And where is this windows dhcp server?  what network?

I know you can not enable dhcp relay while dhcp server is enabled.  I don't know if you can run say pfsense dhcp server on lan, and dhcp relay on wlan?

what dns server - you host your own name servers?  What domain?  PM it if you don't want a public website to be known public for some reason ;)

So you created port forwards for your website and dns to get to your name server?  Public facing dns should always have 2 name servers at min.. Any decent registrar would require that anyway.  So where is your secondary name server?

it is really hard to troubleshoot dns related problems of this nature without actually knowing and being able to query the nameserver to tell you what its doing wrong or right, etc.  Off the cuff, pretty much anyone hosting their own dns to the public is most likely doing it wrong ;)  let a company host your dns that does that for their bread and butter, etc…  Hosting dns on global infrastructure can be had for less than it costs to power the box hosting your dns ;)  Why would you not enjoy a global dns setup with anycast, failover, etc. etc.. for $30 a year for 5 million queries a month, etc. etc..

It almost never makes sense to host your own dns that is public facing..  But sure lets get you working ;)

I had to turn the dns server off as it was crippling the internet speed dramatically.

I still would like to get this properly set up but so far no luck.

He did indeed - I was as I said chasing a ghost, I'd already spotted it - BUT

I only put the URL into an alias because it was getting reported by 'something', at the time I didn't have 'log_queries' enabled so I didn't know where from. I don't tolerate 'unknown' behaviour within my network so my first response was to add the URL as an entry in a block table - I have a bad boy table that I use to block 'bad behaviour' sources and targets - spammers that aren't in another blocklist, multiple chinese sites, people that try to log into my mailserver multiple times with multiple users from same IP etc etc.

When I saw the constant 'dns rebinding' the first thing I did was to put it into this 'block table' - while I searched for the culprit, the culprit has not been found on my local LAN despite 18 hours of packet capturing, I am still running wireshark with the url as a filter - but on the DNS / DHCP server that I created where it isn't such a pain to 'start capture, stop capture, download - - yada yada'.

I also completely rebuilt pFSense in case it had been compromised, and so far this URL doesn't appear anywhere so I have kind of fixed the issue but not in the preferred manner, it would have been nice to know who was originating the request that prompted me to 'block it' in the first place.

I would expect that where a URL does resolve to a private IP that the bogon filters should deal with it, where an IP generates such an event the system shouldn't keep re-trying but should put it into some 'holding place' for investigation - and should provide sufficient information to give the investigation a place to start - i.e. source Network, source IP, source MAC, date, time.

Every one gets retarded about stuff getting in - 80% of security breaches are caused 'internally' by users - so events noted by things trying to get out must carry even more weight / priority.

sigh

I can't believe I missed that in the help page linked to from the DNS Forwarder page in the dashboard. I tried the second method, worked on the first try. Thank you.

Looking at it again, you don't have the block all dest local_nets_v4 like I do so your final pass rules should catch DNS and pings.

Please let us know what the dns configuration is.

You're getting the IP your ISP assigns you. Your firewall has no control over what IP it receives, it uses what the ISP tells it to use. If you change your WAN NIC's MAC, you might get a new IP, or you might lock yourself out entirely and have to revert that change and reboot to get your original MAC back, if your ISP or modem restricts you to a specific single MAC.

Hi guys.
read my response in: https://forum.pfsense.org/index.php?topic=80478.0

@itsol:

Hi all!

I have PfSense 2.14 setup fine behind a Cisco 3212 Cable Modem.  It's a real Modem. ;-)

When the Modem is rebooted, PfSense doesn't get the new WAN IP-Adress from the Provider (Unitymedia Germany) via DHCP.

If I reboot PfSense afterwards the WAN IP is renewed and everything is working again.

Same thing happens from time to time. (When the Provider resets the connection? I don't know.)

The IP is regulary renewed when the Leasetime expires. (Entries like "New IP detected" and then same IP given)

To me it looks like PfSense is not asking for a new IP through the Modem as long as the Lease is still valid.

Is there any way to make PfSense establish a new connection without rebooting?

Suggestions?

El Buco

Just saw, it's nearly the same question as here: https://forum.pfsense.org/index.php?topic=80477.0

Seems to be a feature, not a bug. ;-)

Olá Itsol.

Was searching for some solution to this poblema. Almost no one suffers from this evil DHCP WAN.

It was when I came across your doubts and the solution that was given. I had to disagree with the "Derelict" also. Ai continued my search and found this post: https://forum.pfsense.org/index.php?topic=57258.0

I have not read everything, went straight to the last page and read something talking ta communication rate of the network interface where the individual arrow interface to communicate to 100BaseT. Well, it cost not try, I changed my settings to "Full-Dublex 100BaseT." I did my tests and it worked oa _ || _: D

my system: "2.1.5-RELEASE (i386) built on Mon Aug 25 07:44:26 EDT 2014 " Interface: Realtek 10/100.

Well, there is a hint.
Good look.

If you're not using layer 3 functions of your switch, it's not a layer 3 switch.  If you are, then you need to do all sorts of things differently.  If you are not configuring virtual interfaces and assigning interface IP addresses in the switch, it's just layer 2.

what did you put for the domain on the host, what are you doing the query for - does you machine use search suffixes. Is the forwarder working for looking up say www.google.com.  Are you SURE you pointing to your forwarder.  Do you have pfsense using the forwarder via 127.0.0.1

How about you show us your host over rides, and then simple query.

C:>dig i5-w7.local.lan

; <<>> DiG 9.10-P2 <<>> i5-w7.local.lan
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30484
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;i5-w7.local.lan.              IN      A

;; ANSWER SECTION:
i5-w7.local.lan.        86400  IN      A      192.168.1.100

;; Query time: 3 msec
;; SERVER: 192.168.1.253#53(192.168.1.253)
;; WHEN: Tue Oct 07 06:32:35 Central Daylight Time 2014
;; MSG SIZE  rcvd: 60

C:>dig -x 192.168.1.100

; <<>> DiG 9.10-P2 <<>> -x 192.168.1.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29216
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;100.1.168.192.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
100.1.168.192.in-addr.arpa. 86400 IN    PTR    i5-w7.local.lan.

;; Query time: 2 msec
;; SERVER: 192.168.1.253#53(192.168.1.253)
;; WHEN: Tue Oct 07 06:32:46 Central Daylight Time 2014
;; MSG SIZE  rcvd: 84

C:>

There is no underlying reason - DHCP can hand out an unspecified length list of DNS Server addresses.
System->General Setup supports 4, and will hand those out with DHCP if the forwarder is not enabled in pfSense.
You could conceivably use the "Additional BOOTP/DHCP Options" field to specify the details, but that would be really difficult to get the right 4-octet binary values in a list there, and in any case the wway the pfSense code is built it is also going to give out something itself that will mess up what you tried to specify.
The easiest would be to expand the GUI to accept 4 DNS servers, matching the number supported in System->General Setup - I wonder why that was never done in the first place?

How many places you going to post the same question??  Don't crosspost!!

https://forum.pfsense.org/index.php?topic=82359.0

Thanks!
I'll look into this.

maybe this will help?

https://forum.pfsense.org/index.php?topic=81747.msg446989#msg446989

According to unbound documentation, if no root hints file is provided, it will use some "reasonable defaults".  Not sure what those are, but they're enough to get it working, but not very clean or reliable.