• 0 Votes
    21 Posts
    8k Views
    Bob.DigB

    @gertjan Thank you, I am trying it out right now to see if the behavior of showing red IPs in the DDNS widget is changing.

    No more red IPs... will stick with gertjan's service for now.

    🖖

  • Force port 53/853 to local pfSense DNS resolver

    13
    0 Votes
    13 Posts
    3k Views
    R

    I initially thought you were just referring to the root domain server list, aka ".", so I just didn't redirect them. When it comes to SSL certs, validation rules always apply.

    But if you're saying the CN is not tied to the domain of the DNS lookup, then MITM is no problem with a trusted CA deployment. I just got that impression from what you said above.

  • Dynamic DNS Updates Correctly but Widget Colour is Wrong

    5
    0 Votes
    5 Posts
    980 Views
    M

    @_igor_
    No worries. I thought I'd reply to my own post with the solution I found, hoping it would help someone else out in the future, but jeez, that was quick.

  • DNS Resolver reverse lookups question

    5
    0 Votes
    5 Posts
    686 Views
    ?

    @johnpoz gotcha, much appreciated! Implementing this right away ;).

  • Get wrong DHCP address 10.254.254.x

    10
    0 Votes
    10 Posts
    1k Views
    AndyRHA

    I think the point was missed. It would be nice as an option. pfSense being used as the DHCP server implies a small site, and a site that would not function very well if pfSense is down. I would think most people running small sites want uncomplicated lives, and two DHCP servers is not uncomplicated.

  • deleted

    1
    0 Votes
    1 Posts
    213 Views
    No one has replied
  • dpinger error codes

    5
    0 Votes
    5 Posts
    4k Views
    C

    @derelict Thanks for the clarification and the FreeBSD link.

  • 0 Votes
    5 Posts
    557 Views
    N

    @illydth upgrading to 2.5.2 does solve the issue

  • Static DHCP Mapping and Option to add Firewall Alias Host

    1
    0 Votes
    1 Posts
    376 Views
    No one has replied
  • DNS PROBLEM WITH 'LINUX VM INSTEAD OF ROUTER' | UNBOUND

    11
    0 Votes
    11 Posts
    1k Views
    johnpozJ

    You do not need to create a NAT - but if you're policy routing, then yes, you need a rule above that policy-route rule that allows where you're trying to go before you policy route out a VPN.

    https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html#bypassing-policy-routing

  • DNS Resolution issues

    15
    0 Votes
    15 Posts
    833 Views
    V

    @swixo So I uninstalled pfBlockerNG and was hopeful that it would make that firewall stable again, but within half an hour I was getting the watchdog restarting unbound frequently and eventually 100% packet loss on a couple of interfaces.

    After taking some time examining my configuration in detail, I found three settings that had been checked by habit, not by reason. Many years ago I may have had an actual reason to check the settings, but I have long since forgotten why.

    In menu 'System', submenu 'Advanced', tab 'Networking', there are three check boxes to disable hardware processing on the network adapters. I figured that kernel drivers have improved a lot since the days of NDIS drivers in FreeBSD, so I unchecked them all. I have allowed my NICs to do checksum, TCP segmentation and large receive offloading all in hardware.

    The system has been running for a day now without a glitch.

    I'm on 2.6.0, but it is worth trying on 2.5.2.

    I am going to wait a week or so before reinstalling pfBlockerNG.

  • Possible bug with Dynamic DNS

    20
    0 Votes
    20 Posts
    942 Views
    E

    @gertjan
    I've done a bit of fiddling and cobbled this together, and it's logging correctly. I made a manual change directly on the service and it detected it.

    $dyndnsis = gethostbyname($this->_FQDN); // let's see what the public DNS thinks our IP is

    // gethostbyname() returns the hostname unchanged when the lookup fails,
    // so treat that as "no answer" rather than as a mismatched address.
    if ($dyndnsis == $this->_FQDN) {
        log_error(sprintf(gettext('Dynamic DNS: public DNS lookup for %1$s failed'), $this->_FQDN));
    } elseif ($this->_dnsIP != $dyndnsis) {
        log_error(sprintf(gettext('Dynamic DNS: something is wrong, %1$s should be %2$s and it came back as %3$s'), $this->_FQDN, $this->_dnsIP, $dyndnsis));
    } else {
        log_error(sprintf(gettext('Dynamic DNS: all is well, %1$s should be %2$s and it came back as %3$s'), $this->_FQDN, $this->_dnsIP, $dyndnsis));
    }

    I'm not too sure where it should sit in the dyndns.class file; I've got it at line 360, just above the line that reads $this->_debugID = rand(1000000, 9999999);

    I also need to be able to trigger an update should the public DNS return a different IP than expected.
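
    The same consistency check as an added standalone example in Python, not a patch to dyndns.class and not pfSense's own code: it resolves the DDNS hostname, distinguishes "public DNS disagrees" from "lookup failed" (the gethostbyname() failure mode above), and applies a simple policy for when to force a re-push. The resolver is injectable so the logic runs offline; the hostnames, the RFC 5737 addresses and the three-failures threshold are constructed assumptions for the demo.

```python
"""
Added example: verify that the public DNS answer for a dynamic-DNS hostname
still matches the address the updater believes it published, and decide
whether a forced update is warranted.
"""
import ipaddress
import socket
from typing import Callable, Optional

# Verdicts a caller can act on.
OK = "ok"                        # public DNS agrees with the cached address
MISMATCH = "mismatch"            # public DNS answers with another address: re-push
LOOKUP_FAILED = "lookup_failed"  # no usable answer: not evidence the record is wrong

Resolver = Callable[[str], Optional[str]]


def resolve_a(fqdn: str) -> Optional[str]:
    """Live resolver: first IPv4 address for fqdn, or None on NXDOMAIN/SERVFAIL."""
    try:
        return socket.gethostbyname(fqdn)
    except socket.gaierror:
        return None


def check_ddns(fqdn: str, expected_ip: str, resolver: Resolver = resolve_a) -> str:
    """Compare what the public DNS says about fqdn with the address we published."""
    answer = resolver(fqdn)
    # PHP's gethostbyname() hands back the hostname itself when the lookup fails;
    # a port of the forum check must not count that as a mismatched address.
    if answer is None or answer == fqdn:
        return LOOKUP_FAILED
    try:
        got = ipaddress.ip_address(answer)
        want = ipaddress.ip_address(expected_ip)
    except ValueError:
        return LOOKUP_FAILED  # garbage from the resolver is not a mismatch either
    return OK if got == want else MISMATCH


def should_force_update(verdict: str, failures_in_a_row: int, max_failures: int = 3) -> bool:
    """Policy (assumption, not pfSense behaviour): a mismatch always triggers an
    update; lookup failures trigger one only after max_failures consecutive
    misses, so a transient resolver outage does not hammer the DDNS provider."""
    if verdict == MISMATCH:
        return True
    if verdict == LOOKUP_FAILED:
        return failures_in_a_row >= max_failures
    return False


if __name__ == "__main__":
    # Constructed answers standing in for public DNS (RFC 5737 documentation ranges).
    fake_zone = {
        "home.example.net": "203.0.113.10",   # correct record
        "stale.example.net": "198.51.100.7",  # provider still has the old address
        "gone.example.net": None,             # NXDOMAIN
    }

    def fake_resolver(name: str) -> Optional[str]:
        return fake_zone.get(name)

    published = "203.0.113.10"
    for host in fake_zone:
        verdict = check_ddns(host, published, fake_resolver)
        print(f"{host}: {verdict} -> force update: {should_force_update(verdict, 1)}")
```

    Run it as a cron or periodic check beside the DDNS client; on MISMATCH call the client's forced-update path, on LOOKUP_FAILED log and count the miss rather than re-pushing immediately.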

  • DHCP custom configuration - (when|will) it be available?

    15
    0 Votes
    15 Posts
    2k Views
    T

    @capitanblack good to hear from you, sorry it took so long for me to respond. I’ve been slammed with other stuff and keep pushing it to the back burner. In short, I dropped that effort six months (or more) ago, and just picked it up again a couple weeks ago. Sounds like we are on the same page. I’ll have to go back to see what I did to get it working (pretty sure it was OMAPI + sshfs for sharing the lease files) but essentially after tying it into the pfSense, I decided that I wanted a separate infra VM to control everything with DHCP on it (as well as named) for environments where people won’t have a pfSense box. I’m in the middle of finishing a playbook that builds out both servers (infra and foreman) and configures and installs foreman to use the infra VM. Happy to share when it’s done.

  • DNS across IPsec - partial functionality issues

    1
    0 Votes
    1 Posts
    235 Views
    No one has replied
  • Assigning IP addresses

    8
    0 Votes
    8 Posts
    821 Views
    johnpozJ

    Are you an MS shop? If you're running AD, it's pretty clear you should just use your AD for DNS and DHCP. It's part of MS design, etc.

    Running them on something else doesn't really get you anything. You can run DNS and DHCP on pfSense, sure. But why, when you already have a well-rounded, feature-rich DNS and DHCP that integrates by design with your AD?

    Moving these services to pfSense will only complicate the setup.

    You can leverage unbound and pfBlocker very easily by just setting your AD DNS to forward to pfSense to let it do your internet resolving, and blocking of stuff on DNS via pfBlocker lists, etc.

    If it were me and I had AD set up, I would just use it for DNS and DHCP. It just makes sense to do it that way, with all your clients pointing there for DNS. Set up AD DNS to forward to unbound and let it resolve your public stuff.

    I would also set up unbound with a domain override for your AD domain and PTR zones so that pfSense can resolve your client IPs for hits in your firewall, etc.

    As to blocking unwanted DHCP servers: what switches are you using? You would normally block unwanted DHCP traffic via DHCP snooping. This would be done on your switch(es).

  • Locally Blocking HTTPS Sites

    13
    1 Votes
    13 Posts
    1k Views
    R

    @kom You're awesome, I appreciate you taking the time to respond, and so quickly. LAN not WAN, good to know. I need to set up some sort of test to see how/if the rules I set up work, maybe something that affects my kids' access; if it works I will know by the screams and panic that will accompany the 404 or other destination-unavailable messages. What music it will be. More to come.

  • DNS resolution to random ip

    11
    0 Votes
    11 Posts
    1k Views
    S

    @gertjan said in DNS resolution to random ip:

    really people out there use these kind of settings

    Can happen after renames/mergers if they let the old domain expire. Windows asks for "domain name" when setting up a domain controller, so people enter their Internet domain name. If Exchange is installed on premises, the domain can't be renamed.

    We still have one web hosting client like that (that we don't provide IT for) that uses their own Internet domain internally and keeps forgetting to duplicate DNS changes to their LAN.

  • Gateway Optionally

    4
    0 Votes
    4 Posts
    584 Views
    johnpozJ

    If you use the LAN gateway to get to the internet, it's no longer really "LAN" ;) pfSense will think of it as a WAN interface as soon as you put a gateway on it, etc.

    If you're set up as LAN, and you have devices on this LAN, and are using another IP on this same "LAN" to get to the internet, then you have an asymmetrical problem for anything using the pfSense IP as its gateway.

    Not sure exactly what you're trying to isolate, but it seems like a bad configuration to me, if anything is pointing to pfSense as its gateway and pfSense's route to get elsewhere is using this same network.

    Any time you connect "routers" you create a transit network; you don't put hosts on said transit without issues of asymmetrical routes.

    Could you provide more info on exactly what you're trying to do, and I'd be happy to discuss a better way to do it ;)

  • DHCP Server, CARP, state "recover"

    1
    0 Votes
    1 Posts
    170 Views
    No one has replied
  • DNS resolver stopped resolving one hostname

    17
    0 Votes
    17 Posts
    1k Views
    johnpozJ

    I think it is part of the base install now... When 2.5+ came out I did clean installs, and I don't recall having to install that, and I have dig.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.