Subcategories

  • Discussions and feedback related to this forum

    607 Topics
    3k Posts
    johnpozJ
    @microserfs and what IP was that - clearly your current IPv6 address is not block that I show you connected with.. And the only other IPv4 I see you using is not blocked.. You would have to let me know what IP you were coming from that was blocked.. Send it to me via PM if you don't want to make it public.
  • Community Hiring and For Hire postings related to jobs that require pfSense software skills

    27 Topics
    114 Posts
    w0wW
    @sef1414 Name it "run.sh", copy to pf and chmod according to the documentation https://docs.netgate.com/pfsense/en/latest/development/boot-commands.html#shell-script-option You will see messages in the system log like those quoted in the script after the logger command.
  • What chair do you use?

    Locked
    8
    0 Votes
    8 Posts
    2k Views
    jimpJ
    I tend to break chairs every couple years. I like to lean back and rock and apparently my sizable posterior puts a stress on them. Currently I'm using one of these.
  • Surveillance Traffic Over Network?

    4
    0 Votes
    4 Posts
    5k Views
    johnpozJ
    Sounds like what you want is a smart/managed switch..  There is no reason to route this traffic over pfsense.. If you want your nas to talk to something else to copy its video to, then that something should be on same layer 2. I would agree you prob don't want all your other network stuff on this same network.  So you put your camera stuff on its own network/vlan ie layer 2.  Now be it you want to talk to this stuff from another network or allow it to talk to other stuff via layer 3 then sure that would route through pfsense. Having another nic in pfsense would allow for having multiple nics for your other networks so you don't have to put everything on a vlan sharing the same phy speed limitation of 1 nic..  But once you get a switch that supports vlans pfsense could be used with just 1 nic, etc. Isolation/separation of networks is yeah good security practice.. I sure don't trust all this iot stuff to be on the same network as all my other stuff. So yeah they all get put on their own vlan.. They can talk to each other.. I let them talk to the internet - but they don't talk to any of my other local networks.  For example nest thermo and nest protect.  They are on their own wifi segment.  They have no access to anything else on my network.  Once I get cameras set up it would be the same way, my directv dvr is on its own segment, etc.
  • Better routing platform than pfsense for IGMP proxy ?

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Good way to troubleshoot lan connectivity?

    10
    0 Votes
    10 Posts
    2k Views
    A
    I'd start as most do on the network. Physical layer. (unless you know there were some recent changes made to the network or PFSense). Check all hardware including the switch, pcs, cabling etc… for any issues. I'd start by checking the modem. If you have a static IP on it you can configure a NIC on a laptop to the static IP and connect it to the LAN of the modem. Remove all other connections and test the modem speeds on a laptop. If all is well reconnect it back to normal and move onto the next step. Bypass the switch and next test the PFSense box, plug the LAN from the PFSense into your laptop. Check the connection at this point. Is it slow or stable at correct speeds? If not then obviously the problem is with the PFSense box and not the remaining items on the LAN. If it is, then do the same troubleshooting method for the switch. Swap it out with a spare for a test. Reboot the switch, do speeds return to normal then die out over time? etc.... Pinpoint the item causing the issues first. Then you can troubleshoot the cause. Just a side note about running PFSense in a Hyper-V. I just installed PFSense for my home network and reviewed online documentation that stated to use legacy network adaptors in the VM. When I did that I noticed I was getting very poor download speeds and other packet loss issues. I changed it back to the default adaptors and had no issues since. A lot of the online documentation and videos for setting up in Hyper-V are out-dated and incorrect for today's technologies and recent PFSense releases.
  • STUN server package?

    3
    0 Votes
    3 Posts
    2k Views
    P
    Are you able to share this package? Interested in the same thing.
  • Freerad iphone eap-tls log spam?

    3
    0 Votes
    3 Posts
    1k Views
    johnpozJ
    yeah that is what it seems like to me as well.  I for now have just turned off logging of the auth.  Maybe I am just having a brain fart but I don't see a way to log just failures and not log good auth which would be better than no logging at all. While they are not doing it like every minute it does produce quite a bit of spam in the logs when you have 2 of them doing it every few minutes all night long, etc. Or be nice if you could set it somewhere on the phone to only do it say every hour or something when they are sleeping.  I will have to look through the iphone settings, but what is odd is not seeing it from the ipad and it's on the same eap-tls network.  When I get a chance I will explore the difference in settings on the ipad vs the iphones.
  • OpenSSH DSA keys deprecated in FreeBSD 11

