• DHCPOFFER not being accepted

    28
    0 Votes
    28 Posts
    9k Views
    E
    @gertjan Well, problem has been solved. My setup involved 2 unmanaged switches. The eero connected to the first switch to provide internet access to wired devices. The error: I had two cables from the first switch connecting to the second switch. When I found this to be the case, unplugging one immediately fixed the problem.
  • DHCP server not supplying domain search list

    5
    0 Votes
    5 Posts
    554 Views
    johnpozJ
    @mclaborn said in DHCP server not supplying domain search list: (Not Windows, thank goodness.) hahah - made me laugh.. thanks!
  • No route to host

    6
    0 Votes
    6 Posts
    2k Views
    JeGrJ
    @cool_corona said in No route to host: @gertjan I won't update to 2.5.1 since it has the MultiWAN issue. Normally the same branch of releases has access to package repository
    It does: [images]
    Check your update path under System/Update (should be latest stable 2.5.x). Also check your internet/DNS connectivity, as
        pkg-static: https://files01.netgate.com/pfSense_v2_5_1_amd64-pfSense_v2_5_1/meta.txz: No route to host
    "No route to host" clearly is an error that is local to you. Could perhaps be DNS related as the file-servers for packages are resolved via SRV records. Also check out via console:
        [2.5.0-RELEASE][root@mirage.nt.ops.to]/root: pkg-static update
        Updating pfSense-core repository catalogue...
        pfSense-core repository is up to date.
        Updating pfSense repository catalogue...
        pfSense repository is up to date.
        All repositories are up to date.
    pkg-static update should run without problem. I assume it doesn't for you? Cheers
  • DHCP Device needs manual IP address to connect to the net

    6
    1
    0 Votes
    6 Posts
    835 Views
    Datastream101D
    @gertjan Thanks, I didn't like using my ISP's DNS so I was trying to get it to use one other than theirs. I was downloading a lot of stuff when I took that screenshot, but it's always worked, the update manager that is. Under System > Package Manager / Available... there's loads and loads... it would take maybe 6 or 7 screenshots to list them all... Cheers [image: working-now.jpg]
  • DNS problems

    3
    0 Votes
    3 Posts
    520 Views
    U
    Thanks a lot Gertjan I did as you suggested, did a factory reset and now it works perfectly. Thanks again.
  • DNS Exception forwarding

    2
    0 Votes
    2 Posts
    358 Views
    johnpozJ
    While unbound supports views, and you could set up local data to resolve differently depending on the source of the query, I am not aware of the ability to forward to X for a view. To do such a thing you would look to using bind.
  • DNS dies periodically (due to unbound crashing?)

    2
    1
    0 Votes
    2 Posts
    652 Views
    GertjanG
    @cyberminion said in DNS dies periodically (due to unbound crashing?): pfBlockerNG is running for both subnets
    pfBlockerNG can restart unbound regularly. Do a manual reload of pfBlockerNG and see for yourself. This option: [image] will also restart unbound when a new DHCP lease comes in. Although, checking that option and using pfBlockerNG will make it complain about it: [image] That is: the Python mode doesn't 'like' this "DHCP Registration" setting, so, if set, it (pfBlockerNG) will default to the older "unbound mode". This mode uses more resources and is slower to restart.
    @cyberminion said in DNS dies periodically (due to unbound crashing?): when needed to a pair of defined public DNS servers.
    Are you sure? unbound should be used as a resolver. With "public DNS" you mean you're forwarding?
    @cyberminion said in DNS dies periodically (due to unbound crashing?): When DNS service drops out, I can wait about 20 minutes for it to come back by itself
    This is the real issue: it did not crash, it was just restarting, and this shouldn't take that long. Or it does so on your system. Bring your system back to default settings (remove or deactivate pfBlockerNG and other packages) and add them back again step by step. Restart unbound with the GUI: [image] and check with the unbound logs how long it took. Do this for each step, each feed you add to pfBlockerNG. The Firewall > pfBlockerNG > Update : Reload > All also shows you how much time it took for unbound to restart: [image]
  • Stale ARP entries??

