• Router rebooted and did not reconnect

    0 Votes
    6 Posts
    694 Views
    RyanMR
    @bmeeks The auto-config backup feature is what I was talking about. Hopefully I will be able to log in and grab a recent config and install it, even if it is on a different device.
  • DNS Resolution Behavior

    0 Votes
    5 Posts
    751 Views
    O
    @patch Uh, complicated. I'll leave it at default then.
  • Site to Site Domain forwarding packets not being sent

    0 Votes
    2 Posts
    392 Views
    D
    @ddbnj Confession: I had a floating rule messing up DNS forwarding. Hope this helps anyone else.
  • DNS Resolver/Forwarder Not Working!

    0 Votes
    4 Posts
    572 Views
    V
    @giyahban So private hosts are resolved by the resolver or forwarder, respectively, on the basis of host overrides you have added? That doesn't really make sense to me. Any hints in the logs?
  • DHCP Server missing

    0 Votes
    2 Posts
    428 Views
    GertjanG
    @mcmurphy said in DHCP Server missing: LAN3 = 172.16.16.X LAN3 is RFC1918 right ? So why hiding ? And the "thing" that is wrong is also hidden : [image: 1642065100580-1a5c6280-32bf-47ce-bdc3-14d5254c8211-image.png] If the network mask is set to '32' there is only one IP, there won't be any room left for a pool : DHCP server isn't available for that interface : as the pool would be zero in size.
  • Not resolving all images in social media

    0 Votes
    1 Posts
    228 Views
    No one has replied
  • Wan static address problem

    0 Votes
    2 Posts
    437 Views
    johnpozJ
    @presto said in Wan static address problem: but when i enter the ip address, there is no place to enter submask Mask is here [image: 1641896659446-mask.jpg] Where the bit would match up to the mask: 255.255.255.0 = 24, 255.255.0.0 = 16, 255.255.248.0 = 21. What is your mask supposed to be? Out of the box pfsense resolves, there is no need for dns to be set. If you need to forward to somewhere, dns would be set up in general settings, and you would set unbound to forward. If you're setting static on wan, you would also need to set up the gateway IP.
  • Special config needed for multiWAN

    0 Votes
    3 Posts
    620 Views
    D
    @w0w For my multiwan setup I set up DNS resolver in forwarding mode and use SSL/TLS for all forwarded requests. In the general tab, I use Cloudflare and Google DNS servers with the appropriate DNS server hostnames. The only issue is some port 853 traffic always present on the LTE interface. If WAN goes down, LTE is still functioning.
  • Any known issues since update / dyn dns ?

    0 Votes
    19 Posts
    7k Views
    M
    @gertjan This just worked for me on version 21.05.2-RELEASE (arm). Thank you!
  • Dynamic DNS with Route53 Not Working

    0 Votes
    1 Posts
    344 Views
    No one has replied
  • One DHCP Server, Multiple Subnets??

    dhcp subnets rules
    0 Votes
    2 Posts
    852 Views
    N
    @quasaur So you mean having a single supernet broadcast domain with e.g. a /22 mask and have many /24 "subnets" with a /22 mask and a single gateway? If yes, it can be done, BUT the issue would be that you need to manage all mac addresses manually. It can be done but it is very cumbersome, especially in the long run. You are better off segmenting your lans with vlans and using a single dhcp on pf to manage them all. You can't have rules between them as long as they are on the same physical interface too
  • Cannot assign DHCP reservation on only 1 VLAN

    0 Votes
    2 Posts
    511 Views
    R
    I figured it out. I originally had the LAN interface enabled, but not in use, and recently was doing some maintenance on the firewall and figured since I do not use that interface I would disable it. For some reason the same DHCP range was set on the LAN interface and VLAN 10. This was conflicting with VLAN 10 even though the LAN interface was disabled. It's really weird because the IPV4 static subnet address under LAN was different than VLAN10, so I am not sure how the DHCP range got set to the same as VLAN10, that should be even be possible as they were on different subnets. So I re-enabled the LAN interface, changed the DHCP range and then disabled the LAN interface, and now I can set DHCP reservations on VLAN 10. I noticed after disabling the interface I would lose access to the web GUI and then would need to reboot the firewall from the console. But if I delete the interface there are no issues, so I just removed it and now it does not show up anymore in the interface assignments, which is even better.
  • DNS Resolver not honouring alternate domain names from DHCP

    0 Votes
    3 Posts
    905 Views
    S
    I've been in touch with the pfSense team who have stated that this shouldn't happen, particularly if the DHCP registration is enabled however I'm seeing conflicting posts elsewhere on the internet that this is a known issue. Is anyone else able to confirm this?
  • Rules-Based DNS Forwarding

    0 Votes
    4 Posts
    782 Views
    johnpozJ
    @crankshaft said in Rules-Based DNS Forwarding: I don't think this can be done with a NAT rule ?? Yes it can if you redirect the dns to dnsmasq and have it forward for you.. But no, trying to redirect directly from say 53 going to 8.8.8.8 to 9.9.9.9 or 4.2.2.2 is not possible in just port forwarding, but it can be done if you redirect the 53 traffic to something that would ask more than 1 NS. that device refuse to use the DNS provided and use their own choice of DNS server to perform some queries. Yeah that is a common scenario - just set up your normal dns redirection. https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html
  • Different split-DNS config just for single VLAN

