Eh.  Doesn't matter any more.  I decided to not push my pfSense boxes and instead bought some L3 switches (Dell PowerConnect 6248) for each of my racks.  LAN routing & DHCP relaying is now being handled by them.

Here's a basic setup in pfSense:

Go go Services and then Dynamic DNS.

Check the "Enable" checkbox in the Dynamic DNS header.
  Service Type: DNS-O-Matic
  Hostname: all.dnsomatic.com
  MX: <leave blank="">Wildcard: Check
  Username: <your dns-o-matic="" username="">Password:</your></leave>

Click save.

See the DNS-O-Matic documentation for more details.

A DynDNS tip
If you have multiple hostnames mapped to the same IP address with DynDNS and you're using DNS-O-Matic to keep them up to date, list all of the hostnames as a comma-separated list in the host field of a single service entry in DNS-O-Matic. For example, create a single DynDNS service entry in DNS-O-Matic, enter your DynDNS username and password, and then your list of hosts: myhost1.homeip.net,myhost2.dyndns.net,myhost3.dyndns.net. I have found this to be much more reliable than creating a separate service entry for each hostname because it updates all of those hosts at once instead of one at a time. This is specific to the DynDNS update API.

Unfortunately you have not provided much information to work with. Please elaborate on "internet disconnected". For example, complete the sentence "I did … and I saw ... but I expected to see ...". That might help narrow the problem field a little.

The scheduled rules approach should work.

That said, if you want to continue using your cron method your best option is to killall -9 dhcpd before restarting it, that way it won't ever be running when you run it from cron.

thank you both.
I will do it this afternoon, and post the result later.
Thanks again for the very quickly response.
;)

We have noticed the exact situation on our firewall.

Network :
–--------

DNS (.4)  <--------------> (LAN) PFsense bridged (WAN) (.2) <---------> Internet

The "DNS query" is send from the DNS through our firewall. The source packet is like "natted" from IP address .4 to .2. (natting has not been activated on our firewall)

Is this a bug ? Or a setting ?

http://doc.pfsense.org/index.php/Unable_to_Access_Some_Websites

@jimp:

There is no bug.

I configured a VM in this manner, testing Deny Unknown clients and Static ARP, and it worked as expected.

If you have "deny unknown clients" checked and you are still getting an IP on machines not listed on the DHCP server page, you might have another DHCP server on your LAN or some other misconfiguration. It's also possible you need to reboot the router after checking static ARP, as a machine may have still been in the router's ARP cache and I'm not sure if that gets flushed when switching to static ARP.

well, it seems you are right, after i reboot pfs and all switches … it seems that now works fine, it still gives IP address, BUT  it does not pass any traffic ;)

I think what you're looking for is a static route.  Something like:

interface:  lan
network:  your-remote-net/netmask
gateway:  your-lan-ip

Just confirmed it in a VM setup…

set deny unknown clients, and I can't pull an IP address from pfSense, but I can set a static IP. Then if I set static arp, I can't even talk with a hard coded IP address. Just as expected.

Check all of your DHCP settings on every tab. Ensure that your DHCP ranges are set to the proper subnets for each interface.

As a followup to my own post, apparently the DNS forwarder (dnsmasq) does not work with a DHCP failover configuration.  In a DHCP failover configuration, both DHCP servers are actively issuing leases and dnsmasq only sees the leases issued by the local host.

I do not see a solution to this problem.  In fact, the dnsmasq man page doesn't even seem to indicate that this mode of operation is possible (i.e. registering leases provided by a separate DHCP server process).

I am by no means an expert on DHCP failover; however, the ISC dhcpd.conf manual page states the following:

The  failover  protocol  allows  two  DHCP  servers  (and  no more than two) to share a common address pool.   Each server will have about half of the available IP addresses in the pool at any given time for allocation.   If one server fails, the other server will continue to renew leases out of the pool,  and  will  allocate  new addresses out of the roughly half of available addresses that it had when communications with the other server were lost.

Thus if one server fails, the second should still issue new leases from half of the address space.  Whether or not this is working correctly in pfSense, I cannot say.

I gave up on using DHCP failover with pfSense as it will not work with dnsmasq/DNS Forwarder.

Thanks for the reply. The point of this is that I can plug my laptop into the cable for gigabit speeds when I want, but I don't lose connections when I decide to go wireless. When the cards have different IPs and I disconnect the cable, I lose all the connections for a while even though the wifi is already connected.

I do have an update though; it seems that this was not the problem that is causing the connection to be dropped. I only had one connection on all night and still it got disconnected. There were no more such messages in the log, since I only had the wireless connection on, so something else must be going on. Any ideas where to look?

Have a look in the DHCP log: From the web GUI, Status -> System logs then click on the DHCP tab. Depending on how long your system has been up and how many DHCP requests have been serviced you may see the startup messages from the DHCP daemon (dhcpd). You should see "action" records like

Jan 18 19:37:45 dhcpd: DHCPDISCOVER from 00:12:7b:46:e7:65 via vr0
Jan 18 19:37:45 dhcpd: DHCPOFFER on 192.168.211.240 to 00:12:7b:46:e7:65 via vr0
Jan 18 19:37:45 dhcpd: DHCPREQUEST for 192.168.211.240 (192.168.211.173) from 00:12:7b:46:e7:65 via vr0
Jan 18 19:37:45 dhcpd: DHCPACK on 192.168.211.240 to 00:12:7b:46:e7:65 via vr0