• Quick question regarding DNS server name

    10
    0 Votes
    10 Posts
    1k Views
    C
    Ohh, got it! – Many thanks! I added a host override in resolver for the static DNS entry (which worked). :)
  • OpenDNS hardcoded in Unbound?

    4
    0 Votes
    4 Posts
    1k Views
    G
    My public ip is a vpn provider address and usually that is what ipleak.net detects. Recently that changed to opendns.  My systems have never been configured for opendns. It may have something to do with vpn provider. Anyways, I restarted unbound and things are back to normal.
  • How to remove a DNS entry

    5
    0 Votes
    5 Posts
    3k Views
    S
    Hi! Same here. I have 8.8.8.8 in DNS Servers on Dashboard although it's not configured in the General Setup page. Any suggestions how I can get rid of it? Thanks!
  • DHCP leases page is incorrect

    3
    0 Votes
    3 Posts
    708 Views
    P
    The same MAC address can be listed multiple times: So that means it is just the leases status display that can be a bit confusing - the same MAC address can be listed twice in the table, for its dynamic IP from the pool and for the static entry that it has without an IP address. from: https://forum.pfsense.org/index.php?topic=89072.0 Read that thread and maybe it will have something relevant to your situation?
  • DHCPd how to Remove expired leases

    3
    0 Votes
    3 Posts
    2k Views
    Derelict
    It's just doing what you've told it to do.  Reduce your subnet size if you don't want it that big (or at least the DHCP Server's pool).
  • Problem looking up a few domains

    15
    0 Votes
    15 Posts
    2k Views
    T
    @doktornotor: @Trel: So far this is the first case of legitimate domain failing to load for this reason that I've run into. It's either signed properly, or it ain't legit… Needs to be fixed by the domain owner. I figured, but now… osha**.gov**  Maybe it'll work in a few years.
  • Notification if DHCP-pool gets depleted? (pf 2.1.5)

    7
    0 Votes
    7 Posts
    1k Views
    iorx
    Thank you sir! A great incentive to upgrade to 2.2. I have to convince the customer that this is a good thing to do now. Currently running 2.1.5 with a couple of VLANs, site-to-site IPSEC and OpenVPN connections. Upgrade and at the same time take them from a /24-subnet to a /16. Internal address space is for the moment 10.200.100.0/24 and I don't see anything that's in the way for that to become /16. Brgs,
  • BIND DNS with DHCP clients

    1
    0 Votes
    1 Posts
    774 Views
    No one has replied
  • Maximum IP addresses issued on LAN, and I can not get internet access.

    33
    0 Votes
    33 Posts
    7k Views
    Derelict
    @jflsakfja: It's the only way to do this project, every other suggestion/idea is a disaster in the works. Not. You don't put separate houses/apartments/tents on the same subnet. EVER! Two reasons for that: 1) network isolation that depends on whether you are giving everyone a public and a firewall or, like OP wants, a wireless private network. 185 stations is not that many.  To do it with VLANs and public IPs you'd need a /22 and at least a /30 to every unit. If issuing privates, there is no reason not to use one subnet, DHCP, and private vlans to isolate the users from each other. Also, since we are talking about pfSense, you have a lot more flexibility for traffic shaping when you're dealing with one interface to the customers.  OP is going to need shaping, or at least limiting, guaranteed. and 2) broadcast traffic. Yes.  Though 185 still isn't that huge.  We're talking all gig.  With proper layer 2 isolation you're not dealing with broadcasts from all the clients - just the gateway and whatever other servers might be set to unprotected. Then, ideally, you could create 185 VLANs so you can control each condo separately (switch them off if they misbehave/shut down that part of your internet when the condo is empty config t int eth 2/1/34 disable Or put the port on a VLAN with a web redirect that goes to a page telling them who they need to call to get reactivated. /setup parental block lists per condo if they require so because of young kids, I would never, ever subject my employer to such liability. Each apartment should have its own /24 subnet. The reason for that is that you set it once and forget it. It's not like the building will get any sizable increase in the number of apartments. Each /24 has 253 usable addresses, more than enough for any apartment. Eliminating the wireless requirements, I'd give them all a wired public, lock it down (DHCP snooping, etc), and be done with it.  pfSense for shaping/limiting, NAT off.  
And maybe develop a preconfigured consumer router to sell/rent/lease/recommend.  Or they can run their own pfSense if they want :).  Go all in and give everyone a /56 too.
  • BIND won't start

    1
    0 Votes
    1 Posts
    808 Views
    No one has replied
  • Unbound, Domain override - non recursive query

    2
    0 Votes
    2 Posts
    1k Views
    V
    Just enlightened while posted and added private/insecure part like: server: private-domain: "site_B_domain" domain-insecure: "site_B_domain" forward-zone:         name: "site_B_domain"         forward-addr: <central_vpn_ip> And it worked. Though, is it the right way of doing things?
  • Nslookup problem

    7
    0 Votes
    7 Posts
    2k Views
    K
    @NOYB: If the clients are Windows, take a look at the NIC TCP advanced DNS properties. There are settings for appending the primary and connection specific DNS suffix and parent of primary.  As well as creating custom suffixes to append. Including the trailing dot (.) to the domain name should prevent appending any suffixes. Same exact setup because it's the same exact computer I'm testing in two different networks.
  • Since upgrade to 2.2 dns for lan is broken

    15
    0 Votes
    15 Posts
    3k Views
    C
    bump
  • 0 Votes
    6 Posts
    1k Views
    C
    @doktornotor: However, the idea to run OpenVPN on 53/UDP is something quite astonishing for me. It really does not attract unwanted traffic for you?  :o Don't think it'd attract anything. Those scanning the Internet for DNS servers won't get any response. It will make OpenVPN log spam "Authenticate/Decrypt packet error: packet HMAC authentication failed" when a DNS request is sent to its port, but it doesn't reply. Just looks like an IP with nothing listening to DNS scanners.
  • WAN Interface DHCP lease termination

    1
    0 Votes
    1 Posts
    818 Views
    No one has replied
  • DNS forwarder doesn't resolve static addresses

    12
    0 Votes
    12 Posts
    2k Views
    M
    You need to have a WINS service running on your local server with an entry for the remote NAS device. Then you should be able to resolve \\hostname and connect to it. Otherwise, you can just as easily use the FQDN (\\hostname.example.com) if you want a quicker solution (assuming you've entered this address in your DNS settings, that is).
  • Adding local(domain) dns,

    5
    0 Votes
    5 Posts
    2k Views
    M
    Problem resolved. I must add pfsense to the DHCP reservation 0.o Now it's working. Thanks for help :)
  • Dhcpd server bug

    2
    0 Votes
    2 Posts
    512 Views
    C
    Fix the subnet mask on the interface with 192.168.2.x. It's a cosmetic bug that it shows .2 through .0 but the root of the issue is you have an interface configured with a mask that has no other hosts available on the subnet and hence cannot run a DHCP server on it.
  • DHCP: additional options for a static mapped client

    8
    0 Votes
    8 Posts
    1k Views
    K
    No idea if this is doable, but it's nice to ask.  Maybe it's super easy?  No idea. To me it sounds like a good idea if it helps lots of people.
  • Incoming WAN DNS Redirects

    2
    0 Votes
    2 Posts
    579 Views
    D
    Use reverse proxy. You certainly do NOT want to run any DNS server on WAN.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.