@cmb: The problem is on your network, not the firewall. It's answering the clients' requests, and it appears those don't get back to the client. It also appears there is something else odd going on. There are multiple requests per second from one host 172.16.17.105. No normally functioning DHCP client is going to send more than one request a second. Something inside your network duplicating packets possibly. any idea what it would be… i am unable to figure out

It depends on what it's doing. If the query was not in the cache and it has to do DNSSEC validation, it can take longer. If the query comes from the cache it would be faster. Try the same exact query a few times in a row.

BBcan177 you are a genius! I don't know why I never checked that but sure enough it was pfblocker that was causing it. Once I added it to the exception list everything is working perfect again. Thank you!!!!!!

So I have tried that but I'm unable to ping the IP from an external address, or even traceroute to it (ICMP is enabled in firewall rules through that interface). This seems like such a unique situation. This is an example of how the existing router (Zyxel) through cincinnati bell basically works: 216.48.63.146 = dynamic 216.4.5.54 = static -the ONT is acting only as a L2 bridge -the Zyxel grabs 216.48.63.146 via DHCP -The Zyxel then sends a GARP request for the IP configured as "private LAN" -The Zyxel configures a second IP on its LAN to be the gateway for the private LAN address -Upstream, the magician in the sky sets up a route to the private LAN IP gw 216.48.63.146 -Static IP works! we end up with: Zyxel WAN: 216.48.63.146 Zyxel LAN1: 192.168.200.1 Zyxel LAN2: 216.4.5.53 (gw) CPE static: 216.4.5.54 (with .55 bcast and .52net) So in essence the dynamic IP is the next "hop" from the static IP (confirmed through a traceroute when using the zyxel modem). I feel like I'll eventually need to set up something in routing vs. being able to do NAT 1:1 or an Alias IP, but I'm pretty new at this.

He should be be able to do this if he knows the MAC addresses of the Devices he needs in the secondary pool, no? Blacklist those MACs from the primary pool, and make a secondary pool with the option set and which whitelists the same MACs? Is there a reason that wouldn't work? (Provided he's not using a /24, but rather a /16) (It wouldn't be ideal by a long shot, but possible?)

Because that is not how it works with this version of dhcpd.. If you don't like it get with ISC, if you want a static that sits inside your pool range, then create a pool, create your stated then create another pool on the other side of that number.. .100 - .110 pool, .111 reservation, .112-120 pool

ok, thanks cmb. As long as everything is working as it should, that's all that matters. Can you please mark this thread as solved

Exactly what I was saying, that is a LONG list of domains your forwarding, ie overrides..

I may have asked this question before in another thread (sorry if it has already been answered – I am an old man!) but what are the ramifications if any of doing this? It seems that setting Unbound's outgoing interface to LAN just fixes everything up in most cases, I am wondering why the default behavior is to set it to "ALL".

Ok, so all i have to do is install bind or nsd and set dhcpv6 rfc2136 dyndns.

@cmb: It restarts upon DHCP hostname changes when you're registering those names. https://redmine.pfsense.org/issues/5413 So is it best practice then to NOT enable that option? (register DHCP leases in DNS) It would seem that all that stopping/reloading of Unbound is "bound" to cause some problems especially on a busy network…

very true you have a very extensive listing…  Now that I moved to 2.3 maybe I will give the package another look see ;)

@mtriber: I have several machines with static IP's on my network. The pc's are windows based. I can't resolve the pc names. How do I register them in the Pfsense automatically? I have a chromebook that won't resolve the netbios name. Is there something I need to enable? If you're running a Windows AD environment, then let your Windows server handle DNS/DHCP and set your PFS as forwarder, using the PDC as it's target. Otherwise, if you only have a few Windows standalone machines with static addresses, what's the issue with just populating your PFS DNS with the PC names and corresponding addresses? If they don't change and you're just talking about a few machines it shouldn't take long to do.

Ok - fair enough..  I can tell you I point to windows DNS with an domain override just fine and have no issues. Let me vpn in and will post some examples edit:  Ok took me a bit longer than I thought, freaking real work getting in way of my helping people on the forums ;) heheh Anyhoo – so see I created a mydomain.com domain on my Windows 2k8r2 box... And as you can see when I query pfsense at first the .253 address he doesn't find anything and returns SOA since he was asking the internet for that domain. I ask my windows box at .19 and he says sure here you go I have a A record for host as 192.168.42.42, I then created a domain override and ask pfsense again at .253 and boom get the answer.. If I had to guess why your getting servfail is you are not allowing unbound to query on the interface to get to your AD box?  See where I added the LAN interface in my outgoing interfaces so that pfsense can query the 192.168.9.19 address I pointed that mydomain.com too.  If I uncheck that and then ask pfsense I get servfail like you.  So check what interfaces your allowing unbound to query out from.. BTW the long query times, I am having problems with the network here, and running off hotspot on my phone currently, with a vpn to my work, and then vpn off a proxy in my work network in tx, from memphis to my home in schaumburg ;)  Working latency is a bit high... [image: domainoverride.png] [image: domainoverride.png_thumb]

it seems dns resolver is causing the problem. can someone kindly explain for a fix. ive only noticed this since pfsense changed from forwarder to resolver that this functionality is broken now or requires different workaround many thanks Update: again i have manged to resolve this. Due to how dns resolver works, opendns and other dns server will no longer work. in order to fix this go to services–> dns resolver---> disable DNSSEC( as opendns does not support it) check dns forwarder it working now i checked http://opendns.com/welcome/ ,however filtering does not work , i just tried to block a domain via the dashboard on opendns and it still allows me to browse to the site. any suggestions ?

I have managed to solve it. On the cloudflare panel set the DNS A record to grey cloud, which bypasses cloudflare and on the cname of subdomain for example www (you need to set that to orange which routes all traffic through cloudflare and masks ip)

this isn't the right place to put this in. someone will/should/might move this. what kind of error are you getting in logs when dhcpd stops working?