• Unable to resolve DNS

    2
    0 Votes
    2 Posts
    385 Views
    H

    @junebuhg The pfsense community wants to help. But it is hard to help you without being able to see the full picture.

    Please show screenshots of the following:

    - LAN firewall rules
    - WAN firewall rules
    - Any NAT outbound rules
    - Any NAT port forward rules
    - DNS resolver settings page
    - DNS servers on the General Setup page
    - LAN interface settings page
    - WAN interface settings page
    - If using DHCP, the DHCP settings page for LAN

    What is the IP address and netmask the WAN interface is on?

  • [SOLVED] Which DNS-Servers does unbound use?

    12
    0 Votes
    12 Posts
    8k Views
    johnpozJ

    @griffo said in [SOLVED] Which DNS-Servers does unbound use?:

    have millions of users keeping records in their cache fresh and up to date

    You would think that huh - but quite often when you query you get a very short ttl, and now you have to do a second query.. And then again it might not be full ttl.

    Also with pointing to a cdn based forwarder - are you sure you're getting the closest answer for everything you're doing queries on that use geoip to point you to the closest place you're wanting to go..

    The only reason I would ever forward, is you have crap internet where resolving is a pain - satellite internet not good for resolving.

    Other would be you have some concern with your isp doing something with your dns traffic - so you want to forward and encrypt.. Which is going to be a hit to performance, and would be hit to forwarding is faster.

    How many different websites do you actually go to to be honest? Now and then a new one - The millions of users increasing the cache.. Doesn't make forwarding faster to the point that it makes any sense to think it's worth not just resolving.

    You do you - if you want to forward, then forward. If you want to use dot then do that.. But resolving is the default for a reason.. Because normally 99/100 times it's going to be the best option.

    If these dns providers had their way every single client would be doing queries to them via doh.. So there goes your local cache of even your 2 or 3 users sharing.. And sure isn't going to be faster for any of your local clients.

    But resolving is not slower to the point that it should be a deciding factor for you to forward or resolve. Even on a cold resolve vs asking someone else, that may or may not have it cached. You're talking a few ms..

  • How to enable VPN clients name resolution

    9
    0 Votes
    9 Posts
    667 Views
    T

    @alexp-lft

    Corp.net DNS server must be configured to forward all requests for domain vpn1.corp.net to pf1 and vpn2.corp.net to pf2.

  • 0 Votes
    1 Posts
    650 Views
    No one has replied
  • 0 Votes
    3 Posts
    6k Views
    S

    @teamits

    Thank you, Steve, you somewhat pointed me in the right direction.
    The events are located here:
    Applications and Services Logs > Microsoft > Windows > DHCP-Server

    I checked and I couldn't find the culprit, but there's a DHCP server log file here:
    %windir%\System32\Dhcp

    The log file revealed the following error while a client was asking for an IP and the OpenVPN tunnel was on:
    "Packet dropped because of Client ID hash has mismatch or standby server"

    Upon further search, it turns out that the Active Directory DHCP server on Site A was trying to contact an AD DHCP server on Site B that was once part of the AD Domain of Site A but has since been removed. Some more cleanup was necessary on AD Site A to make it stop trying to contact that orphaned AD Domain Controller. The issue has been resolved, all clients are able to obtain IP #'s from Site A.

    Thanks so much for the hint.

    Stay safe my friends.

    SuperVertrix.

  • DHCPv6 Issues on Reboot

    1
    0 Votes
    1 Posts
    209 Views
    No one has replied
  • dns replication between pfsense and windows server

    17
    0 Votes
    17 Posts
    2k Views
    SweetyS

    @teamits Yes, the school does not want to change its Windows Server x)
    Thank you for your help, have a nice day!!

  • 0 Votes
    5 Posts
    1k Views
    jahonixJ

    @giminik You can assign subdomains at the interface's DHCP server tab.

    Domain name: "The default is to use the domain name of this system as the default domain name provided by DHCP. An alternate domain name may be specified here."

