• DNS Forwarder + Manually set DNS not resolving
    0 Votes · 8 Posts · 5k Views
    Kind of resigned to the fact that it is either not going to work (and may be fixed in a future release) or not designed to work - in other words, I'm trying to make it do something it is not meant to do. I think that, as far as supplying DNS servers is concerned, the DNS Forwarder and DHCP Static Mapping DNS fields are mutually exclusive with respect to Windows clients. It's either one or the other. To that end, I've removed all the DNS entries from the static mapping DNS fields for all my Windows hosts and simply assigned manual DNS servers against the network cards of each Windows box using the IPv4 "Use the following DNS server addresses" dialogue. Everything non-Windows works perfectly. I'm happy with this as it reflects the solution I had in place with the old Draytek router. Cheers, Rowland.
  • Unresolvable DNS Entries
    0 Votes · 24 Posts · 4k Views
    Adding a domain override with an IP of "!" solved this problem for me… I wonder how common it is for new users. Seems like a good tip for the FAQ if it doesn't already exist.
  • DNS forwarder not working for specific domain…
    0 Votes · 3 Posts · 954 Views
    That did the trick, thanks phil :) Strange thing is that the DNS servers for both domains are sitting on the other end of the same VPN tunnel; the only difference is the subnet to which they belong on the other end…
  • DDNS - DuckDNS setup
    1 Vote · 1 Post · 10k Views
    No one has replied
  • Internal DNS Setup
    0 Votes · 4 Posts · 1k Views
    Didn't we already go over this in this thread? https://forum.pfsense.org/index.php/topic,73213.msg400295.html#msg400295
  • Can't use LAN DHCP and Assign as a Static
    0 Votes · 10 Posts · 2k Views
    Thank You Sir !!! :-* :-*
  • Access WebConfig via WAN
    0 Votes · 6 Posts · 1k Views
    @h.guerrier: I'm trying to figure out what steps to take to use the Dynamic DNS feature provided by OOL, since it's free with my subscription. I don't want to have to set up an account with DYNDNS.com when I can get the same thing done for free via OOL.
    I am not saying you have to. You need to get the information YOU need from optonline and stick it in the custom configuration in the Dynamic DNS settings page on pfSense. Follow a guide; you will need similar information, possibly dyn.optonline.net and your username + password.
  • Make DNS forwarder accessible via WAN
    0 Votes · 13 Posts · 5k Views
    I will look into this some more over the next few days. Right now I am not paying anything for the unblock service since they are currently in beta, but I got an email a few days ago saying they expect to go gold in a couple of weeks and at that point the service will cost $4.95/mo. They did state that they were planning a discount package for anyone who signs up in the first week after they go live.
    What happens is that as long as I connect to Netflix from my home LAN the unblocker works fine, no matter which device I connect with (I see and can play US programs in Canada on any PC or laptop, a Samsung Smart TV, a WDTV Live HD connected to a dumb TV, and two smartphones). I have pfSense set up with domain overrides for "netflix.com" and "netflix.net" so that any device requesting hostname resolution will normally use the regular DNS servers, but will use the unblocker service for any requests involving Netflix. This is much safer than just pointing pfSense to always use the unblocker DNS since this way your DNS can't get hijacked when you connect to your bank, for instance.
    The problem is that if I want to watch US Netflix on my laptop or smartphone when I am away from home the unblocker service forces me to change the registered IP address, and then of course it doesn't work for any device on my home LAN till I get home and set it back. This is frustrating for anyone at home who wants to watch US Netflix while I am away.
    I was going to do some experimenting with my OpenVPN connection to my LAN, but I just discovered it is broken right now. It used to work, but now it seems the gateway is not being set up correctly for the VPN connection so nothing routes properly. I don't know what happened since it used to work fine, but I haven't used it in maybe 6 months.
  • DNS Config For Enterprise Setup ?
    0 Votes · 11 Posts · 2k Views
    Hi Sir Johnpoz, thank you very much Sir Johnpoz, your solution worked! You're the best!!! For others who have the same problem, follow the solution provided by Sir John:
    @johnpoz: Dude, set up a forwarder on your AD DNS to point to pfSense, or Google or OpenDNS or 4.2.2.2, or have it directly query the roots. And set up the correct firewall rules to allow whatever you choose to do.
    Thank you thank you…
  • Problems with SOA of reverse DNS
    0 Votes · 9 Posts · 4k Views
    @8191: @bryan.paradis: examples
        auth-zone=our.zone.com,1.2.3.0/24
        auth-zone=lan.thekelleys.org.uk,2a01:348:29f::/48
        auth-zone=demo.deltalibre.org.ar,2a00:1508:1:feca::/64
    So shouldn't it look more like auth-zone=4.10.in-addr.arpa,subnethere/16 ? It says subnets are also used to define the in-addr domains for reverse queries and that if no subnets are specified no reverse queries are answered.
    I didn't see that example section so far in the man page. This part helped me to configure it:
        auth-server=server.example.com,eth0
        auth-zone=our.zone.com,1.2.3.0/24
    and two records in the external DNS
        server.example.com      A     192.0.43.10
        our.zone.com            NS    server.example.com
    Unhappily dnsmasq stops handling domain overrides when in DNS authoritative mode. Can anyone confirm that, or do I have a configuration issue here?
    Could you add log-queries to advanced options and have a look to see what it actually is doing when it doesn't process the domain override?
  • DNS Forwarder Issues
    0 Votes · 7 Posts · 3k Views
    @DNS_Newbie: Well, one thing I definitely don't understand is why "localdomain" was added to the string, as the command I ran was "nslookup cool.com"
    These days many systems (like Windows) append your local domain to the name that you ask for, if the raw name is not found. This helps people type in short names inside their organisation and get success, e.g. you work in myorg.org and type in server1.branchoffice - server1.branchoffice gets NXDOMAIN - the system then tries server1.branchoffice.myorg.org for you, and success! Saved you typing the whole FQDN. So when your general name server services are not working properly, you will get the client trying with ".myorg.org" or ".localdomain" appended, and thus see seemingly confusing messages like that.
  • DHCP Server IP Lease Timecode Problem (SOLVED)
    0 Votes · 9 Posts · 8k Views
    As soon as you disable and enable your adapter you will see it (the moment you refresh your network adapter you will see it written into the dhcp.leases file with local time; I tried it and it worked).
  • DynDNS issue
    0 Votes · 8 Posts · 2k Views
    @phreshjive: Ended up disabling RDP after a few colleagues took a dump on me over using it. Now using TeamViewer. Thank you for help.
    What's wrong with RDP?
  • Intermittent failure of DNS requests
    0 Votes · 6 Posts · 2k Views
    @oliwel: Thanks for your answers. @bryan.paradis: As I am new to pfSense and did not use dnsmasq before, can you please point me to some docs or give an example of how to enable logging? @johnpoz: Exactly this happens; here are the results made on my Ubuntu workstation within 2 seconds - I got two failures and a result on the third try.
        oliwel@platin ~ $ dig www.bus-profi.de @10.16.6.1

