@jknott its TINY!!! guarantee is smaller than whatever 5 port switch you have in your bag now.. Didn't say you had to get rid of yours and use this.. I am pointing out for others reading your thread about using a switch as a tap...

@johnpoz Thank you again for explaining! I have a German Telekom VDSL with true dualstack, get a dynamic public IPv4 (and v6) from that ISP. I get an /56 prefix. The first router is a fritzbox, pfsense is set as exposed host for IPv6 and (as mentioned) gets the GUA for WAN by dhcp from fritzbox. It cuts a /59 net out of the ISP's /56 (fritzbox uses two /64 for LAN and Guest-LAN) as described in this forum a few times by others)... Since everything intern and (trusting those various IPv6 test sites) extern seems to work just fine (intern working with track interface, slaac, no active dhcpv6 servers) I put the topic to a rest. Thank you for taking time to elaborate the log entry!

@steveits Not sure if I resolved yet as had mem issues that had to be fixed, I did start adding sites manually to a white list which seems to solve some problems but not yet all. Am going to swing back around and see if I can get more info to share and hopefully resolve.

@brian-smit said in DHCP 169x IP until i reconnect LAN cable or Turn WIFI on or OFF: reuse_lease: lease age 1217 (secs) under 25% threshold, reply with unaltered, existing lease " Those are common - leases normally don't start to renew until 50% done. But as the client gets closer and closer to lease expire, it should start screaming for a renew.. Sending them more and more often. Once a renew fails - it should send a discover.. I would watch your logs the next time it happens and look right away, set your log to keep more in the gu.. I think it defaults to only the last 50 entries. I have mine set at 2000.. This should allow you to see more entries.

@johnpoz No problem, all water under the bridge. Maybe this lengthy thread will be help to someone in the future in regular Resolver mode. I should have been more clear in my post too. I knew the DNS Forwarder was dnsmasq and wanted to make sure someone knew it was unbound instead. Next time I'll state it upfront which mode I'm running in. I learned more abound unbound and some dig queries along the way which is always helpful. Thanks again!

@randombits said in Local IP's resolved from names ?: under host overrides ? yes

@bingo600 said in getting out of IP-addresses: Offcause i meant DHCP lease Yeah, right.

@johnpoz constraint is a solid brick house. i had cat 7 cables run throughout the house to the boiler room. so for the small environment i have, it is easier in this case, to work with s/w configs that to physically run new cables, etc;

One issue you will face if you use the DHCP server on pfSense is that hostnames of local clients will not be registered in DNS in AD. That may or may not be of concern for your setup. And you don't want to turn on DHCP DNS updates within pfSense as that will cause the unbound daemon to be restarted each time a client renews its lease. There are many posts on the forum about that little gotcha. DNS can be dead for many seconds during that restart, and the dead time is greatly expanded when you use tools such as pfBlockerNG-devel and DNSBL. In my opinion, if you have an Active Directory shop, you really should let most of the DNS and DHCP infrastructure be hosted within AD. And in Windows 2016 and up, AD supports DHCP failover if you install the service on multiple hosts.

@brian-smit so they are still on their normal address is some rfc1918 address, not the APIPA 169.254 address. You sure just not an issue with your unbound restarting with dhcp reservations.. Has been a long time issue where when a lease is issued or renewed, etc. that unbound restarts and if your using pfblocker that can cause start up delays, etc. this can present itself as dns not working - but its just dns is restarting. One solution to that is not register dhcp leases in unbound settings.

Hello @viragomann, The problem is DNSSEC. Thanks again.

If you have a Windows AD you need to configure only the IP of the DCs on clients. Windows with domain could have weird behavior if clients use a non DC DNS server. You have to configure the DCs to forward to the other DNS servers. The best approach is having at least 2 DC to have some redundancy, and configure both IPs on clients.

@cool_corona Thank You both ! I indeed going to make sure that nobody can plug things into the switches and i change the 192.168.x.x into something else