(Not related to the printer/FreeNAS topic) - you do not need all those "extra" rules on each interface, with source=SOMEOTHERnet destination=THISnet - nothing will ever match those, because traffic arriving from THISnet will have source in THISnet (not in SOMEOTHERnet)

You have general pass-all rules at the top of each net, good for getting the printer/FreeNAS working. But you also have rules down the bottom that direct general traffic to a gateway (those rules will not have any effect just now, because the top pass-all rule will be matching all the traffic). But if you do remove the top pass-all rule at some point, then all the traffic is going to get dire cted to a gateway or gateway-group. That will mess up access to the printer/FreeNAS. So you will need a rule at the top with source THISnet, destination LANnet to pass "local" traffic between subnets without pushing it to a gateway.

Your rules should work OK (and they do, because you can do other stuff between subnets). So you really need to setup your printer to have the pfSense LANnet IP address as its gateway - you have to do that somewhere on the printer setup screen or whatever.

yup its that easy - worth also thinking about using pfblockerng to maintain the lists which allows use of AS numbers which can be helpful for larger sites etc.

Hi, new to this as well. Im going to try this next weekend hopefully.

https://forum.pfsense.org/index.php?topic=110177.0

See the post in the middle by treer.

1.  This forum is for general discussion and not for posting problems.  For errors with the Zabbix package, please look at the Packages forum.

2.  Have you configured it with Server IP, Active Server IP and hostname?  I noticed that it timed out for me until I specifically told it which interface to listen on (LAN instead of all).

anything with enough network cards & other hardware that runs pfSense. (check the pfSense store or the hardware section of the forum)

So you want to stop someone from causing problem by purposely setting a dupe IP for your gateway?  Yeah use a NAC/NAP to prevent such people from getting on your network.

I don't even have to set a dupe to cause problems, just need to flood the network with gratuitous arps pointing to the wrong mac for the IP, or answering arps very quickly with the wrong info, etc.

There is nothing you can do on pfsense to stop this if that is your question.. Since pfsense has nothing to do with traffic that happens on the network of a specific segment it might have an interface in - it is just the gateway off that segment and yeah it can firewall traffic it sees on its that interface for somewhere else.

On a host level you could setup static arps for your gateway or any other IPs on your network, so if someone was giving out bad info you wouldn't pay attention to it, etc.

Indeed boxes accelerating (kind of) protocols like SMB are not increasing bandwidth but are, assuming you have one on each side  ;), sending back local ACK to fight against latency.

Some protocols, like SMB, have been written to work on LAN only and are very verbose, requiring frequent ACK between client and server. By handling ACK at the border of each LAN (faking in fact remote client or server), these boxes are still very useful, whatever bandwidth, if you have network with significant latency.

OpenVPN peer-to-peer seems to be the right answer.
What you need to add to above answer is the need for dynamic DNS stuff so that despite dynamic IP on site B, you can still know how to reach it  ;)

How about put in some kind of mini game that is trivial to win.  Game of pong or 1 level of tetris?

That explains it, I added an interface, thanks.

Sounds like what you want is a smart/managed switch..  There is no reason to route this traffic over pfsense.. If you want your nas to talk to something else to copy its video too, then that something should be on same layer 2.

I would agree you prob don't want all your other network stuff on this same network.  So you put your camera stuff on its on network/vlan ie layer 2.  Now be it you want to talk to this stuff from another network or allow it to talk to other stuff via layer 3 then sure that would route through pfsense.

Having another nic in pfsense would allow for having multiple nics for your other networks so you don't have to put everything on a vlan sharing the same phy speed limitation of 1 nic..  But once you get switch that supports vlans pfsense could be used with just 1 nic, etc.

Isolation/separation of networks is yeah good security practice.. I sure don't trust all this iot stuff to be on the same network as all my other stuff. So yeah they all get put on their own vlan.. They can talk to each other.. I let them talk to the internet - but they don't talk to any of my other local networks.  For example nest thermo and nest protect.  They are on their own wifi segment.  They have no access to anything else on my network.  Once I get a cameras setup it would be the same way, my directv dvr is on its own segment, etc.

I'd start as most do on the network. Physical layer. (unless you know there was some recent changes made to the network or PFSense).

Check all hardware including the switch, pcs, cabling etc… for any issues.

I'd start by checking the modem. If you have a static IP on it you can configure a NIC on a laptop to the static IP and connect it to the LAN of the modem. Remove all other connections and test the modem speeds on a laptop. If all is well reconnect it back to normal and move onto the next step.

Bypass the switch and next test the PFSense box, plug the LAN from the PFSense into your laptop. Check the connection at this point. Is it slow or stable at correct speeds? If not the obviously the problem is with the PFSense box and not the remaining items on the LAN.

If it is, then do the same troubleshooting method for the switch. Swap it out with spare for a test. Reboot the switch, do speeds return to normal then die out over time? etc....

Pinepoint the item causing the issues first. Then you can troubleshoot the cause.

Just a side note about running PFSense in a Hyper-V.

I just installed PFSense for my home network and reviewed online documentation that stated to use legacy network adaptors in the VM. When I did that I noticed I was getting very poor download speeds and other packet loss issues. I changed it back to the default adaptors and had no issues since. A lot of the online documentation and videos for setting up in Hyper-V are out-dated and incorrect for today's technologies and recent PFSense releases.

Are you able to share this package? Interested in the same thing.

yeah that is what it seems like to me as well.  I for now have just turned off logging of the auth.  Maybe I am just having a brain fart but I don't see a way to log just failures and not log good auth which would be better than no logging at all.

While they are not doing it like every minute its does produce quite a bit of spam in the logs when you have 2 of them doing it every few minutes all night long, etc.

Or be nice if you could set it somewhere on the phone to only do it say every hour or something when they are sleeping.  I will have to look through the iphone settings, but what is odd is not seeing it from the ipad and its on the same eap-tls network.  When I get a chance I will explore the difference in settings on the ipad vs the iphones.