Netgate 4200 - connection problems / DNS Resolver

johndoe102 · Mar 29, 2025, 8:09 PM

Hello here,
the title is a bit misleading, but I really didn't find a better one.

To be honest , slowly I am tired of using this device (Netgate 4200). I had previously Netgate 2100 and I had no issues at all. I also cannot say if it is hardware or software, that is causing so many problems I have.

Here is the problem (not the only one with this device/software).

Very often (not each time) I cannot go outside to the public internet.

So I am switching my PC on and trying to call any of the web sides in the web browser, but I cannot. I can reach pfsense GUI , but no DNS resolution works either from my PC nor directly from pfsense. So e.g. "ping google.com" doesn't work neither from my PC nor from pfsense box. Every time this problems occur, I need to restart either "unbound DNS Resolver" from the pfsense dashboard or my PC... then it works.

Here is my setup:

My PC is directly connected to igc1 (this LAN2 with local IP 192.168.2.2) - I assume some of you will write , that I should place a switch in between and connect my PC thru the switch and not directly to the pfsense, but hey, this is also a switch on Netgate device , so why I cannot do this ?
I am using quad9 as DNS - everything is setup as described on quad9 page -> https://docs.quad9.net/Setup_Guides/Open-Source_Routers/pfSense_%28Encrypted%29/

I am also attaching the pfsense.log. As you can see from the log I switched my PC at Mar 29 20:15:48 on.

best regards
Tom

pfsense_general_log.txt

JonathanLee · Mar 29, 2025, 8:25 PM

What are your DNS port rules in terms of interface ACLs ?

Did you create a NAT rule for DNS?

Can you screenshot your rules for the interface that has issues?

What packages are you using?

Do you see the DNS listed when you look at status?

SteveITS · Mar 29, 2025, 8:44 PM

@johndoe102 The 4200 doesn’t have a switch built in. Powering off your PC will cause pfSense to detect the interface disconnect/reconnect and restart packages/services.

Do you have DNSSEC disabled since you are forwarding? It’s in the doc, but often missed.

Are you registering hostnames in DHVP? That restarts ISC DHCP server at each lease renewal.

johndoe102 · Mar 29, 2025, 11:11 PM

@SteveITS

Do you have DNSSEC disabled since you are forwarding? It’s in the doc, but often missed. -> Yes I do.

Are you registering hostnames in DHVP?. -> I am not aware about DHVP ... I am not using it. I didn't setup it ... at least not me. If there is something setup out-of-the-box then I am not aware about that.

The only thing I do is , that for all clients in my home network I am using static IPs based on MAC and for all clients I do create ARP table static entries.

best regards
Tom

johndoe102 · Mar 30, 2025, 5:30 AM

@JonathanLee
Hello,

Did you create a NAT rule for DNS? -> No.

Can you screenshot your rules for the interface that has issues?

What packages are you using?

SteveITS · Mar 29, 2025, 11:54 PM

@johndoe102 DHCP, typo

patient0 · Mar 30, 2025, 5:30 AM

@johndoe102 I know it is boring but please add a switch between pfSense and your PC on LAN2 (the 4200 does not have a built-in switch, in contrast to the 2100).

The log shows LAN2/opt2/igc1 going up/down a few times in half a minute or so. That triggers a whole lot of scripts each time, wan restart is one of them. Removes and adds the gateway and so on.

patient0 · Mar 30, 2025, 5:35 AM

This post is deleted!