• How to use pfSense's DHCP Server within a vSphere/ESXi internal network?

    0 Votes
    11 Posts
    5k Views
    Are you planning on doing upwards of 50K packets per second? If so, ok, then maybe you need to save some cpu cycles and throw out all the benefits of just letting esxi handle the nics and give your vms virtual nics. To be honest, if you were setting up a network that would come close to moving that many packets over a vm infrastructure you sure as hell would not be buying your nics on ebay for $40, nor would you be here asking questions ;) If you were, you got promoted into the wrong job or lied like crazy on your resume and are not going to last in your position for more than a couple of weeks ;) hehehe

    No I don't, this is just for my home network. I've also never really worked with ESXi before that much, so I'm pretty much a newbie mostly. I've used Proxmox before, but when I decided to set up my own router with pfSense I thought I'd switch to ESXi because I thought a baremetal hypervisor would feel better, which it does, no more annoying kernel updates. There is obviously a lot I have to learn now. ;D But I'm doing it to learn something and it's a fun hobby for me. I'm not employed as a network admin of course, I'm just a software developer. :D

    As to more nics - it is a good thing. Well worth a $40 cost. I would suggest you break out your vmkern to its own nic. This will for sure give you a performance increase moving files to and from your datastore from your physical network. Having more nics allows you to create more networks and not have to vlan and hairpin connections, which allows you better performance, etc. I have 4 physical nics in mine, I would much rather have a couple more. You see my wlan vswitch is doing vlan tagging all sharing the same physical nic. If I had more I could break those out to their own physical nics. Prob not all that big of a deal because that traffic is mostly wifi. But makes for simpler setup and for sure no hairpins, etc.
Yeah I've also thought about using the NIC for more networks, I wanna separate my WiFi and the devices in my living room, so I'll do that. For now I've disabled DirectPath for all the NICs and I'm now using a similar configuration like yours, it works and the speed is fine so I'm happy with that result, thanks for your help and patience! :)
  • DHCP bypasses Firewall Rules?

    0 Votes
    9 Posts
    2k Views
    JKnott
    ^^^^ As mentioned earlier, UDP is used, unless the response is greater than 512 bytes. When that happens, the server returns truncated info, with the truncation bit set. At this point, the client will request via TCP. The client does not start with TCP. It must start with UDP. Exchanging zone records, between servers, always uses TCP, but that wouldn't likely be a concern for a home user.
  • Looking for help setting up DNS

    0 Votes
    13 Posts
    2k Views
    Thanks.  I'm going to rebuild my pfSense box and set up my rules all over again from scratch.  Hopefully whatever strange problem I created the first time will mysteriously vanish when I redo everything.
  • Static Arp table entry - No network access on virtual machines

    0 Votes
    4 Posts
    1k Views
    Ok, you were right the problem showed itself in the ARP table. This must be a bug with parallels macos compatibility update. The software reports a unique mac address but all pfsense is seeing is 2 nics using the hardware mac instead of one hardware mac and one virtualized one. If I was using some generic crap router I would have never seen that, lol.
  • 2.3.2-p1 - custom dnsmasq.conf no longer being used

    0 Votes
    3 Posts
    1k Views
    @s0dhi: So, I applied the update without catching that the following would have a big impact to my configuration: Added "-C /dev/null" to the dnsmasq command line parameters to avoid it picking up an incorrect default configuration which would override our options. I use dnsmasq extensively (for ad and malware blocking) and it appears that the dnsmasq.conf file I place in /usr/local/etc is no longer getting picked up. Is there a way I can get it to start using my custom conf file again? Any help appreciated.

    All you have to do is edit /etc/inc/services.inc and search for the dnsmasq entry in that file and remove the "-C /dev/null" part of that line (without the quotes of course). Then save the file and restart the dnsmasq service. This freaked me out as well and took me a few minutes to understand that they changed things which broke my simple yet effective (meaning very fast) adblocking routine. Hope this helps you too!
  • Resolve hosts from second PFSense box?

