Subcategories

  • Discussions and feedback related to this forum

    608 Topics
    3k Posts
    JonathanLeeJ
    Me too I like how it says Jonathan Lee 2100 haha
  • Community Hiring and For Hire postings related to jobs that require pfSense software skills

    28 Topics
    115 Posts
    w0wW
    @sef1414 Name it "run.sh", copy to pf and chmod according to the documentation https://docs.netgate.com/pfsense/en/latest/development/boot-commands.html#shell-script-option You will see messages in the system log like those quoted in the script after the logger command.
  • Help network design

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    S
    The design you showed would work, but I always try to remember KISS - Keep It Simple, Steve!  ;D There's no real need for segmenting your LAN into VLANs.  VLANs should be used to segment network traffic.  If you have a small office, with ten or fewer PCs and a server or two, then you don't need to use VLANs.  VOIP phones would be another matter but I don't see any of those on your drawing. Instead of what you drew, I would connect the firewall, all the PCs, the server and the wireless configuration manager (if it is NOT also a WAP) into the Cisco.  Don't bother to set up VLANs, just let everything connect on the default VLAN (NOTE: if your office is bigger than it appears from your drawing, there is an argument to be made about setting up a VLAN and letting the default VLAN alone, unconfigured, so that no one can connect a device to your network without you configuring the port, but if this is a small office and you control access to the patch panel/switch, that is not an issue).  This has the advantage that you don't have to configure anything and if the switch loses its configuration you don't have to reload from a backup. The wireless access points (and by extension, the devices that connect to them) I would put in an unmanaged switch that connects back to an OPT interface on the pfSense firewall that serves as your DMZ.  This protects your network a little more than connecting your wireless devices directly to your internal LAN. Run DHCP from the firewall.  Everything routes out through there and it routes everything not directly connected to the Internet. Here is a diagram of how I would do it: [image: Drawing1.jpg]
  • Manual load balancing setting

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    M
    If you have GW's already created, then this should do:
    Create 2 aliases where you have bunch of hosts like
    hosts1 : 192.168.1.10-192.168.1.30
    hosts2 : 192.168.1.31 - 192.168.1.60
    and create firewall rules:
    pass * from hosts1 any to any any with gw1 (advanced option you can find it)
    pass * from hosts2 any to any any with gw2
    This configuration has no failover at all.
  • [OFF-TOPIC] Happy System Administrator Appreciation Day

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    D
    Happy SysAdmin Day !!!  :D
  • Need to find the Media Server on pfsense 2.0.1

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    M
    If you use search, you'll find some answers, but here is the shortened outcome: use separate boxes, as best security practices say so. Look at FreeNAS if you would like a media server.
  • Router's LAN plugged directly into the Internet (its public WAN)

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    M
    At least the ISP should be blocking private IP areas and they should have protected DHCP services. Nevertheless, that is always a bad idea, unless you have a router connected to a public IP area.
  • 'Owning' IP addresses - good or bad idea?

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    C
    @jimp: If you have your own AS, you can do provider-independent routing with BGP, so you aren't tied down to a single upstream. In general that's the reason. Though probably not with just a /29, anything smaller than a /24 is highly unlikely to make it in the global BGP routing table as many providers will filter out smaller routes than that.
  • 0 Votes
    2 Posts
    2k Views
    C
    Sigh, the official pfSense forum can't read Simplified Chinese, haha, Google-translating it: Hey the pfsense Forum to see do not know in Simplified Chinese, google translation
  • Running SSLSTRIP on a pfSense box

    Locked
    1
    0 Votes
    1 Posts
    6k Views
    No one has replied
  • FreeBSD 8.3 released?

    Locked
    11
    0 Votes
    11 Posts
    6k Views
    jimpJ
    Once 2.1 is done we'll start on 2.2. So help get 2.1 finished and then it'll be time to move on. :-)
  • Can't find attached device

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimpJ
    Install the nmap package, then go to Diag > nmap. Fill in your LAN subnet, pick the LAN interface, select ARP for the scan type, and fire away. Things will only show up in your ARP table if you try to talk to them, so unless you do some kind of ping/arp scan you won't see devices like that.
  • No internet access from LAN

    Locked
    15
    0 Votes
    15 Posts
    17k Views
    C
    I have finally tracked down a Draytek Vigor 120 which has the pppoa to pppoe bridge.  Pfsense now connects directly to my isp using the modem in "dumb modem" mode. The TPLink will be getting auctioned at the earliest convenience!
  • Live streaming does not work via PFsense

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • IPsec VTI support for FreeBSD and Linux

    Locked
    1
    0 Votes
    1 Posts
    7k Views
    No one has replied
  • Nice use of FreeBSD by NetFlix

    Locked
    3
    0 Votes
    3 Posts
    3k Views
    D
    You can check the whole thread at http://lists.freebsd.org/pipermail/freebsd-stable/2012-June/thread.html#68110
  • [SOLVED]Vlan config/setup

    Locked
    6
    0 Votes
    6 Posts
    4k Views
    M
    Great to hear. You can edit first post and add to subject [SOLVED]
  • 5 Best Open Source Firewalls

    Locked
    8
    0 Votes
    8 Posts
    8k Views
    M
    Carla Schroder is the author of The Book of Audacity, Linux Cookbook, Linux Networking Cookbook, and hundreds of Linux how-to articles. She's the former managing editor of Linux Planet and Linux Today. I think that says volumes as to why there's no mention of pfSense in her article.
  • OpenBSD trolls (moan alert)

    Locked
    14
    0 Votes
    14 Posts
    10k Views
    M
    +1 to that! Cheers, Keith
  • PfSense Merchandise

    Locked
    13
    0 Votes
    13 Posts
    6k Views
    jimpJ
    [oblig ref="So I Married an Axe Murderer"] Excuse me, miss? There seems to be a mistake. I believe I ordered the large cappuccino. [/oblig]
  • Hotel Internet Setup with pfSense

    Locked
    6
    0 Votes
    6 Posts
    7k Views
    C
    You just need to enable captive portal, setup your firewall rules accordingly, and ensure layer 2 isolation. To separate the guest network from the hotel's internal network, most commonly use VLANs, or in larger hotels, completely separate physical networks (and at times a separate firewall entirely on the hotel internal network, though that's not strictly necessary, some hotels require running that way as policy). Detailed info in http://pfsense.org/book on captive portal and VLANs in general. We're very experienced with these kinds of networks (several hotel Internet providers use a rebranded pfSense for their captive portal), would be glad to assist via commercial support, link in my signature. No, our captive portal section has no relation to Untangle. :P They're late to that game, we've had that capability for many years longer and I'd estimate we have nearly as many installs running captive portal as they have total installs.
  • Country IP Blocks is moving to a paid services model

    Locked
    11
    0 Votes
    11 Posts
    5k Views
    S
    95-98,7% is not good enough if charged 179$…............ IMHO! You can get unlimited backup for only 5$ a month on backblaze...... @countryipblocks: There are a few other "free services" available, but you might have to settle for 30-60% accuracy instead of 95-98.7%.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.