• DHCP Client name randomly gets replaced by IP address

    1
    0 Votes
    1 Posts
    134 Views
    No one has replied
  • old Unbound config comes back

    1
    0 Votes
    1 Posts
    204 Views
    No one has replied
  • Status / DHCP leases page not loading after upgrade to 2.6

    3
    0 Votes
    3 Posts
    385 Views
    P
    @jimp Thank you for checking ! It may be my system with several interfaces with DHCP enabled running on not so powerful hardware.. Have a nice day :-)
  • 2 Votes
    6 Posts
    913 Views
    S
    I got the certs out again and now it doesn't work. I can't get past

        WPA_STATUS_CMD="wpa_cli status | grep 'suppPortStatus' | cut -d= -f2"
        IP_STATUS_CMD="ifconfig ngeth0 | grep 'inet\ ' | cut -d' ' -f2"
        /usr/bin/logger -st "pfatt" "waiting for EAP authorization..."

    During all this messing I deleted my cert, so I had to pull it again. Here is my full script:

        #!/usr/bin/env sh

        EAP_SUPPLICANT_IDENTITY=""
        RG_ETHER_ADDR=""
        LOG=/var/log/pfatt.log
        ONT_IF="igb0"

        getTimestamp(){
          echo "$(date "+%Y-%m-%d %H:%M:%S :: [pfatt.sh] ::")"
        }

        # DO NOT EDIT BELOW

        /usr/bin/logger -st "pfatt" "starting pfatt..."
        /usr/bin/logger -st "pfatt" "configuration:"
        /usr/bin/logger -st "pfatt" "  ONT_IF = $ONT_IF"
        /usr/bin/logger -st "pfatt" "  EAP_SUPPLICANT_IDENTITY = $EAP_SUPPLICANT_IDENTITY"
        /usr/bin/logger -st "pfatt" "  RG_ETHER_ADDR = $RG_ETHER_ADDR"

        # Netgraph cleanup.
        /usr/bin/logger -st "pfatt" "resetting netgraph..."
        /usr/sbin/ngctl shutdown $ONT_IF: >/dev/null 2>&1
        /usr/sbin/ngctl shutdown vlan0: >/dev/null 2>&1
        /usr/sbin/ngctl shutdown ngeth0: >/dev/null 2>&1

        /usr/bin/logger -st "pfatt" "your ONT should be connected to physical interface $ONT_IF"
        /usr/bin/logger -st "pfatt" "creating vlan node and ngeth0 interface..."
        /usr/sbin/ngctl mkpeer $ONT_IF: vlan lower downstream
        /usr/sbin/ngctl name $ONT_IF:lower vlan0
        /usr/sbin/ngctl mkpeer vlan0: eiface vlan0 ether
        /usr/sbin/ngctl msg vlan0: 'addfilter { vlan=0 hook="vlan0" }'
        /usr/sbin/ngctl msg ngeth0: set $RG_ETHER_ADDR

        /usr/bin/logger -st "pfatt" "enabling promisc for $ONT_IF..."
        /sbin/ifconfig $ONT_IF ether $RG_ETHER_ADDR
        /sbin/ifconfig $ONT_IF up
        /sbin/ifconfig $ONT_IF promisc

        /usr/bin/logger -st "pfatt" "starting wpa_supplicant..."

        # Comma-separated list of wpa_cli commands; the inner quotes must be
        # escaped so the paths and identity reach wpa_cli as single arguments.
        WPA_PARAMS="
          set eapol_version 2,
          set fast_reauth 1,
          ap_scan 0,
          add_network,
          set_network 0 ca_cert \"/root/pfatt/wpa/ca.pem\",
          set_network 0 client_cert \"/root/pfatt/wpa/client.pem\",
          set_network 0 eap TLS,
          set_network 0 eapol_flags 0,
          set_network 0 identity \"$EAP_SUPPLICANT_IDENTITY\",
          set_network 0 key_mgmt IEEE8021X,
          set_network 0 phase1 \"allow_canned_success=1\",
          set_network 0 private_key \"/root/pfatt/wpa/private.pem\",
          enable_network 0
        "

        WPA_DAEMON_CMD="/usr/sbin/wpa_supplicant -Dwired -i$ONT_IF -B -C /var/run/wpa_supplicant"

        # Kill any existing wpa_supplicant process (pgrep prints nothing when none matches).
        PID=$(pgrep -f "wpa_supplicant")
        if [ -n "${PID}" ]; then
          /usr/bin/logger -st "pfatt" "terminating existing wpa_supplicant on PID ${PID}..."
          RES=$(kill ${PID})
        fi

        # Start wpa_supplicant daemon.
        RES=$(${WPA_DAEMON_CMD})
        PID=$(pgrep -f "wpa_supplicant")
        /usr/bin/logger -st "pfatt" "wpa_supplicant running on PID ${PID}..."

        # Set WPA configuration parameters, one wpa_cli command per comma-separated entry.
        /usr/bin/logger -st "pfatt" "setting wpa_supplicant network configuration..."
        IFS=","
        for STR in ${WPA_PARAMS}; do
          STR="$(echo -e "${STR}" | sed -e 's/^[[:space:]]*//')"
          RES=$(eval wpa_cli ${STR})
        done
        unset IFS

        # Create variables to check authentication status.
        WPA_STATUS_CMD="wpa_cli status | grep 'suppPortStatus' | cut -d= -f2"
        IP_STATUS_CMD="ifconfig ngeth0 | grep 'inet\ ' | cut -d' ' -f2"

        /usr/bin/logger -st "pfatt" "waiting for EAP authorization..."

        # Check authentication once per 5 seconds for 25 seconds (5 attempts).
        # Continue without authentication if necessary (no WAN).
        i=1
        until [ "$i" -gt 5 ]
        do
          sleep 5
          WPA_STATUS=$(eval ${WPA_STATUS_CMD})
          if [ "X${WPA_STATUS}" = X"Authorized" ]; then
            /usr/bin/logger -st "pfatt" "EAP authorization completed..."
            IP_STATUS=$(eval ${IP_STATUS_CMD})
            if [ -z "${IP_STATUS}" ] || [ "${IP_STATUS}" = "0.0.0.0" ]; then
              /usr/bin/logger -st "pfatt" "no IP address assigned, force restarting DHCP..."
              RES=$(eval /etc/rc.d/dhclient forcerestart ngeth0)
              IP_STATUS=$(eval ${IP_STATUS_CMD})
            fi
            /usr/bin/logger -st "pfatt" "IP address is ${IP_STATUS}..."
            /usr/bin/logger -st "pfatt" "ngeth0 should now be available to configure as your WAN..."
            sleep 5
            /usr/bin/logger -st "pfatt" "set mac address on ngeth0..."
            /sbin/ifconfig ngeth0 ether $RG_ETHER_ADDR
            break
          else
            /usr/bin/logger -st "pfatt" "no authentication, retrying ${i}/5..."
            i=$((i+1))
          fi
        done
  • DNS resolver stop/restart 16 times in 1 hour

    4
    0 Votes
    4 Posts
    561 Views
    kiwi91K
    Thank you very much for your response. Perhaps one day Unbound will be updated for that? Regards

    @johnpoz said in DNS resolver stop/restart 16 times in 1 hour:

    @kiwi91 if you are registering dhcp this has been a known issue for a long time. AFAIK the only real current work around to unbound restarting because of dhcp leases being issued or renewed is not to register dhcp leases. You can drastically reduce how often it restarts by increasing the lease time of your dhcp clients so that they do not renew as often.. But if you have enough clients they will renew and you will see restarts of unbound because of this. Unbound has been up for 17 some hours on mine without a restart.. Since I only register dhcp static reservations.

        [22.01-RELEASE][admin@sg4860.local.lan]/root: unbound-control -c /var/unbound/unbound.conf status
        version: 1.13.2
        verbosity: 1
        threads: 4
        modules: 2 [ validator iterator ]
        uptime: 61984 seconds
        options: control(ssl)
        unbound (pid 58815) is running...
        [22.01-RELEASE][admin@sg4860.local.lan]/root:

    [image: 1644923252910-registrations.jpg]
  • Change entire IP scheme automatically?

    4
    0 Votes
    4 Posts
    543 Views
    JKnottJ
    @menethoran I'd recommend something in the 172.16 range. That isn't used very often, whereas 192.168 & 10. are.
  • Dynamic DNS Clients one.com

    12
    0 Votes
    12 Posts
    1k Views
    T
    @thebonden hi, I can see that "Added: New Dynamic DNS Provider: one.com #11293", but how does it work? I have found it but simply cannot make it work.
  • DNS based on requesting IP

    11
    0 Votes
    11 Posts
    885 Views
    N
    Have a go at this in DNS RESOLVER CUSTOM OPTION:

        forward-addr: 1.1.1.1@853 #Cloudflare
        forward-zone:
            name: "netflix.com"
            forward-addr: 9.9.9.9

    With this configuration, all my traffic goes to Cloudflare except Netflix; my Netflix goes to Quad9 DNS. You can check in the DNS resolver status. Maybe something like this will help you. I assume name would be the name of the host or IP address of the device.
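    The forward-zone mechanism from the reply above, written out in full as an added example; this is not the poster's configuration and not the file pfSense generates. Note that a forward-zone's name: is the domain being queried, not the requesting host or its IP address, so this gives per-domain upstream selection rather than the per-client selection the thread title asks about. The second address per upstream and the CA bundle path (/etc/ssl/cert.pem, the FreeBSD base bundle) are assumptions; on pfSense the tls-cert-bundle and forward-tls-upstream settings normally come from the "Use SSL/TLS for outgoing DNS queries" option, and only the two forward-zone blocks would go into the Custom Options box.

```conf
server:
    # Required to validate the DoT upstream's certificate against the #hostname
    # pinned below. Path is the FreeBSD system CA bundle (assumption).
    tls-cert-bundle: "/etc/ssl/cert.pem"

# Default route for every name: Cloudflare over DNS-over-TLS (port 853).
# The #name after the address is the expected TLS server name; without it
# the connection is encrypted but not authenticated.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com

# Exception: netflix.com and everything under it goes to Quad9 instead.
# The most specific forward-zone name wins, so this overrides "." for that
# subtree only. Kept on TLS as well; dropping the @853#... suffix would send
# these queries in clear text while the rest of the traffic stays encrypted.
forward-zone:
    name: "netflix.com"
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
```

    Check the syntax with `unbound-checkconf /var/unbound/unbound.conf` before restarting the resolver, then confirm with `dig @127.0.0.1 netflix.com` and `dig @127.0.0.1 example.com` and compare the upstream seen in the DNS Resolver status page or in `unbound-control dump_infra`.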
  • Prevent DNS Host Overrides from being visible on other VLAN?

    9
    0 Votes
    9 Posts
    982 Views
    johnpozJ
    @nuggets-0 Yeah that is how it works.. It is somewhat of a manual process to be sure. But you can load files with your configurations in the custom option box as well. So it could be possible to manipulate your desired records in a maybe more easy to manage file via the custom option box in the gui.
  • Multiple DHCP Relays

    2
    0 Votes
    2 Posts
    634 Views
    V
    @it_ib pfSense doesn't know which DHCP server is responsible for an interface and there is no possibility to configure this. What you can do is, to configure both scopes with respecting 'option 82' on both servers and check "Append circuit ID and agent ID to requests" in the DHCP relay settings and add both servers below.
  • Local DNS Zone Resolution Between Two pfSense Hosts

    12
    0 Votes
    12 Posts
    1k Views
    johnpozJ
    @0xben Your setup is quite easy to set up.. But you really should have a transit network between your routers, and not have any hosts on this network.. Unbound, while it can return an IP for any fqdn.. is not really meant as an authoritative ns that might listen on different IPs and only serve up specific IPs. Unbound listening on any interface will serve up any host overrides you have created for whatever.domain.tld, etc. that it knows about. Your dhcp registrations aren't going to be able to create records for domainX and domainY.. It will register your dhcp entries under the general domain you set up on pfsense.
  • DHCP Stops working

    3
    0 Votes
    3 Posts
    468 Views
    S
    @mer "Restarting the router" means that I rebooted the pfSense firewall. I didn't unplug/replug the cable or do the ifdown/ifup. I can see the packets coming in, it's just that the DHCP service wasn't working. Maybe if it happens again I can try that. I was trying to find one of those circling arrows that shows up throughout the interface to restart the NIC but didn't see it so I just rebooted the whole thing.
  • Setting up correct upstream DNS

    5
    0 Votes
    5 Posts
    631 Views
    johnpozJ
    @gamienator-0 valid point about the tld.. Which is why I use something like home.arpa, which is now the specific domain to use for local use domains. I have used .lan as my local tld for many years - I don't think such a tld would ever be public.. But your point is still valid.. At a previous company, we used companyname.com for external resources, and the AD used companyname.net, which we did own but did not use in the public space.. Problem with using a sub is with dns devolution it is possible for a client to query the parent domain without the sub, etc. which could lead to resolution issues.
  • DNS question

    4
    0 Votes
    4 Posts
    558 Views
    ?
    @furom, I CAN HELP YOU with whatever you need, just tell me we are here to serve you sir.
  • DNS with external access

    2
    0 Votes
    2 Posts
    448 Views
    JKnottJ
    @srvirgil The usual way is to use host overrides on the DNS forwarder or resolver page.
  • Setup two own public DNS on WAN1 and WAN2

    1
    0 Votes
    1 Posts
    158 Views
    No one has replied
  • Setting up PXE Request Forwarding to WDS Server

    1
    0 Votes
    1 Posts
    251 Views
    No one has replied
  • DNS Resolver Status Explanation

    6
    0 Votes
    6 Posts
    832 Views
    johnpozJ
    @qwerty123 host overrides have nothing to do with it. If you had tried forwarding to tls.. that would have required forward mode. ipv6 and pfblocker have nothing to do with forwarding..
  • Dynamic dns nginx server side config

    1
    0 Votes
    1 Posts
    167 Views
    No one has replied
  • Why does resolver require ALL network interfaces?

    4
    0 Votes
    4 Posts
    524 Views
    jimpJ
    In addition to the firewall rules the DNS Resolver also has strict internal ACLs which only allow queries from known local networks. So unless you've done something silly like add an ACL for 0.0.0.0/0 to allow queries, unbound would just toss them out anyhow.
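    The internal ACL jimp refers to, as an added unbound.conf example; this is not pfSense's generated file (pfSense writes its own access-control lines from the DNS Resolver Access Lists tab) and the network prefixes are made up. It shows why binding to every interface is not the same as answering every interface: the /0 refuse is the default, the narrower allow entries override it for local networks, and the commented-out last line is the "silly" 0.0.0.0/0 allow that would turn the box into an open resolver.

```conf
server:
    # Bind everywhere, which is what selecting "All" network interfaces does.
    interface: 0.0.0.0
    interface: ::0
    port: 53

    # Unbound picks the most specific matching netblock, so order does not
    # matter: the /0 entries are the default answer (REFUSED) and the
    # narrower prefixes carve out who is actually allowed to query.
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow
    access-control: 192.168.1.0/24 allow       # LAN (constructed example prefix)
    access-control: 192.168.20.0/24 allow      # a VLAN (constructed example prefix)
    access-control: fd00:abcd:1::/64 allow     # ULA prefix on that LAN (constructed)

    # Do NOT do this. It matches every source address and makes the resolver
    # answer anyone who can reach port 53, firewall rules permitting.
    # access-control: 0.0.0.0/0 allow
```

    A quick check from a host outside the allowed prefixes is `dig @<resolver-ip> example.com`: with the ACL above the answer comes back with status REFUSED even though the port is open, while a client on 192.168.1.0/24 gets a normal answer. `unbound-checkconf /var/unbound/unbound.conf` validates the syntax before a restart.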
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.