I have added a new interface (called DMZ for now). Except for the IP address, it is identical to the LAN interface.
I can ping 22.214.171.124, so I am getting out, but nothing resolves, so it sounds like DNS. But my DNS works on the LAN.
I can ping a URL from the pfSense diagnostic page
But not from a VM
The VM gets the correct IP so that appears to be correct. Is there possibly something that needs to be set on Xen Orchestra?
I’m guessing you didn’t alter the DHCP configuration, so the firewall’s interface address in that network is used. In the DNS resolver settings, if the listen interface isn’t set to any, you have to select the DMZ interface.
It all looks correct to me, but obviously it isn't.
192.168.10.11 is an IP address of the firewall?
Also, can you verify with resolvectl status that your machine uses the correct DNS server?
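A small check for the question above, added here as an example and not part of the original thread: it parses the per-link section of resolvectl status output and tells you whether a given interface is actually using the DNS server you expect. The sample output, the interface names (eth0, eth1) and the server addresses in it are constructed for the example; pass the real output as the second argument (for example from resolvectl status > /tmp/r.txt) on a live machine.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the systemd-resolved
# "resolvectl status" layout: a "Global" section followed by one
# "Link N (ifname)" section per interface, each with a "DNS Servers:" line.

# Constructed sample output (not captured from a real host). eth0 mirrors the
# thread: DHCP handed the VM the LAN Pi-hole address rather than the DMZ gateway.
SAMPLE_RESOLVECTL='Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.10.11
       DNS Servers: 192.168.10.11
        DNS Domain: lan

Link 3 (eth1)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.0.0.53
       DNS Servers: 10.0.0.53 10.0.0.54'

# Print the configured DNS servers for one interface, one per line.
# Usage: link_dns_servers <ifname> [<resolvectl-status-text>]
# Note: servers that resolvectl wraps onto continuation lines are not parsed.
link_dns_servers() {
  iface="$1"
  src="${2:-$SAMPLE_RESOLVECTL}"
  printf '%s\n' "$src" | awk -v want="($iface)" '
    /^Link [0-9]+ \(/ { inlink = (index($0, want) > 0); next }
    /^Global/         { inlink = 0; next }
    inlink && $1 == "DNS" && $2 == "Servers:" {
      for (i = 3; i <= NF; i++) print $i
    }'
}

# Exit 0 when <ifname> lists <expected-ip> as a DNS server, 1 otherwise.
# Usage: uses_expected_dns <ifname> <expected-ip> [<resolvectl-status-text>]
uses_expected_dns() {
  link_dns_servers "$1" "$3" | grep -qx "$2"
}

# Stand-alone run: report what the sample VM would use on eth0.
if [ "${0##*/}" != "sh" ]; then
  printf 'eth0 DNS servers: %s\n' "$(link_dns_servers eth0 | tr '\n' ' ')"
  if uses_expected_dns eth0 192.168.30.1; then
    echo "eth0 uses the DMZ gateway for DNS"
  else
    echo "eth0 does NOT use the DMZ gateway for DNS; check the DHCP DNS setting"
  fi
fi
```

If the listed server is on another VLAN (here the LAN Pi-hole seen from the DMZ), the firewall's rules on the DMZ interface decide whether the query ever gets there, which is why the next step in the thread is to look at the pfSense logs.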
No, it is for Pi-hole, but it works on the LAN interface. I have also tried leaving it blank in the DHCP settings so that it uses pfSense.
Are you saying it doesn't work when you set the DNS to the DMZ interface IP?
I think the next step is to look at the logs on pfSense and see where the block is happening or not happening.
I am guessing that I use the below and then filter on the IP of the client machine.
I would have thought that there would be some traffic, which makes me think the issue might be on the Xen side.
What is strange is that I can ping an external IP but there is still nothing in the logs.
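One way to do the "filter on the IP of the client machine" step from a shell instead of the web UI, added here as an example and not part of the original thread: it takes pfSense firewall log lines (the filterlog CSV that also feeds Status > System Logs > Firewall), keeps only those involving one client address, and counts blocked DNS attempts. The log lines, the interface names igb1/igb2, the client address 192.168.30.50 and the gateway 192.168.30.1 are constructed for the example; on a real box feed it the output of clog /var/log/filter.log (older releases) or the filter.log file.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the pfSense 2.x+ filterlog
# CSV layout after "filterlog[pid]: ": field 5 interface, 7 action, 8 direction,
# 9 IP version, 17 protocol text, 19 source, 20 destination, and for tcp/udp
# field 21 source port and 22 destination port.

# Constructed sample lines (not real logs): a DMZ client that can ping out
# (icmp pass) but whose DNS queries to the firewall are blocked, plus one
# LAN client whose DNS to the Pi-hole passes.
SAMPLE_LOG='Jul 10 10:00:01 pfSense filterlog[55]: 5,,,1000000103,igb2,match,block,in,4,0x0,,64,1001,0,DF,17,udp,62,192.168.30.50,192.168.30.1,41234,53,42
Jul 10 10:00:02 pfSense filterlog[55]: 7,,,1000000110,igb2,match,pass,in,4,0x0,,64,1002,0,none,1,icmp,84,192.168.30.50,22.214.171.124,request,1,3
Jul 10 10:00:03 pfSense filterlog[55]: 5,,,1000000103,igb2,match,block,in,4,0x0,,64,1003,0,DF,6,tcp,60,192.168.30.50,192.168.30.1,51000,53,0,S,123,,64240,,mss
Jul 10 10:00:04 pfSense filterlog[55]: 7,,,1000000110,igb1,match,pass,in,4,0x0,,64,1004,0,DF,17,udp,62,192.168.10.20,192.168.10.11,41235,53,42'

# Print "action iface dir proto src[:sport] -> dst[:dport]" for every IPv4
# line where the client is source or destination.
# Usage: client_log_entries <client-ip> [<logfile>]   (defaults to the sample)
client_log_entries() {
  client="$1"
  if [ -n "$2" ]; then
    input=$(cat "$2")
  else
    input="$SAMPLE_LOG"
  fi
  printf '%s\n' "$input" \
    | sed -n 's/.*filterlog\[[0-9]*\]: //p' \
    | awk -F',' -v ip="$client" '
      $9 == "4" && ($19 == ip || $20 == ip) {
        sport = ""; dport = ""
        if ($17 == "tcp" || $17 == "udp") { sport = ":" $21; dport = ":" $22 }
        printf "%s %s %s %s %s%s -> %s%s\n", $7, $5, $8, $17, $19, sport, $20, dport
      }'
}

# Only the client's DNS traffic (destination port 53), which is what to look
# for after "ping: google.com: Temporary failure in name resolution".
client_dns_entries() {
  client_log_entries "$1" "$2" | awk '$NF ~ /:53$/'
}

# Number of blocked DNS attempts. Non-zero points at a firewall rule on that
# interface; zero while the client cannot resolve means the query never
# reached pfSense, which is the hypervisor-side case from the thread.
blocked_dns_count() {
  client_dns_entries "$1" "$2" | awk '$1 == "block"' | wc -l | tr -d ' '
}

# Stand-alone run against the sample.
if [ "${0##*/}" != "sh" ]; then
  client_log_entries 192.168.30.50
  printf 'blocked DNS attempts from 192.168.30.50: %s\n' "$(blocked_dns_count 192.168.30.50)"
fi
```

Run it with a hostname ping in progress on the VM so the DNS request is actually generated; an ICMP pass line with no port 53 lines at all is the "pings but will not resolve" signature described above.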
You need to ping with a hostname so you can see the DNS request being blocked.
The moment I enter something like ping google.com, I get “ping: google.com: Temporary failure in name resolution” and I can’t see anything in the logs; or I am looking in the wrong place
You’ll probably want to do a packet capture.
Apologies for the late reply; a dislocated shoulder has slowed things down a tad
Things were just not making sense, so I rebooted everything and reinstalled the VM OS. I can now ping FQDNs but still not browse to them. I then decided to check the status of the NICs on the Xen host and I noticed that while eth3 is live, it is reporting as not connected,
even though it is connected (as reported in the XCP-ng console).
I plugged a physical machine into the DMZ VLAN, got the correct IP and could browse.
So my conclusion is that I must have done or forgotten something on the Xen/XCP-ng side.
Set the mode to DHCP and the port now reflects connected but nothing changes.
So what I basically have is that physical machines connect to my 192.168.30.0 network just fine and can browse the internet, while VMs connect and ping URLs successfully but won't browse the internet or resolve URLs when trying to do updates.
I had missed the below step
pfSense / OPNsense VM | XCP-ng Documentation
All working now