• Host Overrides and Firewall rules?

    11
    0 Votes
    11 Posts
    1k Views
    johnpozJ
    @woggy Makes no sense to have a proxy doing your SSL offload if you have zero want to even talk to them.. Just talk to your server, set up an SSL offload for it, etc. I have zero understanding of why you would set up a proxy to allow clients to talk to your cameras - if your goal is to not let your LAN talk to your cameras..
  • Difference between DNS Resolver forwarding mode and DNS Forwarder?

    10
    0 Votes
    10 Posts
    2k Views
    GertjanG
    @rcfa pfBlockerNG can be installed and work with dnsmasq. The first 'IP' based part isn't DNS related at all, it's just pfBlockerNG; after all 'Blocker' says "it blocks" using 'pf', and 'pf' is the pfSense firewall. DNS has nothing to do with this. People wanted more (as usual), so the local DNS handling had to be intercepted so more sophisticated host name (DNS) filtering could be applied. dnsmasq can't do that. Unbound can. The DNS part shows: [image: 1649790778481-9876f1db-f9be-4f31-b098-329cfbb0177a-image.png] which means what it means. dnsmasq is still an option present in pfSense for historical reasons. There will be a day that there isn't a choice anymore. It will be 'unbound' the resolver, and that's it. As far as I know, unbound can do what dnsmasq does; that's why it was chosen. All this is "IMHO" of course. If it was me, I would have thrown in the super bloatware called 'bind', but bind can't really be mastered with a GUI as it is (too) big - and complex, as it masters 99,x % of all DNS interactions. bind would solve the question of this thread, as it wouldn't exist anymore. Everybody would know the answer already, as everybody would know 'enough' about DNS to answer for themselves ;) pfSense needed a resolver (which is neutral and doesn't feed external companies with the user's private info) and a local DNS cache. Zone handling etc. isn't the role of a firewall anyway. unbound has a rather small footprint, and can be 'extended' using scripting (Python). The choice was easy.
  • dhclient problems on wan since new hardware and upgrade to 2.6.0?

    12
    0 Votes
    12 Posts
    908 Views
    E
    @gertjan I applied the patch, let's see what happens next. ;) A big thank you @Gertjan for your help!
  • DHCP only working in one physical interface

    5
    0 Votes
    5 Posts
    1k Views
    B
    @thiasaef said in DHCP only working in one physical interface: een these ports) and then a
    Thank you for the response, indeed I will have a managed switch in the final setup, but the response from @johnpoz was on the spot: I forgot to configure the VLAN tag on the laptop that I am using for testing.
  • Managing communication among multiple internal servers

    1
    0 Votes
    1 Posts
    338 Views
    No one has replied
  • Static DHCPs not showing as static on DHCP/status??

    5
    0 Votes
    5 Posts
    942 Views
    F
    @johnpoz said in Static DHCPs not showing as static on DHCP/status??: just because you made something static (dhcp reservation).. If it had a lease before, that would still be shown.
    Yes, absolutely agree, that is one of the beauties of using DHCP instead of just static addressing.
    @johnpoz said in Static DHCPs not showing as static on DHCP/status??: are you sure you actually applied once you created the reservation?
    Well, I would believe so? I can see the static reservations at the bottom of their respective DHCP server tabs, just not indicated as reserved/static on the status page, which I would have thought should show more than just a single one of them... but I appreciate the question; if it works for all but me, it may just be a setting somewhere I guess :)
  • Unbound massively broken (pfSense >= 2.5.2)

    10
    0 Votes
    10 Posts
    2k Views
    Bob.DigB
    I am seeing flakiness too, since I switched to PPPoE and am now using haproxy. Or it is just a loose cable somewhere, I can't tell for sure.
  • DHCP dynamic Updates to zentyal server

    1
    0 Votes
    1 Posts
    609 Views
    No one has replied
  • Dynamic DNS Azure for Root of Domain

    3
    0 Votes
    3 Posts
    650 Views
    K
    @viktor_g Thanks, I hadn't seen this.
  • 0 Votes
    4 Posts
    1k Views
    M
    Hi yugisop, after a bit of search I found the guilty config in /usr/freebsd-dist/base/etc/inc/system.inc ...
    function check_dnsavailable($proto='inet') { if ($proto == 'inet') { $gdns = array('8.8.8.8', '8.8.4.4'); ...
    So it seems they check if a DNS is available and then decide whatever about it. Cheers, Michael
  • pfSense 2.6 dns forwarder "config error is REFUSED" randomly

    3
    1 Votes
    3 Posts
    1k Views
    M
    @rm135 To answer my own question, if no one gives me the light... After a million tries to figure out the issue, I realized that this entry should be unchecked in the DNS forwarder config section. [image: 1649080101758-7d9b446e-aa42-45ba-a246-552fb9e85177-k%C3%A9p.png] After this all goes fine, no more refusing.
  • DNS Headaches Since Switching to PFSense

