• Unbound not responding on all chosen interfaces after reboot

    0 Votes
    25 Posts
    4k Views

    Now testing the SG-2100 with 23.05.1 for a similar setup, but with multiple WireGuard tunnels instead of multiple OpenVPN ones.
    Unbound starts correctly.
    I am guessing that WireGuard is faster than OpenVPN at starting during boot.
    Thanks again.

  • WAN interface fails when cable modem restarts

    0 Votes
    10 Posts
    685 Views

    @Amodin said in WAN interface fails when cable modem restarts:

    What NIC are you using for pfSense?

    Intel Pro/1000 PT PCI-E 39Y6138 Quad Port Server Adapter

  • Subnets/VLAN DNS not working

    0 Votes
    8 Posts
    624 Views

    @Bob-Dig said in Subnets/VLAN DNS not working:

    @NeVaR said in Subnets/VLAN DNS not working:

    Can you explain which rules only allow an external DNS server, and how I can allow the internal DNS server?

    On your first screenshot there is no DNS rule. There is one rule that allows anything as destination, but it has an internet gateway set, so it will route everything straight out to the internet; there is no chance to talk to a local DNS server.

    Take a look here at how to create proper (DNS) rules.

    Thanks, I will take a closer look at that tonight.

  • Prevent Requested-IP Option 50 to ISP ONT

    0 Votes
    1 Posts
    212 Views
    No one has replied
  • Unbound not starting

    0 Votes
    8 Posts
    1k Views

    @Gertjan OK, all resolved. I deleted all 4 files (unbound_control.pem/key and unbound_server.pem/key) and rebooted. All 4 files are created anew and the service is up and running.

    Thank you for the help on this. I believe I am all set.

  • Xfinity, pfsense, SB8200

    0 Votes
    1 Posts
    367 Views
    No one has replied
  • Setting Unbound outgoing network interface to gateway group?

    0 Votes
    3 Posts
    872 Views

    Make sure all the tunnels you want are included in the Unbound outgoing interfaces. Assign higher priority to the VPN tunnels in your gateway group, but include your default WAN at a lower priority. Create a firewall rule on your LAN interface filtering DNS, and under advanced options select your VPN group (which also includes the default WAN at a lower priority). If you want, add a tag like "dns", and in your default_out_WAN rule (which should be below your DNS rule) select the !dns tag under advanced options.

    I think that should work: you will send your DNS traffic over the VPN tunnels, but if they ALL go down you won't lose DNS.

  • Unbound not using IPv6 DNS upstream servers

    0 Votes
    8 Posts
    896 Views
    Gertjan

    @thebear said in Unbound not using IPv6 DNS upstream servers:

    ISP KPN (I think we live in the same country)

    No KPN where I live.
    I moved to France in the eighties.
    It's called Orange here.

    I've edited my post to put in some beef.

  • no DHCPREQUEST from the client on vlan bridged interface.

    0 Votes
    2 Posts
    357 Views

    Problem solved.
    Netgear switches have a bug. If you add a new VLAN they block DHCP (maybe broadcast traffic??) on the VLAN until a reboot. I rebooted both switches and it immediately worked.
    I remember running into this 2 years ago on another VLAN setup. This is a long-running bug (or undocumented safety feature???).

  • Dynamic DNS updates not limited to specified interface

    0 Votes
    1 Posts
    281 Views
    No one has replied
  • Module resolving ipv6 when no ipv6 on the network

    0 Votes
    9 Posts
    803 Views

    @johnpoz
    I can reach those FQDNs with traceroute on pfSense.

    My specific issue is when using Tailscale as an exit node (on the pfSense router): when accessing the internet with my laptop I get 0 Mbps download speed and a weird 5-7 Mbps upload speed. Every time I am unable to load a website, Tailscale is using a direct connection over IPv6. I have tried to block IPv6 to force Tailscale to go over IPv4, but this just breaks the connection over the Tailscale interface.

