Configure your domain overrides through the webGUI. Go to Services->DNS Forwarder. Unbound makes use of the same host entries and domain overrides as dnsmasq.

Just wanted to say that it did come down to a hardware issue of some sorts. Not sure what is up with the PCI port for NIC I was using for the WAN interface but switch the interface assignment and I am able to view sites and download w/o issue. Thanks for the advice on the HW!

Sorry about being unclear. Clarifications:

LAN is vlan0, OPT1 is vlan1 I added pass all rules, meaning pass on any proto, any destination, on both LAN and OPT1 interfaces. The tcpdump was looking for DHCP protocol packets, I used this command: tcpdump -i <if>port 67 or port 68 The log excerpt was from the firewall log, forgot to say there was a green pass icon too. Sorry.

The DHCP-specific rules that I added (on both LAN and OPT1) was "PASS UDP from anywhere, to anywhere, port 67-68".

Again, excuse me for being vague, and thanks for your time.</if>

DNS from DHCP should be fixed with any snapshot from late Saturday on.

This is strange. If I enable and disable the WAN adapter in pfSense I get one IP, and if I dhclient I get another. I can do this back and forth. In fact, since the last few days of pfSense updates, my /var/etc/resolv.conf file hasn't been populating anything but the domain so I've lost connection via hostnames because of it. What in the world is causing this?

That is not possible to do on a single IP for almost any other protocol but HTTP. By the time a client hits your firewall, you firewall has no idea what hostname they used to get there.

To do it with HTTP on port 80, you can use a package like mod_security which can redirect based on hostname, because that is supported in the HTTP protocol.

Other protocols don't (including HTTPS, mostly) don't have a way to distinguish based on hostname, so you can only have one port forwarded per IP address.

I am trying to do something similar, because of the nature of https sites, I cannot block them with an external transparent squid, so I would like to block them with domain into pfsense.

I can redirect the hole domain into pfsense with the dns but there is not an option to redirect based on source ip.

Without using openDNS is there a way to acomplish this with pfsense?.

Thanks!!!

Silly question - but after you install Unbound, it wont start automatically as you need to then configure it which also requires disabling the DNS Forwarder (as per post-installation notes). The unbound logs will then start to be populated once you have configured and clicked 'save'.

Did you do this?

If they are on different domain names, you could add a domain override in the DNS forwarder settings that points the other side's domain name to an IP on other firewall of the other network, and vice versa.

The short names wouldn't work, but fully qualified names should.

Hard to say that with any exact numbers. The leases file can grow quite large with many leases (in /var/dhcpd/)

The arp tables don't take up much, but again the exact numbers are hard to say for that.

For the state table, 1 state is ~1KB of RAM, so with everything else on the ALIX you'd probably want to keep that under 100,000. If that much… more like 40-50,000 would probably be better, but that depends on what other things you have using RAM.

With this little hack it works for me:

/etc/dhclient-exit-hooks:
#!/bin/bash
if netstat -nr | grep -q '^default'; then
 # default route exists
else
 route add -host $new_routers -link em0: -interface      
 route add default $new_routers      
fi

Have a look at /usr/local/etc/unbound/unbound.conf, see if it has all your host entries in there? If not then let me know, pvt msg (if you don't mind) your internal host entries and unbound.conf. Want to make sure there are no funny characters that is potentially messing things up.

Hmm… If I turn off DNS forwarding (the clients get the actual DNS server IPs instead of the IP address of the pfSense machine as the DNS server IP) I can ping each other again, but it's responding with IPv6 addresses, not IPv4.  At least I can now communicate.

I'll leave it this way for now, but awaiting any solution.  When I get time, I'm going to reset everything and start over.  If that doesn't work, I'll just go back to my Linksys WRT54GS, chalk it up to either an unfinished software, or maybe just too complicated for me (I would have thought the default settings would at least be on parity on function with a SOHO router).

I'll probably repurpose the small PC as a server or a PC to test things with.

Looks like if I set interface type to "static" and set an IP address, than I can see this interface in DHCP server and enable it there.