• Redirect DNS queries

    6
    0 Votes
    6 Posts
    376 Views

    @reynold
    I've just blocked it with a floating rule for all internal interfaces.

  • Can only ping one way

    4
    0 Votes
    4 Posts
    347 Views

    @1-21Gigawatts
    This is policy routing then. Such rules direct all matching traffic to the stated gateway. Hence it is not convenient to allow access to internal destinations.

    If you want to do policy routing you have to create separate rules for destinations inside your network.

  • Translate network address for responses

    9
    0 Votes
    9 Posts
    723 Views
    johnpoz

    @coreybrett said in Translate network address for responses:

    just looking for a way to translate the DNS as well

    I try and keep up with all the latest tricks with dns, etc. and while you can do some pretty slick things with response zones in unbound.. I am not aware of such a transformation..

    While it might be painful - to be honest changing one of the networks to a new range is prob the best solution. If your clients are dhcp - it's really a clicky clicky sort of thing.. It's not as hard as people think it is.. Now if you had 254 static settings where you had to go and touch 250 devices by hand - well yeah pita for sure. But if most of the scope is dynamic - it's a click and they reboot. Or even simpler just run both networks for a bit, setting up a vip on the pfsense IP and just let clients move over as they update their lease..

    Sure it takes a little planning.. But it is the best solution to such a problem.

  • DHCP Implementation for Large WiFi Metro Area Network

    1
    0 Votes
    1 Posts
    177 Views
    No one has replied
  • strange unbound issue

    9
    0 Votes
    9 Posts
    654 Views
    Gertjan

    @JohnDow

    Can you open up a console, or better, an SSH session, use option 8 (Shell) and use this command:

    tail -f /var/log/resolver.log

    and tell, show us, what you saw?

  • KEA DHCP crashed

    2
    0 Votes
    2 Posts
    994 Views
    Josho_SAI

    This may be a similar issue

    I support several Netgate appliances with my work. One of the main regional offices hosts a Netgate 8200MAX unit with multiple VLANs, active DHCP services with many leased IPv4 addresses assigned on each VLAN. The office also hosts many servers / services behind the firewall.

    I have attempted to change the DHCP service from ISC DHCP to KEA DHCP; however, when making the change, the DHCP IPv4 service stops and will not start.

    DHCP IPv6 (which is not being used but is enabled) shows the service as working. I have reverted the change back to ISC DHCP and immediately the DHCP IPv4 starts working again.

    I will attempt to change the DHCP service from ISC to KEA again soon and will capture logs to see whether the issue can be identified.

    Appliance: Netgate 8200MAX
    version: 23.09-RELEASE (amd64)
    Services:

    apcupds ISC dhcpd dpinger haproxy (disabled) iperf (disabled) ntpd nut openvpn radvd sshd syslogd tailscale (disabled) unbound

    (admin, please move this post to its own thread if suitable)

  • How do i Set up multiple DHCP Servers on a single SG-2100.

    2
    0 Votes
    2 Posts
    149 Views

    @IBP You can isolate ports to create different networks:
    https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/configuring-the-switch-ports.html

  • KEA DHCP Dont resolve a.ntp.br

    18
    0 Votes
    18 Posts
    2k Views

    @johnpoz said in KEA DHCP Dont resolve a.ntp.br:

    prob even wager my left nut ;) hahah

    oh man don't do that

  • How to revert to ISC DHCP server? Immediately

    10
    0 Votes
    10 Posts
    5k Views
    Qinn

    (Already made a separate thread, when I saw this thread, just to be complete adding my crash here also)

    With the 2.7.1 release I have switched to KEA DHCP and today it crashed. The only thing I can trace back (logs have 500 max entries) is that service watchdog detected service kea-dhcp4 stopped. Restarting kea-dhcp4 (KEAS DHCP server) and this is repeated so many times that it clogged the logs, until I did a reboot of pfSense.

  • How can you scrape the current DHCP leases (static and non-static)...

    16
    0 Votes
    16 Posts
    1k Views
    johnpoz

    @JustAnotherUser talking about the arp table on pfsense - the router.. did you notice the different IPs for what came back from my snmpwalk.. And that is just the small section of it.

  • DDNS cannot determine public IP after upgrading to 2.7.1

    5
    0 Votes
    5 Posts
    1k Views

    @ndemarco Uh, this is resolved.

    I had chosen, for the DDNS provider CloudFlare v6 not realizing the fairly obvious fact that "v6" portion wasn't the version of CloudFlare DDNS protocol. It is a short reference to IPv6.

    After selecting the correct CloudFlare for IPv4, all my problems are in the past 😁.

    Now, to implement IPv6 on my internal network...

  • pfSense 2.7 DNS Resolver doesn't start

    36
    0 Votes
    36 Posts
    6k Views

    I've followed all recommendations from @Gertjan and @johnpoz, but unfortunately I'm also still facing the issue of Unbound not completing a restart once every two weeks or so. Same behavior since updating to 2.7.1

    I have no idea how to pinpoint the issue, besides this being an issue I'm facing since 2.7

  • Local DNS Issue: DNS_PROBE_FINISHED_NXDOMAIN

    6
    0 Votes
    6 Posts
    695 Views
  • DHCPv6 thoughts? [FIXED]

    6
    0 Votes
    6 Posts
    468 Views

    Ahem...
    I read the instructions.

    Services >> Router Advertisement >> pick correct item .... leases show up....and traffic works...

  • 2 Votes
    4 Posts
    790 Views
    noloader

    @nasheayahu, Don't use KEA DHCP. KEA is not production ready. The pfSense team should have never provided it in stable for 2.7.1. KEA should have been provided in a development branch until it is ready for stable.

    And ignore the warning pfSense is displaying to you about ISC DHCP. As you know, KEA is not ready for production, so you can't move away from ISC DHCP.

  • 0 Votes
    2 Posts
    485 Views

    @cribbageSTARSHIP said in Pfsense + HAProxy + Cloudflare: getting 522&503 errors and DNS host override not working:

    I'm pulling out my hair here. If I set my SSL/TLS encryption mode on cloudflare to Flexible and go to my https dot com I get a "Connection timed out Error code 522". If I set the SSL/TLS encryption mode on cloudflare to Full it says "503 Service Unavailable. No server is available to handle this request."

    If these settings have any impact on the connection, I assume that it still goes over Cloudflare.

    Consider the DNS cache.

  • DHCP weirdness after 23.09 upgrade

    33
    0 Votes
    33 Posts
    3k Views

    @mathiasringhof
    https://redmine.pfsense.org/issues/15011#note-14
    "The fix will be included in 23.09/2.7.1 in the next ports build, after which running pfSense-repoc; pkg upgrade will pick it up."

    Sounds like it will be slipstreamed in for those who haven't upgraded yet...?

  • kea DHCP incorrect parse of multiple entries in system config.

    1
    0 Votes
    1 Posts
    205 Views
    No one has replied
  • unbound crashing... chapter 25478

    10
    0 Votes
    10 Posts
    1k Views
    johnpoz

    @t0m77 I have been using unbound on pfsense since when it was just a package, before it got fully integrated. And I don't recall any such issues.. It has been rock solid to be honest..

    Did you upgrade to the 1.18.0_1? CE 2.7.1 has this - but you can update it in 23.09 as well

    https://forum.netgate.com/post/1137464

  • DDNS ClouDNS IPv6 does not update

    1
    0 Votes
    1 Posts
    237 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.