        ; <<>> DiG 9.9.2-P1 <<>> www.bus-profi.de @10.16.6.1
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18937
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

        ;; QUESTION SECTION:
        ;www.bus-profi.de.              IN      A

        ;; Query time: 32 msec
        ;; SERVER: 10.16.6.1#53(10.16.6.1)
        ;; WHEN: Thu Feb 27 08:03:15 2014
        ;; MSG SIZE  rcvd: 34

        oliwel@platin ~ $ dig www.bus-profi.de @10.16.6.1

        ; <<>> DiG 9.9.2-P1 <<>> www.bus-profi.de @10.16.6.1
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23048
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

        ;; QUESTION SECTION:
        ;www.bus-profi.de.              IN      A

        ;; Query time: 31 msec
        ;; SERVER: 10.16.6.1#53(10.16.6.1)
        ;; WHEN: Thu Feb 27 08:08:12 2014
        ;; MSG SIZE  rcvd: 34

        oliwel@platin ~ $ dig www.bus-profi.de @10.16.6.1

        ; <<>> DiG 9.9.2-P1 <<>> www.bus-profi.de @10.16.6.1
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45941
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags:; udp: 512
        ;; QUESTION SECTION:
        ;www.bus-profi.de.              IN      A

        ;; ANSWER SECTION:
        www.bus-profi.de.       6902    IN      CNAME   bus-profi.de.
        bus-profi.de.           6902    IN      A       81.169.145.152

