@johnpoz said in Static DHCPs not showing as static on DHCP/status??: just because you made something static (dhcp reservation).. If it had a lease before, that would still be shown. Yes, absolutely agree, that is one of the beauties with using DHCP instead of just static addressing @johnpoz said in Static DHCPs not showing as static on DHCP/status??: are you sure you actually applied once you created the reservation? Well, I would believe so? I can see the static reservations at the bottom their respective DHCP server tabs, just not indicated as reserved/static on the status page, which I would have thought should show more than just a single one of them... but I appreciate the question, if it works for all but me, it maay just be a setting somewhere I guess :)

I am seeing flakiness too, since I switched to PPPoE and now using haproxy. Or it is just a loose cable somewhere, I can't tell for sure.

@viktor_g Thanks, I hadn't seen this.

Hi yugisop aftr a bit of search I found the guilty config in /usr/freebsd-dist/base/etc/inc/system.inc ... function check_dnsavailable($proto='inet') { if ($proto == 'inet') { $gdns = array('8.8.8.8', '8.8.4.4'); ... So it seems they check if a DNS is available and then decide whatever about it. Cheers Michael

@rm135 To answer my own question, if no one give me the light... After milliion tries to figure out the issue I realized that this entry should be unchecked in the dns forwarder config section. [image: 1649080101758-7d9b446e-aa42-45ba-a246-552fb9e85177-k%C3%A9p.png] After this all goes fine, no more refusing.

@skogs said in DNS Headaches Since Switching to PFSense: but 99% of people will put something in there, and many will turn off the root dns servers. 99 ? Keep in mind that most people can access Youtube these days. It's easy to find some video that explains what DNS. Take one from some respectable school, like a prof from MIT, these guys do inspire normally some confidence . They won't tell you to use any company"s DNS server, as these are not needed. They will explain why these exists ;) ( and it has nothing to do with giving a free service, it's about money - and yes, these might be a couple of ms faster and no, you will lose DNSSEC in the process ). But, I understand what you mean. The 'market' tries to learn us also that "VPNs" are needed for your protection and privacy. And Antivirus programs are also needed because you feel constantly the need to open every attached file (it was of course an executable) in your email because it told you that it contains the winning ticket of a lottery, or the instructions how to get your hands on the legacy of that African uncle that died, and "they" can't transfer you his fortune. @skogs said in DNS Headaches Since Switching to PFSense: couple of the root DNS servers NXDOMAIN, I DNS doubts, use for example this https://www.zonemaster.net/domain_check and type in the domain name. You'll be surprised how often a domain name has broken DNS info, so you have to wait. For to often, me included, we start changing setting locally, with some serious head banging, to discover afterwards that the issue wasn't on our side. For example : a year ( ? ) some one made a small error while changing some settings and the company domain name servers became unreachable. This was a big company, they had their own "AS" and now it was 'broken', and the entire thing vanished from the Internet. Millions have restarted their routers, or worse. It was the other side. The company was facebook.

@rupocinski said in Issues configuring DNS: I have a expressVPN router in front of the pfSense firewall. The VPN is set at 10.105.17.1 and DHCP for the firewall. The firewall is set at 10.105.17.3 and then I have a DHCP router behind that firewall. You have a router ( expressVPN ) and then a router ( pfSense ) and then a router ( DHCP router behind that firewall ) chained up ? You could make live much more simpler. pfSense can connect to Expr*ssVPN as it has a OpenVPN client. I know it works, as I have it working. A DHCP router behind pfSense isn't needed as pfSense can handle DHCP just fine. So, why not : get rid of a maximumum of boxes and have settings centralized in one. Or, another option, remove pfSense from the chain.

Just to add the DNS landscape is changing rapidly and it is becoming more difficult to maintain control over how your network's hosts are able to resolve names. See this thread!

@gertjan Just to confirm here that after upgrating pfsense OS from 21.05.2 to 22.01, and recreating (copy) all dyndns entries, it finally worked. Without recrating those dyndns entries, I was having badauths on logs under 22.01 version.

False alert. It stopped working. I think Cloudflare proxy took longer to engage on the backend even though their web UI showed differently. On the plus side, I know more about their services. "Zero Trust" and "Tunnels" free services maybe a good replacement for VPN. Hope this helps.

