@wagonza:

Unbound backs off for certain period between 1 and 15minutes when it detects that servers are down. After 900s it should re-enable itself again. You can lower this timeout by adjusting the value for 'TTL for Host cache entries' in the advanced section. Otherwise you can also issue, from the command line, unbound-control flush_infra and service should resume.

You're kidding me! Let's entertain your idea for a moment:

T=00: WAN goes down
T=01: Client wants to resolve a DNS.
T=02: Ubound "detects that servers are down" and "backs off"
T=03: Resolution fails cause WAN is down.
T=22: WAN comes up
T=34: Client A does ICMP echo_request to 195.186.1.110
T=35: Client A receives ICMP echo_reply from 195.186.1.110
T=50: Client B wants to resolve a DNS.
T=53: Resolution fails due to ubound "taking a break"
T=55: Client C wants to resolve a DNS
T=57: Resolution fails due to ubound "taking a break"
….
T=900: Ubound decides the nap is over and comes back into operation  ???  ???

Uh yeah. Right. You're not going to need any high availability features with services built like that, hahaha...  ;D

Anyway. It doesn't seem to apply to what happened here, because one little difference: ubound didn't "re-enable" itself no more. Not after 900 secs. Not after 4 hours. Only after I manually restarted it, did it process DNS requests again.

If this is a "feature" then ubound must be a M$ product!

It means that your upstream DNS server (Whatever is under System > General) is giving back private IPs for those hostnames. So you may need to disable the DNS rebinding protection under System > Advanced to get those responses.

I have 3 internal interface on the pfSense. All 3 are bridged together, the DHCP runs on this bridge. I copied over the default rules to the LAN1-3 interfaces and the Bridge interface.

These rules are the Anti-lockout rule on LAN 1 and the Default allow LAN to any rule is on all interfaces.

edit:
Ah, it has been solved. The allow LAN to any rule was not on my Bridge interface. Sometimes it helps to have a second set of eyes. Thanks.

@wallabybob:

Which DNS server are you talking about? You have enabled pfSense DNS forwarder?

The build in one: dnsmasq DNS forwarder.

Did you reset firewall states after adding the rules? See Diagnostics -> States and click on the Reset States tab.

I've rebooted. But this way would be a lot shorter ;-)

The OPTx clients are configured to use the appropriate pfSense IP address for the DNS server?

Client?? Subnet. Or even better: Interface.

The DNS access attempts show up in the firewall log (Diagnostics -> System Logs, click on Firewall tab)

Hmmmmm.

WLAN:
em0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
        inet XXX.XX.XX.199 netmask 0xfffffe00 broadcast XXX.XX.XX.255

LAN:
em1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
        inet 192.168.181.199 netmask 0xfffffe00 broadcast 192.168.181.255

OPT1:
em2: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
        inet 192.168.218.2 netmask 0xffffff00 broadcast 192.168.218.255

OPT2:
em3: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
        inet 192.168.220.2 netmask 0xffffff00 broadcast 192.168.220.255

OPT3:
em4: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
        inet 192.168.222.0 netmask 0xffffff00 broadcast 192.168.222.255

OPT4:
em5: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
        inet 192.168.224.0 netmask 0xffffff00 broadcast 192.168.224.255

OPT5:
em6: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
        inet 192.168.226.0 netmask 0xffffff00 broadcast 192.168.226.255

OPT6:
em7: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
        inet 192.168.216.2 netmask 0xffffff00 broadcast 192.168.216.255

Now pinging the local interfaces:

LAN:
[2.0.1-RELEASE][root@fw.localdomain]/root(39): ping -c2 192.168.181.199
PING 192.168.181.199 (192.168.181.199): 56 data bytes
64 bytes from 192.168.181.199: icmp_seq=0 ttl=64 time=0.100 ms
64 bytes from 192.168.181.199: icmp_seq=1 ttl=64 time=0.074 ms

–- 192.168.181.199 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.074/0.087/0.100/0.013 ms

OPT6:
[2.0.1-RELEASE][root@fw.localdomain]/root(40): ping -c2 192.168.216.2
PING 192.168.216.2 (192.168.216.2): 56 data bytes
64 bytes from 192.168.216.2: icmp_seq=0 ttl=64 time=0.096 ms
64 bytes from 192.168.216.2: icmp_seq=1 ttl=64 time=0.053 ms

–- 192.168.216.2 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.053/0.074/0.096/0.022 ms

OPT1:
[2.0.1-RELEASE][root@fw.localdomain]/root(41): ping -c2 192.168.218.2
PING 192.168.218.2 (192.168.218.2): 56 data bytes
64 bytes from 192.168.218.2: icmp_seq=0 ttl=64 time=0.096 ms
64 bytes from 192.168.218.2: icmp_seq=1 ttl=64 time=0.063 ms

–- 192.168.218.2 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.063/0.080/0.096/0.016 ms

OPT2:
[2.0.1-RELEASE][root@fw.localdomain]/root(42): ping -c2 192.168.220.2
PING 192.168.220.2 (192.168.220.2): 56 data bytes
64 bytes from 192.168.220.2: icmp_seq=0 ttl=64 time=0.090 ms
64 bytes from 192.168.220.2: icmp_seq=1 ttl=64 time=0.073 ms

–- 192.168.220.2 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.073/0.081/0.090/0.009 ms

OPT3:
[2.0.1-RELEASE][root@fw.localdomain]/root(43): ping -c2 192.168.222.2
PING 192.168.222.2 (192.168.222.2): 56 data bytes