        ;; Query time: 28 msec
        ;; SERVER: 10.16.6.1#53(10.16.6.1)
        ;; WHEN: Thu Feb 27 08:08:13 2014
        ;; MSG SIZE  rcvd: 75
    Upstream servers on positions 1 and 2 are those of my upstream provider and 3 and 4 are the Google ones (8.8.8.8 and 8.8.4.4), using parallel query. I also dropped the provider servers and just used Google but it didn't change anything. As said, the provider DNS works flawlessly when used directly from the clients. Oliver
    Services -> DNS Forwarder -> Go down to Advanced and add log-queries -> Save. Status -> System Logs -> Resolver Log
  • DHCP lease count
    0 Votes · 7 Posts · 5k Views
    @it_support: Where is the DHCP lease file located? I mean the status_dhcp_leases.php file
    /usr/local/www/
    If you need to find things on the command line you can use find:
        find / -name filename
    If you need wildcards use:
        find / -name \*filename\*
  • Use two different DNS for different kind of user
    0 Votes · 2 Posts · 1k Views
    I will assume that most users are to be filtered, and the unfiltered ones are a smaller number. You could:
    a) Set up the OpenDNS servers for pfSense generally as you have already, to send DNS to OpenDNS, and have block rules preventing users reaching other DNS servers.
    b) Add static-mapped IP addresses in DHCP for the unfiltered users. Put them in a nice sub-range of your LAN (e.g. LAN 10.20.0.0/16, and put all unfiltered in 10.20.254.0/16).
    c) Make an Alias for that range of static-mapped LAN IPs (e.g. call it "UnfilteredLANips").
    d) Make an Alias for the DNS servers you want to allow for unfiltered DNS (e.g. call it "UnfilteredDNSips").
    e) On those static mapped entries, specify the unfiltered DNS servers (e.g. 8.8.8.8 and 8.8.4.4).
    f) Add a firewall rule: pass, protocol TCP+UDP, source UnfilteredLANips, destination UnfilteredDNSips, port 53 (DNS).
    Of course, smart users who know and have admin access on their device can set their IP in the UnfilteredLANips range - but I think that applies to all the solutions. Even if you make a solution that is really MAC-address-based, people can spoof their MAC address. The unfortunate part of this implementation is that you have to repeat pasting the same DNS server IPs into every static mapping entry.
  • Domain Overrides function Am I doing this right!?
    0 Votes · 3 Posts · 652 Views
    Thanks for the heads up! :-)
  • DHCP Available/Used Lease Statistics
    0 Votes · 1 Post · 967 Views
    No one has replied
  • DHCP doesn't seem to work on LAN cards
    0 Votes · 10 Posts · 1k Views
    @bryan.paradis: @ray167: Ok so I finally got my devices to communicate with each other. I read some posts about bridging network cards together and that did it for me. This is what I did:
    1. Created a bridge and bridged all my NICs to LAN
    2. I went through all NICs and disabled the DHCP server for them except for the LAN NIC
    3. Set firewall rule to pass, source any and destination any
    I have not tested all my equipment but I am pretty sure they all work and see each other on the network. I have also kept UPnP and NAT-PMP enabled so this may also be needed to have all devices on the network see each other.
    Was going to say putting them on a bridge for the LAN would be the idea unless you want something else specific. Glad you got it working. Unless I am extremely foggy today it shouldn't require anything other than just setting those extra NICs into the LAN bridge to get you going.
    I did try to just bridge everything and set up rules but that didn't work for me. I read on another thread here that I should disable the DHCP server on all NICs except for LAN and that did the trick.
  • Odd DHCP Behavior?
    0 Votes · 7 Posts · 1k Views
    Is there some other rogue device that comes on the network from time to time with address 192.168.1.1? If that happens then sometimes some systems will find the MAC of that device when they use ARP to find 192.168.1.1.
    Do "arp -a" on a machine that is working and note the MAC address associated with 192.168.1.1 - it should be the MAC address of the pfSense LAN NIC. Do the same thing when a machine is not working and see what MAC address it thinks is 192.168.1.1.
    Having pfSense LAN at 192.168.1.1 on a reasonable-sized network is a risk, because there are likely to be people setting up devices and quite often those devices default to 192.168.1.1 when first powered on.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.