• Is Snort still relevant today (2023)

    1
    0 Votes
    1 Posts
    499 Views
    No one has replied
  • can pfsense filter isc.org dhcp server traffic?

    4
    0 Votes
    4 Posts
    474 Views
    GertjanG

    @iwishitwouldwork

    pfSense told me :

    79276e31-8545-4ca7-b0ac-bb655ab53733-image.png

    Remember : the logs always contain 'the answer' 😊

  • DNS not getting translated into IP, using PfSense

    5
    0 Votes
    5 Posts
    1k Views
    johnpozJ

    @slo-bo-dan that picture makes no sense - are you hiding the names? And the full IP?

    domain overrides would be for where you want to resolve a specific domain and all its records from a specific name server..

    For host overrides they need to be fully qualified, and point to a specific address - so I believe you're just not showing what is fully there?

    Also for clients to get the host override they need to be asking pfsense for dns.. Or the nameserver clients are asking needs to then ask pfsense..

    edit: Let's do a specific example, maybe that will help you understand how host override works.

    you have www.domain.tld out on the public internet that resolves to 1.2.3.4.. This is your pfsense wan IP, when you see traffic to 1.2.3.4 on port 443 you send it to 192.168.1.100 via a port forward.. This is how outside your network gets there to your website on www.domain.tld

    Now internally you have some client on 192.168.1.90, and he wants to get to www.domain.tld - does his dns resolve that to 1.2.3.4, or have you set up a host override on pfsense to point www.domain.tld to 192.168.1.100?

    If your client on .90 resolves it to 1.2.3.4 you need to set up nat reflection. If your client is asking pfsense for dns, then a host override would tell this .90 hey just go to 192.168.1.100

    But if your client is using say 8.8.8.8 or 9.9.9.9 for dns directly then no, your host override would never work.

  • 0 Votes
    6 Posts
    3k Views
    H

    @offstageroller Hello

    I ran into this issue and what fixed it for me was when I changed unbound to unbound python.

    I noticed that whenever I made changes and needed to update or reload anything with PFBlocker, it would also do the same thing to me, as well as the normal scheduled updates it does via cron job. I believe one of the main reasons is because it restarts/reloads everything a bit quicker than normal, but whatever it is, this fixed it for me. No more losing connections whenever I make changes and updates, nor have I seen any more disconnections in the logs.

  • DNS Resolver (Unbound) is Slow

    9
    0 Votes
    9 Posts
    4k Views
    RobbieTTR

    @mpfrench

    I ran the test you used, just to see what it did with my setup:

    2023-04-12 at 12.52.43.png

    So my DNS Resolver is pretty quick.

    I can make the graph look awful by including the uncached results:

    2023-04-12 at 12.52.04.png

    But in reality my DNS queries rarely require going outside of the cache thanks primarily to prefetch, expired and the regular cache. When they do I have DNSSEC, DoT and the extra round-robin exchanges that go with them. As a result, these queries are much slower but as they happen <4% of the time the real-world impact is just imperceptible. The average results are just dominated by the cache performance.

    As for Mr Gibson's test conclusions:

    2023-04-12 at 12.50.33.png

    Some of it may be a little misleading but it does highlight the performance advantage of the DNS resolver in my system. I could improve the non-cache test speed by removing DoT and undertaking pure port 53 UDP resolutions but outside of this DNS test it would not be noticeable and expose more data than needed.

    ☕️

  • DHCP option 43 setup for VOIP Phones

    11
    0 Votes
    11 Posts
    3k Views
    Z

    @jknott So I received this from the vendor, but I am still not able to get the data to go out. I have set this like recommended here.

    https://service.snom.com/display/wiki/DHCP+options#DHCPoptions-Option43(vendor-encapsulated-options)

    You're using DHCP options 132 and 133 for the VLAN tags in the router;
    however, to have this working you have to encapsulate the content of DHCP option 132 for the VLAN in DHCP option 43.

    So,
    You'll need to configure the devices from Network -> Advanced Settings and set these values as follows:

    Enable DHCP VLAN: Enabled. Enable Manual VLAN Configuration: Disabled. Enable LLDP: Disabled.

    Then, on a router, you will need to set the DHCP option 43 as described on the following link:
    https://service.snom.com/display/wiki/DHCP+options#DHCPoptions-Option43(vendor-encapsulated-options)

    According to the link, for example,
    for VLAN 10 it should be
    84:03:31:30:00;

    for VLAN 20 it should be
    84:03:32:30:00;

  • Do Static DHCP entries inherit all settings from parent?

    1
    0 Votes
    1 Posts
    268 Views
    No one has replied
  • DHCP not releasing inactive leases

    7
    0 Votes
    7 Posts
    1k Views
    H

    @steveits

    working fine. thanks

  • "New" DNS lookups are often failing once for me ??!

    5
    0 Votes
    5 Posts
    1k Views
    MrPeteM

    Sorry for the delays... family RL kicked in.

