• Connect via Ethernet & all works well. Connect via WiFi & no internet.

    2
    0 Votes
    2 Posts
    127 Views
    R

    Never mind and thanks for looking. I went through all the settings in the tl-wa901n and the "gateway" wasn't set to anything. I set it to the address of the router and can connect by wifi now.

    What I don't understand about that is that I thought the gateway info was supplied to the clients by the DHCP server.

  • DNS setting not being observed in Beta and now in RC pfSense Plus

    3
    0 Votes
    3 Posts
    250 Views
    MacG32M

    @SteveITS Thank you very much! Done.

  • DNS Resolver vs. DNS Forwarder question

    10
    0 Votes
    10 Posts
    901 Views
    A

    @ahking19 There are 7 VLANs that I'd like to use pihole, but I don't want to expose the pihole directly on every VLAN. Using the netgate as the DHCP and DNS would just be easier. I don't care about the reporting of pihole.

  • Domain Override not working from workstations

    8
    0 Votes
    8 Posts
    481 Views
    S

    @SteveITS said in Domain Override not working from workstations:

    after the upgrade I found I had to restart the DNS Resolver service

    Turns out, the first restart didn't completely fix it as random lookups for the AD domain were failing during the day. I enabled forwarding (and turned off DNSSEC accordingly) which restarted unbound, and after that it's been fine since yesterday afternoon.

    We usually forward to Quad9 but for some reason it wasn't enabled on this router. I suspect something started IPv6 DNS lookups going to pfSense but I'm not sure why it wasn't a problem in the prior few years, since that would be expected.

  • DNS Resolver stops working after unbound service restarts

    6
    0 Votes
    6 Posts
    516 Views
    M

    After switching from NordVPN to AirVPN the issue is gone. I had to disable monitoring the VPN interfaces because AirVPN seems not to like that. But besides that everything works now flawlessly.

    After talking to NordVPN they said that they are aware of that and working on that issue. But I don’t want to wait for them to work on that issue.

  • Unbound Error | syntax error

    4
    0 Votes
    4 Posts
    510 Views
    P

    I resolved the issue by formatting it the following way:

    server:
    private-domain: "plex.direct"
    access-control-view: 192.168.30.16/32 blockYT
    access-control-view: 192.168.40.0/24 blockRBLX

    view:
    name:"blockYT"
    local-zone: "youtube.com" static

    view:
    name:"blockRBLX"
    local-zone: "rbxcdn.com" static
    local-zone: "roblox.com" static
    local-zone: "minecraftskins.com" static

    include: /var/unbound/pfb_dnsbl.*conf

    This configuration above was accepted without error.

    Reference:
    https://mitky.com/pfblockerng-pfsense-filter-specific-clients-computers-network/

  • DNS resolving not working

    6
    0 Votes
    6 Posts
    581 Views
    V

    @forumate
    There is a bunch of nice tools to investigate network issues.

    Your Ubuntu machine might have dig on board, a tool to resolve host names.
    So you can run e.g.

    dig @1.1.1.1 google.com

    This tries to resolve 'google.com' using the DNS server 1.1.1.1, which is Cloudflare.
    Ensure that you have allowed any on pfSense on the LAN interface, where the VM is connected to.

    Here you can find a list of DNS Root Servers, which are used by the Resolver.
    You can also try one of these, however, they only resolve the TLD. But you get an idea if you can reach them.

    You can also run this command in pfSense.

    If your ISP really blocks DNS requests to any other servers, you will have no other option than use the ISP's DNS.
    You can also switch the Resolver into the forwarding mode to use the DNS servers given by DHCP or which you stated on the General settings page.

  • multiLans with different DHCP

    4
    0 Votes
    4 Posts
    230 Views
    A

    @SteveITS

    One more Great Thanks!
    You directed me in a right way of solving the problem!

    After manually configuring the actual version of pfSense from scratch, the troubles went away like a nightmare,
    and pfSense is working fine as usual.

  • So many Issues with Kea DHCP

    3
    0 Votes
    3 Posts
    1k Views
    J

    @Rockyuk said in So many Issues with Kea DHCP:

    After reading some posts in here and from my own experiences trying to use Kea DHCP this is not production ready at all. I tried using it with a fresh install of pfSense and while streaming and gaming it just shut down and stopped providing traffic to my VLANs. After reviewing the logs it kept restarting constantly which stopped all traffic. I switched back to ISC DHCP (Deprecated). Which was stable and have had no issues since.

    If developers are reading these posts please do not stop ISC DHCP (Deprecated) until Kea DHCP is just as stable. At the moment it seems a long way off.

    Kea DHCP is having some issues right now. It's best to use ISC DHCP, which works well until Kea gets better and is as stable as ISC.

  • KEA DHCP issue with PXE boot using FOG

    5
    0 Votes
    5 Posts
    616 Views
    AlanesiA

    @Gertjan said in KEA DHCP issue with PXE boot using FOG:

    My estimation : 2028 ? Or 2029 ... I'm not sure.

    This is good enough. Hopefully, Kea will be ready by this time.

  • Some doubts about 'Router Advertisements' !!

