• Multiple LAN one WAN

    Locked
    5
    0 Votes
    5 Posts
    5k Views
    chpalmerC
    LAN port is 192.168.1.1, OPT1 currently is 10.10.20.1, Pfsense is 192.168.1.2 By "pfSense is" you mean the WAN is?? If your LAN port is 192.168.1.1 then you would access the web gui by that address…  Where does the 192.168.1.2 come from?
  • DNS server upgrade -> result: DNS doesn't work

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimpJ
    Add a NAT Port Forward entry on every interface that you want to serve DNS to, forward tcp/udp port 53 to 127.0.0.1 from each interface address.
  • DHCP & DNS with a windows domain.

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    jimpJ
    Unfortunately, when dealing with a windows domain, it's usually better to point DHCP and DNS at the windows server, and then configure the server's DNS service to use pfSense as its forwarder for DNS queries. There are several aspects of being part of a domain which will end up slower (especially login) if your DNS server on the clients is not also your DC.
  • Local laptop/iPad sporadically getting external IP for a local server

    Locked
    9
    0 Votes
    9 Posts
    5k Views
    jimpJ
    Well something out there (perhaps the DNS server for mydomain.com) is answering the AAAA query:

        13:04:07.910775 IP tiger.mydomain.com.62310 > router.mydomain.com.domain: 27878+ AAAA? panda.mydomain.com. (39)
        13:04:07.924733 IP router.mydomain.com.domain > tiger.mydomain.com.62310: 27878 1/1/0 CNAME mydomain.com. (123)

    That means it asked for the AAAA record for panda, and got back that result is a CNAME for mydomain.com

    And then it asked for a AAAA record for mydomain.com, and AAAA for panda.dolcera.net…

        13:04:07.924964 IP tiger.mydomain.com.55111 > router.mydomain.com.domain: 55178+ AAAA? mydomain.com. (33)
        13:04:07.939512 IP router.mydomain.com.domain > tiger.mydomain.com.55111: 55178 0/1/0 (103)
        13:04:07.939945 IP tiger.mydomain.com.62372 > router.mydomain.com.domain: 25705+ AAAA? panda.dolcera.net. (35)
        13:04:07.953756 IP router.mydomain.com.domain > tiger.mydomain.com.62372: 25705 NXDomain 0/1/0 (97)

    …and got back an answer that they don't exist. Then finally asked for an A record for mydomain.com...

        13:04:08.289062 IP tiger.mydomain.com.51172 > router.mydomain.com.domain: 23562+ A? mydomain.com. (33)
        13:04:08.308518 IP router.mydomain.com.domain > tiger.mydomain.com.51172: 23562 1/0/0 A 98.xxx.xxx.xxx (49)

    …and got back what is presumably your WAN IP.
  • Firewall DNS Rules

    Locked
    5
    0 Votes
    5 Posts
    11k Views
    M
    @XIII: Correct. You are welcome. I got this from the pfSense Docs/Book. You know I've skimmed through it but I never even thought about an Alias as I've never used them before.  Very handy.
  • 0 Votes
    3 Posts
    2k Views
    M
    Never thought of this. Don't know how the DC is set up and it is beyond my control. Will check if this works. Thanks for the reply. edit Just wanted to confirm that the suggested fix worked. Thanks again.
  • Set up internal network domains for my servers

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    W
    Enable DNS forwarder on pfSense and at bottom of web page Services -> DNS Forwarder add entry for server. Configure local systems to use pfSense as DNS. (This should happen automatically if local systems are using DHCP to get IP address and DNS.) If the server has a private IP address it won't be accessible from outside your local network unless you have done something to pfSense or your modem to make it visible (e.g. port forwarding).
  • Using pfsense DHCP to point clients to a LTSP server?

    Locked
    9
    0 Votes
    9 Posts
    14k Views
    R
    @zboll: I really like pfsense so I do not plan on changing to linux distribution router anytime soon.  I am trying to set up a couple diskless computers and I would like to be able to plug them into my existing network.  I was wondering if I could use my pfsense box dhcp server to point the client to my LTSP server?  My LTSP server is running Debian Etch. My other solution to the problem was to just install another network card into my LTSP server, run a dhcp server, and plug it into a switch connected to the clients.  I would rather use pfsense dhcp server to avoid the extra hardware/cable needed. thanks, Zack

    I've found a nasty little solution, but it's better than nothing at the moment. This is completely unsupported and these changes will definitely be lost on any upgrade, maybe sooner. I'm running 1.2.3 Release so my line numbers might differ from yours, but around line 117 of /etc/inc/services.inc, you'll find a chunk of DHCPD options between "<<<EOD" and "EOD;". I think you can get away with plugging in your advanced options here. This is as yet untested just an educated guess so I'm not responsible for the results :)

