@rcoleman-netgate said in Can't ping any LAN hosts by host name: Bridging in BSD should be used in a very sparing, limited function. It's not a switch, it's a router. @redbearak said in Can't ping any LAN hosts by host name: If bridging is really something BSD can't do reliably, If you really wanted bridging on your hardware you could run a Hypervistor such as Proxmox which does support bridging via underlying Linux. pfsense can then be run in a VM. A Linux bridge emulates a switch (not Hub by default) but may still be inferior to a dedicated switch. The complexity of running a hypervisor just to create a switch is likely to be poor use of your time. I run pfsense under Proxmox but pass through the NICs used by pfsense to optimise pfsense function and minimise the exposure surface however may others use VirtIO

@danjmillier have you run a packet capture on the interface to see if it's seeing the DHCP requests?

@jwwags92 DNS resolver would make it a universal setting to all items that use your pf to resolve... but you're still stuck in the spot of having to do it manually. Configuring a static-map is still a need, and while it usually works it won't help you when you have a static address already that needs an FQDN.

@viragomann Thanks. Will follow over there.

@mtarbox said in Unbound is still crashing, at least once daily.: service watchdog restarting, etcetera Be careful with that one. To keep things close to your profession : what happens when you electro choc a patients heart when it is still beating ? Right, you stop it, and thus you're making things worse. When ever possible, stop using the "service watchdog".

@cryptos said in DNS Host Override not working: Still doesn’t make sense, though, since the override should have returned the internal IP for internal queriers. Yeah - and you showed it did with your direct query. These browsers and their doh ticks me off to no end.. I don't think you can view what the browser shows as IP for fqdn in chrome, but firefox you can.. And it should list your doh settings on the top example [image: 1657673107615-trr.jpg] See my nas.local.lan - and what doh mode I am in, and if it came from TRR or not.. 5 - Off by choice. This is the same as 0 but marks it as done by choice and not done by default. You can never trust these guys these days... I have all known doh IPs blocked in pfsense as well.. If you couldn't tell, not a fan of doh ;)

@pajinha said in Unbound dns resolver stops resolving every few days after 22.05 upgrade: not sure how they managed to screw this one. The forum mentions a couple of 'DNS' issues since 22.05. But, what is a couple ? 22.05 has been downloaded and installed many thousands times (I can't tell, but I'm pretty sure). @pajinha said in Unbound dns resolver stops resolving every few days after 22.05 upgrade: ( removed my VPN outgoing interfaces ) If your DNS also goes over this VPN and the VPN is bad - as this can happen, they are not all equal and perfect - then, yeah, DNS looks bad. Because your uplink is bad. DNS is mostly UDP, these can get lost. unbound won't hammer away, and return a SERVFAIL. TCP get renegotiated and is far more resilient. For now, my DNS using 22.05 using default settings and no VPN is working as before. And don't tale my word for it, see for yourself.

@bob-dig Make sense now that I read the tooltip differently. When the tooltip says "...if DNS Forwarder or Resolver is enabled" they mean enabled VS disabled from a service perspective and not on a per-interface basis.... That's what I misinterpreted. That's be nice to be able to NOT run unbound on an interface and serve system DNS servers. IMO the DHCP server should pass DNS servers in the following order: If DNS fields are populated use their settings; Otherwise If unbound is running on the interface use interface IP Else pass system DNS servers That's probably more of an improvement idea than anything else. For now (and probably forever) I have copied the system DNS servers onto the DHCP fields for DMZ and I'm back to normal. Sorry about the confusion. Funny how something can be interpreted differently... Thanks for your patience @Bob-Dig !

@johnpoz That makes more sense, I agree. You think that perhaps client (windows or mac) firewall deactivation only happened after a reboot ? If so that is bad behaviour, hope it doesn't do that when enabling it !

@scroll_dp said in Domain name of pfsense via Cloudflare: that routing public IP to lan network That is a port forward.. You mean you want a "dmz host" like home routers allow you to do? You could do that with a 1:1 NAT - again BAD IDEA!!!

@johnpoz @keyser So ty for the screenshot, I didn't have source advanced matched correctly.. And I was trying to redirect to another host.. so I am now seeing ntp clients on the router.. but of course (without physically going to each host..) I have another question.. pfsense host tcpdump -v -i igb0 dst port 123 and src net 10.20.0.0/16 -n -vvv bare metal (void) linux host.. tcpdump -v -i enp1s0f0.173 dst port 123 and src net 10.20.0.0/16 -n -vvv [image: 1657326398429-657bfd16-2a1f-4e81-994a-f9b8f7bbdce7-image.png] What is up with all the time disparities? 1 and 4 look fine.. what is up with 2, 3, and 5? The host on top is pfsense and running ntpd, host on bottom is running chronyd.. host 1 is another pfsense, host 2 is a bare metal linux which locally reports correct time, host 3 is an esxi vm also locally reporting correct time, host 4 is an esxi windows vm locally reporting correct time, host 5 is an axis camera locally reporting correct time.. I just wouldn't have expected to see all those different times.. This was the host I was testing from originally.. (which also looks correct locally and in the tcpdump..) [image: 1657326939985-a1f81a54-a519-4357-a250-dfaca34d2e04-image.png] Random host had this to say about tcpdump timestamps.. (https://weberblog.net/packet-capture-network-time-protocol-ntp/) "transmit timestamp: “Time at the server when the response left for the client.” This is the most interesting timestamp in those NTP packets since it shows the time the NTP client/server had as it sent the NTP packet. If you roughly want to know the time by looking at an NTP packet, look at this transmit timestamp."

@rcoleman-netgate No. I have one lan interface from the pfsense router that connects to a switch. They are all in the default VLAN.

@ofir29200 said in DHCP wont start after a power outage: 10 PC was running 1 year straight without a power outage (but then it became unresponsive, so I had to reboot it...) That's pretty darn good for a consumer grade desktop OS. Still, as this is consumer desktop OS, after the reboot I would bet heavily on "issues" after such a period. You were also skipping major security updates .... that's something I wouldn't even dare to do.

@deanfourie said in Huge DNS traffic?: pi Thinks get easier now. Who admins this thing ? You ? Go for the easy choice : rip it out of your network. Solved ;) Or go for the Youtube 'wtf is a pi anyway' series. You be in for some pretty good DNS info ;) edit : Btw : pi and pfBlockerng-devel do somewhat the same thing. Using both == annoying a best.