  • DNS Blackhole

    6
    0 Votes
    6 Posts
    5k Views
    johnpozJ
    Bind is clearly not on the way out, that is for sure ;) You asked what package can do it other than squid - bind is a package for pfsense, and can easily do a dnsblackhole setup. You're just becoming authoritative for whatever domains you want to blackhole. Why not just do it on your MS dns, so you out a hop in your queries.. Just make MS dns authoritative for whatever domains you want to BH. There are ways of preloading domains in MS dns. Blocking resolution of a domain is not a very effective solution in my personal opinion - if you want to block URL based stuff, then why not just use a proxy. And only allow the proxy out of your network. This is far better protection for your clients than just dns black hole.
  • Open DNS Resolver

    9
    0 Votes
    9 Posts
    4k Views
    K
    Same thing with 2.0.3. It's starting to look pretty bad for your claims that having the DNS Forwarder listening on WAN somehow magically opens a hole in the firewall.
  • About System Package Manager

    2
    0 Votes
    2 Posts
    838 Views
    J
    Can you post your DNS configuration?
  • 0 Votes
    3 Posts
    1k Views
    O
    Thanks. In moving the installation to a new box, I found that everything worked as you described. However, before rebooting I had carefully gone through to find if there were any changes waiting to be saved, and I tried making the changes again and saving them, but it wasn't acknowledging the change. I wonder if I paged back without saving, made some change, and somehow corrupted a record or something? Anyway, in the grand scheme of things, I'd rather devs work on improving 802.11n support than anything else.
  • 0 Votes
    1 Posts
    996 Views
    No one has replied
  • Custom Dynamic DNS

    2
    0 Votes
    2 Posts
    870 Views
    T
    Due to how I use my domain at namecheap, and a bug in the built-in updater, I couldn't use the built-in one. What would probably work in your case would be installing the Cron package and then setting up a cronjob to do the work. Mine is /usr/bin/nice -n20 fetch -o /dev/null "https://dynamicdns.park-your-domain.com/update?host=@&domain=sub.domain.ext&password=passwordhere" which I have set to run at 12:10 am and 12:10 pm.
  • No IP in DHCP WAN

    5
    0 Votes
    5 Posts
    1k Views
    F
    Hi johnpoz ! Yes SFR is French… I'll try to reboot SFR's device too… Thanks a lot.
  • DNS forwarder - Domain override not working

    5
    0 Votes
    5 Posts
    4k Views
    johnpozJ
    Your other option is to just not use overrides, and set the IP of the dns server you want your client to use directly on the client. Then your policy routing would work for the query.
  • DHCP on Hyper-V + Physical NICs + WAP

    1
    0 Votes
    1 Posts
    788 Views
    No one has replied
  • DHCP on WAN suddenly started failing

    67
    0 Votes
    67 Posts
    29k Views
    R
    I seem to be having the same issue here.. Cable modem is Thomson DCM476. System is a supermicro motherboard with two embedded em based nics. em1 is connected to a Baystack 450-24t and is always up and rock solid. em0, connected to the cable modem, is flapping. After landing on this thread I have just set the wan interface speed to 1000baseT and will monitor for the next couple of days. –Rajiv
  • DHCP Stats

    3
    0 Votes
    3 Posts
    1k Views
    GertjanG
    But … Status => DHCP leases and sort on IP Address. Go to the bottom of the page. Hit the "Show all configured leases". The list will be longer ;) Mine shows all IPs that I declared in the range (192.168.2.6 and 192.168.2.254) = 249 IPs. All black leases are current - all grey ones are expired and considered to be free (and thus not renewed by the client that owned the IP in the past). You can also see the MAC of the clients, so when the same client drops by, it will be offered the same IP (I guess this is the normal behaviour of the used DHCP server).
  • DHCP TTL bug marked as fixed in FreeBSD. Follow up info from old thread.

    2
    0 Votes
    2 Posts
    674 Views
    K
    Verify that the fix is indeed in all supported versions of FreeBSD. The bug database was just migrated to Bugzilla from the old GNATS system and there might be false alarms etc. before everything stabilizes.
  • Windows Server 2008 R2 to pfSense

    3
    0 Votes
    3 Posts
    1k Views
    M
    You don't say how you plan to run a VM on that multipurpose box, but pfSense on 2008 HyperV is not a trivial task. The superior solution is much easier, build it on a re-purposed spare box. In fact, build two :) PS having a firewall/internet gateway/DNS/DHCP up and running when working on your server is VERY handy as well.
  • Problems with DHCP relay agent

    9
    0 Votes
    9 Posts
    4k Views
    K
    I recommend using 10.x.y.0/24 subnets where x and y are numbers of your own choice. There are 65536 different combinations of x and y to choose from and you're not likely to collide with the subnet of someone else. This can be very important if you ever have to build a fully routed site to site VPN tunnel with someone else and you don't have control over what the other guy's addresses are. Also you'll be avoiding the more commonly used 192.168.x.0/24 networks where there are only 256 different subnets.
  • Issues with clients trying to claim pfsense as their dns server

    2
    0 Votes
    2 Posts
    753 Views
    johnpozJ
    And where are the gateway addresses for your vlans? So pfsense is not the gateway or firewall, you're just trying to use it as a proxy server? So you say pfsense lan is 10.10.17.33/24 and the gateway of this segment is 10.10.17.20/24. If pfsense is not the gateway for your networks, then yes it would need to know how to route to get to 10.10.18 and 10.10.19.0/24 etc. Or it would try to go out its wan to get there. Do not place a gateway on pfsense lan - just create routes. You will also need to adjust the lan firewall rules to allow those other segments. And will also have to create nats so that pfsense nats them - unless you're not natting at all. You will also need to setup proxy to allow those other networks to use it. As to clients doing dns?? Yes a proxy is what looks up dns for a client.. If a client of a proxy wants to go to www.google.com - the proxy is the one that looks up www.google.com.. If you're saying your clients are doing actual dns to pfsense… Did you not disable dhcp on pfsense? Or not configure its dhcp server, if you're using it, to correctly point to your network gateway and dns?
  • DHCP Scope Leasing on All Subnets

    6
    0 Votes
    6 Posts
    1k Views
    D
    Any chance you can do a screen shot from the actual Firewall Rules screen? From your listing I can't tell if those are actually Block or Pass rules. As well it would be helpful to see a post of your DHCP servers pages for LAN & LAN1
  • Solved - Reverse resolve with DNS

    3
    0 Votes
    3 Posts
    1k Views
    T
    Thanks for the reply. That makes sense ofc :-)
  • Dynamic DNS Custom Result Match Wildcard

    1
    0 Votes
    1 Posts
    720 Views
    No one has replied
  • Newbie DNS forwarder issue

    6
    0 Votes
    6 Posts
    2k Views
    J
    Uncheck "Register DHCP leases in DNS forwarder" and "Register DHCP static mappings in DNS forwarder", get updates… check "Register DHCP leases in DNS forwarder" and "Register DHCP static mappings in DNS forwarder". (P.S. I always have these unchecked ...) but I don't know if it's 100% OK
  • DHCP Lease History

    7
    0 Votes
    7 Posts
    4k Views
    jimpJ
    If it's a current IP/MAC, then the DHCP Leases table would show it if it came from DHCP, or the ARP table (Diag > ARP) would show it even if it didn't come from DHCP, assuming that IP has talked to the firewall recently. If it's not active now, the DHCP log might still have some info, but that depends on how busy the DHCP daemon is. A program like arpwatch can help you keep an eye on those sorts of things over time.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.