OK, thanks to your answer now I get it! I made an error in the "host" part –- oops Again, thank you sir!

@pilgrim87: how could i run a packet capture to see what's in it? Diagnostics / Packet capture Set 'interface' to the appropriate entry The resulting .cap file can be analysed quite nicely with Wireshark

My money is on a cheap NIC. I've seen some <$3 cards with completely fabricated MAC addresses, and often the whole batch will have the same address! Also it could be a legitimate NIC that's cr@pped-out the firmware.  Have also seen this (when someone put the card in the PCI slot the wrong way round!!!) - Different MAC addresses in Windows driver  than was showing in Wireshark - needless to say the card didn't work.

So if the machine was setup static there would be no releasing of anything. So do you really mean that you want your machine to always get the same IP from pfsense? This is called a reservation or static dhcp.  You an set them in pfsense yes. http://doc.pfsense.org/index.php/DHCP_Server#Static_IP_Mappings [image: staticmappings.jpg] [image: staticmappings.jpg_thumb]

@wallabybob: Is the content downloaded by http? If so, squid will surely be involved and will probably use its "local" DNS rather than whatever you have configured on the real client. I don't know enough about squid operation to suggest a fix but it could be worthwhile disabling squid on pfSense, rebooting (to make sure squid is disabled) and then trying your content download. Yup, that looks like it was the problem. Yes Hulu is delivered via HTTP. Was staring me in the face. Anyway I am now going to test for some configuration changes and see if I can get this to work with squid. Thanks for your help Wallabybob.

@victorhooi: The pfSense box and the Unifi AP are both plugged into the Linksys switch - those two ports have been configured as trunks. My understanding was that this would be enough, and I don't need to explicitly make it a member of each VLAN. So how do you think your switch is going to decide which traffic to forward on a trunk port? Everything? Everything from a trunk port? If necessary read your switch manual to see if it provides an answer to this question. I suggest you make the trunk port from the switch to pfSense a member of all the VLANs configured in the UniFi and retry your DHCP request then consult the pfSense DHCP server log (Status -> System Logs, DHCP tab) to see if the DHCP request was received and on the correct interface.

Been doing a bit of reading from this tutorial: http://lsgondane.hubpages.com/hub/How-to-Configure-PXE-Server-on-Linux Though it TFTP (which is obviously going to my file server where the CentOS images are located) and keeps saying can't find config files. I know the configs I have set in pfsense are working, just can't seem to understand why it can't find the config files under /tftpboot/pxelinux.cnf/default I mean this is the contents of that file: default: off description: The tftp server serves files using the trivial file transfer \ protocol.  The tftp protocol is often used to boot diskless \ workstations, download configuration files to network-aware printers, \ and to start the installation process for some operating systems. service tftp { socket_type = dgram protocol = udp wait = yes user = root server = /usr/sbin/in.tftpd server_args = -s /var/lib/tftpboot # there's nodirectory there or file so! http://lsgondane.hubpages.com/hub/How-to-Configure-PXE-Server-on-Linux says: server_args = -s /tftpboot disable the yes command here: disable = yes above url says no: disable = no per_source = 11 cps = 100 2 flags = IPv4 }

OK! @johnpoz: 553 guessing that is a typo ;)  That sure isn't a typical port. Oops… for sure! I meant 53 of course  ;D Thanks a lot!

So they state Every computer or other Internet-enabled device has an address. It's made up of numbers, like a street address. Our solution is brilliantly simple. We give you an address where the content you want is available It's like moving your computer or other device without actually moving it. Ok its just a freaking proxy service for the services they support, they just use dns to point you to the proxy is all to bypass the IP check.  Yeah this is sneaky..  So you want to got to netflix.com, their dns returns the proxy to use ;)  You hit that like the site, it proxies your connection to real site and looks like you came from where the proxy was - this is done until the IP check portion is completed.

Show us what /var/dhcpd/etc/dhcpd.conf looks like, it may have the answers.

After adding the the server to its own DHCP static ip range, All I did was, 1. flushdns on all computers 2. renew ip on all computers 3. cleared states on pfsense firewall. I was then able to see the server \server . This is a fresh install of the firewall, so it was all default settings. Only thing I changed was I added a opt1 nic card for the wifi AP and then bridged that to the lan network. I am still having issues the users are reporting that wifi is connecting but for some reason only certian devices are allowed to see the internet, laptops can see internet but ipod/ipad and droid devices cannot.