    Lots of helpful suggestions... looking into it! THANKS

  • Can't forward .lan domain

    1
    0 Votes
    1 Posts
    297 Views
    No one has replied
  • DNS resolution of my domain on the LAN, am I missing something?

    3
    0 Votes
    3 Posts
    600 Views
    H

    @steveits Thanks for replying. I only have the DNS resolver on pfsense, so no other DNS server to point to. I just have a home network, no AD or anything fancy like that. No, you're not allowed to enter an asterisk but you can leave host blank, however that does not seem to do anything!

    I guess I could have another DNS server running and then use a Domain Override as you suggest unless someone else has a better idea.

  • Problems in DNS queries from VLANs

    2
    0 Votes
    2 Posts
    513 Views
    P

    It was an ACL problem. I don't know what was wrong, but, after creating a new one, it started working.

  • DNS - query refused on IPv6

    7
    0 Votes
    7 Posts
    1k Views
    J

    Yes, I have the patches package installed, but it lists no patches.
    However, I was able to manually add the patch with the URL. The produced entry didn't look quite right so I deleted it again and re-added it, but this time I referenced the commit ID "46b159032fef8c78783aa1a749d2238cfed7ac0d" from Georgiy's post under https://redmine.pfsense.org/issues/13851.

    All works a treat now! After I applied the patch and cycled the DNS Resolver service, all of my local clients with IPv6 are able to get dns resolution replies once again.

    Thank you everyone for the incredible work with this platform!

  • IPSec site to site can't access internet

    2
    0 Votes
    2 Posts
    349 Views
    M

    Figured it out...answering my own post in case it helps someone else.
    The problem WASN'T dns! Mark that for the record books. I believe it's one of two problems.
    When I originally set up the WAN I set a static WAN interface. My ISP complained and told me to set it as dynamic (even though they issue us a static). Also on the initial setup I had not spoofed the MAC address of the old firewall my ISP had registered. The ISP will issue a completely different IP range but not allow you to connect to the internet if using a different/unregistered MAC. Somehow when I switched to dynamic it left the original (nonworking) static gateway. Upon checking Status/Gateways I noticed the top entry in pink as offline; under that is a WAN_DHCP with "Online" status. Once I deleted that top "offline" gateway, then I got internet.

    I was going insane because the vpn worked so I knew the internet worked...but also wouldn't. Hope it helps someone else

  • 0 Votes
    1 Posts
    303 Views
    No one has replied
  • Rhel9: installing an idm server

    6
    0 Votes
    6 Posts
    923 Views
    N

    Installing Identity Management
    1.4.1. How IdM uses chronyd for synchronization

    ..
    If you do not pass any NTP options to the IdM installation command, the installer searches for
    _ntp._udp DNS service (SRV) records that point to the NTP server in your network and configures
    chrony with that IP address. If you do not have any _ntp._udp SRV records, chronyd uses the
    configuration shipped with the chrony package.

    Where can I look to see if pfSense has the records for its NTP server? I'm using pfSense for my DHCP, DNS Resolver as the Forwarder from the IDM Server, and NTP for the IDM Domain clock sync.

    Network Topology:
    Network.jpg

    UPDATE:
    After further research, configuring chronyd on the IDM Server and some clients to sync with pfSense NTP Server, it appears good, pfSense NTP UI is all I need to make any adjustments and I don't need any SRV record look-ups, because the IDM will default to using chronyd configuration.

    I removed the pool setting, added the server directive in the chrony.conf as server 10.30.70.1 iburst, which is the IP of the pfSense LAN Gateway, and added the pools there. This way I will just have a single configuration to deal with.

    My NTP Network Topology:
    Network IDM NTP.jpg

  • DHCP issue with Unifi and vlan

    1
    0 Votes
    1 Posts
    336 Views
    No one has replied
  • DNS DOS flood attack

    10
    0 Votes
    10 Posts
    2k Views
    A

    @johnpoz Thanks again john. Decided to bypass the whole local network and plugged the internet straight into Wireshark. Couldn't find any DNS packets! Did a factory reset and assigned Snort to the LAN interface and all is good! Thanks for your help.

  • DHCP not working on VLANs - SOLVED

    1
    0 Votes
    1 Posts
    531 Views
    No one has replied
  • unbound updating host host_entries.conf

    4
    0 Votes
    4 Posts
    499 Views
    johnpozJ

    @dawsnet said in unbound updating host host_entries.conf:

    handled via Docker Swarm

    That is not normally how macvlan works - any device that is on network X with its own unique mac and set for dhcp would and should get an IP from the dhcp server running on the network... If it's not, then it's not really fully on the network..

    So you're moving the container to a different host, that is on a different network? Then it would get an IP from that dhcp server, so you could set up a reservation for it on that network as well, etc.

    If it moves to host on a different network it would get say 192.168.1.x and when it moves to 192.168.2 it would get 192.168.2.x etc..

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.