Netgate Discussion Forum

    Correct pfBlockerNG Set Up?

    pfBlockerNG
    • Gertjan @WannabeMKII

      @WannabeMKII said in Correct pfBlockerNG Set Up?:

      I've then checked the logs and I've found a device that is showing in the DHCP logs every 1 minute as DHCPOFFER. I'm guessing this is what's causing the issue? If so, is the resolution to reserve it an IP?

      A DHCPOFFER is an offer that pfSense sends after a DHCPDISCOVER coming from a network client.
      After the DHCPOFFER is received by the client, it will acknowledge with a DHCPREQUEST, which is then granted with a DHCP..... from pfSense.
      In that order.

      No other device on your network should send out a DHCPOFFER. If that happens, you have multiple DHCP servers on your network.

      True, if some stupid device is actually REQUESTING a new lease instead of RENEWing it, then consider that device as pretty broken.
      Assign it a static DHCP lease (at least) or a classic static IP/gateway/mask/DNS, or throw it out of the window (at best).

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

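Gertjan's description of the DISCOVER/OFFER/REQUEST/ACK order is exactly what lets you find the broken client in the DHCP log. The script below is an added example, not code from this thread or from pfSense: it parses ISC dhcpd-style syslog lines (the embedded sample is constructed and modelled on that format; pfSense releases that ship Kea log differently) and flags two things a practitioner would look for: MACs that send a fresh DHCPDISCOVER sooner than half a lease after their previous one (a healthy client renews with DHCPREQUEST at T1 and never DISCOVERs while it holds a valid lease), and DHCPOFFERs the client never answered with a DHCPREQUEST, which is what "DHCPOFFER every minute" looks like from the server side. The 2-hour lease, the sample lines and the function names are assumptions.

```python
"""Find misbehaving DHCP clients in ISC dhcpd-style log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime

LEASE_SECONDS = 2 * 3600  # the thread's original 2-hour lease (assumption)

# Constructed sample, modelled on ISC dhcpd syslog output. Not real log data.
SAMPLE_LOG = """\
Jan 10 10:00:00 pfSense dhcpd[1234]: DHCPDISCOVER from 00:11:22:33:44:55 via igb1
Jan 10 10:00:00 pfSense dhcpd[1234]: DHCPOFFER on 192.168.1.50 to 00:11:22:33:44:55 (laptop) via igb1
Jan 10 10:00:00 pfSense dhcpd[1234]: DHCPREQUEST for 192.168.1.50 (192.168.1.1) from 00:11:22:33:44:55 (laptop) via igb1
Jan 10 10:00:00 pfSense dhcpd[1234]: DHCPACK on 192.168.1.50 to 00:11:22:33:44:55 (laptop) via igb1
Jan 10 10:01:00 pfSense dhcpd[1234]: DHCPDISCOVER from aa:bb:cc:dd:ee:ff via igb1
Jan 10 10:01:00 pfSense dhcpd[1234]: DHCPOFFER on 192.168.1.77 to aa:bb:cc:dd:ee:ff via igb1
Jan 10 10:02:00 pfSense dhcpd[1234]: DHCPDISCOVER from aa:bb:cc:dd:ee:ff via igb1
Jan 10 10:02:00 pfSense dhcpd[1234]: DHCPOFFER on 192.168.1.77 to aa:bb:cc:dd:ee:ff via igb1
Jan 10 10:03:00 pfSense dhcpd[1234]: DHCPDISCOVER from aa:bb:cc:dd:ee:ff via igb1
Jan 10 10:03:00 pfSense dhcpd[1234]: DHCPOFFER on 192.168.1.77 to aa:bb:cc:dd:ee:ff via igb1
Jan 10 11:00:00 pfSense dhcpd[1234]: DHCPREQUEST for 192.168.1.50 from 00:11:22:33:44:55 (laptop) via igb1
Jan 10 11:00:00 pfSense dhcpd[1234]: DHCPACK on 192.168.1.50 to 00:11:22:33:44:55 (laptop) via igb1
"""

# syslog timestamp, anything up to the message type, then the client MAC after "from"/"to"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?(?P<type>DHCP[A-Z]+) .*?"
    r"\b(?:from|to) (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def parse_events(log_text):
    """Return [(timestamp, message_type, mac)] in log order for lines that match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a client/server exchange line
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog carries no year
        events.append((ts, m["type"], m["mac"].lower()))
    return events


def rapid_rediscovery(events, threshold=LEASE_SECONDS // 2):
    """MACs that DISCOVER again sooner than `threshold` seconds after their last
    DISCOVER. Returns {mac: shortest gap in seconds}. A client with a valid lease
    renews via REQUEST at T1 (half the lease), so this should be empty."""
    last_seen = {}
    shortest = {}
    for ts, kind, mac in events:
        if kind != "DHCPDISCOVER":
            continue
        if mac in last_seen:
            gap = (ts - last_seen[mac]).total_seconds()
            if gap < threshold:
                shortest[mac] = min(gap, shortest.get(mac, gap))
        last_seen[mac] = ts
    return shortest


def ignored_offers(events):
    """Count OFFERs per MAC that were not answered with a REQUEST before the client
    DISCOVERed again or the log ended. The server repeating an OFFER every minute
    means the client keeps discarding it, not that the server is at fault."""
    pending = defaultdict(bool)
    ignored = defaultdict(int)
    for _ts, kind, mac in events:
        if kind == "DHCPOFFER":
            pending[mac] = True
        elif kind == "DHCPREQUEST":
            pending[mac] = False
        elif kind == "DHCPDISCOVER" and pending[mac]:
            ignored[mac] += 1
            pending[mac] = False
    for mac, still_open in pending.items():
        if still_open:
            ignored[mac] += 1
    return dict(ignored)


def report(log_text):
    """Both findings for one log blob, keyed by check name."""
    events = parse_events(log_text)
    return {
        "rapid_rediscovery": rapid_rediscovery(events),
        "ignored_offers": ignored_offers(events),
    }


if __name__ == "__main__":
    for check, findings in report(SAMPLE_LOG).items():
        print(check)
        for mac, value in findings.items():
            print(f"  {mac}: {value}")
```

Point it at an exported DHCP log instead of `SAMPLE_LOG` and the MACs it reports are the ones to give a static mapping, power-cycle, or, as Gertjan puts it, throw out of the window; a MAC that only appears under `ignored_offers` while another server's OFFER is winning the race is your hint to sniff for a second DHCP server, which the pfSense log alone cannot show.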
      • WannabeMKII

        So the device in question was communicating every minute! So I power cycled it and now it's behaving. I've also increased my lease time from 2 hours to 6 hours to limit the DHCP traffic, as it's quite a settled environment, especially at the moment! I may eventually increase it to 12 or even 24 hours...

        Thanks again, I'll be back if I have any further issues, fingers crossed it's not soon! 😉

        • JeGr LAYER 8 Moderator

          If you absolutely need a client by name, reserve it an IP so its name will be known to unbound anyway, and remove the setting that lets every dumb client try to get its name into the DNS resolver - that will stop the endless restart orgy. Also, your DNS cache gets lost every time that happens, so not only is it restarting, it is getting slow every time it does. That's why you disable that option, and if you really need a client to be known by its name (why should you?), get it a reservation via the DHCP server. That is loaded into unbound by default - so no restarting after a DHCP registration. Also, don't do that for OVPN clients. For obvious reasons :)

          Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

          If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

          • WannabeMKII

            @JeGr said in Correct pfBlockerNG Set Up?:

            If you absolutely need a client by name, reserve it an IP so its name will be known to unbound anyway, and remove the setting that lets every dumb client try to get its name into the DNS resolver - that will stop the endless restart orgy. Also, your DNS cache gets lost every time that happens, so not only is it restarting, it is getting slow every time it does. That's why you disable that option, and if you really need a client to be known by its name (why should you?), get it a reservation via the DHCP server. That is loaded into unbound by default - so no restarting after a DHCP registration. Also, don't do that for OVPN clients. For obvious reasons :)

            Superb advice! I've made the relevant changes and all seems well so far and nice and responsive, appreciated!

            • WannabeMKII

              Actually, a quick question on this - Is there a way to add a client name to the resolver without adding an IP reservation and using just the MAC address? It's just useful when looking at the logs to have a meaningful hostname, or in some cases, just a hostname at all!

              Many thanks.

              • Gertjan @WannabeMKII

                @WannabeMKII said in Correct pfBlockerNG Set Up?:

                to add a client name to the resolver without adding an IP reservation

                There was a thread some time ago that asked for this.

                Basically, you're asking to have the device name entered in the DNS cache when it's DHCP-ing - before that it isn't possible: the IP isn't known.
                You do understand that the DNS (unbound) has to be restarted to be aware of it, right ;)

                If your trusted devices network isn't that big, you static-MAC all IPs (devices). This also gives you a nicely formatted list with all your equipment on a page, known even when they are not powered on or available.
                Other, more visitor like devices and untrusted devices should be put on a separate network.


                • WannabeMKII

                  Thanks for the response.

                  50% of my network has reserved IPs anyway and other stuff is on a separate VLAN; it's just to keep things looking nice. But it's all working fine as it is, it was just a thought.

                  Many thanks once again!

                  • JeGr LAYER 8 Moderator

                    @WannabeMKII said in Correct pfBlockerNG Set Up?:

                    Actually, a quick question on this - Is there a way to add a client name to the resolver without adding an IP reservation and using just the MAC address? It's just useful when looking at the logs to have a meaningful hostname, or in some cases, just a hostname at all!

                    Of course, just use the host override section of the DNS resolver.


                    • WannabeMKII @JeGr

                      @JeGr said in Correct pfBlockerNG Set Up?:

                      @WannabeMKII said in Correct pfBlockerNG Set Up?:

                      Actually, a quick question on this - Is there a way to add a client name to the resolver without adding an IP reservation and using just the MAC address? It's just useful when looking at the logs to have a meaningful hostname, or in some cases, just a hostname at all!

                      Of course, just use the host override section of the DNS resolver.

                      I did look at that, but that also needs static IP's to work unless I'm misunderstanding it?

                      • Gertjan

                        That's what DNS is all about.
                        Throw in a host name, and get out an IP.
                        So, yes, these two should be known.


                        • JeGr LAYER 8 Moderator @WannabeMKII

                          @WannabeMKII said in Correct pfBlockerNG Set Up?:

                          Actually, a quick question on this - Is there a way to add a client name to the resolver without adding an IP reservation and using just the MAC address? It's just useful when looking at the logs to have a meaningful hostname, or in some cases, just a hostname at all!

                          Ah, I didn't read the "MAC address" part. But why? If you want a specific client (MAC) to have a name, give it a static or DHCP-reserved IP. Simple as that. Otherwise, no, you can't map MACs to DNS; that makes no sense as both are on different layers (MACs are on layer 2, IP is layer 3).


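JeGr's two answers (a static DHCP mapping gets a name into unbound without the restart that dynamic registration causes; a host override or a mapping needs an IP, and a MAC alone cannot be mapped into DNS) come down to what a DNS record can hold. The generator below is an added example, not pfSense's own code: it takes a constructed static-mapping table of (MAC, IP, hostname) rows, validates each row, and emits the unbound `local-data` / `local-data-ptr` directives that give those hosts forward and reverse names. The MAC is only the key that ties a client to its reserved IP; it never appears in the DNS data, which is the layer-2 versus layer-3 point made above. The domain `home.arpa`, the sample table and the function names are assumptions, and pfSense's generated configuration may be laid out differently.

```python
"""Static DHCP mappings -> unbound local-data directives (added example, not pfSense code)."""
import ipaddress
import re

DOMAIN = "home.arpa"  # assumed local domain

# Lower-case colon-separated MAC; hostname label per RFC 1123 (1-63 chars, no edge hyphen)
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Constructed static-mapping table, the kind of rows entered in the DHCP server's
# static mappings. Not taken from the thread.
STATIC_MAPPINGS = [
    ("00:11:22:33:44:55", "192.168.1.50", "laptop"),
    ("AA:BB:CC:DD:EE:FF", "192.168.1.77", "Camera-Garden"),
    ("de:ad:be:ef:00:01", "fd00:1::78", "nas"),
]


def validate_mapping(mac, ip, host):
    """Normalise one row and reject anything unbound would refuse or that would
    make the records ambiguous. Returns (mac, ip_address, host)."""
    mac = mac.lower()
    host = host.lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address: {mac!r}")
    addr = ipaddress.ip_address(ip)  # raises ValueError on garbage
    if not LABEL_RE.match(host):
        raise ValueError(f"hostname {host!r} is not a valid DNS label")
    return mac, addr, host


def unbound_local_data(mappings, domain=DOMAIN):
    """Emit unbound directives for a list of (mac, ip, hostname) static mappings.

    Each host gets a forward record (A or AAAA) and a reverse record (local-data-ptr).
    Duplicate IPs or names are rejected: two names on one IP would make the PTR
    answer arbitrary, and two IPs on one name defeats the point of a reservation.
    The MAC is validated but deliberately never written out: DNS has no place for it.
    """
    lines = []
    seen_ips, seen_hosts = set(), set()
    for raw_mac, raw_ip, raw_host in mappings:
        _mac, addr, host = validate_mapping(raw_mac, raw_ip, raw_host)
        if addr in seen_ips:
            raise ValueError(f"IP {addr} is reserved twice")
        if host in seen_hosts:
            raise ValueError(f"hostname {host} is used twice")
        seen_ips.add(addr)
        seen_hosts.add(host)
        fqdn = f"{host}.{domain}."
        rrtype = "AAAA" if addr.version == 6 else "A"
        lines.append(f'local-data: "{fqdn} {rrtype} {addr}"')
        lines.append(f'local-data-ptr: "{addr} {fqdn}"')
    return lines


if __name__ == "__main__":
    print("\n".join(unbound_local_data(STATIC_MAPPINGS)))
```

Because the output is derived from the reservation table rather than from whatever name a client puts in its DHCP request, it only changes when you edit the table, which is why a static mapping does not trigger the per-lease unbound restarts that dynamic registration does.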
                          • Gertjan

                            Added to that, "names" = host names exist for humans.
                            DNS exists so that all these names are converted to IPs, something that devices can actually use.
                            You could throw away all host names.

                            Try visiting https://[2610:160:11:18::199]/ or https://208.123.73.199/ - your browser will yell at you because the cert of that web site doesn't have 2610:160:11:18::199 or 208.123.73.199 in its ALT DNS list, so for the sake of testing, just override the warning, accept it, and you'll see ...... this forum. Without using names (URLs).

                            Edit: when you see these browser certificate warnings, inspect the cert. Drill down to the cert info list, and you will find:

                            [image: screenshot of the certificate details]

                            so you know that you are connected to netgate.com or any sub domain of that site - forum.netgate.com in this example.

                            @WannabeMKII: when you call someone, do you enter his name, or his phone number?
                            => Well, you use your contact list, a sort of DNS lookup, to have the phone select the corresponding phone number. The phone circuit isn't aware of 'names'. Just numbers. Setting up a contact list without phone numbers ... that's .... not useful.


                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.