Got it fixed, Not sure exactly why it was doing this but I booted into slice 2 and that was working so I copied Slice 2 to Slice 1 and after that I never had the issue again.

@ghostshell:

No plex

I would beg to differ to be honest..

14:26:41.306997 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
    192.168.1.30.42027 > 192.168.1.255.32412: UDP, length 21
14:26:41.307097 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 49)
    192.168.1.30.56755 > 192.168.1.255.32414: UDP, length 21

Clearly 192.168.1.30 is broadcasting traffic on well known plex ports..

https://support.plex.tv/hc/en-us/articles/201543147-What-network-ports-do-I-need-to-allow-through-my-firewall-
The following ports are also used for different services:

UDP: 1900 (for access to the Plex DLNA Server)
    UDP: 5353 (for older Bonjour/Avahi network discovery)
    UDP: 32410, 32412, 32413, 32414 (for current network discovery)
    TCP: 32469 (for access to the Plex DLNA Server)

While sure it could be something else - this is the only use of those ports that I am aware of.. Without seeing the actual sniff that can open in wireshark or something - that would be my guess to what the traffic is.

And again - this traffic has nothing to do with file transfers between 2 boxes on the 192.168.1.0/24 network - since pfsense would never even see that traffic.  This is just typical broadcast noise..

Yeah I would sniff to see exactly what the client is sending back if anything.

Under diag on pfsense just sniff on the lan interface for say port 67

You should then see the discover from the client, the offer from the server, the request from the client and then the ack from the server.

What exactly are you seeing in this transaction?

Hi Guys sorry for the late reply ….All VLAN are virtual interface i created on Pfsense..... and all the VLAN are tagged to the Lagg i created ...
i setup our HP switch in L2 Mode but it is not just acting as a layer 2 .... today i'm getting replacement from HP will update you the status...
oh and Hybrid is a port when we tagged multiple vlan ....
Thanks.... :-)

Yep, agreed - likely easier to just purge the data, start again (as there are thousands of lines in the table, don't really want to change each line …  ;)).

Thanks for all the help!

I purchased a TP-Link TD-8616 ADSL2+ Modem and setup my WAN with PPPoE instead of DHCP through the bridged modem. This seems to be working find, so it looks like I'll retire the Dlink DSL-2320B and call it done.

The DHCP server assigns based on the MAC address so you can have whatever you want as a name in pfSense and the local DNS regardless of what the client sends to the DHCP server in the way of a name.

I see this on several items of equipment where I have more than one and they all provide the same name. I never even considered it an issue until I discovered the Ubiquity Edge Router software had problems with it.

Awesome, I have allowed the IP address of the secondary server to do zone transfers and added a firewall rule allowing inbound 53 TCP. Thanks guys!

Thanks!

Its not that nslookup appends .home - it will append whatever domain your computer is in, or whatever your search suffix search is.  Which can be quite long depending how you set it up.

You can view this with ipconfig /all

example

C:>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : i5-w7
  Primary Dns Suffix  . . . . . . . : local.lan
  Node Type . . . . . . . . . . . . : Hybrid
  IP Routing Enabled. . . . . . . . : No
  WINS Proxy Enabled. . . . . . . . : No
  DNS Suffix Search List. . . . . . : local.lan

Notice domain is local.lan, if I just do a query via nslookup for just a host name it auto appends the search suffix - in my case .local.lan - sure if you setup network to use .home as your domain then it would append those to your searches..

So see attached sniff of when doing a nslookup for pfsense, the nslookup command fist does a PTR for the dns server in my case 192.168.1.253, you will then see it do query for A and AAAA both with .local.lan in the query even though I only did query for pfsense

now if I did a query for say whatever.something.com you notice it still appends in the first query .local.lan - it gets no response for this so walks up the tree and says lets try without the suffix, see the query without the .local.lan

If you don't want the query for your search suffix to be appended then you have tell nslookup hey this exactly what I want - don't add anything by putting . on the end.  3rd attachment notice it only does query for exactly what I asked for - no added suffix to the query.

query.png
query.png_thumb
otherquery.png
otherquery.png_thumb
endwithperiod.png
endwithperiod.png_thumb

very odd..  But sounds like your good to go then.

Again you did a query for a domain that doesn't even exist most likely

dnstest.mydomain.com**.home**

Is not

dnstest.mydomain.com

If setup tiny to be authoritative for mydomain.com, and created an A record for dnstest in that domain..  Doing a query for dnstest.mydomain.com**.home** tiny will tell you pretty much F off ;) if you didn't set it up for recursive.

As to what its authoritative for - it would only be authoritative for the zones you created on it..

WAN interface is configured as DHCP client so no dhcp server setup on WAN. DHCP server is running on a router and a static ip has been reserved for MAC address of pfsense wan to stop chatter on the line.

It looks like the issue was that we decommissioned workstations without removing them from Active Directory.

The DNS records of the old workstations stayed on the domain controller while the new workstations were joining, and I ended up with multiple DNS records pointing to a single IP address.

The DNS/ActiveDirectory forwarding is working fine with pfSense, I have a similar setups at other sites.

Thank you very much for the inputs, appreciate it.

Regards.

@johnpoz:

@HCJ:

@johnpoz:

So create a forward on your lan that says anything going to 53 tcp/udp redirect to whatever dns you want them to use IP address.

how would I do that?

Simple port forward, note its using LAN as the interface though.. See first image..  So I set my client to use 8.8.8.8 for dns - see googledns can not resolve my pfsense.local.lan fqdn - but once I put in the forward.  The clients query to 8.8.8.8 just gets redirected to pfsense dns that can resolve it.

thank you worked a treat

that doesn't give you host name unless their is a PTR record for the device.

-a            Resolve addresses to hostnames.

In windows your prob better off doing a nbtstat to the box for its hostname

C:>nbtstat -A 192.168.1.8

Local:
Node IpAddress: [192.168.1.100] Scope Id: []

NetBIOS Remote Machine Name Table

Name              Type        Status
    –-------------------------------------------
    STORAGE        <00>  UNIQUE      Registered
    LOCAL          <00>  GROUP      Registered
    STORAGE        <20>  UNIQUE      Registered
    LOCAL          <1E>  GROUP      Registered

MAC Address = 00-0C-29-55-4F-95

If it were me I'd put a blank VLAN on a managed switch between the two, and capture the traffic during DHCP and see what's going on.

You could run a packet capture on pfSense but I would rather have a mirror/monitor port doing it so you're positive you're not experiencing something on the wire that just isn't being picked up by the NIC and sent to tcpdump.