–- 192.168.222.2 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

OPT4:
[2.0.1-RELEASE][root@fw.localdomain]/root(44): ping -c2 192.168.224.2
PING 192.168.224.2 (192.168.224.2): 56 data bytes

–- 192.168.224.2 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

OPT5:
[2.0.1-RELEASE][root@fw.localdomain]/root(45): ping -c2 192.168.226.2
PING 192.168.226.2 (192.168.226.2): 56 data bytes

–- 192.168.226.2 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

Only LAN, OPT6, OPT1 are working. OPT2, OPT3, OPT4, OPT5 are dead, even if defined??
Since this is complete local (pinging it's own IP) it is expected to work!
Shall I suppose it to be a bug?</up,broadcast,running,simplex,multicast></up,broadcast,running,simplex,multicast></up,broadcast,running,simplex,multicast></up,broadcast,running,simplex,multicast></up,broadcast,running,simplex,multicast></up,broadcast,running,simplex,multicast></up,broadcast,running,simplex,multicast></up,broadcast,running,simplex,multicast>

Hello

I'm using a Telenet Fibernet with pfSense2.0 and I am experiencing the same issue. Anyone found a solution for this one?

it was and the dhcp is now working my first problem was DHCPD was not working as the service kept dying. and not starting up.
so yes thank you for your help on this and even with my isp line plugged in i still don't get internet on any of the interfaces. so now i'm trying to get the internet interface working ultimately what i want to do is this

RE0  =  isp ip 123.123.123.122  =  RE1 and RE2
RE0  =  isp ip 123.123.123.123    =  Bridge1

as i have two static ip's from my ISP  and route my 122 address to my domain firewall and create a DMZ for my firewall using pfsense to do the prefiltering for  my exchange server. and use the 123 address for my game lan.
segragating  both my networks but giving the speed for my online gaming.
i hope this clears things up a bit more.

I'll look through that chapter and post when I've found a solution.
Thanks.

Thanks guys. It was an AP.

@PhilJ:

Hi

Apologies if this isn't the correct section but I wasn't sure where to post my question.

If I have a web server running on my home network (that won't be accessed from outside) is there any way to give an internal website a URL instead of an IP address, using pfSense? For example, http://servername will go to 192.168.1.10.

Thanks

Go to System- Advanced- Firewall/NAT    uncheck "Disable NAT Reflection for port forwards"    Give that a try…

Guys, Guys, Guys..

I know how to do it using other cheap providers, but there are situations where we WANT to use static providers and yet want to dynamically change DNS servers.

While it's an idea, using the CNAME option may violate security policies for some organizations.
My idea would not cause that issue.

I want a discussion on techniques on how to do this and make it a pfSense pachage that does this automatically.

I have done it using scripts. but I dont know how to make packages, etc, and need to explore ways to code this right.

For those interested, I ended up resetting everything to defaults. Then I reconfigured all the static leases, NAT port forwards, DNS settings, etc… Everything is working correctly now.

It's probably just this:

http://redmine.pfsense.org/issues/2212

Safe to ignore, but if you don't have any interfaces that get their IP from DHCP, you can just: killall -9 dhclient

The best you can do at the firewall level there is to require static ARP, which requires configuring DHCP reservations for every host. Not possible on a public hotspot. Even at that though, you're doing nothing to prevent hosts from causing problems by using static IPs. They'll create an IP conflict without touching the firewall and there's nothing the firewall can do about it.

My suggestion of bind was just to look up how to integrate it with AD, since there is lots and lots of documentation on that.

You most likely could do the same thing with unbound on pfsense just need to create the required records, or for that matter just run bind on pfsense.  No gui for it like you get with unbound - but you can run anything that will run on freebsd on the pfsense installs.  Just might need to add some missing stuff, etc.

I for for one can not stand openntp – so I run full blown ntp on my pfsense.

The pfSense GUI allows the same IP address to be assigned to different MAC addresses. In pfSense you could bridge your wireless LAN and wired LAN (then your laptop wired interface and wireless interface will be in the same subnet and can be assigned the same IP address). You might have good reasons for not wanting to bridge the interfaces.

You haven't said that 192.168.1.100 and 192.168.3.100 are in different subnets - I assumed that. What is the network mask associated with those IP addresses?

In summary, what you could do is (in DHCP) assign the same IP address to the wired MAC address and wireless MAC address of the laptop and (in DNS forwarder) assign names thinkpad, lenovo and laptop to that IP address. What the GUI interface to DNS forwarder doesn't allow is assigning the same name to two different IP addresses.

I have a virtual machine running that does radius/mysql/php as a payment management, PFSense is being used as an access controller.

I would expect better uptime in the cloud for my "Management" virtual machine, then my single point of failure it is now.  If the internet goes down, then I don't care that I can't access the cloud because nothing can. Plus, if I where to mange several PFSense boxes being used as access controllers, the cloud should be better for what I want.

I had not thought about my own package until I wrote up the post, so I do like that approach.  It should make debugging easier rather then changing the base system (only have my package to debug). Running the PFSense access controller stock with my DHCP package should be the easiest to accomplish what I want.

wallabybob, thanks for the feedback.

@nutt318:

when i ping my subdomain.domain.com its my public ip of my pfsense box

That suggests the system doing the ping is NOT using the pfSense DNS forwarder OR you haven't configured the DNS override entry in pfSense DNS forwarder correctly.

What DNS is used by the system doing the ping?

The DNS override entries can take two or three parameters and there are two types (host override and domain override). You provided only two parameters and didn't specify the type, hence my request for clarification of what you had specified in the DNS forwarder entry.