Verify that the fix is indeed in all supported versions of FreeBSD. The bug database was just migrated to Bugzilla from the old GNATS system and there might be false alarms etc. before everything stablizes.

You don't say how you plan to run a VM on that multipurpose box, but pfSense on 2008 HyperV is not a trivial task.  The superior solution is much easier, build it on a re-purposed spare box.  In fact, built two :)
PS having a firewall/internet gateway/DNS/DHCP up and running when working on your server is VERY handy as well.

I recommend using 10.x.y.0/24 subnets where x and y are numbers of your own choise. There are 65536 different combinations of x and y to choose from and you're not likely to collide with the subnet of someone else. This can be very important if you ever have to build a fully routed site to site VPN tunnel with someone else and you don't have control over what the other guy's addresses are. Also you'll be avoiding the more commonly used 192.168.x.0/24 networks where there are only 256 different subnets.

And where are the gateway address for your vlans?  So pfsense is not the gateway or firewall your just trying to use it a proxy server?

So your say pfsense lan is 10.10.17.33/24 and the gateway of this segment is 10.10.17.20/24

If pfsense is not the gateway for your networks, then yes it would need to know how to route to get to 10.10.18 and 10.10.19.0/24 etc.  Or it would try to go out its wan to get there.  Do not place a gateway on pfsense lan - just create routes.

You will also need to adjust the lan firewall rules to allow those other segments.  And will also have to create nats so that pfsense nats them - unless your not natting at all.  You will also need to setup proxy to allow those other networks to use it.

As to clients doing dns??  Yes a proxy is what looks up dns for a client..  If a client of a proxy wants to go to www.google.com - the proxy is the one that looks up www.google.com..  If your saying your clients are doing actual dns to pfsense…  Did you not disable dhcp on pfsense?  Or not configure its dhcp server if your using it to correctly point to your network gateway and dns?

Any chance you can do a screen shot from the actual Firewall Rules screen?

From your listing I can't tell if those are actually Block or Pass rules.

As well it would be helpful to see a post of your DHCP servers pages for LAN & LAN1

Thanks for the replay. That makes sence ofc :-)

Uncheck

Register DHCP leases in DNS forwarder
Register DHCP static mappings in DNS forwarder

get updates…

check
Register DHCP leases in DNS forwarder
Register DHCP static mappings in DNS forwarder

(P.S) i allways have these unchecked ...) but i dont know if its 100% OK

If it's a current IP/MAC, then the DHCP Leases table would show it if it came from DHCP, or the ARP table (Diag > ARP) would show it even if it didn't come from DHCP, assuming that IP has talked to the firewall recently.

If it's not active now, the DHCP log might still have some info, but that depends on how busy the DHCP daemon is.

A program like arpwatch can help you keep an eye on those sorts of things over time.

So you want people on the internet to talk to your dns server, your public IP is one of the registered IPs for your nameservers for you domain.

Well just port forward 53 (dns) both udp and tcp to the private IP address of your dns server.

Just like you forwarded traffic for your web server or your mail server.  BTW – if your on your own network, and you put in our webserver fqdn - and you get redirect back into your webserver.  That does not actually mean outside people can get to it.  That is nat reflection..  You really should validate from the outside to make sure port forwards are working.

If you PM me your domain and IP address I be happy to validate any port forwards for you - if you don't want to make them public.

BTW -- hosting your own dns not great idea with all the dns attacks around lately..  There are plenty of dns services out there that do dns for their bread and butter, etc.  No real reason to host your own - and where is your secondary name server?

In my case I was messing with two rules to make it log something, so I made an allow out and a block but I had accidentally set my allow to TCP rather than any.

I did still have the default one, it just wasn't getting triggered by anything because of the block.

That was a known issue on 2.1.x but I thought it was fixed before 2.1.3. Are you running the current version?

@pernika:

hm, good point. I was wrong. I've change Device Name, but it was not in the Developer Option. Obviously this name is in use for another things. I activated developer option on my Nexus 4 and I'm using version 4.4.2 but there is no DeviceName inside them. I tried also on Samsung Galaxy S4 mini - same result. The version is 4.2.2 .

In 4.4.2, the option I have in developer options is called "Device Hostname".
"Device Name" may be the same option.  Are you using stock firmware or a custom rom, and where was the option you changed?
If you have any terminal app on your phone (or you can get one), try running the command "hostname" and see if it matches what pfsense says, or what you changed it to.  (That command may work in an ADB Shell too).

Here is the output of htop -aSH: http://imgur.com/HgkRKpD

This also happens when no device uses the webinterface

So your clients that you want to join the domain need to point to the server 2008 IP for DNS.  So they can resolve the AD dns entries.  you then can setup DNS on your 2k8 server to use pfsense as its forwarder.  So your AD clients can then resolve say google.com

Your clients ask your AD dns, which in turn asks pfsense - which in turn asks your isp or public dns for say www.google.com

pfsense or the internet has no idea about your AD..  This is why you have to point your clients to AD dns.  They should ONLY Point to this - nothing else.

I'm pretty sure they're a new feature.

The way I'm using them right now, is I've blocked the MAC address for VMs, and Apple Products on my main DHCP pools.
In a second pool, I have whitelisted the VMs MAC's, and in a third, I have whitelisted the Apple Product's MACs.

This why I can keep these devices constrained to specific IP ranges on the same subnet.

I image it would also be good for things such as IP based phones, and similar.

I agree w/johnpoz, your LAN subnet overlaps BOTH your WAN1 & WAN2 subnets - not a good plan :o

I would suggest as step 1 to simply change your LAN subnet to something completely different, such as 192.168.17.0/24.
You'll have to update the LAN's DHCP server as well.
You may have to update your firewall rules but that shouldn't be a huge issue.

At minimum this will give a better indication of what's configured properly and what isn't.

Try it and let us know what happens or changes.