• I'm struggling to configure my new SG-4860's DNS settings.  I have no issues with the Verizon FIOS router in place between my laptop and the ONT, but when I swap in the pfsense box I can't get DNS working right.

    What's strange is when I set the optional gateway on the DNS, I'm able to get some domains to resolve (i.e. google.com works, but yahoo.com doesn't).  I've tested with both Google DNS and my ISP's DNS.  I've spoofed the MAC of the Verizon router, tried those checkboxes in the DNS settings, tried restarting everything, turning off the DNS Resolver as well, updating to the latest version …all to no avail.  Without setting the optional gateway, I can't even ping - it times out.

    ...any ideas?

  • Have you contacted your ISP about this? It may be that they've got a filter in place somewhere which might prohibit your PFS from making a valid connection.

  • Yes, FIOS business doesn't have any restrictions on 3rd party devices.  Note also, that connecting my laptop directly to the ONT also has no issues.

    I'm at a loss…

  • LAYER 8 Global Moderator

    So connecting your laptop to the ONT gets you what for an IP, and where does the client point for DNS?  Or are you plugging your laptop into a "router" that does what exactly for DNS?  Forwards to your ISP, uses  What does this router get for its WAN and LAN?  And then you're replacing this router with pfSense, or putting pfSense behind this router?

    What exactly are you doing with the optional gateway? You state you cannot even ping without doing what exactly?

    Troubleshooting DNS is pretty straightforward.  But we need some details.  Are you using the forwarder (dnsmasq) or resolver (unbound), in default resolver mode or forwarder mode?  What are your settings for pfSense to use what for DNS?  In resolver mode pfSense should point to itself and that is it!!  You should then be able to go to Diag > DNS Lookup and look up stuff.  Does this work or not?

    Your first lookup for something might be longer than your second lookup for the same record, because the first time you look up something the resolver has to walk down from the roots and talk to the authoritative servers directly.  After that, for the length of the TTL, it's going to be very quick because you're just going to pull it from cache.

    If you're having problems looking up specific domains in this setup, it could be you have an issue with connectivity to their authoritative servers, it could be they are down, it could be their DNSSEC is broken?  Doing direct queries to the servers in question from your client with your fav DNS query tool would help you determine the root issue.  dig is a fav of mine, or you could use drill or nslookup or host, etc.  Lots of different tools for doing direct queries to any name server you want, etc.
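    A minimal direct-query tool in the spirit of the dig/drill step above, added here as an example and not code from the thread or from pfSense: it builds a raw A-record query, sends it straight to whichever server address you choose, and decodes the reply's RCODE and answers. It assumes plain UDP/53 and reports a timeout as its own outcome, since that is what an upstream port-53 block looks like; the sample reply is constructed, not captured.

    ```python
    import socket, struct
    RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
    # Constructed sample reply (not captured traffic): NOERROR, one A record 192.0.2.1
    SAMPLE_OK = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                 b"\x07example\x03com\x00\x00\x01\x00\x01"
                 b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x01")

    def build_query(name, txid=0x1234):
        # 12-byte header: id, flags (only RD set), qdcount=1, an/ns/arcount=0
        header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
        labels = name.rstrip(".").split(".")
        qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
        return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

    def read_name(data, off):
        # Decode a wire-format name; a 0xC0xx compression pointer ends the name.
        parts = []
        while data[off] & 0xC0 != 0xC0 and data[off] != 0:
            n = data[off]
            parts.append(data[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
        if data[off] == 0:
            return ".".join(parts), off + 1
        ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
        return ".".join(parts + [read_name(data, ptr)[0]]), off + 2

    def parse_response(data):
        # Return the RCODE name and the A-record addresses from the answer section.
        flags, qd, an = struct.unpack("!HHH", data[2:8])
        off, addrs = 12, []
        for _ in range(qd):                    # skip echoed question(s): name + type + class
            off = read_name(data, off)[1] + 4
        for _ in range(an):
            off = read_name(data, off)[1]
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
            off += 10
            if rtype == 1 and rdlen == 4:      # A record
                addrs.append(".".join(str(b) for b in data[off:off + 4]))
            off += rdlen
        return {"rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "addrs": addrs}

    def query(server, name, timeout=2.0):
        # One direct UDP/53 query; a timeout is what an upstream port-53 block looks like.
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name), (server, 53))
            try:
                return parse_response(s.recvfrom(4096)[0])
            except socket.timeout:
                return {"rcode": "TIMEOUT", "addrs": []}
    ```

    Running query() against your ISP's resolver and then against an outside one (for example 8.8.8.8) from the same client shows at once whether the outside path times out while the ISP's answers.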

  • I fixed the issue.

    Combination of things… 1. FIOS blocks all non-Verizon DNS (infuriating), 2. My subnet mask CIDR notation was wrong, 3. I did a factory reset to clear "all the various settings" I changed to try to solve #1 + #2.

    Minor recommendation: the MAC address validation should be case-insensitive - spent way too long on that one :)

  • LAYER 8 Global Moderator

    Yeah I would really really complain about #1..  Why would they force you to use their nameservers??  That is just plain - I will find a new ISP sort of restriction!!!

  • Rebel Alliance Developer Netgate

        Yeah I would really really complain about #1..  Why would they force you to use their nameservers??  That is just plain - I will find a new ISP sort of restriction!!!

    The authoritarian & business reason: Because they can, and they probably have "helpful" things like redirecting to a search page instead of giving an NXDOMAIN response, and naturally they sell ad space on said search page.

    The reason they might actually admit to: To stop their network from being used for DNS amplification attacks and maybe some other wishy-washy handwavy "user experience" mumbo jumbo.