    0 Votes
    1 Posts
    227 Views
    No one has replied
  • Problem - pfsense working with WAN private IP

    0 Votes
    8 Posts
    1k Views
    johnpozJ
    @ezeerider said in Problem - pfsense working with WAN private IP: I'm seeing so many options in pfsense. It'll be interesting to dig into them. Just keep in mind just because something can do something - doesn't mean you have to do it ;) There are many packages for example on pfsense. Doesn't mean you have to install them all - they are not Pokémon ;) Two biggest examples off the top of my head are proxy and ips.. While they might be worthwhile for some users, most users would have no uses for those packages, etc. Nothing wrong with installing something to learn about it, but just don't think you need to install something if you have no actual need for it. Most users have no actual need for IPS, but lots of people think - oh install it and clicky clicky be running IPS... It's not that simple ;) and there is a huge learning curve to setting it up correctly, and getting any actual benefit out of it. And more likely than not your home network has no actual need of it. And even spend lots of time to set it up and monitor it and trim the rules, etc. In the big picture other than a learning experience there is little point to it. I have been running IPS in the enterprise for many many years.. Lots of different products, and feel I have a pretty good handle on it, and would not be too much trouble to actually set it up, etc. But it just doesn't really have a valid use case in my home network.. While it is great that pfsense supports it, and has the expert maintaining the packages, and providing great advice and support on the forums @bmeeks, just because pfsense can do it - doesn't mean you need to set it up ;) Another example is the bind package available for pfsense - this is overall a great product, and a great package for some users. The gui interface to bind makes it more accessible to those that are non conf file types..
But unless you have a specific need to run it, the built in unbound resolver is more than capable of handling pretty much anything you would need for dns services. So yes pfsense is very feature rich, and packages just expand on that.. Don't think you need to click every button, install every package to get value out of running it. Pfsense out of the box is a great stable setup.. And out of the box pretty much will work for many a network.
  • 0 Votes
    5 Posts
    2k Views
    johnpozJ
    @pete_aust what is the route on your device.. If pfsense answers first hop for something else, but not for google.. Makes no sense that pfsense wouldn't answer your trace for google. Even if pfsense couldn't get there or tried to route it somewhere that wouldn't work - the first hop should answer if you actually sent the traffic to pfsense. Are you running something like ips or pfsense, any sort of vpn setup on pfsense? Doesn't make any sense that first hop doesn't answer even if pfsense couldn't get to where you're trying to go. example $ tracert 192.168.45.56 Tracing route to 192.168.45.56 over a maximum of 30 hops 1 1 ms <1 ms <1 ms sg4860.local.lan [192.168.9.253] 2 * * * Request timed out. I do not have that network local, and I block all outbound access to rfc1918.. But as you can see I still get an answer for first hop. I would guess maybe you're forcing traffic out a specific gateway on pfsense? But that makes no sense since it's answering first hop on your other traces.. What are your rules in your lan, any rules in floating? Are you running any alias sort of rules on your lan that could be blocking access to those IPs? So for example on my lan if I create a block rule to that 192.168.45 network... Then my trace doesn't answer. [image: 1641218400435-rules.jpg] Because pfsense drops traffic to that IP before it does anything with it, even try and route it and answer your first hop in your trace. So if you had something that was causing something like that - it would explain why you don't get an answer to first hop when trying to go there.
  • LAN Gateway Not Forwarding DNS

    0 Votes
    2 Posts
    516 Views
    V
    @nic82m By default there is the DNS Resolver active on pfSense and it is listening on the LAN interface and the DHCP provides the LAN IP to the clients for DNS resolution. So it should work out of the box. However, if you have restricted the access by deleting or modifying the allow-any rule on LAN, you have to add a rule to allow DNS access to the LAN IP. If this is not the case, check if the unbound service is running and check the DNS Resolver logs for hints or provide your resolver settings.
  • 0 Votes
    6 Posts
    2k Views
    GertjanG
    @jeremyj said in DNS resolver - forwarding working recursive resolution not working: it would have been more intuitive for me to show screen shots with it set for recursive mode i.e. with the forwarding mode box unchecked. I'm probably not using the default settings, and I really want to help, but won't reset my pfSense to default. But you can do so, and you'll see what the default settings are. @jeremyj said in DNS resolver - forwarding working recursive resolution not working: as if I reset I have to rebuild all the rules, the vpns, etc. Noop. You can retrieve 'just' the OpenVPN settings, and 'just' the firewall rules from the backup you made. @jeremyj said in DNS resolver - forwarding working recursive resolution not working: I am also intrigued as to why it is not working and what I am missing Once you have it working, make a config backup again. Compare it with the initial backup. The difference you'll find is the reason. @jeremyj said in DNS resolver - forwarding working recursive resolution not working: my outgoing NAT Outgoing NAT ?? That makes me think : when you undo all the changes you made when setting up the OpenVPN client, DNS works ... ?
  • DNS entries not updated

    0 Votes
    13 Posts
    2k Views
    M
    @johnpoz Thank you a lot for this detailed answer. I will apply your advice, use my AD for DNS and DHCP. Thanks again and happy new year ! :)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.