I found the problem. Use SSL/TLS for outgoing DNS Queries to Forwarding Servers was on and causing it to not work.

@zotan said in Deaf DHCP server on a VLAN: So 25 and 75 appear as distinct vlans rather than nested? Yeah any switch does that - any switch that does vlans understands tagged vs untagged. You can always have 1 untagged vlan (native). If you want..

@nogbadthebad I never had occasion to use IP on DOS. Back in those days, we had Netware at work and I recall modifying config.sys and autoexec.bat to run it. NET3 & NETX come to mind. I didn't deal with IP until I got my own connection and was running OS/2. Then, at IBM, I worked with IP, SNA and NetBIOS on token ring.

I have the SG-2220 and do not have this issue. I know this doesn't help a whole lot but someone suggested it could be hardware specific. I hadn't used my SG-2220 for about two years due to divorce and just recently got it going again which is what led me here. I did have this problem and when I did an update when it came out I still had some troubles but not this trouble. I did a factory reset twice and for whatever reason the second reset is what made everything happy. I started with all new settings and didn't restore a thing. I know this doesn't necessarily help a whole lot, but I wanted to offer additional relevant info. It isn't failing on my Netgate SG-2220. What can you do with that? I don't know exactly, but I don't think it is just the software. It might be hardware specific race conditions as another user noted.

@pzanga Just a quick update, if anyone cares. Turns out the issue was a flaky keystone jack. Not sure if it was a bad terminal connection or some dust in the jack, but took off the wall plate, made sure connections were secure, blew out some dust and now its working fine. Also made sure Ethernet cable is not being squeezed and it secure. No problems since. So, as I said above, always check your equipment.

@jknott So after analysing some packet captures and digging around in the depth of the switch config options it seems the switch 'screens' DHCP servers unless they have been explicitly configured as 'trusted'. It seems that for DHCPv6 this involves dropping the multicast messages used for 'advertise' (and maybe others). Once I added the SG-3100 LAN link-local iPv6 address as a 'trusted' DHCP server then things started working as expected.

What mask did you put on the network on the vlan - common mistake is defaults to like a /32 mask.. Which no you couldn't enable dhcp on that because there isn't any addresses to hand out.. That one comes up quite a bit actually.

@gertjan Thanks for the prompt reply. Indeed. Not long after I initially posted I found the file to be rebuilt with just the pfSense host in it. Looks like the best way is to add DNS Host Overrides. Only about 50 entries, so just need a little patience. Thanks for the advice on dnsmasq. Will look into unbound, too. ;-} P

@sport78 With a host over ride. That is, if I understood the question.

Thanks for looking into my problem. @mer said in DNS Resolver and Gateway Groups: Can you set the Gateway group as the outbound interface in the DNS Resolver? Logically doing that "should work". I don't know if you can, just off the top of my head. That would also make sense to me as well but the configured gateway group is not appearing as a network interface neither in the ifconfig output nor as an option in the outbound interface selection box for the DNS Resolver configuration tab.

@mr-rosh said in DNS Resolver Starting Stopping: Windows 10 would connect via random macs. Typically, "random MAC's" should be activated (is meant to be activated ?) when the user uses Wifi network he doesn't trust. This is NOT the case with your @home network. A good thing is : you understand that this setting will produce far more DHCP negotiations at start. Every device, using every AP, will produce another DHCP lease using on the same network. I do recall (I thing) that when A device (Windows PC or whatever) was connected ones to a AP using MAX X and SSID Y, it will use the same 'random MAC' for that AP. Which means it doesn't change it's MAC for every lease renewal, or when a known AP commes into range. I advise you strongly to make Static MAC DHCP lease for all your known (local) devices. And shut down this 'random MAC' thing when they use your home connection.

@godatum said in Unable to access internet on certain devices - trying to find root cause: My brother turned on his laptop but could not access the internet. Easy : whatever OS he uses, he changed something. As any device (PC) uses a DHCP client these days, so the user can : Order one. Receive it. Unbox it. Putting it on. Select a SSID or slide in the Ehernet cable. Connected. This is a 100 % no brainer. On the pfSense side : Do the initial set up. Change only the admin password. And maybe, for very special cases : make the WAN work. Done. DHCP server on LAN works. @godatum said in Unable to access internet on certain devices - trying to find root cause: I went into PFSsense and did a DNS Lookup diagnostic. I got 127.0.0.1 unavailabl That's a lucky shot. the resolver could be restarted ones or twice a day ? week ? It will do so with a second or so. You doing a "resolve' right at that moment, that a 10/(24*3600) chance. The resolving (unbound) should always work. [image: 1629729961531-3883e69c-b677-4ad6-b383-94ba33a652e9-image.png] Now who is "1.1.1.1" ? I have only "127.0.0.1". The resolver does all the work for me. Btw : even if unbound was not running, this would not break Internet access. Just the 'name resolving stops'.

@mickamickatchu said in No free lease on fresh install: At this step if I enable DHCP on LAN1 interface, a machine plugged to the LAN2 interface can get an IP from LAN1 DHCP Well then your setup is broken.. And you don't actually have isolation between your networks. Your 2 networks should be either physically isolated, or isolated via vlans. There should be no way lan 1 interface would ever see a discovery from lan 2 network since they should be isolated at layer 2. And vise versa, 2 should never see discovery broadcasts from network 1 I have 8 different networks, all correctly isolated at layer 2.. dhcp on network A, never sees broadcast from any other network, etc. Trying to isolate devices by just using different IP space when they sit on the same network is not valid from a security point of view. You can isolate at layer 2 even if everything is virtual. You just need to setup your vitual network and how it connects to your physical network correctly to do so.