• DNS Resolver, unbound Killed

    3 posts, 535 views

    @jerryf72 Did you install the patches from the System Patches package and restart? There is one to disable unneeded 3am cron jobs that (per other long threads) filled up ZFS ARC memory. The cron jobs are disabled in 23.05.

  • What is the best way to get pi hole to work with pfsense

    1 post, 420 views, no replies
  • Problem with dynamic in static allocations in dhcp

    7 posts, 909 views
    johnpoz

    @g0rck Yeah, how exactly are lan_guest and lan_home isolated? You have one as a VLAN? You have a VLAN switch? You have them plugged into two different switches?

    Making two interfaces with different IP ranges and plugging them into some dumb switch doesn't isolate the networks.

  • System Tunable Resolver

    1 post, 309 views, no replies
  • Update dynamic IP cloudflare disable DNS proxy

    8 posts, 1k views

    @cappie
    Thanks a lot. Think all should be ok now. 👍

  • Ideas on diagnosing intermittent DNS forward?

    5 posts, 458 views

    @mrpete the part further down:

    Disable "Enable DNSSEC Support" if it is enabled.
    DNSSEC is already enforced by Quad9, and enabling DNSSEC at the forwarder level can cause false DNSSEC failures.

  • pfSense+ DNS slow (10+ms)

    8 posts, 642 views
    johnpoz

    @surroundtortilla said in pfSense+ DNS slow (10+ms):

    DNS is configured as a forwarder to Google DNS atm.

    If I forward to Google DNS... I don't see 10 ms added to my query; direct I get

    ;; ANSWER SECTION:
    www.google.com.         250     IN      A       142.250.191.100
    ;; Query time: 14 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Mon May 01 21:30:04 Central Daylight Time 2023

    If I set up unbound to just forward to 8.8.8.8 and turn off DNSSEC I get this. This is right after a flush..

    ;; ANSWER SECTION:
    www.google.com.         3600    IN      A       142.250.191.100
    ;; Query time: 15 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Mon May 01 21:32:35 Central Daylight Time 2023
    ;; MSG SIZE rcvd: 59

    Doing a bunch of queries direct to 8.8.8.8 I seem to get between 11 and 21 ms

    ;; ANSWER SECTION:
    www.google.com.         182     IN      A       142.250.191.100
    ;; Query time: 21 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Mon May 01 21:34:04 Central Daylight Time 2023
    ;; MSG SIZE rcvd: 59

    I wouldn't worry about 10 ms or even for that matter 100.. 10 ms is 0.01 of a second.

    You see the 3600 TTL on my query to unbound because I have min TTL set to 3600..

    Maybe your unbound is way busier than you think it is - maybe you have some box pounding it, asking the same thing over and over again?

    I had some issues with my internet the other day (cable cut) - and when devices cannot resolve, either because you're blocking or it's not working, some of these IoT devices can just hammer DNS..

    2023-04-29 09:38:51 RATE_LIMIT Client 192.168.7.3 has been rate-limited (current config allows up to 1000 queries in 60 seconds)
    2023-04-29 14:06:25 RATE_LIMIT Client 192.168.4.80 has been rate-limited (current config allows up to 1000 queries in 60 seconds)
    2023-04-29 14:40:29 RATE_LIMIT Client 192.168.4.77 has been rate-limited (current config allows up to 1000 queries in 60 seconds)
    2023-04-29 15:22:20 RATE_LIMIT Client 192.168.4.79 has been rate-limited (current config allows up to 1000 queries in 60 seconds)
    2023-04-29 17:20:24 RATE_LIMIT Client 192.168.4.76 has been rate-limited (current config allows up to 1000 queries in 60 seconds)

    My alexa's were going crazy when my internet was down asking for dns..

    (graph 24hour.jpg in the original post)

    That is the number of their queries in 24 hour period - little bastards!! ;)
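Added example, not part of the thread above: the two checks johnpoz is doing by hand, written as a small triage script. It reads the ";; Query time" and TTL out of dig output to compare a query via the local resolver against a direct upstream query, and it parses RATE_LIMIT log lines of the format quoted in the post to rank clients by how often they tripped the limit. The dig samples are the post's own; the log sample reuses the post's five lines plus two constructed repeats for one client so the ranking has something to show. Function names and the regular expressions are this example's, not anything pfSense or unbound ships.

```python
import re
from collections import Counter
from datetime import datetime

# Sample dig output taken from the post above: the same name via the local
# unbound (min-ttl 3600, hence the 3600 TTL) and direct to 8.8.8.8.
DIG_VIA_UNBOUND = """\
;; ANSWER SECTION:
www.google.com.         3600    IN      A       142.250.191.100
;; Query time: 15 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
;; WHEN: Mon May 01 21:32:35 Central Daylight Time 2023
;; MSG SIZE rcvd: 59
"""
DIG_DIRECT = """\
;; ANSWER SECTION:
www.google.com.         250     IN      A       142.250.191.100
;; Query time: 14 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon May 01 21:30:04 Central Daylight Time 2023
"""

# RATE_LIMIT lines in the format quoted in the post.  The first five are the
# post's own; the last two are constructed repeats for one client so the
# per-client ranking below has something to show.
RATE_LIMIT_LOG = """\
2023-04-29 09:38:51 RATE_LIMIT Client 192.168.7.3 has been rate-limited (current config allows up to 1000 queries in 60 seconds)
2023-04-29 14:06:25 RATE_LIMIT Client 192.168.4.80 has been rate-limited (current config allows up to 1000 queries in 60 seconds)
2023-04-29 14:40:29 RATE_LIMIT Client 192.168.4.77 has been rate-limited (current config allows up to 1000 queries in 60 seconds)
2023-04-29 15:22:20 RATE_LIMIT Client 192.168.4.79 has been rate-limited (current config allows up to 1000 queries in 60 seconds)
2023-04-29 17:20:24 RATE_LIMIT Client 192.168.4.76 has been rate-limited (current config allows up to 1000 queries in 60 seconds)
2023-04-29 18:01:10 RATE_LIMIT Client 192.168.4.80 has been rate-limited (current config allows up to 1000 queries in 60 seconds)
2023-04-29 18:03:44 RATE_LIMIT Client 192.168.4.80 has been rate-limited (current config allows up to 1000 queries in 60 seconds)
"""

QUERY_TIME_RE = re.compile(r"^;; Query time: (\d+) msec", re.MULTILINE)
A_RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\S+)", re.MULTILINE)
RATE_LIMIT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) RATE_LIMIT Client (?P<client>\S+) "
    r"has been rate-limited \(current config allows up to (?P<limit>\d+) queries "
    r"in (?P<window>\d+) seconds\)$"
)


def query_time_ms(dig_output):
    """The ';; Query time' value of one dig run, in milliseconds."""
    m = QUERY_TIME_RE.search(dig_output)
    if m is None:
        raise ValueError("no ';; Query time' line in dig output")
    return int(m.group(1))


def answer_ttl(dig_output):
    """TTL of the first A record in the answer section."""
    m = A_RECORD_RE.search(dig_output)
    if m is None:
        raise ValueError("no A record in dig output")
    return int(m.group(2))


def resolver_overhead_ms(via_resolver, direct):
    """Milliseconds the local resolver added over a direct upstream query.
    Negative means a cache hit (or upstream jitter); single samples are
    noisy, so compare several runs before trusting the figure."""
    return query_time_ms(via_resolver) - query_time_ms(direct)


def parse_rate_limit_log(text):
    """Parse RATE_LIMIT lines into (timestamp, client, limit, window_seconds);
    lines in any other format are skipped."""
    events = []
    for line in text.splitlines():
        m = RATE_LIMIT_RE.match(line.strip())
        if m is None:
            continue
        events.append((datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
                       m.group("client"), int(m.group("limit")), int(m.group("window"))))
    return events


def noisy_clients(events, min_hits=1):
    """Clients rate-limited at least min_hits times, busiest first.  A client
    in this list sustained at least limit/window queries per second."""
    counts = Counter(client for _, client, _, _ in events)
    return sorted(((c, n) for c, n in counts.items() if n >= min_hits),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    print("resolver overhead: %d ms" % resolver_overhead_ms(DIG_VIA_UNBOUND, DIG_DIRECT))
    for client, n in noisy_clients(parse_rate_limit_log(RATE_LIMIT_LOG), min_hits=2):
        print("%s rate-limited %d times" % (client, n))
```

On the post's own samples the resolver adds 1 ms over the direct query, which is the point johnpoz makes: the 10 ms being chased is inside the normal 11 to 21 ms spread of the upstream itself. The log side is where the real answer usually is; a client that shows up repeatedly has been sending more than 1000 queries per minute, and the fix is on that client (or a block/redirect rule), not in unbound.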

  • Intermittent Internet Outages daily

    4 posts, 730 views

    @steveits I was using DHCP lease registration but turned that off as the unbound restarting was problematic. I'm not entirely sure if my pfblocker list would be considered large it does take a bit to reload whenever it does.

    I turned off DNSSEC after seeing some posts about it causing issues in 23.01. I have not tried disabling DNS over TLS.

  • Adding so-rcvbuf: to Unbound Crashes unbound

    4 posts, 510 views

    @johnpoz said in Adding so-rcvbuf: to Unbound Crashes unbound:

    @sgc what is this setting on your system?

    [23.01-RELEASE][admin@sg4860.local.lan]/root: sysctl kern.ipc.maxsockbuf
    kern.ipc.maxsockbuf: 4262144

    I don't think you would be able to set 8 if you're limited to 4..

    I have updated my system to 16777216 and now I can set it. Thank you for the info.
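Added example, not from the thread: the check johnpoz describes, as code. It parses an unbound so-rcvbuf value (unbound accepts k/m/g suffixes as binary multiples) and decides whether it fits under a given kern.ipc.maxsockbuf. One detail the thread does not state, taken from the FreeBSD kernel rather than from the posts: the kernel compares socket buffer requests against sb_max derated by MCLBYTES/(MSIZE+MCLBYTES), which is 2048/2304 on amd64, so the usable ceiling is about 89% of the sysctl value. With the 4262144 shown above even so-rcvbuf: 4m is over the line, which is why raising the tunable to 16777216 is what made 8m work. The constants are the standard amd64 values (an assumption about the build).

```python
import math

# FreeBSD mbuf constants on amd64 (assumption: standard kernel build).
MSIZE = 256
MCLBYTES = 2048

# unbound size suffixes are binary multiples.
UNITS = {"": 1, "b": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_unbound_size(text):
    """Parse an unbound size such as '8m', '512k' or '4194304' into bytes."""
    s = text.strip().lower()
    number, unit = (s[:-1], s[-1]) if s and s[-1] in "bkmg" else (s, "")
    if not number.isdigit():
        raise ValueError("bad size: %r" % text)
    return int(number) * UNITS[unit]


def effective_sockbuf_cap(maxsockbuf):
    """Largest SO_RCVBUF/SO_SNDBUF the kernel accepts for a given
    kern.ipc.maxsockbuf: FreeBSD derates sb_max by MCLBYTES/(MSIZE+MCLBYTES)
    (sb_max_adj) before comparing, so the usable ceiling is below the raw
    sysctl value."""
    return maxsockbuf * MCLBYTES // (MSIZE + MCLBYTES)


def so_rcvbuf_accepted(requested, maxsockbuf):
    """True if 'so-rcvbuf: <requested>' can be applied under this maxsockbuf."""
    return parse_unbound_size(requested) <= effective_sockbuf_cap(maxsockbuf)


def minimum_maxsockbuf_for(requested):
    """Smallest kern.ipc.maxsockbuf that lets the requested buffer through."""
    return math.ceil(parse_unbound_size(requested) * (MSIZE + MCLBYTES) / MCLBYTES)


if __name__ == "__main__":
    # 4262144 is the value shown in the thread; 16777216 is what the poster set.
    for req, cap in [("8m", 4262144), ("4m", 4262144), ("8m", 16777216)]:
        print(req, cap, "ok" if so_rcvbuf_accepted(req, cap) else "rejected",
              "(needs maxsockbuf >= %d)" % minimum_maxsockbuf_for(req))
```

On pfSense the sysctl is set under System > Advanced > System Tunables rather than in a file, and it is the place to look before adding so-rcvbuf or so-sndbuf to unbound's custom options; a value that exceeds the derated cap makes the setsockopt fail at startup, which is what the thread's title describes.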

  • 2 posts, 1k views

    @mebert
    Consider that you have to state the remote domain if your client uses another search domain, which I assume.

    So if the remote host name is "host" and its domain is "local", you need to type "host.local" to access it.

  • Blink cam and sync modules fight with pfsense

    2 posts, 910 views

    Figured out the button I tweaked. I had an old config file and diff'd it with the current. Change by change I thought about the implications. The winner was that I noticed the old file had "Enable UPnP & NAT-PMP" enabled and "Allow NAT-PMP Port Mapping" enabled, but they weren't on in the current configuration. Switched them on and it's off to the races.

    Problem solved.

  • 4 posts, 634 views
    N8LBV

    @steveits Thanks!
    I'll check them out.
    I'm in pretty good shape just turning them off, but was extremely curious why it is suddenly
    an issue lately when it had been working up until now.
    And it's on 2.6.0 so there have been no changes to the software that would have affected this
    from when it had been working till now. :)

  • How to configure DHCP Server to NOT assign a default gateway

    19 posts, 21k views

    @highc I'm glad to hear it helped you! Also, thanks for clarifying that a person needs to type the word "none" without quotes—good catch!

  • UNBOUND Silently Dies following upgrade/migration from CE to PLUS

    5 posts, 900 views

    @steveits I appreciate the help. DNS FORWARDING was never enabled, only local resolution - with DNSSEC enabled. I have since disabled DNSSEC on the LOCAL resolver and we will see how that fares.

  • DHCP lease screen not loading

    123 posts, 1 vote, 64k views

    @gertjan Thank you. Your advice worked for me as well.

    Stopped dhcpd service

    cd /var/dhcpd/var/db
    mv dhcpd.leases dhcpdleases.bak
    mv dhcpd.leases~ dhcpdleases~.bak

    Started dhcpd service

  • DHCP on an interface other than LAN

    3 posts, 744 views

    @viragomann Hiya. This was caused by the default IPv4 config, which set it to /32 and not /24, which caused it to be hidden.

    Thanks for your help.

  • dhcp registration not using correct dns domain in unbound

    11 posts, 1k views
    Gertjan

    @mystique_

    Maybe not what you need right now, but :

    (screenshot in the original post)

    I know, this is 'IPv6' so it's 'dhcp6d' doing the RFC 2136 thing.
    I have "Add reverse dynamic DNS entries" checked.

    Btw : My IPv6 /56 comes from my ISP, and there is no way I can have this info pushed so 'everybody' can reverse request my IPv6.
    My web/mail/whatever dedicated server uses bind, and also takes care of zone of my pfsense local domain.
    So now my server knows how to find diskstation.my-domain.tld by its IPv6, so I can backup my server to NAS behind pfSense.

    I don't do "registration of DHCP client names in DNS" for my IPv4, as these are ... IPv4 and all RFC 1918.

  • How to adjust WAN DHCPv6 Solicit Messages?

    3 posts, 682 views
    keyser

    @sowqwick said in How to adjust WAN DHCPv6 Solicit Messages?:

    OK, I am pretty sure now I need this

    https://redmine.pfsense.org/issues/8173
    https://github.com/pfsense/FreeBSD-ports/pull/1181

    to include option 20 (Reconf Accept).

    Don’t get your hopes up for a native fix. pfSense has been missing a proper working DHCPv6 client for many years, but it no longer receives any love from the devs. I think the general IPv6 support project has been lowered so much in priority that it’s dying now with all the focus on FreeBSD 14, drivers and a new PHP.

    In favor of the devs it should be mentioned that DHCPv6 is a hornets nest of crap that no-one adheres to, and thus has about zero standardisation in actual practice.

  • pfSense dhcp problem using VLANS

    20 posts, 6k views

    I didn't work with UniFi switches, however I'm planning to later this year.

    But concept I'm using with other switches that support VLAN is like this:

    Chromecast will need to receive traffic only from the IOT VLAN (if I understand your requirement correctly). But for Chromecast (and other consumer grade appliances) it is important to receive this traffic as untagged, so if it is possible in the UniFi switch you need to configure the ports to which devices are connected directly as belonging to the proper VLAN but sending untagged traffic.

    Also I see you seem to have solved your issue already, but I'd suggest considering configuring untagged ports properly (if UniFi allows it; maybe it is too smart and guesses the proper config on its own).

    I'm just thinking that if e.g. a Chromecast is connected to a port which sends tagged traffic, the Chromecast will probably be able to receive some packets, but some portion of packets may be dropped, and this will affect the quality of the connection.

  • DNSSEC and NextDNS

    7 posts, 2k views

    @juanzelli said in DNSSEC and NextDNS:

    don't need DNSSEC if you're forwarding queries

    I'd go a step farther...per Quad9 forwarding with DNSSEC may cause failures. And in pfSense 23.01 it seems way more problematic than older versions where I saw no failures.

    @Antibiotic If those instructions are generically how to enable forwarding, which it seems, pfSense has a checkbox for that:
    (screenshot of the forwarding checkbox in the original post)

    ref: Quad9 doc saying to uncheck DNSSEC: https://support.quad9.net/hc/en-us/articles/4433380601229-Setup-pfSense-and-DNS-over-TLS

    thread about Quad9 and several others, where DNSSEC and/or DNS over TLS is causing problems in 23.01: https://forum.netgate.com/topic/178413/major-dns-bug-23-01-with-quad9-on-ssl/
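Added example, not from this thread, the "Ideas on diagnosing intermittent DNS forward?" thread above, or Quad9's doc: what the two settings those posts discuss look like as an unbound.conf fragment, i.e. forwarding to Quad9 over TLS with unbound's own DNSSEC validator turned off. On pfSense the file /var/unbound/unbound.conf is generated from the GUI, so the equivalent is the DNS Resolver checkboxes named in the comments rather than editing the file by hand; the Quad9 addresses and TLS name are Quad9's published ones, and the CA bundle path is the FreeBSD/pfSense default.

```conf
server:
    # Validation off. The forwarder (Quad9) validates upstream; running a
    # second validator behind a forwarder is the setup Quad9's doc above
    # says can produce false DNSSEC failures.  pfSense: leave
    # "Enable DNSSEC Support" unchecked (that checkbox is what adds
    # "validator" to module-config).
    module-config: "iterator"
    # CA bundle used to authenticate the upstream's TLS certificate.
    tls-cert-bundle: "/etc/ssl/cert.pem"

# pfSense: "Enable Forwarding Mode" plus "Use SSL/TLS for outgoing DNS
# Queries to Forwarding Servers", with the Quad9 addresses and hostname
# entered under System > General Setup.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # @853 selects the DoT port; #name pins the certificate's hostname,
    # without which the TLS session is encrypted but not authenticated.
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
```

The trade-off a practitioner should be explicit about: with module-config "iterator", unbound no longer proves anything about the answers itself; you are trusting Quad9's validation, and the certificate-name pin on each forward-addr is what makes that trust hold up against an on-path forwarder swap. Check the result with a known-bad name such as a deliberately mis-signed test zone: with Quad9 validating it should return SERVFAIL, and a query with +cd to the same upstream should not.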

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.