•

    SOLVED - I figured out my problem. It was caused by this setting below (Static ARP under the DHCP Server configuration for the interface), which I had enabled on the interface because I interpreted it incorrectly. It essentially took precedence over any and all allow rules configured for the OPT2 interface, and prevented any host without a statically assigned DHCP address from communicating with the interface even though the host received the dynamic DHCP assignment from the OPT2 interface. I hope this saves other folks time and headache.

    As explained in docs.netgate[.]com

  •

    Followed the full reset instructions on the linked page, reinstalled squid - back in business.

    Thanks for the help @stephenw10!

  • DNS hostname for dynamic IPv6 address

    IPv6
    JKnott

    @JeGr said in DNS hostname for dynamic IPv6 address:

    Newer Hosts tend to use EUI-64 if implemented so are not "predictable" by their MAC address anymore

    Actually, all IPv6 addresses are EUI-64. The host part can be either MAC based, random number or other. With IPv6, the EUI-48 MAC address is converted to EUI-64 by inserting FFFE in the middle and inverting bit 7.

  •
    johnpoz

    If you want

    hostA.domain.tld to return local
    hostB.domain.tld to return public
    hostC.domain.tld to return local

    Then you would have to create host overrides for each specific fqdn that you want to return local.

    Or you can go the other way and do a redirect, and then just create records that point to your public IP for those FQDNs. Depends on how many you have on what side, etc.

  •
    stephenw10

    @jpod2019 said in Can you run DHCP, DNS and NTP on different VIPs?:

    (I’m assuming everything will be done through the LAN interface and VIPs)

    I'm assuming you mean WAN there. 😉
    You can have a single interface and it will be WAN and that's fine. The anti-lockout rule will be applied there instead of LAN in that case.

    If you add a VIP on the WAN all services will listen on it by default so you can add VIPs for NTP and DNS and it will work. DHCP will only run on the interface address though.
    By default DHCP will hand out its own IP for NTP and DNS, so you would need to make sure you set those values in the DHCP setup. Though it would still work fine for anything using DHCP, since those services would also be listening on the interface IP.

    Steve

  •

    Hi Gertjan,
    We forward the logs to a syslog server, and then the relevant ones to a Security Information and Event Management system (SIEM), Splunk-based. So we can always investigate in the syslog server (no log dropped at all), but for our security needs, internal DNS requests are irrelevant and I don't want to pay to index them in Splunk.

  •

    @stephenw10
    I think it is related to the P and C state settings in the BIOS.
    It is possible that I changed one of them and just forgot.
    P-state is the exact one I changed I think.
    It has to be set to its default value (HW_ALL iirc).

    These may help:
    https://www.supermicro.com/support/faqs/faq.cfm?faq=29482
    https://www.thomas-krenn.com/en/wiki/Processor_P-states_and_C-states

  •
    stephenw10

    Yeah you should be able to use either HAProxy or reverse Squid to redirect requests based on the host headers to different internal servers. Or different ports on the same server.

    https://docs.netgate.com/pfsense/en/latest/packages/haproxy-package.html

    https://youtu.be/FJSHMyrd29E

    Steve

  • Setting up DNS *correctly*

    DHCP and DNS
    bwalkco

    @KOM said in Setting up DNS *correctly*:

    enable resolver, disable forwarder, check DNS Query Forwarding and put 1.1.1.1 under System - General Setup - DNS Servers.

    This is the exact configuration I went with. Thank you very much for the help!

  • DNS Local Base Domain

    DHCP and DNS

    @bahsig

    This was the first thing I tried to do and was stumped cause it wouldn't let me.

    Now it just let me.

    Mind blown.

    Thanks!

  •

    Hey all.

    I hate to dig up a long dead thread, but I was wondering if this ever got resolved (other than reinstalling pfSense and restoring from a working config).

    Having a similar issue actually on my machine.
    Little more background: these issues started with an attempted install of a FreeRADIUS package. It was having trouble, giving similar "assigning address" errors (didn't screenshot at the time, apologies). I gave up, thought nothing of it, and removed the FreeRADIUS package, and then my pfBlockerNG DNS blacklist started giving me trouble. I restored to a config that I knew was working, but that also did not solve the problem. I've tried reinstalling pfBlocker, totally deleting the config and setting it up again, rebooting the whole pfSense box, and continue to get the same error.

