• Unbound not redirecting

    5
    0 Votes
    5 Posts
    2k Views
    M
    Now that it seems to work, I used a script to convert a list to the correct format.

        gunzip | awk '/^127./{
            print "local-zone: \"" $2 "\" redirect"
            print "local-data: \"" $2 " A 127.0.0.1\""
        }' > adservers.conf

    It makes a file with all entries in it.

        local-zone: "googleadservices.com" redirect
        local-data: "googleadservices.com A 127.0.0.1"
        local-zone: "googlesyndication.com" redirect
        local-data: "googlesyndication.com A 127.0.0.1"
        local-zone: "gostats.com" redirect
        local-data: "gostats.com A 127.0.0.1"

    which looks good to me, but when I add the file to advanced via

        server:
        include: /var/unbound/custom/adservers.conf

    unbound just stops working and I have to remove it from advanced again, then the service starts again. Is it possible the list is too big?

    Edit: when I remove all local-zone: "url" redirect it won't stop working and redirect/block does work, but it won't work for subdomains, as was my initial problem. When I check the log it says this.

        php-fpm[49463]: /status_services.php: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '/var/unbound/custom/adblocks.conf:5: error: unknown keyword 'redirect' read /var/unbound/unbound.conf failed: 1 errors in configuration file [1441217056] unbound[61819:0] fatal error: Could not read config file: /var/unbound/unbound.conf'
  • [solved] pfsense 2.2.4 cant get DNS Resolver to work

    5
    0 Votes
    5 Posts
    3k Views
    R
    Woo, that's it…, turning off (unchecked) the "Enable Forwarding Mode" did the trick. Thank you very much. Thanks
  • WAP not responding but seeing ….

    6
    0 Votes
    6 Posts
    1k Views
    johnpozJ
    "Can you ping the WAP from the pfsense interface on that segment?  - No." Well that tells me something wrong with network to the wap or the wap themselves.  Do they maybe lose their lease and not renew.. You say if you bounce them then everything works?
  • Dhclient wants to renew resolv.conf every 60 seconds for WAN

    21
    0 Votes
    21 Posts
    4k Views
    johnpozJ
    Yeah if you setup wan as static there wouldn't be any dhcp client doing anything for that interface.
  • Pfsense as Gateway and share Internet

    3
    0 Votes
    3 Posts
    987 Views
    M
    'A picture is worth a thousand words', as the old saying goes. So screenshots would be very helpful too.
  • I cant see different subnets

    3
    0 Votes
    3 Posts
    768 Views
    C
    Probably because of the mess of routing you have there. Some devices on a /23 subnet, some on a /24. Not a big deal if you're purely routing, but throw a stateful firewall into the mix with some traffic only going in one direction through the firewall, and you have a mess. Ideally, fix it so the masks of everything actually match. Everything on a /23 probably best if it's really just a flat network. Otherwise everything on /24 so the routing happens properly. The "Bypass firewall rules for traffic on the same interface" option under System>Advanced, Firewall/NAT might suffice in the meantime. But likely only if you can ping across. If you can't ping, there's a more fundamental network issue at hand. The asymmetric routing will only impact TCP in most configs.
  • Unbound Question

    5
    0 Votes
    5 Posts
    1k Views
    M
    @BBcan177: You can't add to the conf file directly… You will need to enter that Server: Include: line in the "Adv." Settings Box in the Unbound GUI.

    Ah GREAT, that works :) Thx
  • Local DNSserver - primary DNS offline (ATV3)

    5
    0 Votes
    5 Posts
    1k Views
    johnpozJ
    If using resolver (unbound) then it resolves using roots and authoritative servers. It does not out of the box forward to anything; it is a resolver, not a forwarder.  It uses root.hints and then walks the tree asking the authoritative servers for whatever you're looking for. Why do you need to set up different DNS for hosts?  Why can't all machines/devices on your network just point to pfsense?  This would be handed out via DHCP by default.  Then you set up pfsense to either forward or resolve for you. If you need to resolve something local then you use an override, so you can point anything you want to a specific IP via override.
  • Aliases

    7
    0 Votes
    7 Posts
    1k Views
    A
    @muswellhillbilly: What the doktor said. Though you are sure you don't need to send or receive any external emails? Because with the setup you have - given the information you've provided - you probably won't be able to at some point or another.

