as it was resloved in http://forum.pfsense.org/index.php/topic,42913.0.html dnsmasq thought it's attack " dnsmasq[5522]: possible DNS-rebind attack detected: free.anport.ru"
I added an option "rebind-domain-ok=free.anport.ru" to DNSmasq advanced config and it's all right now.

Did that, made no difference. Same issue with both NIC's. Also hooked it up with a short cable to the cablemodem, also no difference.

edit: I'm back in business. Couldn't get Debian to cooperate (guess I'll have to learn more about Debian before I try that again), but IPFire was willing to cooperate, I'm back online :) , now hoping it keeps working.

But I've still no clue what happened this morning with pfSense.

That happens most often when your domain has wildcard DNS active.

The way DNS works, as laid out above, your search domain is appended before it queries farther up. Because you have wildcard DNS on, that returns a valid response.

Without wildcard DNS, the entry does not exist, and it moves on to trying a higher level.

@djroketboy:

Thanks, but I guess i'm just not seeing anything there to change. I am running 2.0, if that makes a difference. Also, I just found the FAQ (http://doc.pfsense.org/index.php/Why_can't_I_have_static_mappings_inside_my_DHCP_range%3F), and it really just put a bad taste in my mouth. I have never heard of such a limitation. In fact I have yet to find anything that backs up the FAQ anywhere including ISC, Redhat, BSD. So right now to me its just a silly pfsense limitation.

You're wrong. Don't believe me? Easy way to prove it - setup a DHCP scope with one IP, take out the input errors line in services_dhcp_edit.php that prevents you from adding such an entry and add a static mapping for that one IP that's in your scope. Plug something into that network that isn't your statically mapped host, and look, dhcpd just assigned it your "static" mapping except to the wrong host. That's just one quick way to illustrate what will happen to such configurations.

Why? Ask ISC, I agree it's silly, but you're barking up the wrong tree. If you enter a static mapping you want to ensure it's truly static, not just preferred, which is why that restriction exists. If your host is the first to grab that particular lease, and never gives it up, sure that will work as desired. But we do that for good reason, having it outside the pool is the only way to ensure that IP is never assigned to anything else, which is what you would expect for such functionality. Your other networks aren't doing what you think they are, they function by coincidence only.

You'll need to use proper layer 2 segregation, so VLANs or a separate interface and switch. No way around that if you want to use CP on one network and not the other, and run DHCP normally for both too (it's not possible to run two normal DHCP servers on the same subnet, no way to tell which subnet to assign IPs from).

For future use it would be great if you could type down the solution for us to view.

Tanks for this link. I already read it when I try to setup an ipsec connection for Iphones/Ipads devices. Setting up vpn is not the problem and as suggested in the trouble shotting section :

Supplying a local/public DNS server will work around that.

That's what I'm trying to do but it don't works. Dns request recieved responses only if the requests come from a machine on the same network. Dnsmasq do not respond to request form an other network (routing is ok and it's also a private network).
Thanks again.

It looks lie another issue caused this and fixing the other issue fixed this one…

thread here

http://forum.pfsense.org/index.php/topic,42698.0.html

yes, I had a static config, then I went to pppoe, then simply rebooting fixed the problem, I think :)

Anyhow it is gone now…

Thank you

@wallabybob:

@Piplfox:

I red somewhere that the problem is with username with @ character but on opendns doesn’t allow anything else except email as username.

I login to OpenDNS and DNS-O-Matic with a username (all alphabetic characters, no "@"). I update my dynamic IP registrations from pfSense through DNS-O-Matic. The pfSense configuration specifies a username, not an email address.

Account creation at http://www.dnsomatic.com asks for username, email and password. Perhaps it is necessary to create a DNS-O-Matic account so you can give a username (not an email address) to the pfSense dynamic DNS updater.

You are right. thx.

Yes, when it's used by the system itself that's what it uses. The DNS Forwarder listens on every IP on the system though, so it could be any IP, but localhost is always there and never changes, so that's the safest to use from the firewall itself.

checked on pfsense console,
ps -A | grep dns

found following
/usr/local/sbin/dnsmasq –local-ttl 1 --all-servers --rebind-localhost-ok --stop-dns-rebind --dns-forward-max=5000 --cache-size=10000

seems current cache max is 10000

Hi,
i'm using captive portal.

is the captive portal buging the packet of dhcp?

thanks.

Odd that the kindle wifi mac is listed as PRIVATE??

Normally you can just look up the mac and get the maker, which can help you trouble shoot the issue.

Glad you figured out what it was by accident, but if you would of sniffed you would of seen it talking to where it talks to, etc  And that should of pointed you to what device it was.

I have a cheapo netgear switch, and its "smart" and I can view mac addresses and such, just because its cheap does not mean it can not be loaded with features.  I had picked up my GS108T for like $79, does vlans, mirror port, igmp snooping, lagg, qos, rate limiting, etc. etc.

Next time your in the market for a switch you might want to look for a smart one, normally only a few dollars more.

Did you fill in those DNS servers on Services > DHCP Server?

By default the clients will get the IP of the firewall if the DNS forwarder is enabled.
If the DNS Forwarder is off, it would send the DNS IPs from System > General
If you set IPs explicitly on the DHCP server page, it always sends those.

However, if you change the DNS Servers on System > General when the DNS forwarder is disabled, it probably doesn't automatically re-write the DHCP config, so you may just need to edit/save the DHCP server config under Services > DHCP Server.

That would be done in DNS - setup a CNAME for www.mysite.com that points it to your dyndns hostname.

So a client looks for www.mysite.com, gets CNAME somewhere.dyndns.org, then looks up somewhere.dyndns.org and gets back your real IP.

Ok. Thanks for answering. Unfortunately I do not have the skills to accomplish such an operation:(

Regards Anders

Check this:

http://forum.pfsense.org/index.php/topic,39770.0.html

http://forum.pfsense.org/index.php/topic,40281.0.html