• LAN Clients can Ping out, but nothing else

    16
    0 Votes
    16 Posts
    2k Views
    Rico
    Glad you have it working now. -Rico
  • BT Youview plays for a few minutes then stops

    19
    0 Votes
    19 Posts
    2k Views
    stephenw10
    Yes, you can see it was blocking IGMP traffic on the IPTV interface so adding that floating rule will pass it. You don't need to pass all IGMP traffic on every interface though. I wouldn't expect to need it on WAN at all. You don't need 'any' destination there either. It's always better to pass only the traffic you need. Still seems odd that it appears to be using the source IP of the interface it's arriving at.... Steve
  • pfSense 2.5 Release Date News

    84
    4 Votes
    84 Posts
    39k Views
    kiokoman
    @jknott I prefer to do this way [image: 1607514887517-immagine.jpg] you can't use host override for IOT device with embedded 2001:4860:4860::8888 I don't use dns of pfsense and I don't use ntp from pfsense I need to redirect to a bind9 dns server and it was only an example
  • PfSense hangs/restarts intermittently...

    9
    0 Votes
    9 Posts
    979 Views
    G
    Well, over 24 hours, and rock solid since replacing RAM. Even restored the config file from newer pfSense, not skipped a beat. Thanks for the help guys.
  • Multi WAN and Multi LAN

    5
    0 Votes
    5 Posts
    579 Views
    Hoto Cocoa
    @bob-dig Thanks for support!
  • How to modify the Nginx timeout?

    2
    0 Votes
    2 Posts
    343 Views
    stephenw10
    Does it always fail for that cert? You have something unresolvable set there? Failing after 60s seems reasonable; I doubt increasing that value will help. Steve
  • Set up mixed IPv4 and IPv6 traffic?

    26
    0 Votes
    26 Posts
    3k Views
    P
    @jknott Good to know. I appreciate all your help so far. Once (if) I decide to proceed with this, I might have to come back to get more assistance...
  • pppoe server more than 255 users?

    4
    0 Votes
    4 Posts
    728 Views
    jimp
    The limit is set by pfSense, I am not aware of a limit in mpd. But again, it hasn't been tested so you're pretty much on your own there. It isn't intended for that many users, but it may work.
  • Block Facebook but Allow Messenger

    2
    0 Votes
    2 Posts
    303 Views
    stephenw10
    You can try filtering it in DNS but I'm not sure if Facebook Messenger will work without being able to resolve facebook.com. Steve
  • Can't access Microsoft urls or Xbox App on PC

    2
    0 Votes
    2 Posts
    344 Views
    stephenw10
    Are the URLs in question resolving? Do you have any other packages installed besides pfBlocker? What error do you see when you try to visit one of these URLs? Steve
  • 0 Votes
    4 Posts
    1k Views
    stephenw10
    Ah, yes, if it tries to boot and finds the assigned interface missing then you will see problems. I would not normally expect a panic though. An Ethernet connected external modem will give far better results pretty much every time. Steve
  • pfSense change the URL

    7
    0 Votes
    7 Posts
    1k Views
    W
    @stephenw10 If I call the URL from another PC on another network in another city, the problem is not there. And it doesn't even exist if I call the URL from a smartphone. I only have it from multiple PCs in THIS network, under pfSense. So that's something here in this office. I don't know where, but it's here. OK, I close the thread. I try to reinstall everything.
  • Secondary DNS Server

    8
    0 Votes
    8 Posts
    3k Views
    Gertjan
    @leungda said in Secondary DNS Server: Why not using the pfsense as a SLAVE server. Because https://forum.netgate.com/topic/133593/bind-setup-pfsense-as-slave-dns-server/8?_=1607327341512 I'll add a why not more : bind, as any other daemon type process, bind uses config files. And like servers daemons like apache2, nginx, postfix etc : it's close to impossible to build a GUI around them. You wind up doing what's been done for the last 3 or 4 decades : edit the config files with a text editor. Typically, you'll be needing 3 SSH open during editing : One where you edit the config files - bind has many config files, zone files. One to restart or reload bind9, and one where you 'tail' the bind log file(s). Typically, these log files are split in debug, xfer, dnssec, debug, query, etc. Once set up correctly, you'll be fine for some time. You have two choices : bind does everything for your pfSense, working as a resolver for pfSense, and your LAN's and slave DNS name server for your domain name. Or you make a mix : unbound listens only to the LANs and pfsense local host, and have bind bind to the WAN IP, port 53. I guess it is possible - with actually ONE restriction : you have to know bind. My own slaves run on a VPS that exists for only that reason : for DNS and mail backup server. I've been using https://freedns.afraid.org/ a long time as a second (third, actually) but had to remove them : as I'm using Letsencrypt, freedns.afraid.org is too slow to update (execute the XFER upon NOTIFY) so acme failed to renew my certs. What happens is that I ask mostly for wild card certs, which implies two records being pushed (using nsupdate) to the master DNS. When this happens, the master sends out after each record update a NOTIFY to the slaves. The first XFER initiated by the slaves happens quickly, but then - @freedns - some rate limiting kicks in, the second record gets XFERred much later, making the Letsencrypt check fail. In the past, Letsencrypt checked just one name server, which could be the master answering, or the slave, making the chance bigger to succeed. These days, master and all the slaves are checked.
  • Very slow login to dashboard++

    17
    0 Votes
    17 Posts
    2k Views
    Gertjan
    @bla said in Very slow login to dashboard++: that one of the DNS servers being used Keep in mind : you don't have to enter during setup any DNS server. The resolver already knows where the 13 original main 'root' servers are, as these are built into the code. No need to pass on your DNS info elsewhere.
  • IoT Devices on WPA2 Enterprise network

    4
    0 Votes
    4 Posts
    2k Views
    NogBadTheBad
    @jwj I don't think the Unifi kit supports 802.1x and any form of WPA on the same network segment even if the SSID is different. I'm with @johnpoz on the guest WiFi and QR codes.
  • 0 Votes
    12 Posts
    2k Views
    S
    @pagger I disable my WAN ipv6 and everything is solved.
  • Pfsense questions from a newb

    5
    0 Votes
    5 Posts
    587 Views
    johnpoz
    Yeah knew that was going to happen.. Could tell from the IP.. I don't think we have 1 legit user from there.. It's just spam.. Your googlefu in finding the threads they are copying from is better than mine - I searched and could not find where they had copy pasted from.
  • Issues with Netgate SG-1100 over FTTH (Bell Canada)

    13
    0 Votes
    13 Posts
    1k Views
    stephenw10
    Hmm, odd. That should be identical to re-assigning it as WAN.
  • 0 Votes
    3 Posts
    579 Views
    I
    @heper I see. Interesting. I'll see if I can find the poll. I mean if folks are willing to pay a premium for Unifi gear, you'd think they'd be willing to buy cheaper (but just as good) gear and pay more for pfSense. I know I would. Interesting.
  • Cisco AnyConnect VPN behind a pfSense 2.4.5

    14
    0 Votes
    14 Posts
    2k Views
    A
    @johnpoz Hello and thanks Yes I only had TCP port 443 outbound from my work VLAN and after adding UDP all is better. I'll VPN into work and update that wiki page
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.