• Pfsense and vlans and switches - which path will packages take?

    0 Votes
    4 Posts
    802 Views
    If you have a decent L3 switch you can accomplish this without going the long distance. The other benefit of doing that is freeing the pfSense box for more or other activities; on top of that you get a second foot to stand on: if the pfSense box is failing, normal work inside the LAN can still be done, so there will be no interruption for all employees. And all at wire speed. Just set up routing between VLANs and limit the traffic with ACLs on your switch. QoS, ACLs and MACsec are often your friends here to get a better balanced network load and flow, raising security and being able to regulate the packet flow. Then the traffic moving between hosts in VLAN100 and VLAN200 never needs to hit your edge router. Only if there are no servers inside the DMZ that must be touched from the LAN side. At that point you could get rid of the VLANs in your pfSense setup and use a "transit network" to connect your L3 switch to pfSense. Good point, I use it also in that direction. If you need a good L3 switch for SOHO use, the Cisco SG350 is great. Lots of features. The Cisco SG350 series or the D-Link DGS1510 will be fine and really cheap to get.
  • PPPoE reconnection

    0 Votes
    2 Posts
    515 Views
    with pfSense 2.2.4 Please try out the latest version of pfSense 2.3.4_p1 or give version 2.4 BETA a try. You could easily go back by reinstalling and playing back your backed-up config.
  • Blocking individual device YouTube and IPv6

    0 Votes
    5 Posts
    2k Views
    Assuming their devices are Apple products, I might suggest putting restrictions on their devices specifically: Settings->General->Restrictions. Similar functionality exists with Mac OS… In terms of pfSense, I would go back again and look at the "Scheduling functionality" in your rules. Set up a specific VLAN for your kids (you need an AP that is VLAN capable). I just got pfBlocker working and love the customizable functionality. Turn off IPv6... I have it turned off on my firewall (I think?). As already suggested, use OpenDNS... I believe there are "Parental Control OpenDNS IPs". Good luck... Sean (I have less than a year into pfSense... big learning curve, but what you seek is very possible)
  • KVM + pfSense + X-WRT-Vortex + VLANs

    0 Votes
    4 Posts
    1k Views
    Thanks for your reply. From your message the following bumped into my head…

    @helge000: Did you set up these vlans in KVM / qemu using linux bridging? AFAIK you need to 'untag' and bridge each VLAN as a single network and expose them to your VM as single network. Otherwise the tags might just get discarded. Linux bridging will then do 'the right thing'. Ignore this if you are using openvswitch or similar, more fancy setup on your hypervisor

    I do not have openvswitch or anything similar, I have done nothing like that, I just have the three bridges defined on my host as follows:

        # The loopback network interface
        auto lo
        iface lo inet loopback

        # The primary network interface
        #auto eth0
        #iface eth0 inet manual

        auto br0
        iface br0 inet static
                address 192.168.2.10
                netmask 255.255.255.0
                network 192.168.2.0
                broadcast 192.168.2.255
                gateway 192.168.2.13
                bridge_ports eth0
                bridge_stp off
                bridge_fd 0
                bridge_maxwait 0
                # dns-* options are implemented by the resolvconf package, if installed
                dns-nameservers 192.168.2.13 8.8.8.8
                dns-search localdomain

        auto br1
        iface br1 inet manual
                bridge_ports eth1
                bridge_stp off
                bridge_fd 0
                bridge_maxwait 0

        auto br2
        iface br2 inet manual
                bridge_ports eth2
                bridge_stp off
                bridge_fd 0
                bridge_maxwait 0

    How do I have to configure them so they support vlans?
  • How do hotels isolate wifi clients? - want to create "rooms" in a hospital

    0 Votes
    15 Posts
    4k Views
    johnpoz
    even with the 4 ssid limit, you could prob still get 8 rooms on 1 AP via using a different ssid per band - putting the farther rooms on 2.4 and the rooms closer to the AP on the 5GHz band and using different ssids/vlans.. The only drawback to this would be your actual layout of rooms and types of walls, etc. Let us know how it turns out! If you end up doing this and it works out good - it would be a perfect thing to post on unifi as a case study ;) Keep in mind I do not believe they have back ported the 8 ssid thing to the older line previous to 5.6.x yet.. And there might be restrictions on which APs support it as well. Do you have a drawing, or could you sketch up real quick a basic layout to look at to see placement of the APs? Worst case is you need to use more APs and have fewer rooms per AP. But with the ability to create different wifi groups and different ssids and vlans you should be able to do it all under 1 site on the controller.
  • VOIP Issues

    0 Votes
    16 Posts
    3k Views
    Could it simply be a DTMF issue? http://community.polycom.com/t5/VoIP/FAQ-Phone-unable-to-send-DTMF-to-an-IVR-system-or-how-to/td-p/4237 "If you are unable to send DTMF signals to an IVR or Voice Mail System you may need to change the method or the payload type. Please liaise with your SIP Platform Support in order to gather this information. Changing from SIP Inbound (RFC2833) to SIP INFO (RFC2976) must be done with a Configuration File loaded from a Provisioning Server."
  • Android unable to connect to MS Exchange 2010

