolving means walk the tree to get to the authoritative server for the domain.  So say you wanted to look up www.domain.com.  You would first ask roots, hey roots who do I ask for .com, they would point you to those nameservers, you would go ask them hey who do I ask for domain.com, they would give you the ns for that domain, you would then go directly ask one of those ns for the www record. Depending on the domain that NS for that domain might be shitty, or long way away anyway.  Having high latency network could cause problems with that.  While when you forward, you're just asking a specific name server hey what is IP for www.domain.com, he most likely has it cached and just gives that IP to you directly. It's also possible that your ISP blocks access to dns to anything other than their nameservers, this also breaks resolving.
  • DHCP for virtual IP/LAN

    11
    0 Votes
    11 Posts
    4k Views
    johnpozJ
    You can come up with all the excuses you want..  Sorry but running multiple layer 3 on the same layer 2 is just plain Broken no matter how many excuses you come up with to try and justify it plain and simple. http://community.ubnt.com/t5/UniFi-Wireless/UAP-PRO-and-DFS-Channels/td-p/1502217 Just to confirm that updating the controller to 4.9.1 and the firmware on the radios, DFS channels are working flawlessly on AC-LITE. I can not actually confirm this since in the US with US hardware, etc.  But there are many a post of DFS working in different countries in the EU..  Might be some problems for like Switzerland??  Pretty sure seen confirmation from UK and DE, etc that they have it working. I would for sure grab yourself one and give it a test run. If not working for your part of the EU, it should be very soon..  US and CA seem to be the unwanted step children in this rollout.. As to the old versions not supporting stuff.  Yeah sometimes that happens, I wasn't too happy about a $300 ACv2 I bought not doing ATF and band steering, etc.. not sure will ever be?  So I sold it to someone here on pfsense for $75.. I believe it was good deal for both of us.  It offset cost of new AC pro to go along with my LR and Lite.  Which the purchase and use and discussion about on the forum got me on the testing list of the new AC line and they sent me free LR and Lite..  So taking that into account, and then the 75$ back, and the use of it while I had it, etc.  Still pretty happy with the unifi stuff..  And while they do quite often state features that are not quite prime time ready yet, etc.  Overall I think for the pricepoint and actual quality of the products I am very happy with them..  They for sure blow away any sort of soho wifi router used as a AP ;)
  • Having an issue with my new satellite modem.

    1
    0 Votes
    1 Posts
    498 Views
    No one has replied
  • @ Symbol For NameCheap Dynamic DNS

    8
    0 Votes
    8 Posts
    2k Views
    jimpJ
    @gyNejNpp82XB: I've updated to 2.3_1 but the @ character is still not accepted. 2.3_1 is not 2.3.1. 2.3_1 is really 2.3.0_1, it was a minor NTP update. 2.3.1 is not yet released, but will be in the next day or so (unless we find any problems)
  • DNS leaks

    22
    0 Votes
    22 Posts
    14k Views
    H
    @gjaltemba: This is off topic but I would like to highlight the firewall rules for the LAN interface in the PIA tutorial The proposed changes to the default LAN firewall rules are only necessary with more advanced firewall configurations. https://forum.pfsense.org/index.php?topic=76015.0 For my setup I required the defined gateway on my lan but not on my vpn interface. (I had defined both gateways which blocked me from accessing my LAN from the VPN) Thank you so much!
  • DNS on pfsense 101 ??

    3
    0 Votes
    3 Posts
    1k Views
    O
    I was not even aware that there were any videos but I have to say that it was precisely the level of information I wanted It confirmed that the setting changes I made to date were good and added good guidance of what I should be doing next So, a big thank you from me for this link and source of enlightenment….. So much easier than trying to make sense of the 4-5? year old pfsense manual I have here. Things have moved on a lot since then
  • Active Directory DNS

    31
    0 Votes
    31 Posts
    11k Views
    J
    I knew that… But I also know it is not hard enforced in the software, nor does MS even look at this during audits I've directly participated in. So while technically correct, I've never seen it come into play in 15+ years of MS licensing admin...
  • DNS Issue

    8
    0 Votes
    8 Posts
    2k Views
    johnpozJ
    So you're now only using resolver, in resolver mode? Has that made your dns issues go away.  Since resolver walks down from roots and doesn't ask any other recursive servers for anything.. Just roots to authoritative servers for the domain you have a record you're looking for. Pfsense has no need for anything other than pointing to itself to resolve anything.
  • Making PFSENSE as DNS for Active Directory

    20
    0 Votes
    20 Posts
    17k Views
    P
    Great hackersoft ! You made my day. I was googling for a while for a way to authenticate AD sessions over an IPsec VPN with NAT-T, on a site without an AD DC. Added the DNS lines in the Unbound DNS Resolver Advanced options as you described, and a Host Override for each of my DCs on their NATed IP address and it finally works ! My computers can now authenticate on a DC controller on the other side of my Ipsec tunnel… Also tried to add a new computer to the domain, and it's working too. Perhaps there's another way to perform that... but this way works great for me. Why am I not fallen on it earlier ? :) Many thanks for this sharing !
  • Additional BOOTP/DHCP Options for static mapped DHCP clients. ??

    1
    0 Votes
    1 Posts
    830 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.