Glad you got it sorted..

In my ongoing "battle" with DDNS and dynamic prefixes I was able to get a "RFC 2136 Client" in pfSense working with dynv6.com. The "normal" DDNS-Client in pfSense for dynv6 wouldn't work for me. Anyway, what it allows me, is to have a prefix on an interface in the DNS. Together with static interface identifiers (host part), like you can have in pfSense with DHCPv6 Static Mappings on an interface which tracks IPv6-WAN, now the hosts have a working DDNS, because the changing prefix get registered in DNS, not only in pfSense. [image: 1617366283443-capturexy.jpg] dynv6.com even allows you to use your own sub-domain via delegation, which I did.

@tomashk Thank you very much, that helped!)

Yeah that allows you to use a domain that is public, and look up non local resources. I personally think it should default to static.. To prevent queries for domain that doesn't exist in the public space. I have mine set to static, since the domain I use locally doesn't exist in the public space - so no point in trying to resolve public if there is no local record..

Them pointing cname to cname isn't best practice either. While its allowed - it causes extra lookups.. ;; QUESTION SECTION: ;www.broadcom.com. IN A ;; ANSWER SECTION: www.broadcom.com. 300 IN CNAME cdn.broadcom.com. cdn.broadcom.com. 3600 IN CNAME www.broadcom.com.cdn.cloudflare.net. If they want www.broadcom.com to point to www.broadcom.com.cdn.cloudflare.net. Then they should just do that, but they are pointing to cdn.broadcom.com first, which then points to the cloudflare.net cname.. Its not efficient to do that.. Just causes extra work..

@fearlessfara I realize this question is getting older, but since it's a main result in search engines I want to add that now with the latest pfSense version you no longer use the record ID. Just use the actual host name, e.g. "host", and "domain.com" for domain. It just works now; right inside pfSense. Though the instructions on the dynamic DNS client edit page still talk about using the Record ID for DigitalOcean, which is no longer correct. It would have saved me hours if the instructions had been updated. So maybe this additional info will help someone.

Nevermind. Recreating DDNS entry with domain name + key resolved the issue. So just a glitch after upgrade :)

Oh. ? Had originally enabled on OPT1 to mirror OLD router's scope, save myself having to make lots of changes. Then decided to just "bite the bullet" and get it over with. Deleted the DHCP server and disabled the interface. Static leases remained on the Status | DHCP Leases page. Had to re-enable the interface w/ a stack address of old scope, THEN go to Services | DHCP Server and was able to delete them. I suppose that makes sense as old statics could still have routes... None existed, but. Still neophyte RE pfSense. That's why I bought it, want to learn, what does the world (network) look like from the BSD/pfSense view. Thanks for taking the time to reply. Just didn't "see" the 3rd octet being foreign. Sheesh.

There is nothing magic about this, route port 80 and 443 to your local webserver, in the webserver you configure which host(fqdn) goes to which configuration as all http/https traffic will pass as is. Your ISP modem will have to be in bridge mode though, double NAT doesn't always work and CGNAT does not work at all.

@gertjan thank you, that makes sense

Glad its sorted - odd that 1.13.0 no parse error but 1.13.1 parse error. If you have any questions with setting up tunnel from HE.. Just ask - be using them for like 11 some years.. I'm a big fan of just using tunnel vs what normally amounts to a shitty deployment from ISPs - because its static, you can take it with you no matter what ISP you move too.. And makes it very easy to setup whatever /64 prefixes you want on your local vlans, etc. They have a great global IPv6 backbone with tons of great peering..

@90ninety said in Gateway DHCP Down: Thanks for the help

@starles said in DNS Query is refused: Config is set up according to this Guide 2018 ? You mean this guide ?! Check : Services > DNS Resolver > Advanced Settings : Disable Auto-added Access Control If checked, you have to add your ACL's, see Services > DNS Resolver > Access Lists What happens if you undo all your Resolver settings ? Yeah, I know, things start working again. Now, add your changes one by one - and test after every step, when thing break you know where to look ^^ Btw : the packet capture shows what you see on the wire. What did unbound tell you ? Did it receive the DNS request ? Was it unbound who refused ? Or some other process ? To find out, make unbound query verbose ( see Services > DNS Resolver > Advanced Settings : Log level - choose level 3 ) and check the "Resolver log". Your not using a OpenVPN server access, right ? What is Probably not related : Why : [image: 1616587940716-e9b6808f-0849-44b4-9e58-aa97180c0cb4-image.png] Both domains point to thousands of IP's - IPv4 and IPv6. What happens if, example, 204.79.197.220 is takes down for maintenance ? To make a long story short : you can't override domaines like bing.com and youtube.com (naf all the other big ones).

For anybody that might get here looking for the same option, I've asked this question on reddit and this is the solution: "Domain Search and Domain Name are option 119 and 15 respectively. You can override that and set an empty string under "Additional BOOTP/DHCP Options"." After setting those options with empty values, the search domain dissappeared.

Finally got it! snort was blocking the check-IP service. Added the corresponding suppressions and all works fine again!