H

When working with VLANs:

If you assign a VLAN on a parent interface, DON'T assign the interface itself.
(ie: vlan100 on rl0, vlan200 on rl0, vlan300 on rl0, rl0 itself NOT assigned).

Traffic leaving the pfSense is always tagged.
The switch should be apropriatly configured
–>accept only tagged traffic from the port going to the pfSense. Drop/block untagged traffic.
Traffic going to the pfSense should be tagged as well.
We dont assign the parent interface itself so untagged traffic will be dropped on the pfSense side too.

I dont see any problem with having VLANs on different parent interfaces.

I want to thank you guys for all the help. So far so good running perfect.

The message stopped.  It seems your trick worked. Thanks.

Well there you go sinac, you've got two answers now! Jimps is much easier than mine so I'd go with that.

Put the untrusted guest users behind captive portal on an OPT interface

Put the full access users on LAN

Segregate them with separate switches or VLANs.

If you don't want the full access users to get to porn and such, you'll also need to run squid+squidGuard and such. I'm not sure how well that plays with captive portal these days though.

@pablo:

I'm also wondering if there's any chance that it could be related  to the modem giving itself a LAN IP of 192.168.100.1 and my LAN being 192.168.0.xx…

Doubtful, as that describes my setup exactly.

Cheers.

@Itwerx:

Depending on your hardware and network configuration it's possible that there might be a more robust solution, but if it's just a single pfsense box with the multi-WAN being the only difference from a typical configuration, then yes, that should be fine.

You're right i've a single pfsense box for 2 wan, 1 lan and 1 DMZ plus another ethernet card connected to another pfsense box which serves only as a proxy server. Why I decided to use a second machine just for the proxy? Simple, is an old PC and in this way i can solve the problem of squid in multi wan configuration.  ;)

The script you posted displays the IP address displayed by the web server myip.dnsomatic.com. It doesn't make sense to me that the public web server myip.dnsomatic.com receives a connection from a private IP address and returns a response to that private IP address. Something is wrong with this picture!

Maybe your php command isn't executing the script you think it is. Do you get the same result if you specify the full path to the getip.php script in the php command?

Maybe your DNS is returning a different IP address for myip.dnsomatic.com from what I get on my system. If the correct getip.php script is being executed then it would appear your system thinks myip.dnsomatic.com is on the pfSense's WAN subnet - your TP-LINK router trying to be helpful? What do you get from the shell command: ping -c 1 myip.dnsomatic.com

On my system I see:
$ ping -c 1 myip.dnsomatic.com
PING updates.dnsomatic.com (208.69.38.210) 56(84) bytes of data.
64 bytes from 208.69.38.210: icmp_seq=1 ttl=50 time=204 ms

–- updates.dnsomatic.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 204.111/204.111/204.111/0.000 ms
$

2.0 has this, IIRC.

Any news on this topic? Just upgraded to version 1.2.3 and no luck.. my promised bounty from January 2007 didn't help :-)

Are there hidden options possible or is this a myth? We need SLP support (Option 78/79)

I can state with confidence that pfSense's DHCP server is as I had hoped. Seems fully compliant and once a lease has expired it will, in a top down fashion, reassign a long expired IP address to a new MAC.

Again, this was just a concern because I did have some high end appliances, (or alledgedly high end),  that simply would stop providing IP addresses once the IP database was full as all IPs in the range had been allocated even though they were expired.

Go figure!

Thanks!

John

In order for that to happen, you would have had to make a firewall rule on the WAN side to allow that traffic in to the pfSense box.

So the fix would be to remove those rules, or fix any overly permissive WAN rules you have. A screenshot of your WAN rules page would help more if you can provide one.

Now i have another strange problem. When i disconnect the cable from lan i dont get any ip from dchp on any of the other 4 ports.

Is there a way to fix this os is it a bugg?