That is exactly how you do it.  You will want to make sure you have your username / password for the PPPoE account handy.  I forgot to jot it down before I reconfigured my Q1000 and had to make a call to CentruryLink.  Once I had the login info, it took less than 5 minutes to get everything up and running. I've had my Q1000 playing nice with PfSense for quite a while now.  You should be quite happy once it's setup!

"Expert" is subjective.  Depends on your needs. I agree with previous poster. You should just post your needs. Some of them them may be outside of what pfsense does - or not.

so you want users using pfsense as their dns to resolve host.example.org to 192.168.1.99 that is a simple host override in either the forwarder or resolver depending on which one your using. if you want example.org you could do that to with example being the host and org being the domain - see attached screenshot of my resolver overrides, and then my queries for them to pfsense. The higher response times are because I am via vpn connection to my home network, that has to bounce off proxy in texas, then back to chicagoland while I am in chicagoland. [image: overrides.png] [image: overrides.png_thumb]

@muswellhillbilly: @chris4916: Technical solution to your concern with proxy configuration client side is WPAD  8) Or use a proxy.pac file for the same purpose (auto client configuration). We use this at my office (230 users) and it works fine. To be more accurate: this is not WPAD or proxy.pac WPAD does nothing more than providing in a (more or less) standard way access to… proxy.pac WPAD RFC (unfortunately still draft as far as I know) describes how to push to devices information that will permit to load an use proxy.pac file

I applied the tweaks mentioned here to my Pi and it has really improved the stability of the time system on my pfSense box. I will be trying a newer version of the Pi than my very old v1 to see if that improves the USB - Ethernet delay. The left side scale (+1 to -1 ms) is showing all the items except the Disp. The Disp is on the left side (+5 to +40 ms) scale. The disp is still high enough that if it is shown on the same scale it swamps the other data. [image: ntp-chart-june-16-16.png] [image: ntp-chart-june-16-16.png_thumb]

If you're not up to the latest version, there were some past issues with no Internet connectivity and the update checking tying up all of PHP which killed the GUI.

https://blog.pfsense.org/?p=2090

sudo route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.1.1 works like a charm so apparently pfsense2 receives the packets returning from 192.168.1.23 and cannot send them to the pfsense1 although a lan to lan full allowing rule is in place not nice but efficient :-) also I use a config pusher so in case of more machines I can still push that rule (I guess, gonna check that out) thanks for your wonderfull support everyone

https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense Or if you prefer video tutorials: https://www.youtube.com/watch?v=28dmUzOGI50

Thank you!

yes /27 in a firewall would match those IPs..  If your network was actually a /24 and you used 10.11.193.0/27 in a firewall rule - that rule would trigger on IP .1 to 31 If you used .32/27 it would trigger on .32 to .63, etc..  Yes you can use cidr in your firewall rules and they can be subnets of your actual network..  So sure if you always set your infrastructure IPs .1 to .31 on that network then you could use x.x.x.0/27 as a firewall rule to trigger on those IPs This is very common practice to use specific IPs in a segment for specific sorts of things, which then yes makes creating firewall rules that match on those IPs easy to do with cidr..  Depends on the location but many will reserve the first part of a new IP range for static and the end as well.  And only use the middle ranges for normal dynamic clients in that segment, etc. If you break at common subnet blocks then yes it makes easy to write firewall rules based on those borders.

In 2.3 and newer versions, the update system is pkg-based, changing the available update methods. Upgrades are performed either under System > Update in the webGUI, or option 13 at the console. Manual updates are no longer available, and systems must be Internet-connected to update. https://doc.pfsense.org/index.php/Firmware_Updates#Version_2.3_and_newer

Ok well this work first enable watchdog and select the services to notifice late go to System – Advance -- Notifications and in E-Mail put your direction and this is all. done.

Thanks this work for me too.

I think I have found the issue. It was rather simple. I have mistakenly assigned VLAN20 to the LAN interface and not to the opt1 interface. [image: pfsense_int_vlan.png] Once I assigned the vlan20 to opt1 the windows machine received its ip address from pfsense

@KOM: If he was the victim of a DNS-AMP attack, nothing would change just because he changed DNS on his gateway or client, and any of his LAN clients doing excessive lookups also wouldn't care which DNS server was selected for use by pfSense.  There was something weird going on but I doubt it was a DoS attack. That's the "stopped just by coincidence, but that's unlikely" part. Given that, it's more likely some client on his network is issuing queries that cause some remote server being targeted to send or receive a large amount of traffic. TWC's DNS server takes part, Google's much better than most if not all ISPs at limiting the impact of or blocking DNS amplification.

Glad that worked.

@extacy1: Thanks to this post https://forum.pfsense.org/index.php?topic=31580.0 That post was dated "2010". Google - gmail - did change some - if not all - procedures. @extacy1: Basically changed email server from smtp.gmail.com to alt1.gmail-smtp-in.l.google.com and set the port to 25 E-mail Server:alt1.gmail-smtp-in.l.google.com SMTP Port of E-Mail server:25 Uncheck  "Enable SMTP over SSL/TLS" or "Enable STARTTLS" I used this : https://support.google.com/a/answer/176600?hl=en (the original, up to date doc from gmail about gmail :) ) Works great using port 465 - SSL on, etc. ( Secure SMTP Connection Enable SMTP over SSL/TLS ) and "smtp.gmail.com" as the smtp server address. I also entered my gmail login and password. Of course, if gmail doesn't know about "pfsense" or the IP your are 'sending' from, you might run into th" "was this you ?" gmail protections schemes. But that's nothing new. I guess, if you need to use "alt1.gmail-smtp-in.l.google.com" you have some DNS issues.

It looks like this was caused by a route push from my OpenVPN Client. I set "don't pull routes" and that resolved it. I have a DNS leak I still need to fix now but I'll raise a new thread for that in the appropriate forum :)