I think we are talking past each other on the base of my poor explanations ;-)
I could solve the problem already ... but I cannot understand it:
The main problem was that the remote DNS servers have denied DNS recursion queries from the pfSense WAN interface. The recursion queries were already allowed for the pfSense OPTDMZ interface.
The solution was to allow the recursion from the pfSense WAN interface.
So my question was, why this was suddenly necessary without a config change. Before, all DNS queries were coming from the OPTDMZ interface.
=> no recursion allowed, because SOURCE IP is pfSense WAN
=> Before, the SOURCE IP for DNS queries was 194.XXX.YYY.1 (OPTDMZ pfSense)
@gertjan said in [Upgrade not possible from 2.5.0 to 2.5.2. Netgate
So you have something like nameserver 194.XXX.YYY.ZZZ
There must be some info in the routing table that mentions:
194.XXX.YYY.ZZZ is on 'this' (OPTDMZ) interface.
All the other addresses are reachable on the 'other' (WAN) interface.
In the route table
Again, in my opinion there is no routing and the default gateway is not used if the DNS server is located in an internal network which is directly attached to the firewall, in my case OPTDMZ.
In the route table there is an entry that all traffic goes to a device ...
Destination       Gateway   Flags  Netif
194.XXX.YYY.0/24  link#11   U      lagg1
I think we are fine ;-)
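The behaviour discussed in this post, as an added illustration that is not part of the thread: a longest-prefix-match lookup over a small routing table decides which interface (and therefore which source address) pfSense uses to reach a DNS server, and a resolver-side recursion ACL then accepts or rejects the query based on that source address. The routing table, the RFC 5737 documentation addresses standing in for the poster's redacted 194.XXX.YYY.x ranges, and the ACL lists are all constructed for this example.

```python
import ipaddress

# Constructed routing table standing in for the poster's route table output.
# Addresses are RFC 5737 documentation ranges, not the poster's redacted ones.
# (destination, gateway, netif, source address pfSense would use on that netif)
ROUTES = [
    ("0.0.0.0/0",      "198.51.100.254", "WAN",   "198.51.100.10"),  # default route via WAN gateway
    ("203.0.113.0/24", None,             "lagg1", "203.0.113.1"),    # OPTDMZ, directly attached (link#11)
]


def select_route(dst: str):
    """Longest-prefix match: the most specific matching route wins, so a
    directly attached /24 beats the default route even though both match."""
    target = ipaddress.ip_address(dst)
    best = None
    for dest, gw, netif, src in ROUTES:
        net = ipaddress.ip_network(dest)
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, netif, src)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best


def select_source(dst: str) -> str:
    """Source address the firewall stamps on a query to dst."""
    return select_route(dst)[3]


def uses_gateway(dst: str) -> bool:
    """False for a directly attached network: no gateway is involved."""
    return select_route(dst)[1] is not None


def recursion_allowed(src: str, acl) -> bool:
    """Resolver-side check in the spirit of an allow-recursion / access-control list."""
    client = ipaddress.ip_address(src)
    return any(client in ipaddress.ip_network(n) for n in acl)


def query_outcome(dns_server: str, acl) -> dict:
    """Combine both steps: which source address is used, and is it allowed to recurse."""
    src = select_source(dns_server)
    return {
        "source": src,
        "via_gateway": uses_gateway(dns_server),
        "recursion": recursion_allowed(src, acl),
    }


# Constructed ACLs: before the fix only the OPTDMZ address may recurse,
# after the fix the WAN address is added as well.
ACL_BEFORE = ["203.0.113.0/24"]
ACL_AFTER = ACL_BEFORE + ["198.51.100.10/32"]

if __name__ == "__main__":
    for server in ("203.0.113.53", "192.0.2.53"):
        print(server, "before:", query_outcome(server, ACL_BEFORE),
              "after:", query_outcome(server, ACL_AFTER))
```

A DNS server inside the directly attached DMZ network is reached without any gateway and with the OPTDMZ address as source, which the old ACL accepts; a server anywhere else falls through to the default route, leaves with the WAN address, and is refused until the ACL is widened. Keeping the ACL as tight as the routing allows (the single WAN /32 rather than a broad range) is the defensive choice when widening it.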