    1
    0 Votes
    1 Posts
    196 Views
    No one has replied
  • Internally resolving hosted services over Reserve Proxy

    11
    0 Votes
    11 Posts
    2k Views
    V
    @latency0ms great.
  • 0 Votes
    3 Posts
    425 Views
    D
    Apologies - I was seeing strange things and I thought it was my brand new firewall, as I am such a novice with it. The problem turned out to be the pool of addresses given to the DHCP server inside the MikroTik. It was in another tab, so I just configured DHCP but I didn't change the pool... I tried your solution anyway. Thanks
  • Regular DNS Resolver "Connection refused" errors

    2
    1 Votes
    2 Posts
    454 Views
    S
    Updating to 21.05-RELEASE seems to have resolved this issue.
  • Replace unbound v1.13 with v1.12

    6
    0 Votes
    6 Posts
    502 Views
    KOMK
    @amestag said in Replace unbound v1.13 with v1.12: I just need to have another DNS server to forward to
    There's only about a million of them. 1.1.1.1, 4.4.4.4, 8.8.8.8, your ISP... Free and Public DNS Servers
  • DNS RESOLUTION BEHAVIOR

    dns resolver
    8
    0 Votes
    8 Posts
    2k Views
    GertjanG
    @patch said in DNS RESOLUTION BEHAVIOR: @tiger-0 said in DNS RESOLUTION BEHAVIOR: DNS was from 127.0.0.1 to DNS is 192.168.2.99, is this a normal If not done explicitly by you, I suspect pfSense added the setting from your ISP when setting up your WAN
    That happens when this option [image] is checked. It should not be checked.
  • DHCP Broadcast flag

    6
    0 Votes
    6 Posts
    908 Views
    B
    Looks like moving to a port based filter on the tcpdump is now showing the proper response so I don't think this is a pfSense issue.
  • DNS Resolver Advanced Setting

    1
    0 Votes
    1 Posts
    278 Views
    No one has replied
  • Win 10 on Wifi loses DNS after sleep / wake

    4
    0 Votes
    4 Posts
    977 Views
    N
    You can run a very nice Unbound implementation of pfSense, but you ask Cloudflare directly every time you have to resolve a name. Unbound with cache and prefetch is significantly faster.
  • IP Aliases not resolving properly

    10
    0 Votes
    10 Posts
    1k Views
    V
    @lifeboy I used alias type IP networks, @johnpoz already solved the mystery.
  • Add description to DHCP Leases???

    13
    1
    0 Votes
    13 Posts
    3k Views
    fireodoF
    @gertjan said in Add description to DHCP Leases???: so the MAC is a random string.
    In my environment I have only older Android and the MAC is from hardware! Thanks for enlightenment!
  • unexpected unbound restarts / matching dhcpcd syslog entry

    9
    0 Votes
    9 Posts
    1k Views
    jpgpi250J
    solved: the culprit appears to be the resolvconf script (which resolvconf)
        sha1sum /usr/sbin/resolvconf
        4bfee7ac4e855ae48e35ab9ac37ebb8c2d37d210 /usr/sbin/resolvconf
    I haven't had an unbound stop message since I commented out
        #unbound_conf=/var/cache/unbound/resolvconf_resolvers.conf
    in /etc/resolvconf.conf, this on raspberry pi 3b, Raspberry Pi OS Lite, Release date: May 7th 2021. You can read the full story here
    summary of the events I noticed:
    stop message in unbound:
        May 14 06:15:26 unbound[790:0] info: service stopped (unbound 1.13.1)
    matching syslog error:
        May 14 06:15:26 raspberrypi dhcpcd[562]: eth0: part of Router Advertisement expired
    setup monitoring in screen:
        sudo strace -tt -ffo /tmp/trace-unbound -e trace=%signal -p "$(pidof unbound)"
    logging script in screen (the topic also describes a method using audit):
        #!/bin/bash
        # Append every newly seen process (PID + command line) to the log file.
        file="/home/pi/ps-test.txt"
        while :
        do
            while IFS=" " read -r USER PID CPU MEM VSZ RSS TTY STAT START TIME COMMAND; do
                # Log a PID only once; skip the ps call itself and this script.
                if ! grep -q "${PID}" "${file}"; then
                    if [[ ( "${COMMAND}" != 'ps aux' ) && ( "${COMMAND}" != *"ps-test"* ) ]]; then
                        echo "$(date),${PID},${COMMAND}" | sudo tee -a "${file}"
                    fi
                fi
            done < <(ps aux)
        done
    result in log:
        Sun 30 May 18:48:15 CEST 2021,32610,/bin/sh /usr/sbin/resolvconf -a eth0.ra
    commenting out the unbound entry in /etc/resolvconf.conf eliminates the unbound stops. For the first time, since I started monitoring errors and warnings in my logs, the unbound log doesn't contain any errors / warnings.
  • RFC2136 change port for BIND on alternative port

    1
    0 Votes
    1 Posts
    229 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.