what?? what is pfsense going to do if you put its wan and lan on the same segment?  Do you want it to be a bridge?  If your going to route with it, be with or without NAT.. It has to have its interfaces in 2 different segments. In your current setup pfsense is not going to do anything with IPs in the same network on its wan and lan interface. So why do you think you have issues with some websites?  If you put pfsense on your network on its wan interface - then from pfsense you would have to verify it can access the internet and resolve whatever fqdn you want to check.  But your not going to be able to do that from a client on that same network as the lan and wan interfaces of pfsense using pfsense as anything.

not really the way I would of gone about it that is for sure.  How about just lowering the lease so that they would be freed up after a client disconnected.  Default I believe is 24 hours.

Assuming it's dhcpd taking up 100% of the CPU, that would be an ISC DHCPD issue, not something we have anything to do with or any control over. If it's replicable I'd suggest reporting it to ISC.

@asura: thanks a lot and i really appreciate ur reply .. mayb i can try put host, domain and ip as below HOST       DOMAIN                   IP www       .movie-server.com     192.168.1.11 I am pretty sure for domain you would put "movie-server.com" without the leading "."

Worked like a charm once i set up a virtual host in apache with the new server name. Thanks walaby!

What your saying makes no sense if you don't have rule on lan interface to block access.  I have plenty of boxes outside my dhcp scope.  So example my lan network is 192.168.1.0/24, pfsense lan interface is on 192.168.1.253 dhcp scope is 192.168.1.210 to .219 So for example my linux box at 192.168.1.7 can query pfsense for dns. dig i5-w7.local.lan ; <<>> DiG 9.8.1-P1 <<>> i5-w7.local.lan ;; QUESTION SECTION: ;i5-w7.local.lan.               IN      A ;; ANSWER SECTION: i5-w7.local.lan.        1       IN      A       192.168.1.100 ;; Query time: 2 msec ;; SERVER: 192.168.1.253#53(192.168.1.253) ;; WHEN: Fri Sep 21 11:11:19 2012 And here is windows box on .100 also outside the scope C:\Windows\System32>nslookup Default Server:  pfsense.local.lan Address:  192.168.1.253 > www.google.com Server:  pfsense.local.lan Address:  192.168.1.253 Non-authoritative answer: Name:    www.google.com Addresses:  2607:f8b0:400f:801::1012          74.125.225.177          74.125.225.179          74.125.225.178          74.125.225.180          74.125.225.176 So I would verify that you did not typo the dns server?  Do you have more than 1 dns server listed on the clients on your lan? I have more boxes outside my scope than inside to be honest, and have no issues - are these boxes on a different interface/vlan connected to pfsense, so different firewall rules than lan?  Is there anything between them and the pfsense lan interface, another firewall, local firewalls on the clients? Are you running say unbound, where you could of set ACLs on which IPs can query it?

@techmed: Thanks a lot. I've been looking at wildcards as well. I don't need granularity per se, I just want to have those rules in place to ensure that google isn't over ssl. I'll look into URL rewriting with squid The dnsmasq override solution works fine with the caveat that your overrides will quit working if the address of nosslsearch.google.com ever changes. With that in mind, I wrote a little hack to keep it up to date. The attached php code will udpate the ip address in the override to the nslookup ip address of a domain specified in the overrides description field. For the override rules for www.google.com, google.com, etc, you can set the description field to "ip=nosslsearch.google.com" and every time this script is executed it will lookup the ip address of 'nosslsearch.com" and update it in the override (if it has changed). I'm planning to just run the script from cron every half hour or so… Apologize up front if this isn't the most elegant php code. I don't claim to know php - I just hacked this together looking at the gui code for services_dnsmasq.php. /*         update_hosts.php Process the config settings of the dnsmasq service and set the host override IP addresses to values that we lookup using nslookup. If the description in the host override contains the string ip=domain (such as ip=nosslsearch.google.com) then lookup the domain value and put it into the ip address field */ require("config.inc"); require_once("functions.inc"); require_once("filter.inc"); require_once("shaper.inc"); if (!is_array($config['dnsmasq']['hosts']))         $config['dnsmasq']['hosts'] = array(); if (!is_array($config['dnsmasq']['domainoverrides']))         $config['dnsmasq']['domainoverrides'] = array(); $a_hosts = &$config['dnsmasq']['hosts']; $a_domainOverrides = &$config['dnsmasq']['domainoverrides']; $write_it = 0; $i = 0; foreach ($a_hosts as $hostent) {         /* If the description starts with "ip=", then we want to lookup the           domain specified         */         $descr=ltrim(strtolower($hostent['descr']));         $str_part=explode("=",$descr);         if ( $str_part[0] == "ip" ) {                 /* Pull the domain out (second part of 'ip=domain')                 */                 $ret_val=0;                 $out_array=array();                 $check_domain=$str_part[1];                 echo "Checking override address for {$hostent['domain']}\n";                 echo "should be set to resolution of {$check_domain}\n";                 /* Try to lookup the domain and get an address back for it                 */                 $tmp=exec("nslookup -timeout=2 " . $check_domain, $out_array, $ret_val);                 $str_part=explode(" ", $out_array[4]);                 if ($str_part[0] == "Address:") {                         $lookup_addr=$str_part[1];                         echo "nslookup of {$check_domain} returned {$lookup_addr}\n";                         /* If the address is different than the IP alread stored for this                           override record, then update it                         */                         if ($lookup_addr != $hostent['ip']) {                                 echo "{$hostent[ip]} != {$lookup_addr}\n";                                 echo "updating address {$hostent['ip']} ---> {$lookup_addr}\n\n";                                 $hostent['ip']=$lookup_addr;                                 $a_hosts[$i]=$hostent;                                 $write_it=1;                         }                         else {                                 echo "{$hostent[ip]} == {$lookup_addr}\n";                                 echo "skipping address update...\n\n";                         }                 }                 else {                         echo "unable to resolve {$check_domain}\n";                         echo "skipping address update...\n\n";                 }         }         $i++; } /* Only rewrite things if something actually changed */ if ($write_it > 0) {         echo "writing config\n";         write_config();         $retval = services_dnsmasq_configure();         /* Relaod filter (we might need to sync to CARP hosts)           don't know if this is really necessary or not         */         filter_configure(); }

@cmb: Don't disable it entirely, just add the additional hostname under System>Advanced. YES - YOU DA MAN! Thanks :)

Those are resolved using a little daemon that checks DNS every few minutes for updates. If DNS is down, the IPs don't get put in the alias/table in pf. When DNS comes back, the IPs will be put into the table once they have been resolved.

hi! if you are familiar with coding, check my thread, if you can help me overcome my problem ı think ay can help you my:thread:http://forum.pfsense.org/index.php/topic,53655.0.html

I'd rather not add in host overrides, since there will be many servers eventually used and I don't want to have to manually add overrides each time a new one is brought up. This should be possible with dnsmasq - in fact I know it is since I have previously used it, but something in the pfSense distribution is preventing it :(

Your ISP is handing some options to you in the DHCP lease it seems, nothing to be worried about, usually stuff for their own equipment.

http://forum.pfsense.org/index.php/topic,36066.msg186013.html#msg186013 http://redmine.pfsense.org/issues/1682

That is right. DNS forwarder worked. Thank you very much for providing me the instructions!

Thanks for the reply Please if you want Emergence login interface on the network Unregistered users in the server and request password Login In other words, shows the server without service works And how to create an entry page If you create an accessible page where fabricators in pfsense files Using software such as ssh Also required password Root I want to change the password Root where in pfsense list

Sounds like I should just leave things well enough alone if everything is working.  ;D