    So you can end up with
    -firewall.home or firewall.lan.home
    -firewall.lan2.home
    -firewall.dmz1.home
    -firewall.dmz2.home

  • DHCLIENT/BOOTP Broadcast Flag Support

    3
    0 Votes
    3 Posts
    1k Views
  • dhcp not working

    4
    0 Votes
    4 Posts
    537 Views
    GertjanG

    @ofloo :

    Go one step up: be.pool.ntp.org instead of x.be.pool.ntp.org

    The IPs listed are people like you and me, exposing their IP as an NTP server.
    This list changes all the time. They become unreachable, come back, etc.

  • DNS Resolver Won't Work on Cellular Failover

    3
    0 Votes
    3 Posts
    368 Views
    Cool_CoronaC

    @mdt said in DNS Resolver Won't Work on Cellular Failover:

    I believe I was able to get this to work after binding the DNS resolver to specific Outgoing Network Interfaces instead of to ALL. Very unclear why this would be the case, but it seems to work flawlessly now.

    My best bet would be GW failover, but glad you got it working.

  • PFSense WAN Can't Get An IP!!! (0.0.0.0)

    3
    0 Votes
    3 Posts
    3k Views
    M

    Thanks for the suggestion!
    After calling the ISP to double check if they had shadowbanned the MAC, and they reset the modem for me, the problem remained the same.

    My workaround was to swap the interfaces for WAN & LAN!
    Suddenly my WAN can pull an IP!
    And... I immediately noticed that PFSense was also assigned an IPv6 IP
    I had tried to disable IPv6 from the Spectrum DHCP!
    Spectrum Techni was happy with all the other devices MAC but not my PFSense MAC!!! The Spectrum Techni would not show me anything, except put the MAC in the inactive list! (This occurred while attempting to place the Spectrum Techni into Bridge mode - but I had to reverse on that problem!!! So ISP - Bridge - IPv6 block - Hated my WAN MAC and wouldn't let it go - Customer Service could not see anything blocked!!!

  • DNS Resolver for internal domains non-responsive over IPSec tunnel

    3
    0 Votes
    3 Posts
    463 Views
    D

    Got a little more info on this - I set the local DNS resolver logging to show queries, and when I query the cozynet domain from cozyhome I see:

    Feb 6 06:18:44 unbound 57298:1 debug: return error response SERVFAIL
    Feb 6 06:18:44 unbound 57298:1 debug: configured stub or forward servers failed -- returning SERVFAIL

    This is only happening for lookups for the cozynet domain; everything else is resolving properly.

  • 0 Votes
    1 Posts
    134 Views
    No one has replied
  • DNS not working over VPN

    14
    0 Votes
    14 Posts
    2k Views
    A

    Actually I am testing the VPN through an iPhone hotspot and that's the DNS/Gateway of the iPhone connection.

  • pfSense DNS Resolver / Host Overrides / CERTBOT SSL

    5
    0 Votes
    5 Posts
    736 Views
    H

    @viragomann Ah, yes I see that works.

    Ok I guess I was confused as to what hostname/domain name means. I thought host was always the physical machine, but obviously I was mistaken.

    I don't fully understand how it works in detail.

  • DNS not working correctly when ipsec tunnel is up on osx machine. SOLVED

    3
    0 Votes
    3 Posts
    857 Views
    A

    Sorry for digging this up - I am struggling with the same problem, but can't seem to get it working. Is this the configuration you are proposing?

    pfsense_ipsec_config.png
    macos_config.png

  • Free Dynamic DNS Recommendation?

    1
    0 Votes
    1 Posts
    190 Views
    No one has replied
  • Pppoe, pfsense and Windows 10/iphone not surf Internet

    2
    0 Votes
    2 Posts
    631 Views
    V

    I dug some more into the problem. It seems to be a dns problem with pfsense-pppoe and Windows.
    I will update when I discover some more info.

  • DHCP shows device offline but I can ping it

    3
    0 Votes
    3 Posts
    2k Views
    S

    OK thanks just needed confirmation. :)

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.