• Split DNS / horizon

    6
    0 Votes
    6 Posts
    2k Views
    C
    @johnpoz: "where a corporate network serves up partly or completely different DNS inside and outside its firewall." That is from the RFC you linked to – so how is it that host overrides does not provide that?? …assuming you also maintain outside another DNS. This was my point. But this detail aside, you're right. I got your point. Clear enough  ;) Let's not waste time with this perhaps stupid debate  :-[
  • Static DHCP Limit

    3
    0 Votes
    3 Posts
    849 Views
    DerelictD
    The problem will be maintaining the static mappings.  I have no doubt it will work, but you will be looking at webgui pages of thousands of entries.  They will take some time to render.  It's really not designed to maintain mapping databases of that size.
  • Resolver

    2
    0 Votes
    2 Posts
    680 Views
    A
    Can it be that the reason I cannot ping a hostname I want to ping is because I am under a VPN connection? I was able to do what I believe I wanted to do through Services>Ping… could ping the hostname instead of the actual Server's IP. Still, I cannot access the OCS Inventory webpage using the hostname, only with the IP, but since I'm with a VPN I really have no idea if that causes all of this.
  • DNS Resolver Config / VLANs

    9
    0 Votes
    9 Posts
    6k Views
    F
    Thanks for the suggestions, the problem was that our LAN-net is getting DHCP and DNS from another DHCP-Server which apparently also changed the DNS-Settings incl. Search-Domains. In conclusion, it was not possible to communicate from VLAN nets to the parent LAN net via hostnames.
  • Invisible dhcp server possible?

    4
    0 Votes
    4 Posts
    1k Views
    C
    @sherkas: I'm not sure how to describe what I'm looking for or how to go about setting it up. I'm in a network where I want to make my personal network invisible to the other network but allow either static only or dhcp upon gateway request…. So what you want is a firewall box (like pfsense) with a WAN interface onto this network, and a LAN behind the firewall which is your "personal invisible network". The pfsense box will do NAT, so anything on the main network (the WAN) will only see the natted traffic. If you want devices on the WAN to see your computers, then you will have to add NATs on the pfsense box, or tell the main WAN router to route an ip network to your pfsense box. I'm guessing that you're in a dorm with lots of crappy Windows laptops, and want to hide your stuff? Does this meet your need?
  • DNS problems with public records containing RFC1918 results

    8
    0 Votes
    8 Posts
    2k Views
    C
    @doktornotor: WTF is this shit? Dude, unless you are running some DNSBL or something in 127/8 range, this crap has nothing to do in public space. WTF. I agree - and I said that in the initial problem statement.  Mostly this forum post is to help anyone else who finds DNS weirdness. Also, I agree that this was a symptom of poor design, rather than a root problem.
  • DNSmasq / resolving between pfSense/DD-WRT over OpenVPN tunnel

    7
    0 Votes
    7 Posts
    3k Views
    J
    @phil.davis: If you do not have full routing paths to/from all of your intranet tunnels… then use DNS Forwarder and specify the local LAN IP address as the Source IP of the Domain Override queries - presumably the remote DNS server will have a good route back to the LAN IP address. I do have routes to all my subnets on both ends of my VPN tunnel.  And what's weird is that if I do a tracert from a host on the 192.168.4.0 network to a host on the 192.168.2.0 network it displays the DNS name of that host.  However if I try to ping by name or do an nslookup it does not work. P.S.  I'm no longer using DD-WRT.  I have pfSense on both ends and I've got a site-to-site OpenVPN tunnel setup between the two.
  • How do I get SRV records through Domain Override?

    11
    0 Votes
    11 Posts
    13k Views
    T
    @decibel83: @doktornotor: Warning note: Do NOT attempt to use unbound on pfSense as a DNS server for Active Directory. Why? So you do advise to use DNS forwarder and not DNS resolver on 2.2? This is a very helpful link.  https://technet.microsoft.com/en-us/library/cc759550(v=ws.10).aspx AD's architecture requires it to be the primary DNS server for all servers and clients on a network.  You could run two primary DNS servers (sort of)–the AD DNS server and another server that does non-AD lookups for your LAN.  I am running a 2012 domain controller with DNS being run (ironically) on a Mac for my LAN.  The Windows clients use AD's DNS, and all internal queries that are for non-Windows or domain members--things like my Linux servers and Mac clients--use the Mac server.  The Mac runs bind, which is my preferred DNS server.
  • Unicast DHCP offer from DHCP server not making through pfSense

    8
    0 Votes
    8 Posts
    4k Views
    johnpozJ
    yeah I just found that dhcp relay does not auto add firewall rules awhile back.. Dok is quick on knowing the issues list, I need to follow that more ;) If you do a relay you have to make sure you have the right firewall rules in to allow it, when you enable dhcp the rules are auto created for you and hidden..
  • Having trouble with DHCP and access point

    35
    0 Votes
    35 Posts
    9k Views
    M
    ok thanks I'll read that. but yeah, at that time, I didn't know bridging wasn't really a good thing, but found out later, so stopped trying, but at this point, I am looking at keeping it on this interface, and maybe have the security network on a different interface. My original plan, was to have 3 interfaces (I have more network cards I can add if I want, they have no other real uses right now) one lan, one for wireless and one for home media devices like PS3, netflix boxes etc, and the NAS box would be able to stream on it, (Not sure yet if it will be able to without being physically attached to both interfaces?)  then the security would get placed accordingly (Kinda assumed I'd add another nic)  But, the more I look at it, the more it seems there isn't much value in having wireless on a separate interface, and it works better in terms of vlan + SSID vs separate interface + VLAN + SSID… as wifi be needed on both, so might as well just use separate SSIDs and VLAN, and use the other interface for security, eliminating the need for an additional nic.
  • 0 Votes
    14 Posts
    5k Views
    GertjanG
    You don't  ;) A forum admin can do so, if things go nasty, but that is rare. "Closing threads" isn't really needed anyway.
  • DHCP Relay (Server) support?

