So you want people on the internet to talk to your dns server, your public IP is one of the registered IPs for your nameservers for you domain. Well just port forward 53 (dns) both udp and tcp to the private IP address of your dns server. Just like you forwarded traffic for your web server or your mail server.  BTW – if your on your own network, and you put in our webserver fqdn - and you get redirect back into your webserver.  That does not actually mean outside people can get to it.  That is nat reflection..  You really should validate from the outside to make sure port forwards are working. If you PM me your domain and IP address I be happy to validate any port forwards for you - if you don't want to make them public. BTW -- hosting your own dns not great idea with all the dns attacks around lately..  There are plenty of dns services out there that do dns for their bread and butter, etc.  No real reason to host your own - and where is your secondary name server?

In my case I was messing with two rules to make it log something, so I made an allow out and a block but I had accidentally set my allow to TCP rather than any. I did still have the default one, it just wasn't getting triggered by anything because of the block.

That was a known issue on 2.1.x but I thought it was fixed before 2.1.3. Are you running the current version?

@pernika: hm, good point. I was wrong. I've change Device Name, but it was not in the Developer Option. Obviously this name is in use for another things. I activated developer option on my Nexus 4 and I'm using version 4.4.2 but there is no DeviceName inside them. I tried also on Samsung Galaxy S4 mini - same result. The version is 4.2.2 . In 4.4.2, the option I have in developer options is called "Device Hostname". "Device Name" may be the same option.  Are you using stock firmware or a custom rom, and where was the option you changed? If you have any terminal app on your phone (or you can get one), try running the command "hostname" and see if it matches what pfsense says, or what you changed it to.  (That command may work in an ADB Shell too).

Here is the output of htop -aSH: http://imgur.com/HgkRKpD This also happens when no device uses the webinterface

So your clients that you want to join the domain need to point to the server 2008 IP for DNS.  So they can resolve the AD dns entries.  you then can setup DNS on your 2k8 server to use pfsense as its forwarder.  So your AD clients can then resolve say google.com Your clients ask your AD dns, which in turn asks pfsense - which in turn asks your isp or public dns for say www.google.com pfsense or the internet has no idea about your AD..  This is why you have to point your clients to AD dns.  They should ONLY Point to this - nothing else.

I'm pretty sure they're a new feature. The way I'm using them right now, is I've blocked the MAC address for VMs, and Apple Products on my main DHCP pools. In a second pool, I have whitelisted the VMs MAC's, and in a third, I have whitelisted the Apple Product's MACs. This why I can keep these devices constrained to specific IP ranges on the same subnet. I image it would also be good for things such as IP based phones, and similar.

I agree w/johnpoz, your LAN subnet overlaps BOTH your WAN1 & WAN2 subnets - not a good plan :o I would suggest as step 1 to simply change your LAN subnet to something completely different, such as 192.168.17.0/24. You'll have to update the LAN's DHCP server as well. You may have to update your firewall rules but that shouldn't be a huge issue. At minimum this will give a better indication of what's configured properly and what isn't. Try it and let us know what happens or changes.

You can manually edit the config.xml file (/cf/conf/config.xml). each entry is in the config file under an element called "staticmap"… just create a couple of entries via the UI and you will be able to find them in the config.xml. Manually edit to your hearts content - then reboot.

No problem - why were are here ;)  I have not been able to find any reasoning behind MS not allowing for the dhcp request.  They update their dhcp server software to be able to offer it, and have documentation on how to add option 119..  So why would they not allow their clients to use it via dhcp?

I get 2.2 is not production-ready ;) Meanwhile is there a way (either via Web GUI or SSH) to change (eg. add "interface: 192.168.0.254" line) to Unbound configuration file? I've browsed into pfSense file system but could not find the configuration file Unbound program actually uses. Other possible solution: an iptable-like rule to re-route traffic from 192.168.0.42:53 to 192.168.0.254:53. Does it even exists on pfSense?

Hi anyone have any new thoughts on this problem? During this time I have tries 2 other Linux firewall software packages on the same hardware and don't have this problem but would really like to use pfsense.