    Yes, the internal email is for internal private email. The external email is accessible via other entries within the client's email program. If a user does attempt to send an email externally and the smtp server has been set to the internal server, then it will not work, that is what is expected.

    Aimee
  • Assigning IP addresses to hostnames?

    2
    0 Votes
    2 Posts
    728 Views
    D
    Yeah, it's extremely well hidden in the DNS Resolver or DNS Forwarder GUI (Host Overrides)…  ::)
  • 0 Votes
    6 Posts
    2k Views
    KOMK
    Set your DNS in System - General - DNS Servers by supplying your ISP DNS as well as 3rd-party like Google, Level3, etc.  Uncheck Do not use the DNS Forwarder or Resolver as a DNS server for the firewall.  Enable the Forwarder.  Disable the Resolver.  Forwarder interface should be Localhost.  That should do it.
  • DNS: resolving pfSense address

    2
    0 Votes
    2 Posts
    848 Views
    R
    Perhaps take a look at the default lockout rule under the firewall rules?
  • Proper DNS

    18
    0 Votes
    18 Posts
    3k Views
    johnpozJ
    I am with you derelict.. Dig is a tool I use every single day.. He doesn't have to get anything quite sure his OS comes with a way to query dns from a cmd line.. Pretty sure nslookup no matter how bad it is in windows can still just do a simple query. sdp0024.. Please do a query for what you feel is not working, as per my examples.  If something is not working, have you cleared your local cache?
  • Option 82 to DHCP logs? add config to dhcpd.conf via shell without reset?

    4
    0 Votes
    4 Posts
    5k Views
    G
    I'd like to see this too!
  • DNS Resolve for Localhost, IPv6?

    5
    0 Votes
    5 Posts
    4k Views
    arrmoA
    Hi, Understood - and agreed! The problem is that ::1 has broken a service on my machine (NextPVR) … :(. I hacked the registry, and forced IPv4 preference over IPv6, and that allowed me to get the service working again. This didn't happen on Windows 8, just started with Windows 10. But FYI, nslookup is definitely querying pfSense - it even says that in the response ... ;). Not saying the response is wrong, agree with you there. Thanks!
  • Strange unbound issue

    9
    0 Votes
    9 Posts
    2k Views
    D
    A domain using shitty DNS servers is not pfSense issue… Not exactly sure what solution you are searching for here - their DNS servers take seconds to respond -> broken crap.
  • DHCP over VLAN not working

    16
    0 Votes
    16 Posts
    5k Views
    DerelictD
    I have tried to get them to deal with a tagged management VLAN and they reverted back to untagged for some reason.  Might have just been that code level but it left a bad taste in my mouth.
  • Dynamic DNS

    5
    0 Votes
    5 Posts
    1k Views
    V
    See: https://doc.pfsense.org/index.php/Dynamic_DNS I personally like to use Namecheap, but I haven't tried it in pfSense yet.
  • Forward all DNS queries from pfSense to another DNS server

    4
    0 Votes
    4 Posts
    6k Views
    johnpozJ
    Either or.. They both do the same thing..  Unbound is the newer addition to pfsense, at some point dnsmasq might be removed but I doubt it and would be multiple releases down the road if ever. I would suggest you use the "forwarder" dnsmasq just for the fact it's actually called that in the menus and has no option to be resolver.  Unbound has way more configuration options and more likely for user to mess up or not actually have forwarder mode enabled. Also unbound forwarder I do not believe forwards to all in the list like dnsmasq does unless you enable seq mode. Go with dnsmasq forwarder.. Curious why not use unbound as resolver. This way you're sure you get answer direct from horse's mouth and has support for dnssec, etc.