• Adding host to dynamic DNS seems to mess up config

    3
    0 Votes
    3 Posts
    845 Views
    0

    Ok, here's an example of what I wrote about earlier and also what I've seen on earlier versions of pfS too.

    I have edited and only pressed 'save' on the top three entries and all of them pick up the correct IP and show it in the list; two are Loopia and one DYN, so what type of account it is doesn't seem to be the issue.

    [attached screenshot: 141030-pfsense-dyndns-buggy-behavior-after-new-host_reediting.png]

  • TinyDNS for private domain

    2
    0 Votes
    2 Posts
    790 Views
    johnpozJ

    Well for starters, the only box that can talk to 127.0.0.1/loopback is that box itself. So nobody can query that other than the pfsense running tinydns.

    Why do you need to run tinydns to have a few names resolve? The dns forwarder that is built into pfsense can resolve pretty much any host name you want to any IP you want; just create an override in the dns forwarder or have it register dhcp clients if you want, etc.

    Running tinydns to resolve a few names is overkill.

  • Dnsmasq not updating with new entries

    1
    0 Votes
    1 Posts
    896 Views
    No one has replied
  • MOVED: pfsense e dns local (WINDOWS)

    Locked
    1
    0 Votes
    1 Posts
    537 Views
    No one has replied
  • Two Mac Addresses, one hostname, one IP address?

    2
    0 Votes
    2 Posts
    970 Views
    johnpozJ

    IMHO they have finally fixed a broken setup then.  You should not have reservations for the same hostname, MAC or IP in your dhcp server.  MAC to IP should be a unique combination when setting reservations - you run into a possible problem of duplicates.

    To be honest your wireless network shouldn't even be on the same segment as wired devices for security reasons ;)

    If you want, make your wired interface 192.168.1.42 and 192.168.2.42 on wireless, for example.  You could use the same fqdn if you wanted to.

    Here is the thing with wireless clients - they fairly often never actually release the lease and just disappear off the network - how does the dhcp server know if he should give that IP to the wired mac that asks for it when he doesn't know for sure if wireless gave it up, etc.?

  • DynamicDNS should allow "@" at hostname

    4
    0 Votes
    4 Posts
    1k Views
    P

    For a little change like that, online-editing in GitHub is easy. You can easily select the file in master and press the pencil to edit, save and pull request. Then repeat for 2.1.x by browsing RELENG_2_1 branch.

  • DNS resolving question

    13
    0 Votes
    13 Posts
    2k Views
    J

    @johnpoz:

    You would only select those if you needed a specific gateway to get to those dns servers - normal setup pfsense would use its default route, or routing tables to get to those servers.

    thank you John.

  • DNS Rebind Attack

    1
    0 Votes
    1 Posts
    870 Views
    No one has replied
  • No internet Connection

    1
    0 Votes
    1 Posts
    644 Views
    No one has replied
  • DHCP-Server Option 82 - Windows DHCP Server

    4
    0 Votes
    4 Posts
    2k Views
    johnpozJ

    And where is this windows dhcp server?  What network?

    I know you cannot enable dhcp relay while the dhcp server is enabled.  I don't know if you can run, say, the pfsense dhcp server on lan and dhcp relay on wlan?

  • DNS needed for local access to webserver behind pfSense

    3
    0 Votes
    3 Posts
    786 Views
    johnpozJ

    what dns server - you host your own name servers?  What domain?  PM it if you don't want a public website to be known public for some reason ;)

    So you created port forwards for your website and dns to get to your name server?  Public facing dns should always have 2 name servers at minimum.  Any decent registrar would require that anyway.  So where is your secondary name server?

    It is really hard to troubleshoot dns related problems of this nature without actually knowing and being able to query the nameserver to tell you what it's doing wrong or right, etc.  Off the cuff, pretty much anyone hosting their own dns to the public is most likely doing it wrong ;)  Let a company host your dns that does that for their bread and butter, etc.  Hosting dns on global infrastructure can be had for less than it costs to power the box hosting your dns ;)  Why would you not enjoy a global dns setup with anycast, failover, etc. for $30 a year for 5 million queries a month?

    It almost never makes sense to host your own dns that is public facing.  But sure, let's get you working ;)

  • I need help properly configuring TinyDNS within pfSense

    2
    0 Votes
    2 Posts
    862 Views
    I

    I had to turn the dns server off as it was crippling the internet speed dramatically.

    I still would like to get this properly set up but so far no luck.

  • DNS rebind 'attack'

    16
    0 Votes
    16 Posts
    4k Views
    B

    He did indeed - I was as I said chasing a ghost, I'd already spotted it - BUT

    I only put the URL into an alias because it was getting reported by 'something'; at the time I didn't have 'log_queries' enabled so I didn't know where from. I don't tolerate 'unknown' behaviour within my network, so my first response was to add the URL as an entry in a block table - I have a bad boy table that I use to block 'bad behaviour' sources and targets - spammers that aren't in another blocklist, multiple Chinese sites, people that try to log into my mailserver multiple times with multiple users from the same IP, etc. etc.

    When I saw the constant 'dns rebinding' the first thing I did was to put it into this 'block table' while I searched for the culprit. The culprit has not been found on my local LAN despite 18 hours of packet capturing; I am still running wireshark with the url as a filter, but on the DNS / DHCP server that I created, where it isn't such a pain to 'start capture, stop capture, download - yada yada'.

