• Delay DHCP response from PFSense

    Locked
    2 Votes
    1 Posts
    2k Views
    No one has replied
  • Dhclient - automatically renew ip address, how do I do that?

    Locked
    0 Votes
    5 Posts
    2k Views
    :) Thanks wallabybob, I'll keep an eye on it …
  • Users disconnecting one by one from the network

    Locked
    0 Votes
    1 Posts
    866 Views
    No one has replied
  • Routing of DNS requests?

    Locked
    0 Votes
    3 Posts
    2k Views
    Ah, domain overrides are what I need! Thanks.
  • Certain external DNS servers cannot query our public DNS server

    Locked
    0 Votes
    20 Posts
    12k Views
    Thank you all for your wonderful ideas and for pointing out the public availability of our DNS servers. At one point, we were fine with recursion for various reasons but over the past year our servers have been hammered! Anyways, the problem was due to converting our DNS from FreeBSD to CentOS, adding IP aliases to the NIC, and not having the proper subnet assigned to those aliases. It was working fine on the old router system but since our colo made some routing changes and we implemented pfSense, the faulty subnet settings popped up. Again, thank you all!
  • Dns forwarder flow?

    Locked
    0 Votes
    4 Posts
    2k Views
    The main thing if you do use a DNS forwarder (generally that's a good option as a secondary DNS in SBS environments and similar where you have only one AD DNS server), is make sure you're forwarding the AD domain to the AD DNS. If you have a typical full blown AD environment, it's best to point the clients straight to the AD DNS, but only because they'll register their hostnames in your AD DNS that way. As long as you have that domain forward in your DNS forwarder, AD works perfectly fine for clients using the DNS forwarder. It's just DNS name registration that wouldn't work in your AD in that case.
  • DHCP with FreeRadius2

    Locked
    0 Votes
    2 Posts
    2k Views
    Hi, I've been looking around and I think that what I'm looking for might be simpler than what I asked for before. Does anyone know if there is a way to run 802.1X authentication on the LAN interface? Cheers,
  • How to assign different DNS servers to different clients?

    Locked
    0 Votes
    4 Posts
    2k Views
    @ttblum: How do you configure separate scopes in the pfSense DHCP GUI? New feature in pfSense 2.1 snapshot builds - see http://forum.pfsense.org/index.php/topic,53716.0.html
  • Internal DNS borks when WAN goes down

    Locked
    0 Votes
    10 Posts
    3k Views
    johnpoz
    "If there are DNS entries in general settings, and I remove the WAN cable, local DNS is slow." Give example of this.. So if I query my local dns (pfsense) for a local address.

        C:\Windows\System32>dig @192.168.1.253 i5-w7.local.lan

        ; <<>> DiG 9.9.1-P3 <<>> @192.168.1.253 i5-w7.local.lan
        ; (1 server found)
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49489
        ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

        ;; QUESTION SECTION:
        ;i5-w7.local.lan.              IN      A

        ;; ANSWER SECTION:
        i5-w7.local.lan.        1      IN      A      192.168.1.100

        ;; Query time: 5 msec
        ;; SERVER: 192.168.1.253#53(192.168.1.253)
        ;; WHEN: Mon Oct 08 02:02:40 2012
        ;; MSG SIZE  rcvd: 49

    how is it slow if your wan is down.. So I unplug connection from cable modem - pfsense has NO wan connection, and

        C:\Windows\System32>dig @192.168.1.253 i5-w7.local.lan

        ; <<>> DiG 9.9.1-P3 <<>> @192.168.1.253 i5-w7.local.lan
        ; (1 server found)
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45643
        ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

        ;; QUESTION SECTION:
        ;i5-w7.local.lan.              IN      A

        ;; ANSWER SECTION:
        i5-w7.local.lan.        1      IN      A      192.168.1.100

        ;; Query time: 4 msec
        ;; SERVER: 192.168.1.253#53(192.168.1.253)
        ;; WHEN: Mon Oct 08 02:05:09 2012
        ;; MSG SIZE  rcvd: 49

    so asking for another address

        C:\Windows\System32>dig @192.168.1.253 current.local.lan

        ; <<>> DiG 9.9.1-P3 <<>> @192.168.1.253 current.local.lan
        ; (1 server found)
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15888
        ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

        ;; QUESTION SECTION:
        ;current.local.lan.            IN      A

        ;; ANSWER SECTION:
        current.local.lan.      1      IN      A      192.168.1.220

        ;; Query time: 5 msec
        ;; SERVER: 192.168.1.253#53(192.168.1.253)
        ;; WHEN: Mon Oct 08 02:05:49 2012
        ;; MSG SIZE  rcvd: 51

