The only time a frame is tagged or untagged is when it is coming in from or going out on the wire. Referring to tagged/untagged anywhere else is confusing. When it's inside the switch it's on a particular VLAN without regard to the terms tagged or untagged.

BUMP I have almost the exact same set-up. (pfsense 2.2.3 now) I use policy-based routing and gateway groups to make my LAN use the VPN for internet and fall back to WAN when the VPN goes down. I, too, would like a way to do the same thing with my DNS in pfsense. I find that my DNS goes out either through VPN2 or both VPN1 and WAN (unless I specify something else manually) I would like to have my DNS use VPN1 only, and fall back to WAN only when VPN1 becomes unavailable. (just like my internet connection does) Having Unbound use WAN for DNS when the VPN is working is not an option as it exposes my public IP. On the other hand, having it use the VPN will stop name-resolution from happening if the VPN goes down. If I select both, the leaks both public IPs. It would be possible to achieve what I want with a separate DNS resolver on my LAN, but that means more equipment, more cost, more administrative effort. Does anyone know of a way to achieve this within pfSense?

What interface are your WAN connection? I have a similar problem usign 2.2.4 on a x750e where if I use the one of the msk interfaceses then i'm able to ping any public ip e.g. 8.8.8.8 but I'm unable to do any dns resolving. But if I use one of the sk interfaceses everyting is allright.

That is what I was looking for. Thanks for the info. I'm going to run with just one internal vlan for now until I can get a level 3 switch on in my budget. I appreciate your quick replay.

I think you misunderstand my issue here. I NEED dhclient to log more info to syslog as I am troubleshooting dhcp issues with my ISP. How can I get dhclient to, consistently log, all these DHCPREQUESTS and ACKS ?

@tim.mcmanus - We have two options: static IP and dynamic on a LAN behind a firewall. Those who need a static IP are usually self helped and know the basic about network. They usually gives no hassle at all. The rest that do not ask for a static IP are all places behind the firewall (pfsense) that provide DHCP on a LAN. We have just seen a great increase in users that attach Apple routers that go into bridge mode. There are several reasons why we do not want that. I only see one solution: That is to tell all switches only to allow one MAC and then prepare helpdesk for all the calls from Apple users that suddenly only can have one pieec of equipment on there wifi at the time. We will have to help them one at the time to setup there routers as DHCP routers instead of bridge mode (access point)

Problem solved! After some testing I found that the GS108T had to be the weak point. So I did a check in the configuration and found that it had DHCP filter enabled, but not configured. So I turned it off and all of a sudden things start to work as it should. Thanks again!

yes if you enable dnssec in unbound it does it whenever possible - not just to roots, but if the end domain has it setup, then it uses it then too..

@johnpoz: What..  And how would ping resolve minisrv1 ??  It either queried dns, wins or it broadcasted for it..  Or you have it in a host file on the box.  Why are you not using FQDN? Here see I ping pfsense, my box adds the suffix local.lan which is how I have it setup..  Clearly a sniff this as I said would JUMP OUT AT YOU!!! This ended up being incredibly strange problem, with many Murphy's Laws involved. The reason that strange network ended in ping response seems to be due to one of two HP switches being reset back to factory settings somehow, which gives them the 192.168.2.x network. Somewhere in there it seems to have "acquired" the MAC address of one of the servers and thus confusing the crap out of this workstation, whereby ping tried that completely unrelated IP address (this is what I meant by ping not using DNS if it can find the address by other means). Rebooting every piece of the network, setting up one of the switches again, and clearing all caches has now resolved all the problems.

Thank you, Thats what I do in OS X Server, I will do this in pfsense as well. Its just in Windows server DHCP you can have exclusion range or single IPs inside the one scope. Best regards Kostas

Yeah, so use the domain overrides.

Yeah that's correct.

static or reservations should always be outside the scope.  I will have to look if there is a requirement for scope if dhcp is on for static reservations. edit:  I see your point if I have dhcp enabled because I want use statics. And deny unknown you have to have a scope - even if only 1 ip.  This would make it possible for a known client from different interface to move over to that segment and get that IP. for this sort of setup there should be a way to not have a scope defined I guess.