    I also completely rebuilt pfSense in case it had been compromised, and so far this URL doesn't appear anywhere, so I have kind of fixed the issue but not in the preferred manner; it would have been nice to know who was originating the request that prompted me to 'block it' in the first place.

    I would expect that where a URL does resolve to a private IP that the bogon filters should deal with it, where an IP generates such an event the system shouldn't keep re-trying but should put it into some 'holding place' for investigation - and should provide sufficient information to give the investigation a place to start - i.e. source Network, source IP, source MAC, date, time.

    Everyone gets retarded about stuff getting in - 80% of security breaches are caused 'internally' by users - so events noted by things trying to get out must carry even more weight / priority.

  • [resolved] Potential DNS Rebind attack detected

    3
    0 Votes
    3 Posts
    6k Views
    O

    sigh

    I can't believe I missed that in the help page linked to from the DNS Forwarder page in the dashboard. I tried the second method, worked on the first try. Thank you.

  • LAN and WIFI standalone with 1 cross-access IP

    5
    0 Votes
    5 Posts
    1k Views
    DerelictD

    Looking at it again, you don't have the block all dest local_nets_v4 like I do so your final pass rules should catch DNS and pings.

    Please let us know what the dns configuration is.

  • Change wan IP on pfsense

    6
    0 Votes
    6 Posts
    3k Views
    C

    You're getting the IP your ISP assigns you. Your firewall has no control over what IP it receives, it uses what the ISP tells it to use. If you change your WAN NIC's MAC, you might get a new IP, or you might lock yourself out entirely and have to revert that change and reboot to get your original MAC back, if your ISP or modem restricts you to a specific single MAC.

  • DHCP on OPT interface not working

    11
    0 Votes
    11 Posts
    5k Views
    A

    Hi guys.
    Read my response in: https://forum.pfsense.org/index.php?topic=80478.0

  • WAN external Public IP not renewed Cable DHCP

    5
    0 Votes
    5 Posts
    5k Views
    A

    @itsol:

    Hi all!

    I have PfSense 2.14 set up fine behind a Cisco 3212 Cable Modem.  It's a real Modem. ;-)

    When the Modem is rebooted, PfSense doesn't get the new WAN IP address from the Provider (Unitymedia Germany) via DHCP.

    If I reboot PfSense afterwards the WAN IP is renewed and everything is working again.

    Same thing happens from time to time. (When the Provider resets the connection? I don't know.)

    The IP is regularly renewed when the lease time expires. (Entries like "New IP detected" and then the same IP given.)

    To me it looks like PfSense is not asking for a new IP through the Modem as long as the Lease is still valid.

    Is there any way to make PfSense establish a new connection without rebooting?

    Suggestions?

    El Buco

    Just saw, it's nearly the same question as here: https://forum.pfsense.org/index.php?topic=80477.0

    Seems to be a feature, not a bug. ;-)

    Hello Itsol.

    Was searching for some solution to this problem. Almost no one suffers from this evil DHCP WAN.

    It was when I came across your doubts and the solution that was given. I had to disagree with "Derelict" also. Then I continued my search and found this post: https://forum.pfsense.org/index.php?topic=57258.0

    I have not read everything, went straight to the last page and read something talking about the communication rate of the network interface, where the individual set the interface to communicate at 100BaseT. Well, it cost nothing to try; I changed my settings to "Full-Duplex 100BaseT." I did my tests and it worked :D

    my system: "2.1.5-RELEASE (i386) built on Mon Aug 25 07:44:26 EDT 2014 " Interface: Realtek 10/100.

    Well, there is a hint.
    Good luck.

  • DHCP on VLAN

    13
    0 Votes
    13 Posts
    3k Views
    DerelictD

    If you're not using layer 3 functions of your switch, it's not a layer 3 switch.  If you are, then you need to do all sorts of things differently.  If you are not configuring virtual interfaces and assigning interface IP addresses in the switch, it's just layer 2.

  • DNS naming for clients with static IP

    5
    0 Votes
    5 Posts
    1k Views
    johnpozJ

    What did you put for the domain on the host, what are you doing the query for - does your machine use search suffixes? Is the forwarder working for looking up, say, www.google.com? Are you SURE you're pointing to your forwarder? Do you have pfsense using the forwarder via 127.0.0.1?

    How about you show us your host overrides, and then a simple query.

    C:>dig i5-w7.local.lan

    ; <<>> DiG 9.10-P2 <<>> i5-w7.local.lan
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30484
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;i5-w7.local.lan.              IN      A

    ;; ANSWER SECTION:
    i5-w7.local.lan.        86400  IN      A      192.168.1.100

    ;; Query time: 3 msec
    ;; SERVER: 192.168.1.253#53(192.168.1.253)
    ;; WHEN: Tue Oct 07 06:32:35 Central Daylight Time 2014
    ;; MSG SIZE  rcvd: 60

    C:>dig -x 192.168.1.100

    ; <<>> DiG 9.10-P2 <<>> -x 192.168.1.100
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29216
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;100.1.168.192.in-addr.arpa.    IN      PTR

    ;; ANSWER SECTION:
    100.1.168.192.in-addr.arpa. 86400 IN    PTR    i5-w7.local.lan.

    ;; Query time: 2 msec
    ;; SERVER: 192.168.1.253#53(192.168.1.253)
    ;; WHEN: Tue Oct 07 06:32:46 Central Daylight Time 2014
    ;; MSG SIZE  rcvd: 84

    C:>

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.