We don't use ipfilter, we use pf which has done source port randomization by default for 8 years. ipfilter is finally catching up.  :)

So the rest of the settings do sync though?

No, this isn't a possible solution using DHCP unless you have multiple MAC addresses.

I've seen them support some FreeBSD coding before so who knows :)

http://forum.pfsense.org/index.php/topic,7001.0.html

System -> General Setup
add the two OpenDNS ip's and untick "Allow DNS server list to be overridden by DHCP/PPP on WAN"
Then add a static route for each OpenDNS ip, using 1 of them for wan and 1 for wan2.

Unless you use AON and enable static port, pf will rewrite the source port with its own randomness. What you're seeing is exactly what I previously mentioned - illustrating that stddev is not a measure of randomness, but merely an indicator. It's random either way you do it.

ok - I have running dnsmasq 2.45 with pfsense 1.2!

extract dnsmasq and libc.so.7 from the actual 1.2.1 snapshot.
mv */libc.so.7  /lib
chmod 444 /lib/libc.so.7
killall dnsmasq
mv dnsmasq /root
mv */dnsmasq  /usr/local/sbin
chmod +x /usr/local/sbin/dnsmasq
/usr/local/sbin/dnsmasq

the place where you have put the extracted modules (ftp …) dnsmasq -v

Dnsmasq version 2.45  Copyright (C) 2000-2008 Simon Kelley
Compile time options IPv6 GNU-getopt BSD-bridge ISC-leasefile no-DBus no-I18N TFTP

This software comes with ABSOLUTELY NO WARRANTY.
Dnsmasq is free software, and you are welcome to redistribute it
under the terms of the GNU General Public License, version 2 or 3.

That's it - TX for your support!

this is the main difference between 2.45 and 2.43-release-candidate-3:     Don't attempt to change user or group or set capabilities     if dnsmasq is run as a non-root user. Without this, the     change from soft to hard errors when these fail causes     problems for non-root daemons listening on high     ports. Thanks to Patrick McLean for spotting this.     Updated French translation. Thanks to Gildas Le Nadan. version 2.44             Fix  crash when unknown client attempts to renew a DHCP             lease, problem introduced in version 2.43\. Thanks to             Carlos Carvalho for help chasing this down.     Fix potential crash when a host which doesn't have a lease     does DHCPINFORM. Again introduced in 2.43\. This bug has     never been reported in the wild.             Fix crash in netlink code introduced in 2.43\. Thanks to             Jean Wolter for finding this.     Change implementation of min_port to work even if min-port     as large.     Patch to enable compilation of latest Mac OS X. Thanks to     David Gilman.     Update Spanish translation. Thanks to Christopher Chatham. version 2.45             Fix total DNS failure in release 2.43 unless --min-port             specified. Thanks to Steven Barth and Grant Coady for             bugreport. Also reject out-of-range port spec, which could             break things too: suggestion from Gilles Espinasse.

I am trying to setup DHCP-relay over IPSec.
A simple sketch of my situation can be found here

I have configured two subnets on the main-pfsense (PfSense1), one for LAN (172.16.2.0/24) and one for DMZ (172.16.1.0/24).
PfSense1 and PfSense2 are linked together with an IPSec-tunnel over internet which is working properly. Clients from PfSense2 can connect to clients/servers in LAN/DMZ of PfSense1 and vice versa.

My DHCP-server runs on DMZ and relays requests to clients in LAN (PfSense1).
Now I want my DHCP-server to relay requests over the IPSec-tunnel to clients of PfSense2.

My questions:
1. I am not sure how to config a static route from PfSense1 to PfSense2 while running two different subnets. Which of the subnets have to be configured in the static route?
2. My DHCP-server runs in DMZ but the TS wants me to configure the LAN-interface in the static route…which of the interfaces do I have to use?
3. Do I have to use the DHCP-relay option under "Services->DHCP relay" and if so, on which PfSense-box do I have to configure this?

At this moment I have configured the following static route (which isn't working) on PfSense1:
Interface: DMZ
Network: 172.16.3.100/32 (ip of remote PfSense2)
Gateway: 172.16.1.100 (ip of PfSense1)

Have you tried just releasing and renewing the DHCP lease on the client?

It's still off.  No conflicting addresses.  I ran the 90 to foot cable myself from the fron to the back of my house.  I have not had any issues.

If I unplug it and leave it unpluged for 30 seconds it comes right back up no issues.  It seems to be more of a issue when I connect to my dell gb switch.  I thinking can't auto-neog correctly.  As long as it is connected to my 450-T it's better.
RC