Yeah, that makes sense now. Windows is appending the DNS suffix search list on all look ups. In my case, it is syndicate.com.  I have corrected it by editing the DNS settings on the network card to Append DNS suffixes in order, starting with "." and then "syndicate.com"  No issues now.  Much Thanks

IF you have this port forward in place:  EXT-63.21.91.64 (http)  –  INT-10.0.0.7 (http) then 10.0.0.7 is your web server. Apparently you have the port forwarding to the IP of your pfSense which complains about it. Sorry we're only programing engineers … not network engineers... our boss and network guy are away on business and won't be returning for another 6 weeks... We have our web service port forwarded.. E.G - 243.564.234.23:20000 we can access this from outside our network now with no issue, we're struggling to make this accessible from our domain name.  can you do a runthrough please.

@ast: @JKnott: They will still be able to access the Internet if an address within the subnet is manually configured.  You could set up pfSense so only authorized addresses are allowed. By authorized addresses allowed, you mean via static arp or static ip? You can configure the DHCP server to assign a specific IP address to a MAC address.  If you also only allow those MACs, then no other computer will obtain an IP address via DHCP.  You can then set the firewall rules to allow only those IP addresses assigned via DHCP.  So, if someone tries to manually assign an IP address outside of the allowed range, then it won't make it past the firewall.  If they try to assign one within, then you'll have an address conflict, which can be detected.

@NogBadTheBad: Clients on your network using a VPN / Proxy external ? If the above is true then no. Yes, VPN app like Ultrasurf.  I noticed during my tesitng, that ultrasurf running on Chrome on Mac OSX can't seem to connect, but Ultrasurf on Android can.

@ChefRayB: That means the earlier suggestion of reinderien of bridging the interfaces together won't work because you can only have 1 DHCP per bridged interfaces ? You can certainly have more than one DHCP server and that's often done for redundancy.  However, expecting a DHCP server to know whether you want to use it will not work.  When a device makes a DHCP request, any server can respond and generally the first response is used.

OK. Well that's good to know. I would propose that this is "surprising" behaviour, and at the least, an option should be introduced to the UI such as "Add entry in DNS to resolve router hostname". This is a common-enough problem, I'm sure, that it would be a useful feature.

Thanks for your reply. I was able to find more inf on route-to and reply-to in openbsd pf doc thena pfsense. https://www.openbsd.org/faq/pf/pools.html route-to wasn't in the pfsense pdf at all. If something isn't in the doc is there a reason and if thee a known place to go. Also there is an openbsd pf book. Would it be worth it to buy that for pfsense additional doc

Kpa, you're right.  My memory must have been stuck on an older version that didn't support it. Nevertheless, the solution I presented also takes into account devices and applications that make DNS requests to hard-coded DNS servers, irrespective of the DHCP option values, thus "leaking" information outside the VPN tunnel.  It is also a great way to make DNS work even if someone has statically configured their DNS servers.  MACs have been known to now properly update DNS settings when moving from one WLAN to another.

Ahh, I see the usefulness of that now.  It will stay.

heheh no fine.. I really don't see anything wrong here. Your traceroute from your sg1000 shows it going to your isp router 10.0.1.1 The response times seem a bit high for a lan 1  10.0.1.1  3.447 ms  8.987 ms  9.197 ms here tracert -d 8.8.8.8 Tracing route to 8.8.8.8 over a maximum of 30 hops 1    <1 ms    <1 ms    <1 ms  192.168.9.253   2    11 ms    11 ms    9 ms  96.120.24.113 See the 1st hop, my pfsense box.. This is from a VM, so it bit more sluggish user@ubuntu:~$ traceroute -n 8.8.8.8 traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets 1  192.168.9.253  1.090 ms  1.297 ms  1.286 ms 2  96.120.24.113  11.292 ms  18.049 ms  16.522 ms 3  162.151.90.117  17.445 ms  17.726 ms  18.584 ms still right around the 1ms range. Pinging ntp or anything for that matter on the internet might or might not return an answer.. Many will not answer ping..  So that is nothing odd in itself.. Since you were pinging 2 different IPs there doesn't tell you anything.  If you pinged the same and from your host it responded, but sg1000 did not get a response then something to look into. All you can validate from the sg1000 side via a sniff is its actually sending the ntp query to your gateway.. If so and you don't get an answer then its something else upstream from the sg1000.

It's in the port-forward under 'NAT reflection'. If you use pure NAT, go to system/advanced/Firewall & NAT and check the box to enable automatic OB NAT for Reflection. You probably shouldn't be hosting your public zone, but that is another discussion.

@jimp: We don't normally seek out random DNS providers to add on a whim. Dude, Jim!!  Come on what kind of fly by night outfit.. Figured you guys would be burning the midnight oil seeking out every last ddns provider on the planet and adding them… And if they didn't have an api you could use - would be writing that for them so you could add them ;)

If you truly want to force all devices on the network to use whatever DNS servers you set in pfSense, make sure you force all DNS requests from clients to pfSense using this guide: https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense

Hi! I know this is an old post already, but were you able to use and benefit from ARP binding? ast @ericnix: What is the benefit of ARP binding?  I see it as an option when setting up reserved IP address (MAC:IP binding).

Thanks for the advice!  Will try this out. @awebster: The DHCP server requires that the "reservations" by outside the pool of dynamically assigned addresses. Setup your DHCP pool to cover 192.168.2.10 thru 99 for example, and then you can assign static (reserved) addresses starting at 192.168.2.100 and above.

Aah yea that's true, forgot that he is using Verison forwarders….

Thank you awebster and Johnpoz…you rock!