    3
    0 Votes
    3 Posts
    2k Views
    jimpJ
    We have generated them in a while and we stopped using them completely in 2.3.2. So if you're on 2.3.2 and working fine, you're ahead of the curve. Only a few people have had issues that we've seen. Most all of them easily solved by a client software upgrade or tweak in the settings.
  • Smooth upgrade from 2.0.3 to 2.3.1

    1
    0 Votes
    1 Posts
    911 Views
    No one has replied
  • MOVED: "Assertion failed" from pkg during 2.3.2 upgrade

    Locked
    1
    0 Votes
    1 Posts
    998 Views
    No one has replied
  • 2.3.2 ready?

    24
    0 Votes
    24 Posts
    13k Views
    N
    @cmb: There almost certainly won't be a 2.3.3 release. There will be 2.3.2_x updates no doubt, especially since that's the end of the road for 32 bit. Hmmmm, Would have thought 2.6.4 would be more fitting end of the road for 32 bit. ;)
  • Pfsense logging to security onion snorby mysql how to

    4
    0 Votes
    4 Posts
    6k Views
    C
    I would also appreciate any insight into logging from pfsense to security onion now that snorby is deprecated from the security-onion iso.
  • When the Boss Says "Jump", Don't ('CEO FRAUD')

    5
    0 Votes
    5 Posts
    2k Views
    H
    She was. She had a Masters and PHD related to computer systems security. We'd talk for hours after class since she mostly taught just a handful of high level courses. She taught 4 of my courses, server administration, securing servers, network design, and network security. Something like 5-6 credits per class and something I enjoyed, so easy As. GPA boost! I graduated with a little more than 2x my required credits for my major. I got to work with her husband who was head of IT security. Now my brother is working with him on a research project for AI learning intrusion detection. He's working towards a PHD in AI. My brother is leader("because no one else knows what they're doing") for like 4 different research projects at the same time while helping my University redesign their datacenter for their own personal cloud, while doing an intern project for programming a super computer. And he has exclusive access to the super computer and is allowed to pretty much program whatever he wants. He and I rarely talk, but when we do, it's a total geek fest. Not many people understand us. He's a lot more ambitious than I am.
  • Alternative for "Anubis"?

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Glad they aren't that honest

    2
    0 Votes
    2 Posts
    1k Views
    M
    Lol
  • How to block internet at time interval

    2
    0 Votes
    2 Posts
    1k Views
    P
    1. Go to Firewall->Schedules. Add a schedule for the days and times that you want to allow access.
    2. Add a rule at the top of the rules for the interface that allows (pass) all traffic, click "Display Advanced" at the bottom of the rule settings, choose the schedule.
    3. After the pass rule, put a block rule that blocks the traffic at all times.
    During the schedule period the pass will be in effect. Outside of the schedule, the pass rule will be disabled and the block rule will be in effect. If you have no other rules on the interface, then you can omit the block rule at step (3), if you like. The default action is to block anyway.
  • Blog post involving pfSense in Azure

    5
    0 Votes
    5 Posts
    3k Views
    C
    @jdillard: article not found. Sorry about that…I had a problem where the article kept reverting to draft. When I re-published, it was the next day which changed the url. Thanks mhab12, for posting the right link. Steve
  • Binding LAN with WAN

    6
    0 Votes
    6 Posts
    6k Views
    johnpozJ
    With phil on this dns has nothing to do with ping at all..  When you say you can not ping IP, that points to you tried to ping the IP address, not resolve some name that never resolved.. I would want to know what he is trying to use for dns in pfsense.  It defaults to using unbound that would actually try to resolve.. Did you change it to the forwarder?  You have a static IP on your wan that is rfc1918 and you're asking it?  Do you have the block rfc1918 set? Your nat device in front of pfsense could be blocking dns to the authoritative servers which is what resolver does, your isp could be doing that, etc.
  • Best Practices for Installing Custom Scripts

    3
    0 Votes
    3 Posts
    1k Views
    G
    Thanks, that's half the problem solved.  If someone could make a suggestion as to best practices for storing/backup/recovery of custom scripts that would be much appreciated.
  • Upcoming new Atom - light on details

    4
    0 Votes
    4 Posts
    2k Views
    JailerJ
    That board pictured would make a killer FreeNAS rig.
  • New pfsense 2.3.1 install with wonky internet access

    1
    0 Votes
    1 Posts
    575 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.