    I still could reinstall pfSense from scratch, and then restore that config file, but have there been any updates?

  •
    bmeeks

    @bigtfromaz said in DDNS pfSense to Windows AD DNS DHCPv6:

    I am in the software and services business and we have begun running into situations where some client host machines only have IPv6 because their ISPs have run out of IPv4 addresses. That means the only way they can reach my servers is via IPv6. There aren't many and they are non-US but they are important.

    It's probably time for the industry to switch to an IPv6-first stance (Apple and Google seem to be there already). Given the absence of vigorous competition in my area, the ISPs are putting themselves before their customers. I am betting it's a common theme.

    Thanks for the heads-up regarding the lack of fair play by Netflix. It's probably due to the fact that they have restricted distribution rights for content and can't be sure of your location. You could probably work around that with a guest VLAN having no IPv6. Kids are really good at getting and spreading computer viruses. A guest VLAN would help you minimize your risk.

    I am going to see if I can get the addresses registered in a DNS server on the pfSense and replicate to my Windows AD Server. If I write some code that turns out to be useful I'll put it on GitHub and share a link here.

    Yeah, there are several avenues to deal with the IPv6 and Netflix thing, but the kids are only here rarely and I have plenty of IDS/IPS protections for critical stuff. Also, it's only a home network. There are no national defense secrets, Democratic National Committee emails, or documents relating to secret payoffs to porn stars stored here ... LOL.

    And yes, Netflix blocks HE IPv6 blocks for precisely the reason you stated: users without strict morals use those to get around geoip blocks that Netflix has in place to enforce their distribution contracts with content owners.

    I wish all the ISPs of the world would just start supporting IPv6. Unfortunately that appears to be a very slow process. Even some of those that are supporting it are doing so in strange ways. They seem to be doing their darndest to avoid giving out static IPv6 addresses, for instance.

  • Finding devices with hardcoded DNS

    Firewalling
    gniting

    @elvisripley Thank you for that invaluable insight. I was able to make a few tweaks based on your guidance (caused lightbulbs to go off in my head!) and I am now able to see the queries!

  • Block PPPoE WAN IPv6 DNS

    DHCP and DNS

    Solved by enabling "Enable Forwarding Mode"

  •

    @interloper Do you have a guide on how you set up your Google Domains settings for your subdomains? I am trying to figure it out but having a hard time. Here is my open topic on this forum (https://forum.netgate.com/post/830593).

    Thanks

  •

    1- Go to System -> Routing
    2- Click to edit the Gateway
    3- Change the "Data Payload" field from 0 to 1
    4- Save and apply the change
    5- Restart dpinger

    In a similar case, people mentioned they were using only one DNS server, from the provider of the 1st link, so when traffic went out through the second link it failed; so the recommendation should be to use both DNS servers, one from each provider.

    That isn't my scenario, so I can't vouch for its accuracy, but I've seen people mention it and kept this solution saved on my PC for when I need it, hehe... I have been told it worked, but every scenario is different; I hope it solves yours too.

  •
    johnpoz

    yeah you need to create your key ;)

    Simple google for bind dynamic dns should get you going.

    Have not done it in years... But I guess I could fire up BIND in pfSense and do a walkthrough... Pretty busy getting back to work from the holiday, so not sure I'll be able to get to it until later.

  • Intermittently losing DNS

    DHCP and DNS
    Xentrk

    @naskar

    I don't have a good answer for you about enabling DNSSEC when using Cloudflare DoT. The sites that do support DNSSEC are few. I saw something the other day that DNSSEC sites are in the single digit percentage of all sites on the internet. I added the DNSSEC detector add-on on Firefox and I can confirm from my own experience that not too many sites I visit support DNSSEC. With DNSSEC disabled on the DNS Resolver, I still pass all of the DNSSEC tests on these sites:

    https://rootcanary.org/test.html
    http://dnssec.vs.uni-due.de/
    http://en.conn.internet.nl/connection/
    http://0skar.cz/dns/en/

    This thread does shed some light on the topic.

  • Address translation with domain names

    NAT

    Thanks for the quick reply!
    I can't believe it was that easy, I guess I overlooked those settings!