    This is all with pfsense wan disconnected, except for the first query.. So show example where you're slow.
  • Secure DNS Setup

    Locked
    0 Votes
    6 Posts
    5k Views
    johnpoz
    you have to allow 53 to your pfsense lan IP for clients to be able to talk to pfsense for dns.. Default rule allows all outbound traffic; if you're going to restrict it, then you have to allow for at least your clients to talk to pfsense on its IP on tcp/udp 53 so they can ask its dns forwarder to go lookup google.com for example. Then the client will go to www.google.com on tcp 80 or 443 which you allow any on.
  • Interface specific DNS

    Locked
    0 Votes
    4 Posts
    2k Views
    cmb: doh… yep my bad. Wasted bits…  :o I ran into the page a few moments ago... prompted my return to the forums. joako: thank you. I'm guessing it was too many brews that night. ;-) I really should have known I've used it quite regularly… an old-timers moment creeping in... bad post :D    Now that's a Marquee!    8)
  • I can't access some sites

    Locked
    0 Votes
    11 Posts
    5k Views
    johnpoz
    what?? what is pfsense going to do if you put its wan and lan on the same segment? Do you want it to be a bridge? If you're going to route with it, be it with or without NAT, it has to have its interfaces in 2 different segments. In your current setup pfsense is not going to do anything with IPs in the same network on its wan and lan interface. So why do you think you have issues with some websites? If you put pfsense on your network on its wan interface - then from pfsense you would have to verify it can access the internet and resolve whatever fqdn you want to check. But you're not going to be able to do that from a client on that same network as the lan and wan interfaces of pfsense using pfsense as anything.
  • Help: dhcpd: DHCPDISCOVER…:: no free leases

    Locked
    0 Votes
    6 Posts
    12k Views
    johnpoz
    not really the way I would have gone about it, that is for sure. How about just lowering the lease so that they would be freed up after a client disconnected. Default I believe is 24 hours.
  • DNS forwarder override IP for a single internal host

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • BUG: DHCPD 100% cpu when using failover IP

    Locked
    0 Votes
    2 Posts
    2k Views
    Assuming it's dhcpd taking up 100% of the CPU, that would be an ISC DHCPD issue, not something we have anything to do with or any control over. If it's replicable I'd suggest reporting it to ISC.
  • How to redirect hostname to certain IP/server

    Locked
    0 Votes
    8 Posts
    6k Views
    @asura: thanks a lot and I really appreciate your reply .. maybe I can try put host, domain and ip as below

        HOST    DOMAIN               IP
        www     .movie-server.com    192.168.1.11

    I am pretty sure for domain you would put "movie-server.com" without the leading ".".
  • TESTING NEEDED: Multiple DHCP pools within a subnet

    Locked
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Two Names pointing to same host

    Locked
    0 Votes
    3 Posts
    1k Views
    Worked like a charm once I set up a virtual host in apache with the new server name. Thanks walaby!
  • 0 Votes
    7 Posts
    4k Views
    johnpoz
    What you're saying makes no sense if you don't have a rule on the lan interface to block access. I have plenty of boxes outside my dhcp scope. So example my lan network is 192.168.1.0/24, pfsense lan interface is on 192.168.1.253, dhcp scope is 192.168.1.210 to .219. So for example my linux box at 192.168.1.7 can query pfsense for dns.

        dig i5-w7.local.lan

        ; <<>> DiG 9.8.1-P1 <<>> i5-w7.local.lan
        ;; QUESTION SECTION:
        ;i5-w7.local.lan.               IN      A

        ;; ANSWER SECTION:
        i5-w7.local.lan.        1       IN      A       192.168.1.100

        ;; Query time: 2 msec
        ;; SERVER: 192.168.1.253#53(192.168.1.253)
        ;; WHEN: Fri Sep 21 11:11:19 2012

    And here is windows box on .100 also outside the scope

        C:\Windows\System32>nslookup
        Default Server:  pfsense.local.lan
        Address:  192.168.1.253

        > www.google.com
        Server:  pfsense.local.lan
        Address:  192.168.1.253

        Non-authoritative answer:
        Name:    www.google.com
        Addresses:  2607:f8b0:400f:801::1012
                  74.125.225.177
                  74.125.225.179
                  74.125.225.178
                  74.125.225.180
                  74.125.225.176

    So I would verify that you did not typo the dns server? Do you have more than 1 dns server listed on the clients on your lan? I have more boxes outside my scope than inside to be honest, and have no issues - are these boxes on a different interface/vlan connected to pfsense, so different firewall rules than lan? Is there anything between them and the pfsense lan interface, another firewall, local firewalls on the clients? Are you running say unbound, where you could have set ACLs on which IPs can query it?
  • Redirect specific destination addresses thru DNS (or some other way…)

    Locked
    0 Votes
    4 Posts
    3k Views
    @techmed: Thanks a lot. I've been looking at wildcards as well. I don't need granularity per se, I just want to have those rules in place to ensure that google isn't over ssl. I'll look into URL rewriting with squid.