    0 Votes
    1 Posts
    256 Views
    No one has replied
  • Cannot Access PFSense GUI from WAN IP Address

    0 Votes
    5 Posts
    3k Views
    The problem is that I'm trying to connect to the Web GUI (or SSH) through the WAN. I'll consider that VPN should be the right way here to realize such an action! It is safe for you and not traceable or usable by others from outside! From the LAN side it is a totally different thing; there are normally no intruders, so you might take VLAN1 as your management VLAN for the admin because it's the default VLAN and all devices are inside of that one. Another thing: if your pfSense box owns an IPMI port, I would consider using that port to manage the pfSense firewall.
  • Create a user with ssh_tunnel_shell as default shell

    0 Votes
    3 Posts
    607 Views
    So easy?! -.- And I found nothing on the web. Thanks a lot.
  • Problems browsing with IE

    0 Votes
    4 Posts
    667 Views
    After a while trying different settings I got it to work; it's not the best way to do this but the only one I found. In the SSL Man In the Middle Filtering I changed from "Splice Whitelist, Bump Otherwise" to "Splice All" and now IE on Windows XP is browsing with the proxy settings. As I said before, it's not the best way but the only one I got working, and the sites that are forbidden don't show the custom message but an SSL error and are not accessible; in the end the result is the same. Thanks everyone for the help. Cheers
  • Logging broken ?

    0 Votes
    7 Posts
    1k Views
    From what I can see in my logs, the "syslogd: exiting on signal 15" is usually associated with a reboot/restart but there may be other circumstances.  For example, the old postfix package used to cause a syslogd restart whenever the package config was reloaded. It's not something I've really worried about though.
  • How to start from "zero"?

    0 Votes
    14 Posts
    2k Views
    jimp
    And by your reply, it's clear you completely missed the point of what I said, while simultaneously proving my point. I hope you find a book that fits your level of IT learning ability.
  • How to block ALL vpn connections

    0 Votes
    8 Posts
    12k Views
    Install Squid & SquidGuard and create an account for each user and device; then you can better control what is allowed through that proxy server. Together with OpenDNS it will be a nice service and prevention. If this is not enough, you could try out pfBlocker & DNSBL + TLD; for sure your system memory (RAM) should be high enough, but using Snort with AppID rules you may then get closer to your goal. Or, more expensively, it could be nice to install a deep packet inspection device behind the pfSense firewall; this might take more time to fine tune but has the most effect of all. Or a combination of some of these things could be the real deal breaker.
  • Pfsense is working great only a few users have yellow triangle sign

    0 Votes
    6 Posts
    823 Views
    Squid is probably breaking the HTTPS cert chain if I was to guess.
  • Cannot access pfsense using webgui and SSH

    0 Votes
    2 Posts
    392 Views
    Hi, I've got the same problem. Yesterday I installed pfSense on OpenStack and, since the DHCP config failed for the WAN, I had to set the IP address (also netmask and default gateway, of course) manually. The weird thing is that I'm able to ping and reach Internet sites and external IPs, but my pfSense instance filters all incoming connections. I also tried some scans with nmap but it always returns the same message: "All ports are filtered". Could you please help? Maybe the problem is related to the basic firewall which has not been configured correctly due to the DHCP error at boot. Thank you in advance
  • System / High Availability Sync Settings without CARP

    0 Votes
    3 Posts
    1k Views
    Thank you very much for taking the time to comment. After rereading what I posted, I realize I posted it too soon. There is definitely information missing and some of the sentences seem to be incomplete. Ok, as for your post: I have 6 other firewalls that are in a CARP configuration and they are humming along with zero issues (knock on wood). I have mine set up with a bi-directional state sync. It has made my failovers and failbacks seamless. The reason these two units are NOT in a CARP setup is simply because this pfSense is directly connected to the ISP equipment and we only have one supplied port from them. I realize simply putting a switch in front of the gateway would allow us to CARP the two pfSenses together, but I don't have an extra one to do this. It is our gateway router. Why I don't have ready access to the backup gateway?? That actually was not accurate. I have physical access and console access to the firewall BUT, since the configuration is IDENTICAL to the primary, I don't have GUI access to the unit. So it's my understanding then that transferring the sync state across to the backup is a waste of time. But syncing configuration changes from the primary to the standby will work. Again thanks for your time. Dino
  • Expanding DHCP-Range

    0 Votes
    5 Posts
    707 Views
    @johnpoz: yes.. ;) Ok, thank you very much.
  • Is this possible?

    0 Votes
    7 Posts
    1k Views
    @BlueKobold: Debian Linux on a small Raspberry Pi 3.0 or on a Netgate Minnow TurBot and OpenLDAP on top, or with a nice graphical user interface (GUI) together with TurnKey Linux. TurnKey Linux & OpenLDAP. Radius Server 3.0 is announced to be coming as a package for pfSense directly! The Captive Portal with voucher system will be able to be used for guest WiFi. So I need additional hardware?
  • Tagging WAN Interface Issues

    0 Votes
    1 Posts
    530 Views
    No one has replied
  • PfSense untagged VLAN for Unifi UAP management

    0 Votes
    5 Posts
    1k Views
    Derelict
    No. Just managed layer 2. Any "web smart" switch should do fine. As long as it properly supports 802.1q.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.