I may take a look at that. What I'm really trying to achieve is redundant DHCP + DNS + DDNS, but looking at TinyDNS it seems as though the DDNS part is an add on.  I haven't looked into it enough to figure out how the DDNS component works. I suspect that I will just use two other servers on the network to set this up, but it would be really nice if this were possible with pfSense.

Just in case noobs like me find this: I setup syslog for remote on a linux box (by adding a '-r' flag in its config), then in pfSense 1.2.3 I went to Status->System Logs->Settings, entered in the linux box's IP, and checked 'Everything'. If you check 'Everything' and another box, you'll receive two of the same message.

Thanks Brother i have done it and it is working very fine…. Regards Ahsan Abid

yes i understand thank you

Thank you for the advice. I'll look at hardwiring something in /etc/inc/. I realize that mixing subnets is not the ideal situation, but I hesitate to buy extra hardware to accommodate the 10 or so visitors per year who come to the office and ask if they can hook up their laptop. I also think it's rude to say "NO you can't hook up your laptop," since they let me hook up my laptop when I visit their office. Assigning visitors an IP address on a different subnet with stricter rules is a cheap and easy way to avoid problems like visitors being able to browse our samba shares. It also would prevent problems like we had when a temp that we hired to help us with filing happened to have a torrent client running in the background on his laptop, and we got a DMCA notice because of an illegal download. Since only 5 or 6 ports are open from that subnet to WAN, the torrent client wouldn't have worked. I know it won't stop the NSA or a malicious hacker, but that's not the kind of people we invite into our office anyway.

@wallabybob: After a bit of experimentation I discovered pfSense will let you assign the same IP address to two different MAC addresses but the hostnames have to be different. In pfSense I assigned the IP address associated with my netbook's wired interface to the wireless MAC address on my netbook and disabled and enabled the wireless interface and it successfully got the IP address I had previously associated only with the wired interface's MAC address. I can put up with two different names for the same IP address. Now my automatic backup will run regardless of whether the netbook is online through the wired interface or wireless interface. Nice.  I'll have to try it when I get home.

Really NO-ONE really ever needed this?

Configure your domain overrides through the webGUI. Go to Services->DNS Forwarder. Unbound makes use of the same host entries and domain overrides as dnsmasq.

Just wanted to say that it did come down to a hardware issue of some sorts. Not sure what is up with the PCI port for NIC I was using for the WAN interface but switch the interface assignment and I am able to view sites and download w/o issue. Thanks for the advice on the HW!

Sorry about being unclear. Clarifications: LAN is vlan0, OPT1 is vlan1 I added pass all rules, meaning pass on any proto, any destination, on both LAN and OPT1 interfaces. The tcpdump was looking for DHCP protocol packets, I used this command: tcpdump -i <if>port 67 or port 68 The log excerpt was from the firewall log, forgot to say there was a green pass icon too. Sorry. The DHCP-specific rules that I added (on both LAN and OPT1) was "PASS UDP from anywhere, to anywhere, port 67-68". Again, excuse me for being vague, and thanks for your time.</if>

DNS from DHCP should be fixed with any snapshot from late Saturday on.

This is strange. If I enable and disable the WAN adapter in pfSense I get one IP, and if I dhclient I get another. I can do this back and forth. In fact, since the last few days of pfSense updates, my /var/etc/resolv.conf file hasn't been populating anything but the domain so I've lost connection via hostnames because of it. What in the world is causing this?

That is not possible to do on a single IP for almost any other protocol but HTTP. By the time a client hits your firewall, you firewall has no idea what hostname they used to get there. To do it with HTTP on port 80, you can use a package like mod_security which can redirect based on hostname, because that is supported in the HTTP protocol. Other protocols don't (including HTTPS, mostly) don't have a way to distinguish based on hostname, so you can only have one port forwarded per IP address.

I am trying to do something similar, because of the nature of https sites, I cannot block them with an external transparent squid, so I would like to block them with domain into pfsense. I can redirect the hole domain into pfsense with the dns but there is not an option to redirect based on source ip. Without using openDNS is there a way to acomplish this with pfsense?. Thanks!!!

Silly question - but after you install Unbound, it wont start automatically as you need to then configure it which also requires disabling the DNS Forwarder (as per post-installation notes). The unbound logs will then start to be populated once you have configured and clicked 'save'. Did you do this?