• No DNS on Opt1 interface

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • CERT VU#800113 dns random port vuln. question

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    C
    Unless you use AON and enable static port, pf will rewrite the source port with its own randomness. What you're seeing is exactly what I previously mentioned - illustrating that stddev is not a measure of randomness, but merely an indicator. It's random either way you do it.
  • Dnsmasq 2.43rc3 (dns-spoofing)

    Locked
    7
    0 Votes
    7 Posts
    5k Views
    N
    ok - I have running dnsmasq 2.45 with pfsense 1.2!
    Extract dnsmasq and libc.so.7 from the actual 1.2.1 snapshot.

        mv */libc.so.7 /lib
        chmod 444 /lib/libc.so.7
        killall dnsmasq
        mv dnsmasq /root
        mv */dnsmasq /usr/local/sbin
        chmod +x /usr/local/sbin/dnsmasq
        /usr/local/sbin/dnsmasq

    * the place where you have put the extracted modules (ftp …)

        dnsmasq -v
        Dnsmasq version 2.45  Copyright (C) 2000-2008 Simon Kelley
        Compile time options IPv6 GNU-getopt BSD-bridge ISC-leasefile no-DBus no-I18N TFTP
        This software comes with ABSOLUTELY NO WARRANTY.
        Dnsmasq is free software, and you are welcome to redistribute it
        under the terms of the GNU General Public License, version 2 or 3.

    That's it - TX for your support!
    This is the main difference between 2.45 and 2.43-release-candidate-3:

        Don't attempt to change user or group or set capabilities
        if dnsmasq is run as a non-root user. Without this, the
        change from soft to hard errors when these fail causes
        problems for non-root daemons listening on high
        ports. Thanks to Patrick McLean for spotting this.

        Updated French translation. Thanks to Gildas Le Nadan.

    version 2.44

        Fix crash when unknown client attempts to renew a DHCP
        lease, problem introduced in version 2.43. Thanks to
        Carlos Carvalho for help chasing this down.

        Fix potential crash when a host which doesn't have a lease
        does DHCPINFORM. Again introduced in 2.43. This bug has
        never been reported in the wild.

        Fix crash in netlink code introduced in 2.43. Thanks to
        Jean Wolter for finding this.

        Change implementation of min_port to work even if min-port
        is large.

        Patch to enable compilation of latest Mac OS X. Thanks to
        David Gilman.

        Update Spanish translation. Thanks to Christopher Chatham.

    version 2.45

        Fix total DNS failure in release 2.43 unless --min-port
        specified. Thanks to Steven Barth and Grant Coady for
        bugreport. Also reject out-of-range port spec, which could
        break things too: suggestion from Gilles Espinasse.
  • Two IPs and one MAC with static ARP.

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • General Setup –> DNS Servers

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Display issue: available range includes network and broadcast

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • DHCP site specific vendor options?

    Locked
    1
    1 Votes
    1 Posts
    2k Views
    No one has replied
  • Relay DHCP to server across IPSec VPN tunnel

    Locked
    5
    0 Votes
    5 Posts
    17k Views
    P
    I am trying to setup DHCP-relay over IPSec. A simple sketch of my situation can be found here.

    I have configured two subnets on the main-pfsense (PfSense1), one for LAN (172.16.2.0/24) and one for DMZ (172.16.1.0/24). PfSense1 and PfSense2 are linked together with an IPSec-tunnel over internet which is working properly. Clients from PfSense2 can connect to clients/servers in LAN/DMZ of PfSense1 and vice versa. My DHCP-server runs on DMZ and relays requests to clients in LAN (PfSense1). Now I want my DHCP-server to relay requests over the IPSec-tunnel to clients of PfSense2.

    My questions:
    1. I am not sure how to config a static route from PfSense1 to PfSense2 while running two different subnets. Which of the subnets have to be configured in the static route?
    2. My DHCP-server runs in DMZ but the TS wants me to configure the LAN-interface in the static route…which of the interfaces do I have to use?
    3. Do I have to use the DHCP-relay option under "Services->DHCP relay" and if so, on which PfSense-box do I have to configure this?

    At this moment I have configured the following static route (which isn't working) on PfSense1:
    Interface: DMZ
    Network: 172.16.3.100/32 (ip of remote PfSense2)
    Gateway: 172.16.1.100 (ip of PfSense1)
  • I messed up and need your help!! plz

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Dns problem I think– Help

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • DHCP lease problem (DEAD IP)

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    GruensFroeschliG
    Have you tried just releasing and renewing the DHCP lease on the client?
  • DHCP requests failing

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    F
    It's still off. No conflicting addresses. I ran the 90 to foot cable myself from the front to the back of my house. I have not had any issues. If I unplug it and leave it unplugged for 30 seconds it comes right back up, no issues. It seems to be more of an issue when I connect to my Dell gb switch. I'm thinking it can't auto-negotiate correctly. As long as it is connected to my 450-T it's better. RC
  • MOVED: Re: DNS Proxy Problem

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Disallow static IP addresses

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    J
    Thanks for the reply Sh4. Unfortunately that doesn't exactly do what I want. Anyone who connects should be able to get a DHCP lease, but only those with a DHCP lease should have access across the WAN.
  • Dhclient renewal in 30 seconds

    Locked
    4
    0 Votes
    4 Posts
    7k Views
    R
    Make a capture/sniff on the DHCP ACK message and check lease time. It should be 1 minute in your case (as the renewal time is usually lease_time/2). On the other hand, the IP address 192.168.0.1 seems not to be a public ISP address. Check your half-modem configuration.
  • Forward all subdomain to IP address

    Locked
    4
    0 Votes
    4 Posts
    5k Views
    R
    I'm also trying to forward all http(s) requests for domain [x.com] to a single designated LAN IP (regardless of [sub-domain].x.com) and have not been successful. I would expect that leaving the host field blank or using something like a * wild-card would do the trick, but no go.
  • Can dhcp be configured to see more than 1 gateway?

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    U
    Hi! A client (or server) uses the gateway when it wants to send packets to another net and not its own. Your clients trying to access the 192.168.1.x net will pass the gateway in the 172.16.1.0 net. The gateway must have knowledge where to send packets outside its own network. Configure your gateway device so it has knowledge about where to send packets with destination outside its own net. This is usually achieved by adding a static route entry. This applies for all of the networks you mention. Hope this helps, /UrbanSk
  • DNS Proxy Problem

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    D
    solved, it wasn't a DNS problem, but a problem with my routes
  • No DHCP addresses on LAN

    Locked
    6
    0 Votes
    6 Posts
    3k Views
    U
    Well, the resolution was simpler than I expected. I had the campus network folks look at the switch logs, and it appears that DHCP was being blocked at the switch port.  They made that port "dhcp trusted" and all works as it should. That's what I was hoping for – for such a simple configuration, it didn't make sense that I would have to set up VLANs in the firewall, since everything on the LAN side was on the same VLAN, and everything in the WAN side was on another.  I figured it should have been just like a physical network as far as all the hosts (and pfSense) were concerned.  But this was the first time I had dealt with a firewall that even understood VLANs, so I wasn't sure. :) Thanks for the help!
  • Dns resolution

    Locked
    8
    0 Votes
    8 Posts
    4k Views
    S
    In "System" –> "General Setup" –> "DNS servers" I set up the DNS I use. But the resolv.conf first line contains a line that I suspect slows the resolution: "domain local"... I would like to have my resolv.conf containing only my DNS. Thanks!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.