    9
    0 Votes
    9 Posts
    2k Views
    D

    @JKnott No, I have a basic NETGEAR POE four port switch. Although, my Ruckus APs support VLAN.

  • Modify unbound rebind protection

    14
    0 Votes
    14 Posts
    1k Views
    D

    @SteveITS said in Modify unbound rebind protection:

    Might be the first time I’ve seen it used.

    I was completely clueless and it hadn't affected any other incoming mail as far as I am aware. So I guess it is an infrequently used SPF mechanism. Thanks for the help here and elsewhere.

  • DNS Resolver and DNS Forwarder not working as expected.

    13
    0 Votes
    13 Posts
    1k Views
    S

    @N8LBV In the default config DNS Resolver goes straight to the root servers and looks up the hostname (name server for .com, then name server for example.com, then www.example.com). Since the root servers don't know about your internal domain they would presumably return that it doesn't exist.

    If you enable forwarding then it contacts the configured DNS server(s) only. In your case since that server knows about your internal domain it can answer.

    I misunderstood this was an internal/second-level (whatever the name) router I think. A Domain Override would apply in a situation like a Windows Server domain and pfSense has "local.lan" pointing to the Windows Server IP for DNS.

  • No Internet access to LAN2

    19
    0 Votes
    19 Posts
    2k Views
    V

    @Gertjan said in No Internet access to LAN2:

    So, set up pi-hole that it should consider both 192.168.1.0/24 and 192.168.100.0/24 as 'local'

    +++need set local CIDR!

    192.168.0.0/16
  • 24.03 RC Kea not starting after upgrade from 23.09.1

    2
    0 Votes
    2 Posts
    180 Views
    I

    Unfortunately, the PHP warnings were a red herring. The Kea server still doesn't run after fixing PHP. I don't see any messages in the /var/log files from kea.

    In case others are having the same PHP issue, here's how I fixed it:
    It looks like the PHP issue was a problem updating icu during the upgrade from 23.09 to 24.03.

    I resolved the PHP warnings by reinstalling icu from the terminal.

    pkg unlock icu
    pkg delete -f icu
    pkg install -yf icu

    During the uninstall, it became clear that version icu-73 was still installed. Once reinstalled, I had the proper icu-74 version.

  • Diagnostic and resolve dns lookup

    7
    0 Votes
    7 Posts
    354 Views
    frankzF

    @Gertjan I resolved it by changing the DNS Resolver from transparent to static.

  • ISC DHCP server handing out the same IP address to multiple clients

    4
    0 Votes
    4 Posts
    362 Views
    J

    Thanks both. That has been the pointer I needed! Looking back in my pcaps, I do see that there is a "Client ID" set in all of the discovers and that it's the same in every one!

    These VMs are not clones, they are unique OVA deploys. However, some further digging has unearthed that this OVA is based on Ubuntu which generates its DHCP Client ID from /etc/machine-id which has mistakenly not been blanked in the OVA disk image! Easy enough bug to fix as it's an OVA we build.

  • TFTP individual boot-files

    2
    0 Votes
    2 Posts
    145 Views
    S

    @saxandl I found the bug!
    This option only works in ISC DHCP mode, NOT in the new Kea DHCP.

  • Unable to see clients DHCP leases

    3
    0 Votes
    3 Posts
    391 Views
    GertjanG

    @talm said in Unable to see clients DHCP leases:

    Currently I can't see the DHCP leases of the wireless clients on the pfSense Status -> DHCP leases tab

    Get a device, disconnect the wifi, and reconnect the wifi.
    While doing this, look at the place where you can find the answers : Status > System Logs > DHCP

    Example : I connect my phone, and refresh the DHCP log page :

    The MAC of my phone is shown, and the IP my phone obtained.

    Btw : if you see nothing of all this, then that's also a valid answer.
    It means that the DHCP request never reached pfSense, and that some other DHCP server handled the request. This is typically not what you want of course. Have a talk with the admin of the aruba device ^^

    @talm said in Unable to see clients DHCP leases:

    switch are not shown as up/active

    This info isn't showing if the device is using its IP - is active - but more if pfSense has the IP in its active ARP cache. See : Diagnostics > ARP Table

  • All Devices use DNS Resolver and General Setup except select IPs?

    11
    0 Votes
    11 Posts
    1k Views
    A

    @Gertjan

    Yes, the PC is connected to the WAN, not NordVPN. My public IP address is the real one. However, DNS queries are sent to NordVPN's DNS servers via the NordVPN gateway per the DNS resolver. Below are the results of the DNS leak test for this PC.

    When I ran this DNS leak test on the PC that is connected to the NordVPN gateway, I got the same results.

    Anyhow, for whatever reason, Evernote won't load on my PC (connected to the WAN interface). However, if I turn on the NordVPN desktop app, which is set to split tunnel and only the Evernote app is routed through the VPN, it starts to work.

    This makes no sense to me, since I assume the NordVPN desktop app will use the NordVPN DNS servers once it connects to the VPN.

    FYI, I went into the DHCP static settings for my echo devices and set the DNS servers to Google, and they are all up and running now.

    I can only assume that these are lingering issues with NordVPN per the link you previously provided.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.