My friends.

cmb u are right, the results are the same, i was doing the wrong test.

The results are the same using dig.

Thanks cmb for clarifying this, I appreciated  :)

The VPN randomly started working.  I'm not gong to ask any questions and just go along with it  ;D

Thanks again for all your help.

This problem was solved, thanks to a bounty I paid (well worth the money).  See:  http://forum.pfsense.org/index.php/topic,18378.msg94747.html#msg94747

If you can email me a backup of your config (cmb at pfsense dot org) and reference this forum thread, I'll see if I can replicate that using your config.

Thats it. That solved the issue.
Thank you very much.

Regards,
Marc

@Bern:

Have you set up a static route on your pfSense machine to your office's LAN?

IIRC you have to do this with IPSec tunnels. Route it through the LAN interface of pfSense.

@joel.baxter:

Deny unknown clients:
If this is checked, only the clients defined below will get DHCP leases from this server.

This only affects the DHCP server.
The pfSense will communicate with devices not on the list below.
–> You can configure a device with a static IP and it still can use the pfSense to access the internet.

@joel.baxter:

Enable Static ARP entries:
Note: Only the machines listed below will be able to communicate with the firewall on this NIC.

Here you essentially write the ARP table by hand.
Only devices on the list can communicate with the pfSense.
If the device is not on the list it cannot access the internet even if the IP gateway configuration is correct.

@joel.baxter:

Can we just the Range to zero addresses or it should be the full Available Range?

What do you want? Set the range of availlable DHCP-addresses to 0?
I'm not sure if this works, but you can just set the range to the netID
(example: subnet:192.168.0.0/24 pfSense 192.168.0.1/24
DHCP-range start: 192.168.0.0, end 192.168.0.0)
I dont know how this will behave, but you can enter it like this in the webGUI.

@joel.baxter:

If we do want to reserve a small range of addresses to be assigned without having to input a MAC, how would we do that? Is there a way to set these so that they have access to the internet but no access to internal resources?

Just let the DHCP run.
If you do this you cannot have the above two options.
Why dont you add another interface for "guests"?
You cannot control with the pfSense what within your network can access what.
Traffic flowing only over the switch never reaches the firewall rules of the pfSense.

Create a static route for one of the DNS servers pointing to the second WAN gateway.

Are you using the packet capture mechanism to verify that it is indeed not sending any more discover messages?

I have re-created the entry in dyndns, and disconnected/reconnected from ADSL, and now it works fine.

I deleted all lease files, and it works again. I do not know what went wrong, but cleaning did the trick.

Hello, sorry for the delay.
I'm using static Ip's only because i have to. I'm trying to have a normal Lan, on which the servers are defined with a static IP (the IP is given by pfsense) and every other computers receive and address from the DHCP. The server is configured correctly. The problem is when a user with a dynamic address try to ping, or try to connect to a SQL database using the hostname of the server, he is redirected on an opendns server, whereas a user configured with a static IP (with the exact same configuration than the one forwarded by the dhcp server) can reach the server.

I don't understand this process.

My not having Internet depends on the DNS configured in the dhcp server. It is said that if dns forwarder is enabled one must use the interface's Ip. However if i do this i can not reach the internet, whereas if i configure a real DNS, i access the internet.

Did you uncheck the option to allow override from DHCP servers?

Figured it out. Here's how…..

To register the SRV entries you need to use the RAW record type but it needs to be in a specific format. So here's an example

Original Entry from the domain control is...
_ldap._tcp.my.domain.com. 600 IN SRV 0 100 389 dc.my.domain.com.

using a SRV record creator such as the one at this site = http://www.anders.com/projects/sysadmin/djbdnsRecordBuilder/
scroll down to the section "djbdns / tinydns SRV"

you need to fill in the form so for the example above we would use.

Service:   _ldap._tcp.my.domain.com
Priority:      0
Weight:      100
Port:              389
Target:      dc.my.domain.com
Time To Live:    600

Then press "Build SRV Record" and a windows pop's up containing the raw string....

:_ldap._tcp.my.domain.com:33:\000\000\000\144\001\205\002dc\002my\006domain\003com\000:600

Now you just need to enter this in to PSsense Tindy DNS server as a raw record, so....
Record Name = _ldap._tcp.my.domain.com
Record Type = raw
Record Data = :_ldap._tcp.my.domain.com:33:\000\000\000\144\001\205\002dc\002my\006domain\003com\000:600

Then that should be it done.

If you have windows box's you can test it, open a command prompts
nslookup
set type=srv
server "your dns servers ip"
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.com

RESULTS in .........................

_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.com
SRV service location:
          priority      = 0
          weight        = 100
          port          = 88
          svr hostname  = dc.my.domain.com

Hope this helps someone.
Keith