    0 Votes
    10 Posts
    1k Views
    johnpoz
    yeah if you add the other domain to the search list then a client could just look for host..  It would auto add sitea.domain.tld and siteb.domain.tld, when it asks for sitea.domain.tld it would get back nx, sorry no host here by that name, then when ask for hostb.siteb.domain.tld he would say oh I don't have anyone here by that name, but let me go ask this guy - hey guy you have a host.siteb.domain.tld
  • PFsense fails to reply to ARP request

    0 Votes
    29 Posts
    11k Views
    Derelict
    You are seeing traffic from link-local addresses (169.254.0.0/16). Looks like clients are failing to get DHCP on LAN for some reason. Hard to tell from that. What's in the DHCP logs?
  • [DHCP problem] on external access point

    0 Votes
    6 Posts
    4k Views
    johnpoz
    This thread is from 2014… The OP never came back..  So have no idea what his actual problem was. Vs necro such an old thread, why don't you start a new one giving YOUR details.
  • How to set PUBLIC dns server for wan and secure dns server for openvpn

    0 Votes
    2 Posts
    2k Views
    I guess one option for me to do is use the fastest 2 DNS servers 1 and 2  in DNS server settings for WAN and use 209.222.18.218 for PIAVPN1 and use 209.222.18.222 for PIAVPN2 where PIAVPN1 and PIAVPN2 are the two openVPN clients actively connected. and uncheck the DNS server list override. not sure if this is correct, but just a thought. ashish
  • Strange resolver problem

    0 Votes
    7 Posts
    1k Views
    Well, I was coming from a previous (2.1) pfsense version and didn't have the time to review all changes in detail. Anyway you guys are right, thanks. Rubén.
  • DNS Forward not working for AD domain through VPN (solved)

    0 Votes
    5 Posts
    2k Views
    dotdash
    You might be able to modify the subject to add (solved). Glad to be of help.
  • DHCP on new VLAN with Cisco switch not working.

    0 Votes
    3 Posts
    1k Views
    My mistake when pruning the information. Pasted VLAN from wrong log. Here's the proper relevant config:

        VLAN Name                             Status    Ports
        ---- -------------------------------- --------- -------------------------------
        1    default                          active    Gi1/0/3
        2    VLAN0002                         active    Gi1/0/2

        interface GigabitEthernet1/0/1
         switchport mode trunk
        interface GigabitEthernet1/0/2
         switchport access vlan 2
         switchport mode access
        interface GigabitEthernet1/0/3
         switchport mode access
  • PFsense DNS Resolver unable to parse

    0 Votes
    2 Posts
    805 Views
    Anyone?
  • Resolver issue, not sure how to diagnose

    0 Votes
    3 Posts
    660 Views
    @KOM: This perhaps? http://arstechnica.com/security/2016/10/dos-attack-on-major-dns-provider-brings-internet-to-morning-crawl/ Perhaps, yes! It makes a lot of sense.
  • DHCP VLANs

    0 Votes
    5 Posts
    2k Views
    Have updated my diagram .. still ignore Red lines - as they are not active yet - will abandon blue trunks for Red in some cases - think there are some Buildings that will also be daisy chain Trunks as well back to core…. [image: network-design-2.jpg] so the rules I have look like this: [image: rules-student-02.jpg] [image: rules-lab-02.jpg] [image: rules-lan-02.jpg] DNS Rule wasn't thought out… should simply use VLAN gateway as DNS - was giving LAN IP for dns - that will be fixed, then remove the dns allow rule. To block VLAN20 & 100 from being able to access the Firewall GUI I should be able to add a simple port block to their respective gateways on PF, correct?
  • DNS Resolver ignores DHCP domain

    0 Votes
    6 Posts
    2k Views
    johnpoz
    If you really want them to use different domains.. You could setup reservations for dhcp and set their domains to be different that way. To me if they are on my network and connecting to my pfsense, then they are all part of my network ;) Don't really see the need for subdomain or different domains. Now saying that I did setup subdomains for my pfsense different IPs.. So for example:

        user@ubuntu:~$ dig -x 192.168.2.253 +short
        pfsense.wlan.local.lan.
        user@ubuntu:~$ dig -x 192.168.3.253 +short
        pfsense.dmz.local.lan.
        user@ubuntu:~$ dig -x 192.168.4.253 +short
        pfsense.wlanpsk.local.lan.

    Which I can query real quick to remind me which network is which vlan ;) hehehe
  • I can not download

    0 Votes
    2 Posts
    634 Views
    KOM
    If you can ping from the 172 network but can't do much else, that usually means a DNS problem.  Can you resolve any hostnames from a client on that network?
  • Dnsmasq address= directive failing for some long subdomains

    0 Votes
    1 Posts
    462 Views
    No one has replied
  • DNS Resolver Question

    0 Votes
    12 Posts
    2k Views
    @johnpoz: What?? No, a vpn user would use the IP address of pfsense as its dns.. Just like your dhcp clients use the pfsense IP address in that network. Set your openvpn to hand out, say, your lan IP of pfsense. If you had a client 127.0.0.1… It's just going to try and ask itself.. That's not going to work, unless it's running a resolver of its own ;)

    I see, thanks.
  • Duplicate relayed unicast DHCP requests

    0 Votes
    1 Posts
    774 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.