• DNS over HTTPS with PfBlocker

    1
    0 Votes
    1 Posts
    363 Views
    No one has replied
  • How to set srv record in unbound

    11
    1 Votes
    11 Posts
    6k Views
    C

    @doktornotor said in How to set srv record in unbound:

    Did you even bother with clicking the first link that comes out of the search? Apparently not.

    Almost four years on, this is the first link that comes out of the search. Stupid response immortalised!

  • dnsmasq outgoing interface

    3
    0 Votes
    3 Posts
    443 Views
    Yanik

    @kom

    Thanks a lot

  • Pfsense behind the router but DNS not resolving

    3
    0 Votes
    3 Posts
    628 Views
    B

    @gertjan
    I got it working, thanks for the quick help.

  • DNS resolver Stop Working after upgrade 2.4.5 to 2.5.1

    Moved
    5
    0 Votes
    5 Posts
    450 Views
    S

    2.5.2 will have a lower version for Unbound due to instability.

  • Discarding Renew from ..., Not Our Server Identifier

    2
    0 Votes
    2 Posts
    594 Views
    areckethennu

    @areckethennu It's possible I "fixed" this simply by rebooting my SB8200 cable modem (I realized it was the only thing I'd not rebooted after updating to pfSense 21.05 and I'm pretty sure it has its own DHCP server (over which I have no control)). I was getting multiple "discarding..." log entries per hour until I did so. In the 4 hours since then, I've gotten none. We'll see.

  • Strange WAN DHCP Issue

    3
    0 Votes
    3 Posts
    1k Views
    G

    @jayman81 @ind1g0

    The solution I've found to fix this is to do the following:

    Interfaces > Your Starlink Int. > Tick Advanced Configuration under DHCP Client Configuration > Reject leases from 192.168.100.1 (which is the Dish aka Dishy) and then PFSENSE should stop having issues on reboot or new ip changes.

    Please let me know if this works for you. Cheers.

  • Remote site DNS for Windows clients

    5
    0 Votes
    5 Posts
    636 Views
    S

    Thanks for the suggestions @KOM and @SteveITS
    After upgrading the firmware, the traffic started flowing right away. This is an object lesson in "upgrade your firmware first before asking for help". 😇

  • (solved) 2.5 connecting via hostname not working across interfaces

    47
    0 Votes
    47 Posts
    8k Views
    johnpoz

    @bob-dig said in (solved) 2.5 connecting via hostname not working across interfaces:

    why it will work after some time (could be weeks, month maybe) anyways.

    Well troubleshoot it... When it doesn't work - why doesn't it work... You can instantly tell from a simple ping if it came back by broadcasting when it doesn't come back fully qualified..

    You're never going to figure out anything just wondering about it - it's not rocket science here there are only so many ways to resolve a name to an IP be it fully qualified or not or dns query..

    But no you're never going to understand anything on why something does or doesn't work if you don't actually understand the method you're using to resolve or not resolve.

    If I put in just nas and it doesn't come back fully qualified and the IP I know my name resolution is failing. But until I look into it, I'm not exactly sure why - did my client no longer send the correct domain, did my dns not answer, does my dns not have that record in there and sent back nx, or servfail, etc. etc.

    edit: Maybe you're trying to hit something up in your browser - and your browser decided to F whatever you're doing locally and ask xyz dns via doh.. etc.. Because just ask the browser makers - users are too stupid to be able to run their own dns and resolve what they want how they want.. So since they know better and could switch from your local dns to theirs on a whim ;)

  • Is it possible to separate a range of ips in the range for a given router?

    21
    0 Votes
    21 Posts
    2k Views
    jimp

    Something else to consider if your switches and APs support it might be 802.11x / WAP2 Enterprise using RADIUS.

    You could have the clients authenticate before they get an address at all, and the RADIUS server would tell the switches/APs/etc where to put the clients on the network (e.g. a specific SSID, VLAN, or address assignment). That separates the user identification from other parts of the process which are more prone to error.

    That may be its own special kind of management headache and end user headache, however. It's much more viable for wireless than wired clients.