    Hope this helps someone though.
  • 2 DHCP service on 1 physical LAN

    Locked
    13
    0 Votes
    13 Posts
    12k Views
    jimpJ
    Having two DHCP servers on the same network will not work. However, I don't think that static IP mappings from DHCP have to be within the same subnet, so you might be able to just run the DHCP server on the segment for normal clients and have the static IP mappings for the other IPs… But even if that could work, it's ugly. And really there is no good reason not to segment subnets on different interfaces/VLANs.
  • DNS forward override for single host

    Locked
    3
    0 Votes
    3 Posts
    4k Views
    W
    I don't know precisely enough what you are trying to do because you don't say the context from which x is "to be reached as the static IP" - the internet or systems downstream of your pfSense box. Here's a case where I have used DNS forward override. My configuration:

        Internet <--> ADSL Modem/Router <--> pfSense <--> LAN
                                                /|
                                                +-----> DMZ (OPT1)

    I want my web server on the pfSense OPT1 interface to be accessible from the internet. My ISP assigns me a dynamic IP address so I have registered a dynamic DNS name zzzz.dyndns.org. I have setup a port forwarding rule and static route on my ADSL modem so incoming (from the internet) accesses to TCP port 80 go to my web server downstream of pfSense interface OPT1. All my systems downstream of pfSense use the pfSense DNS forwarder as their DNS.

    On my local network (LAN) I couldn't access my webserver on the DMZ by the name zzzz.dyndns.org (because the Internet name server returns the IP address of my ADSL modem, which is the correct thing to do to get to my web server from the Internet) so I created an override entry in the pfSense DNS forwarder (host = zzzz, domain = dyndns.org, IP address = web server's IP address on the pfSense OPT1 subnet). Now all my systems downstream of pfSense get the OPT1 subnet address as the IP address of zzzz.dyndns.org while systems on the Internet get the most recently registered IP address of my ADSL modem.
  • DNS forward to virtual device on a Linux Server

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • PfSense Ad Blocking

    Locked
    7
    0 Votes
    7 Posts
    25k Views
    T
    I use ipblocklist to block ads and unwanted advertising. I can control which ad sites are blocked and which are not as well as being able to use public lists that block known ad sites. The easy part is there is no client side configuration required since pfsense handles the traffic at the fw level. Edit: windows 7 doesn't suck  :)
  • PfSense DHCP server kinda slow

    Locked
    2
    0 Votes
    2 Posts
    4k Views
    D
    If a host is making a DHCP request, it doesn't have what it considers to be a valid IP, so gateways and other routing issues should not be germane.  I would do a packet capture during a slow DHCP cycle and see what shows up.
  • PhpDynDNS not updating the ip to DynDns

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    B
    it's 1.2.3
  • Can't open webpage which url is of same domain as our LAN

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    R
    Hi there, I'm posting because with the help of the guys down at #pfsense irc channel, I have fixed the issue. Actually the problem was our internal DNS server didn't know where to find www.acme.com. So we created a rule pointing www.acme.com to the external web server IP address. It started working right away. Cheers
  • Unable to access internal webserver using external domain name

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    T
    I thought it was solved, but then I reopened my browser only to find that it does not work.  I had, for the time being, entered it as an entry under dns forwarder
  • DHCP static lease for one session on a multiboot client?

    Locked
    4
    0 Votes
    4 Posts
    3k Views
    T
    I'll check the XP for a static IP this evening.
  • Cisco AP + Dell Switches + pfSense = Headache

    Locked
    6
    0 Votes
    6 Posts
    4k Views
    C
    @bolerodan: I'm curious if this has been fixed or figured out. I'll have to use a Dell Switch with PFSense very soon so it's interesting to see some insight on Vlans with PFSense and Dell Switches

    Dell switches with VLANs work fine, my prior post may have implied otherwise, but that's limited only to span port functionality on the switch. I've done some deployments with over 100 VLANs on Dell switches. This isn't a general problem with Dell switches or pfSense, simply a configuration problem.
  • Static IPs are being ignored and being assigned Ips from the wrong subnet

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    H
    The reboot seems to have taken care of the problem. Many thanks. Heath
  • Windows OS can't access DHCP

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    W
    @machado: @wallabybob. How can do it?

    In web GUI: Status -> System Logs, click on DHCP tab. Do whatever it is you do to get the DHCP client to send a DHCP request, wait a minute or so then look in the DHCP log to see that the DHCP request has been received. The DHCP server logs the requests (including the source MAC address) and the responses it sends.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.