    10
    0 Votes
    10 Posts
    2k Views
    T
    @doktornotor: No, you cannot use pfSense to supply DHCP outside of the subnets configured on the firewall itself. It can relay them elsewhere. No idea what's your "relay endpoint". When I said relay endpoint I meant DHCP server that can serve scopes outside of its locally visible subnets. As in, the 'endpoint' of the DHCP request after it's been relayed.
  • DNS forwarder for specific people

    15
    0 Votes
    15 Posts
    3k Views
    C
    I suppose there is some misunderstanding here. 1 - Deploying standard (explicit) HTTP proxy does not require any cert to be deployed, with neither HTTP nor HTTPS. Reason being that HTTPS connection is between web server and browser. 2 - WPAD stuff doesn't depend on pfSense, although you may want to have pfSense handling some WPAD related stuff like DNS or DHCP or even proxy.pac 3 - I suspect there is something mixed up with MITM like implementation. While strongly suggesting not to move in this direction, in case you do want to deploy it, please understand this is something different from the general behaviour with HTTP proxy and WPAD. Give a try with WPAD + HTTP proxy in explicit mode without HTTPS interception (MITM): it will give you capability to profile access to internet (who can do what) and access control to HTTP and HTTPS URLs. Obviously, with such implementation, there is no content filtering for HTTPS web sites but this is another story  ;)
  • PfSense notifies me DynDNS updated IP, but it didn't

    1
    0 Votes
    1 Posts
    473 Views
    No one has replied
  • DNS Resolver / DNSSEC in permissive mode.

    19
    0 Votes
    19 Posts
    4k Views
    G
    btw. I get two thumbs up from Borat.
  • Dhcp gateway from server not from interface

    12
    0 Votes
    12 Posts
    2k Views
    D
    @karimwassim: just make a rule reject in firewall with alias of the specified clients and enable Schedule for all the week for that clients and all working perfectly I don't get what's this "schedule" good for. Just set up a permanent block rule for those. Why are you scheduling something for 24/7?
  • Static IP not showing?

    6
    0 Votes
    6 Posts
    3k Views
    P
    @killmasta93: …i just changed the DHCP range from 192.168.3.20-192.168.3.253 so then i added the static ip 192.168.3.3 for my device Yes that is what Doktornotor (and the descriptive information in the gui) was trying to tell you all the time. Any statically assigned ip address must be selected outside of the dynamic address pool. Now that you changed your DHCP pool to 192.168.3.20-192.168.3.253, you have the addresses 192.168.3.1-192.168.3.19 (and 192.168.3.254) available to use as static addresses. It's great that you finally cracked the code! ;)
  • Potential Bug with Resolver

    2
    0 Votes
    2 Posts
    714 Views
    pttP
    https://forum.pfsense.org/index.php?topic=92437.msg512054#msg512054
  • DNSexit

    2
    0 Votes
    2 Posts
    897 Views
    M
    Here is what I get from the log.
    May 3 09:30:29 php-fpm[28779]: /services_dyndns_edit.php: DynDns: updatedns() starting
    May 3 09:30:29 php-fpm[28779]: /services_dyndns_edit.php: DynDns (subdomain.url.com): x.x.x.x extracted from local system.
    May 3 09:30:29 php-fpm[28779]: /services_dyndns_edit.php: DynDNS (subdomain.url.com): running get_failover_interface for wan. found igb3
    May 3 09:30:29 php-fpm[28779]: /services_dyndns_edit.php: DynDNS (subdomain.url.com): DynDns _update() starting.
    May 3 09:30:29 php-fpm[28779]: /services_dyndns_edit.php: DynDNS (subdomain.url.com): DynDns _checkStatus() starting.
    May 3 09:30:29 php-fpm[28779]: /services_dyndns_edit.php: DynDNS (subdomain.url.com): Current Service: dnsexit
    May 3 09:30:29 php-fpm[28779]: /services_dyndns_edit.php: phpDynDNS (subdomain.url.com): PAYLOAD: HTTP/1.1 200 OK 4=IP not changed. To save our system resources, please don't post updates unless the IP got changed.
    May 3 09:30:29 php-fpm[28779]: /services_dyndns_edit.php: phpDynDNS (subdomain.url.com): (Unknown Response)
    Right now the IP address on DNSexit is 0.0.0.0 so I'm not sure why it is saying "PAYLOAD: HTTP/1.1 200 OK 4=IP not changed."
  • Dynamic DNS with pairNIC

    3
    0 Votes
    3 Posts
    2k Views
    D
    For reference here is the complete Dynamic DNS custom config required for anyone using pairNIC dynamic DNS:
    Service Type: Custom
    Username: pairnic  (all lower case!)
    Password: [Your pairNIC Dynamic DNS Key - from your pairNIC account].
    Update URL: https://dynamic.pairnic.com/nic/update?hostname=<dynamichostname>.<yourdomain>&myip=%IP%
    where <dynamichostname> is the name of the dynamic host (e.g. webserver). NB If this hostname already exists in your pairNIC config - it will be overwritten!
    <yourdomain> is your pairNIC domain (e.g. privatedomain.org)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.