    I have tested using Tailscale on an Ubuntu VM that sits behind the pfSense router as an exit node and got better results while blocking the IPv6 protocol.

    My main confusion is why the Tailscale package on pfSense doesn't seem to utilize IPv4 connectivity or DERP servers in the event that IPv6 direct connections do not go through.

  • Redirecting DNS to local Adguard Home DNS server

    0 Votes
    14 Posts
    4k Views

    @Bob-Dig right, what I mean is I didn't really create a new VLAN now. I just happened to have other VLANs when you had me test that idea earlier. But yes, I will be revamping my home lab setup pretty soon anyway. I will create separate server and client VLANs and put the AGH server in the server VLAN. I won't need to create a redirect for the server VLAN anyway, since servers don't really use "any other DNS" and respect what's configured in their settings. I guess this is the best solution overall.

  • Enable EDNS Client Subnet (ECS) module for Unbound

    2 Votes
    2 Posts
    1k Views

    @lemonsieur said in Enable EDNS Client Subnet (ECS) module for Unbound:

    Is it possible to have the ECS module built within Unbound? I'm asking because I have Pi-hole as an upstream DNS server, and I saw that it is now able to take advantage of ECS to show the IP address of clients behind NAT.

    This is needed [still]. Specifically for Netflix now it seems. It's always been an issue but it made me waste several hours of my life discovering why I couldn't connect to Netflix. And even more specifically...only on Android devices. It is absolutely because of ECS.

  • BIND named died

    0 Votes
    1 Posts
    426 Views
    No one has replied
  • PfSense resolver not adding DHCP hosts to resolver table

    0 Votes
    7 Posts
    2k Views
    johnpoz

    @GrumpyDave Unbound only does that when you register DHCP, not with static reservations.

    If you're setting reservations for your devices, you're fine; don't register DHCP. Same thing I do. If I add a device to my network, I let it get an IP, then set a reservation with an IP I want it to have, and then I can resolve its name.

  • Host Overrides doesn't override

    0 Votes
    19 Posts
    2k Views

    @Summer You may also want to block DoH, where (many) browsers bypass DNS to connect out to their DNS over HTTPS service. This page has a pfSense PDF that is very detailed but thorough.
    https://github.com/jpgpi250/piholemanual#doh

  • 0 Votes
    3 Posts
    436 Views

    I can see the IAID shown on the LAN DHCPv6 lease status page, but when assigning a static lease in the DHCPv6 server there is only the DUID, no IAID, so both interfaces on the PC get the same IPv6 address assigned.

    See this post for full description

  • Improve documentation DNS Forwarder

    0 Votes
    6 Posts
    791 Views
    Gertjan

    @Summer said in Improve documentation DNS Forwarder:

    pfBlocker-NG and DNS Resolver are both unbound: Resolver

    No.

    Unbound is a resolver. See, for example : NLnet Labs - Unbound - About or Unbound (DNS server).

    pfBlockerNG uses the local 'resolver' (unbound, in this case) and acts like a 'plugin': it intercepts all DNS requests received by unbound, typically from the LAN-connected devices, and before unbound executes a 'resolve' for every request, pfBlockerNG (the plugin) gets its hands on the request first.
    This permits pfBlockerNG to compare the request with a big list (the DNSBL feeds) to see if it concerns a 'blocked' domain. If it finds one, it instructs unbound to 'stop the actual resolving' and tell the client: the IP requested is "0.0.0.0" (so the client can't connect to this IP => the requested domain is blocked).

  • 0 Votes
    1 Posts
    182 Views
    No one has replied
  • DNS Forwarder changed behavior after upgrade to 2.7.0

    0 Votes
    8 Posts
    566 Views
    johnpoz

    @kiokoman sorry it took so long to spot it. I was thinking that the 192.168.8.x you were asking about was just the pfSense IP. Doh! If it had dawned on me that it was some other NS on your network, rebind would have come to mind right away. Sorry it took a few posts for me to notice that; glad you got it sorted.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.