    At least that way you would know for certain that the clients you want to use a specific network are the correct clients without having to guess by MAC address.

  • omapi still not written into dhcpd.conf

    2
    0 Votes
    2 Posts
    293 Views
    C

    I wonder if someone can comment on this issue. Release information says it was included - https://docs.netgate.com/pfsense/en/latest/releases/2-5-0.html#dhcp-ipv4

    Added OMAPI settings to the DHCP Server #7304

    I have tried defining OMAPI (same key & port) for all LAN interfaces, only the 1st, and only the last one. However, the OMAPI entry is not written into the DHCP config file, and the OMAPI port is not being listened on as a result.

  • All domains resolve to PfSense GUI

    23
    0 Votes
    23 Posts
    2k Views
    H

    Hi guys,
    Thanks. I haven't created any rules to port forward traffic from the WAN to Lan (Not sure what the hell I was thinking).

    Yes, pfSense won't be public facing once I re-set up the lab. I don't see any benefit from having web access to either ESXi or pfSense, so I'll make sure that they are set up on private IPs when I do set it all back up.

    I do have to thank you both for helping. I can't believe how dumb I've been with this.

  • Conditional forwarder pointed to pfSense causes Error 5504

    7
    0 Votes
    7 Posts
    3k Views
    Gertjan

    @kwaleeb said in Conditional forwarder pointed to pfSense causes Error 5504:

    It was the "Access Lists" tab,

    That list, the "Access Lists" is only used when you check :

    a2ca9cd2-b93f-45b8-ba23-9e8450519fe4-image.png

    I've checked that "Disable Auto-added Access Control" so I have to populate the list myself :

    6da90395-e4bb-40d9-96fb-2745d615b8cc-image.png

    Normally, the default is :

    445eda5f-d0dd-4600-8a43-f4c38b69437e-image.png

    will do just fine, as all 'known' interfaces will get included :

    By default, IPv4 and IPv6 networks residing on internal interfaces of this system are permitted.

    If you have other networks, and these aren't known to pfSense (unbound), you have to use the Access Lists tab.
    For IPv4 stuff, this isn't really hard.
    Things get a bit more complicated if you have a dual stack (IPv4 and IPv6) - see my image.

  • VLAN - Clients do not get IP address / Unifi Switch

    1
    0 Votes
    1 Posts
    256 Views
    No one has replied
  • error doing static mapping version 21.05

    3
    0 Votes
    3 Posts
    458 Views
    D

    @johnpoz Thanks, I see what I was doing wrong. When I clicked on the plus sign to create a static mapping the default hostname carried forward was the IP for the current device. I just assumed that everything filled in was good to go. Thanks again.

  • Using ACME in pfSense with deSEC

    1
    0 Votes
    1 Posts
    346 Views
    No one has replied
  • Unbound fails to restart after DNSBL feed update

    2
    0 Votes
    2 Posts
    512 Views
    Gertjan

    @kurlee said in Unbound fails to restart after DNSBL feed update:

    Gives the 'SQLite database missing, Force reload DNSBL to recover' error which does not clear no matter how many times it's reloaded or restarted

    You have to clear the error yourself.
    That is : clean out the 'log file' that triggers this message / warning :

    a8e6c395-2520-44b4-a915-aa6d60f7cb48-image.png

    ( I guess it's the error.log file that contains the error message )

    edit : see also https://forum.netgate.com/topic/164305/py_error-log-errors-maxmindb-and-_sqlite3-modules-not-found as it could be related.

  • DNS Resolver just stops after 24 hours and needs restart - SG-3100

    11
    0 Votes
    11 Posts
    1k Views
    D

    I just wanted all on this topic to know that my Netgate has not crashed once since reducing/modifying the pfBlocker geo IP rules as well as changing to Python for Unbound. I'm going to upgrade to the latest OS tonight...21.05. Thanks again all! Franklin p....

  • 0 Votes
    4 Posts
    802 Views
    maverickws

    @jori56 nop, that is the one!

  • Constant stop and restart of unbound and DHCP

    1
    0 Votes
    1 Posts
    162 Views
    No one has replied