For info, this issue has been fixed on 2.1-BETA1 and later. See forum thread: http://forum.pfsense.org/index.php/topic,59231.0

Just to close out the issue, all seems to be back to normal with respect to CPU usage - see the attached System CPU graphs. Thanks again for your help! [image: firewallCPU.png] [image: firewallCPU.png_thumb]

@Paul47: Or is pfSense caching those DNS requests if the forwarder is turned on? Yes. @Paul47: Is caching the point? Yes, generally. The DNS forwarder can also be used to apply local host name overrides, for example, point the name of the server of banner ads to a "non-existent" IP address or to a host that will quickly give a NULL reply. @Paul47: Also, what happens with static addressing? In the 2nd link above, does that dodge work for static addressing too? In other words if your user wants to use an "anything goes" DNS so he can look at porn at work, and you'd rather steer him to OpenDNS, that method will work? Automatic if user configures by DHCP and has no local DNS overrides. If user has local DNS overrides (or configured DNS because they have static IP address) they will find they suddenly can't access their name server and will probably have to squeal for help. @Paul47: Will he have to change his DNS server setting to the pfSense lan address, to see any internet at all? Yes if he wants to resolve hostnames (e.g. wants ping www.google.com to "work"); no if he is content to use IP addresses.

And windows will tell you have limited access if it can not do dns, or if it can not access a specific site. You going to post the output of ipconfig /all or not - from what your posted. "I also ran ipconfig /all in command prompt and the dns server was set for 192.168.1.1 which is my NIC" That sure sounds like your pointing to yourself for dns to me - it would take you like 2 seconds to post the output of ipconfig /all – its real simple see Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation.  All rights reserved. C:\Windows\system32>ipconfig /all Windows IP Configuration   Host Name . . . . . . . . . . . . : i5-w7   Primary Dns Suffix  . . . . . . . : local.lan   Node Type . . . . . . . . . . . . : Broadcast   IP Routing Enabled. . . . . . . . : No   WINS Proxy Enabled. . . . . . . . : No   DNS Suffix Search List. . . . . . : local.lan Ethernet adapter Local:   Connection-specific DNS Suffix  . :   Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet   Physical Address. . . . . . . . . : 18-03-73-B1-0D-D3   DHCP Enabled. . . . . . . . . . . : No   Autoconfiguration Enabled . . . . : Yes   IPv6 Address. . . . . . . . . . . : 2601:snipped::666(Preferred)   Link-local IPv6 Address . . . . . : fe80::e0cd:efb8:f50:7e7b%12(Preferred)   IPv4 Address. . . . . . . . . . . : 192.168.1.100(Preferred)   Subnet Mask . . . . . . . . . . . : 255.255.255.0   Default Gateway . . . . . . . . . : 2601:snipped::1                                       192.168.1.253   DNS Servers . . . . . . . . . . . : 192.168.1.253   NetBIOS over Tcpip. . . . . . . . : Enabled

It didn't quite make it, we took it back out a couple weeks ago, we may try again for 2.2.

Forgive me for not helping, but you have a host that changes its IP address every 1-5 minutes? I just need to wrap my head around this.  They are using a dynamic DNS service to remap the IP address to DNS at that rate?  What's the TTL they assign their domain name when it is written to the DNS provider's system? I'm not sure what the business or technical reason for changing your IP that frequently is, but it breaks a lot of stuff (as you've discovered), it really isn't the way DNS should be implemented, and generates a lot of unnecessary DNS queries. You're really playing a game of chase to get the current IP address.  If you know the dynamic DNS service that these servers are using, I would use their name servers as your primary name servers and query them.  You're at the mercy of their TTL, so if it's set for an hour, you're only going to get an update each hour unless you flush your DNS (like you're doing) in a cron job. Again, I apologize, but I'm still trying to wrap my head around the "why" part of the implementation.

There have very rarely been issues with stale dhcpd PIDs going back years, maybe happened a handful of times, and good luck replicating it. We don't touch the dhcpd.pid contents at all, whatever ends up in that file is put there by ISC dhcpd.