• Beginner question about DNS (server1.mydomain.com, server2.mydomain.com)

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimpJ
    That is not possible to do on a single IP for almost any other protocol but HTTP. By the time a client hits your firewall, your firewall has no idea what hostname they used to get there. To do it with HTTP on port 80, you can use a package like mod_security which can redirect based on hostname, because that is supported in the HTTP protocol. Other protocols (including HTTPS, mostly) don't have a way to distinguish based on hostname, so you can only have one port forwarded per IP address.
  • Per IP DNS settings

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    J
    I am trying to do something similar. Because of the nature of HTTPS sites, I cannot block them with an external transparent squid, so I would like to block them by domain in pfSense. I can redirect the whole domain in pfSense with the DNS, but there is not an option to redirect based on source IP. Without using OpenDNS, is there a way to accomplish this with pfSense? Thanks!!!
  • Unbound won't start

    Locked
    4
    0 Votes
    4 Posts
    2k Views
    W
    Silly question - but after you install Unbound, it won't start automatically, as you need to then configure it, which also requires disabling the DNS Forwarder (as per post-installation notes). The unbound logs will then start to be populated once you have configured and clicked 'save'. Did you do this?
  • Share DNS info of DHCP leases over VPN

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimpJ
    If they are on different domain names, you could add a domain override in the DNS forwarder settings that points the other side's domain name to an IP on the firewall of the other network, and vice versa. The short names wouldn't work, but fully qualified names should.
  • Number of DHCP server lease limit on V2 ?

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimpJ
    Hard to say that with any exact numbers. The leases file can grow quite large with many leases (in /var/dhcpd/). The ARP tables don't take up much, but again the exact numbers are hard to say for that. For the state table, 1 state is ~1KB of RAM, so with everything else on the ALIX you'd probably want to keep that under 100,000. If that much… more like 40-50,000 would probably be better, but that depends on what other things you have using RAM.
  • DHCP Relay to Different DHCP Servers

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • DHCP client on WAN interface broken in 2.0-RC1 ?

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    Q
    With this little hack it works for me: /etc/dhclient-exit-hooks:

        #!/bin/bash
        # Add a default route via the DHCP-supplied router if none exists yet.
        if netstat -nr | grep -q '^default'; then
            : # default route exists
        else
            route add -host $new_routers -link em0: -interface
            route add default $new_routers
        fi
  • Unbound and Static Entries

    Locked
    4
    0 Votes
    4 Posts
    4k Views
    W
    Have a look at /usr/local/etc/unbound/unbound.conf, see if it has all your host entries in there? If not then let me know, pvt msg (if you don't mind) your internal host entries and unbound.conf. Want to make sure there are no funny characters that are potentially messing things up.
  • Hyper-V host and guest cannot ping each other

    Locked
    3
    0 Votes
    3 Posts
    11k Views
    N
    Hmm… If I turn off DNS forwarding (the clients get the actual DNS server IPs instead of the IP address of the pfSense machine as the DNS server IP) I can ping each other again, but it's responding with IPv6 addresses, not IPv4. At least I can now communicate. I'll leave it this way for now, but awaiting any solution. When I get time, I'm going to reset everything and start over. If that doesn't work, I'll just go back to my Linksys WRT54GS, chalk it up to either unfinished software, or maybe just too complicated for me (I would have thought the default settings would at least be on par in function with a SOHO router). I'll probably repurpose the small PC as a server or a PC to test things with.
  • Dhcp option 43 and suboptions

    Locked
    1
    1 Votes
    1 Posts
    3k Views
    No one has replied
  • DNS Server Setup

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • 0 Votes
    2 Posts
    3k Views
    A
    Looks like if I set interface type to "static" and set an IP address, then I can see this interface in DHCP server and enable it there.
  • TinyDNS(dnscache) access across subnets

    Locked
    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • Primary hostname

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    W
    Change the DNS registration from crm to myserver. If you have a pfSense box which runs the DNS forwarder and you want them (and only them) to see myserver as the backtranslation of the IP address then I suspect it might be sufficient to add a mapping in the DNS forwarder to say myserver has the specified IP address (or enable Register DHCP leases in DNS Forwarder on the Services -> DNS Forwarder page).
  • Resolving dynamic hostnames through dnsmasq on multiple interfaces

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimpJ
    Yes, hosts obtained from DHCP registering should resolve from any internal subnet.
  • DO NOT set gateway via DHCP

    Locked
    12
    0 Votes
    12 Posts
    12k Views
    W
    @johnea: If you really do need to edit the generated rules, you will have to edit /etc/inc/filter.inc which generates the ruleset. Would this also apply to other webgui supported services such as dhcpd? Yes, there would likely be a service dependent file to be edited.
  • DNS Server to WAN

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    W
    @mhby87: It's working to open web in LAN. Do you mean that on a system on the LAN you can open web pages on the server in the DMZ specifying by hostname or by IP address? @mhby87: My web cannot open in WAN using Domain Name (web only can open with IP). I think this problem from setting at pfSense Rules and NAT. I try to forward port 53 (DNS) to WAN, but still not working. I'm not sure what you are reporting here. Do you mean that when you try to access the web server on the DMZ from the Internet it succeeds if you use the IP address (which IP address? the static IP address of the pfSense WAN interface?) but not the host name? Which host name? Is it a hostname registered with public DNS? What does the browser report when the access fails?
  • Dhcpd carp - recover peer unknown state

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    jimpJ
    FYI- on 2.0 when setting that up the rules are added for 519/520 automatically.
  • MOVED: U-Verse receiver not working with pfsense

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • DNS not working for windows domain.

    Locked
    4
    0 Votes
    4 Posts
    4k Views
    I
    I have pfSense and a Windows domain also. Here is my setup in pfSense: I only allowed certain ports out, like HTTP, HTTPS, IMAPS, SMTPS, POP3S. Because I did that, I set up another rule that has my servers' IP addresses in it, allowing them to use port 53 (DNS). pfSense runs DHCP with my Active Directory servers as the DNS. On my Active Directory servers the forwarders are set to opendns.org's DNS servers.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.