    48
    0 Votes
    48 Posts
    9k Views
    GertjanG
    @skogs said in DNS Headaches Since Switching to PFSense: but 99% of people will put something in there, and many will turn off the root dns servers.
    99 ? Keep in mind that most people can access Youtube these days. It's easy to find some video that explains what DNS is. Take one from some respectable school, like a prof from MIT; these guys normally do inspire some confidence. They won't tell you to use any company's DNS server, as these are not needed. They will explain why these exist ;) ( and it has nothing to do with giving a free service, it's about money - and yes, these might be a couple of ms faster and no, you will lose DNSSEC in the process ). But, I understand what you mean. The 'market' also tries to teach us that "VPNs" are needed for your protection and privacy. And Antivirus programs are also needed because you feel constantly the need to open every attached file (it was of course an executable) in your email because it told you that it contains the winning ticket of a lottery, or the instructions on how to get your hands on the legacy of that African uncle that died, and "they" can't transfer you his fortune.
    @skogs said in DNS Headaches Since Switching to PFSense: couple of the root DNS servers NXDOMAIN,
    If in DNS doubt, use for example this https://www.zonemaster.net/domain_check and type in the domain name. You'll be surprised how often a domain name has broken DNS info, so you have to wait. Far too often, me included, we start changing settings locally, with some serious head banging, to discover afterwards that the issue wasn't on our side. For example: a year ( ? ) ago someone made a small error while changing some settings and the company domain name servers became unreachable. This was a big company, they had their own "AS" and now it was 'broken', and the entire thing vanished from the Internet. Millions have restarted their routers, or worse. It was the other side. The company was facebook.
  • Issues configuring DNS

    2
    0 Votes
    2 Posts
    708 Views
    GertjanG
    @rupocinski said in Issues configuring DNS: I have a expressVPN router in front of the pfSense firewall. The VPN is set at 10.105.17.1 and DHCP for the firewall. The firewall is set at 10.105.17.3 and then I have a DHCP router behind that firewall.
    You have a router ( expressVPN ) and then a router ( pfSense ) and then a router ( DHCP router behind that firewall ) chained up ? You could make life much simpler. pfSense can connect to Expr*ssVPN as it has an OpenVPN client. I know it works, as I have it working. A DHCP router behind pfSense isn't needed, as pfSense can handle DHCP just fine. So, why not: get rid of a maximum of boxes and have settings centralized in one. Or, another option, remove pfSense from the chain.
  • Pfsense in resolver mode and PIhole

    3
    0 Votes
    3 Posts
    2k Views
    D
    Just to add the DNS landscape is changing rapidly and it is becoming more difficult to maintain control over how your network's hosts are able to resolve names. See this thread!
  • 0 Votes
    15 Posts
    7k Views
    SipriusPTS
    @gertjan Just to confirm here that after upgrading pfSense OS from 21.05.2 to 22.01, and recreating (copy) all dyndns entries, it finally worked. Without recreating those dyndns entries, I was having badauths in the logs under the 22.01 version.
  • Cloudflare DynDNS (DDNS) Proxied OpenVPN Issue

    2
    0 Votes
    2 Posts
    2k Views
    M
    False alert. It stopped working. I think the Cloudflare proxy took longer to engage on the backend even though their web UI showed differently. On the plus side, I know more about their services. The "Zero Trust" and "Tunnels" free services may be a good replacement for VPN. Hope this helps.
  • Website not loading: help me to understand why

    7
    0 Votes
    7 Posts
    999 Views
    GertjanG
    @valepe69 said in Website not loading: help me to understand why: Considering that it's a local food distribution it may sense that it locks VPN ips
    I would understand that a local food delivery store doesn't want to take orders from an IP coming from South Africa, or the south pole. It's a known issue: people want to use the lists from "MaxMind GeoIP" and check as many countries as possible.
    @valepe69 said in Website not loading: help me to understand why: I use VPN to make my privacy stronger
    That's far more an idea carefully being constructed by entities that want to sell you services linked to this concept. It's "VPN here, VPN there" these days, as it was "anti virus here / anti virus there" before. People finally found out that "do not execute that unknown EXE from the Internet, even if it promised free World of Warcraft game play". These days it's more a) many media services so you can show the world what you are doing 24/24h, b) many VPN services so you can hide showing yourself (something like that). The ones who know who you are, what you are doing, what you are buying and what you are looking for are not hindered by the fact you use a VPN. A VPN was helpful when web and mail traffic was 'clear'. That's rarely the case these days. If I was a member of one of those 3 letter organisations, I would have a talk with the shareholders of all those VPN companies, and propose to them: I) big infrastructure like big routers, all paid by 'uncle sam', II) a big (really big) $/€ check, III) the promise they won't get bothered by their legal services. Both parties are in for a big win here. The third party will be you. You want to be a member of the Internet ? Ok, you will be the product. This stays valid, and this time you are even paying for it. Remember: the VPN is the end point of the tunnel, they know who you are, where you are, so life gets much easier for those 3 letter agencies.
  • How do I move a DHCP table to another interface?

    5
    0 Votes
    5 Posts
    909 Views
    S
    @darcey That's also all the stuff that needs to be carried over as well; looks like it is anyway, there's not all that much there that has any real parameters set. The idea is that the single interface just gets replaced with the LAGG (which has the old interface as one of its members). Addressing and how that interface presents itself should all be the same, it's just that it'll have 2 connections to 2 different switches (stacked). The other issue is that "the process" involves making the firewall an island, well, from a GUI perspective, while I move everything around to get all this back to the original subnet. Thanks for the reply BTW, my post had been hangin' out there for a while.
  • Get around DNS restart and still have client register?

    18
    0 Votes
    18 Posts
    1k Views
    keyserK
    @iorx said in Get around DNS restart and still have client register?: @keyser https://redmine.pfsense.org/issues/5413 But did I read this thread correctly? To me it looks like a solution has been delivered there, tested and committed?
    Yeah, I thought that as well until I read the thread carefully - including inspecting the dates on the posts. The proposed code based on the high level code has never been adopted beyond a proposal. The proposed fix thread then stopped once that happened (more than a year ago). The reason we misread the thread is because someone suggests you just disable DHCP registrations, and another poster confirms that fix works well. But he's not talking about the code, he's talking about the workaround to disable DHCP registrations. So it's still a dead end.....
  • unbound service very slow to start in offline setup

    3
    0 Votes
    3 Posts
    1k Views
    viktor_gV
    Redmine issue: https://redmine.pfsense.org/issues/12985
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.