@valepe69 said in Webiste not loading: help me to understand why: Considering that it's a local food distribution it may sense that it locks VPN ips I would understand that a local food delivery store doesn't want to take orders from an IP coming from South Africa, or the south pole. It's a known issue : people want to use the lists from "MaxMind GeoIP" and check as many countries a possible. @valepe69 said in Webiste not loading: help me to understand why: I use VPN to make my privacy stronger That's far more an idea carefully being constructed by entities that want to sell you services linked to this concept. It's "VPN here VPN there" these days, as it was "anti virus here / anti vius there" before. People finally found out that "do not execute that unknown EXE from the Internet, even as it promised a free World of Warcraft game play". These days its more a) many media services so you can show to the word what your are doing 24/24h. b) many VPN services so you can hide showing yourself. (something like that). The ones who know who you are, what you are doing, what you are buying and what you are looking for, are not hindered by the fact you use a VPN. A VPN was help full when web and mail traffic was 'clear'. That's rarely the case these days. If I was a member of one of those 3 letter organisations, I would have a talk with the share holders of all those VPN companies, and propose them : I) big infrastructure like big routers, all paid by 'uncle sam', II) a big (really big) $/€ check III) the promise they won't get bordered by their legal services. Both parties are in for a big win here. The third party will be you. You want to be member of the Internet ? Ok, you will be the product. This stays valid, and this time you are even paying for it. Remember : the VPN is the end point of the tunnel, they know who you are, where you are, so live gets much easier for those 3 letter agencies.

@darcey That's also all the stuff that needs to be carried over as well, looks like it is anyway, there's not all that much there that has any real parameters set. The idea is that the single interface just gets replaced with the LAGG (which has the old interface as one of it's members). Addressing and how that interface presents itself should all be the same, it's just that it'll have 2 connections to 2 different switches (stacked). The other issue is that "the process" involves making the firewall an island, well from a GUI perspective, while I move everything around to get all this back to the original subnet. Thanks for the reply BTW, my post had been hangin' out there for a while.

@iorx said in Get around DNS restart and still have client register?: @keyser https://redmine.pfsense.org/issues/5413 But I read this thread correctly? To me it looks like a solution has been delivered there, tested and committed? Yeah, I thought that as well until i read the thread carefully - including inspecting the dates on posts. The proposed code based on the high level code has never been adopted beyond a proposal. The proposed fix thread then stopped once that happened (more than a years ago). The reason we misread the thread is because someone suggests you just disable DHCP registrations, and another poster confirms that fix works well. But he’s not talking about the code, he’s talking about the workaround to disable DHCP registrations. So it’s still a dead end…..

Redmine issue: https://redmine.pfsense.org/issues/12985

We have seen the same issue after upgrading from 2.5.2 to 2.6.0. The first VLAN in the configuration file doesn't have the problem, all the VLAN after have the extra filename options. It is odd that the filename is different. I haven't found where it is getting that option from. subnet 192.168.240.0 netmask 255.255.252.0 { pool { option domain-name-servers 192.168.243.254; deny dynamic bootp clients; failover peer "dhcp_lan"; filename "legacy.donotuse"; range 192.168.240.80 192.168.243.249; }

Hello! I have the same problem on several 2.6 installs. The dyndns Save & Force Update works but will appear to hang. Sometimes it results in an nginx timeout. The rc.dyndns.update script has the same issue. The problem appears to be in the curl system. The curl_close call at the end of the _update in dyndns.class will hang for 60 seconds before returning. I am not a curl expert, but this smells like a curl connection cache/pool issue. The dyndns _update creates several nested/overlapping curl sessions. The curl_close in updatedns:_update might be waiting until the shared/pooled/cached connection closes (60sec). This could also be causing problems with ACB, which also uses curl and can overlap the dyndns update when it is enabled and kicked off by a Save & Force Update. The easiest workaround might be to tell curl not to share connections, with something like... if ($this->_dnsService != 'ods') { curl_setopt($ch, CURLOPT_HEADER, 1); curl_setopt($ch, CURLOPT_FORBID_REUSE, 1); //ADD THIS LINE if ($this->_curlProxy == true) { ...at the end of the _update function in dyndns.class. This CURLOPT might also help for other curl users (acb, front page widgets, etc...). Of course, this might break something else and I could be completely off base...:) John

@gertjan Thanks for your response. I will have a close look to your suggestion and get back to you. Regards

@akuma1x Thank you!