Soon we will be upgrading the connection so our ASA will send traffic to a switch port connected to the WAN interface of our PFSense box.  The LAN interface is connected to a wireless AP. The traffic to that switch port will be tagged with a VLAN ID so we can keep traffic separated. i'm unsure as to what you mean there? do you mean ASA > pFsense > Wireless only? if you are using vlans, the pfsense port will need to be configured with the vlans in use. generally, the pfsense port would include all the vlans that you are using as in most cases it's the router and it has to route traffic on the vlans to other networks eg the internet etc the switch behind pfsense is usually where you configure what ports are members of what vlans. For example Pfsense: WAN PORT = untagged > internet LAN PORT = vlan2 = PRIVATE, vlan3 = PUBLIC The LAN port is plugged into say PORT 24 of the switch. Switch: PORT 24 = member vlan 2(private) & 3(public) PORT 1 = member vlan 2(private) = plug private PC in here PORT 2 = member vlan 2(private) = plug private PC in here PORT 3 = member vlan 2(private) & vlan 3(public) = plug wireless access point in here Wireless access point: SSID = PRIVATE = vlan2 SSID = PUBLIC = vlan3 the above setup will allow anybody connecting wirelessly on the PRIVATE network to connect to all of the PRIVATE pc's because it is on vlan 2 and also go to the internet if you have configured pfsense to do this. Anybody connecting wirelessly via SSID PUBLIC (vlan3) will be isolated from the PRIVATE network (vlan2) and will go out to the internet if you have that configured. It's also worth remembering to put a rule in the firewall to prevent inter vlan traffic ie block if source is vlan & destination is vlan.

Thanks a lot sir

VLAN IDs are site-specific. You can route between them with multiple phase 2s on IPsec.

Hey podilarius! Unfortunately my /29's are not consecutive…..they're all over the place actually.  :-[

Darnitol, you are the man!!! Works like magic, thanks a million.

there isn't a "pretty" status file but you can see /tmp/apinger.status (or /var/run/apinger.status on 2.0.3 and 2.1)

The same things that cause deterioration of any kind of network connectivity. Line problems, equipment problems, excessive usage, amongst other possibilities. Need more info on specifically what you're seeing/why you're asking to narrow it down to anything useful.

port 1, 2 and 4 r on different vlans so untagged is fine and port 3 is tagged meaning trunk port. i tried wireshark and its the pfsense mac only that goes to isp, cisco switch has its own mac in between for Ethernet packets but the isp is detecting the pfsense mac based on pppoe encapsulation which linksys gateway is this and how is it to be used?

@Reiner030: What usage has your firewall if you have all WAN and LANs (DMZ?) on the same side of your firewall ? It's like you put a crash wall in front of your house that no car can drive in and hurt you… But you are waiting for cars on the street side and not in the house? ;) i have since this post added all my firewall rules back in place, as i was suffering from the system locking up i started stripping things apart back to bare config… the public/24 is solely used for my wireless clients, i block all ports to prevent residential clients from hosting servers (Vlan CPE = net access), if they want to host then they have to upgrade their access to a business class at that point i open all ports to their ip from wan side.... Wireless ISP....

I imagine it's something like this –------ WAN1 ------(ISP GW) --LAN ---pfsense                       -------- WAN2-------(linksys or similar GW)------(same ISP GW as WAN1) I read this too and I think you need at least one intermediate GW so that both WAN1 and WAN2 do not point to the same GW IP address. In this case WAN1 will point to Linksys as it's gateway with address different from the ISP GW. The linksys will then be configured to point to the ISPs gateway. Disable NAT in the Linksys or whatever intermediate gateway you use if that is possible. Is this really a limitation in 2.0.2? I thought it only applied to 1.x releases. I'm having trouble getting dual WAN working myself and this may be part of the reason why, but in my case disabling WAN1 so that there is only one one WAN and one GW doesn't help. If you ever get dual WAN to work please share you configuration.

i am by no means a pro/expert… but my first thought was are u using auto NAT or Manual NAT? if manual nat, you need to add mapping...

My SlingBox has the same issue.  Will only talk to the local subnet and won't route. I got around this by adding a NAT rule to hide all the traffic coming from other networks behind an address local to the slingbox.

Ping something else like Google's DNS servers (8.8.8.8).

In case anyone is interested, I have solved this problem.  Here's what the story was: There were 3 interfaces on the Ubuntu box: eth0 - Base NIC - No VLAN - No IP address configured eth0.2 - VLAN 2 - 192.168.124.21 eth0.3 - VLAN 3 - 192.168.125.21 The Avahi daemon (Bonjour) was sending the broadcast packets to all 3 protocols.  To my surprise, they were being sent out the base interface, despite the fact that it had no IP address. I solved the problem by creating new portgroups on the vSwitch which were dedicated to VLAN 2 and 3 respectively.  I then created new NICs in the Ubuntu VM to attach to each of these.  Now everything is working as expected.

All three networks are advertised on the same wire. In the end, I have two network drops that are both the same.  What I plan on doing is setting up two PFSense boxes to be in fail over mode.

Thanks for the note, I am very careful with how I secure/segregate the networks.

There isn't one yet, but we've looked at it before. If you are already familiar with BIRD, you can always install the FreeBSD package and configure it all by hand outside the GUI.