    The dnsmasq override solution works fine with the caveat that your overrides will quit working if the address of nosslsearch.google.com ever changes. With that in mind, I wrote a little hack to keep it up to date. The attached php code will update the ip address in the override to the nslookup ip address of a domain specified in the overrides description field. For the override rules for www.google.com, google.com, etc, you can set the description field to "ip=nosslsearch.google.com" and every time this script is executed it will lookup the ip address of "nosslsearch.google.com" and update it in the override (if it has changed). I'm planning to just run the script from cron every half hour or so… Apologize up front if this isn't the most elegant php code. I don't claim to know php - I just hacked this together looking at the gui code for services_dnsmasq.php.

        <?php
        /*
         * update_hosts.php
         *
         * Process the config settings of the dnsmasq service and set the host
         * override IP addresses to values that we lookup using nslookup.
         *
         * If the description in the host override contains the string ip=domain
         * (such as ip=nosslsearch.google.com) then lookup the domain value and
         * put it into the ip address field.
         */
        require("config.inc");
        require_once("functions.inc");
        require_once("filter.inc");
        require_once("shaper.inc");

        if (!is_array($config['dnsmasq']['hosts']))
                $config['dnsmasq']['hosts'] = array();
        if (!is_array($config['dnsmasq']['domainoverrides']))
                $config['dnsmasq']['domainoverrides'] = array();

        $a_hosts = &$config['dnsmasq']['hosts'];
        $a_domainOverrides = &$config['dnsmasq']['domainoverrides'];

        $write_it = 0;
        foreach ($a_hosts as $i => $hostent) {
                /* If the description starts with "ip=", then we want to lookup the
                   domain specified (a missing description is simply skipped) */
                $descr = isset($hostent['descr']) ? ltrim(strtolower($hostent['descr'])) : "";
                $str_part = explode("=", $descr, 2);
                if (count($str_part) != 2 || $str_part[0] != "ip")
                        continue;

                /* Pull the domain out (second part of 'ip=domain') */
                $ret_val = 0;
                $out_array = array();
                $check_domain = trim($str_part[1]);
                echo "Checking override address for {$hostent['domain']}\n";
                echo "should be set to resolution of {$check_domain}\n";

                /* Try to lookup the domain and get an address back for it.
                   The domain string comes from the config, so quote it before
                   it reaches the shell. */
                exec("nslookup -timeout=2 " . escapeshellarg($check_domain), $out_array, $ret_val);

                /* nslookup prints the resolver's own "Address:" line first; the
                   answer is the first "Address:" line after the "Name:" line. */
                $lookup_addr = "";
                $seen_name = false;
                foreach ($out_array as $line) {
                        if (strpos($line, "Name:") === 0) {
                                $seen_name = true;
                        } elseif ($seen_name && preg_match('/^Address:\s*(\S+)/', $line, $m)) {
                                $lookup_addr = $m[1];
                                break;
                        }
                }

                if ($ret_val == 0 && is_ipaddr($lookup_addr)) {
                        echo "nslookup of {$check_domain} returned {$lookup_addr}\n";
                        /* If the address is different than the IP already stored for this
                           override record, then update it */
                        if ($lookup_addr != $hostent['ip']) {
                                echo "{$hostent['ip']} != {$lookup_addr}\n";
                                echo "updating address {$hostent['ip']} ---> {$lookup_addr}\n\n";
                                $a_hosts[$i]['ip'] = $lookup_addr;
                                $write_it = 1;
                        } else {
                                echo "{$hostent['ip']} == {$lookup_addr}\n";
                                echo "skipping address update...\n\n";
                        }
                } else {
                        echo "unable to resolve {$check_domain}\n";
                        echo "skipping address update...\n\n";
                }
        }

        /* Only rewrite things if something actually changed */
        if ($write_it > 0) {
                echo "writing config\n";
                write_config();
                $retval = services_dnsmasq_configure();
                /* Reload filter (we might need to sync to CARP hosts)
                   don't know if this is really necessary or not */
                filter_configure();
        }
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.