You could try out to set up all in VLANs and then you may configure it out with switch ACLs if a managed switch will be there in use.

Not the main topic but i don't want to open a new thread. I did build a DCF77 radio receiver for a view bucks with a Arduino. It is now connected to the motherboards serial port of my Hyper-V 2016 server. I did install the Meinberg Driver and there NTP package on the Hyper-V 2016 server. On the other windows PCs I use the NTP package. I have in pfSense now 10.1.0.2 + Prefer. Is there something in Services > NTP > ACLs i need to set if i don't want do use pfSense as timeserver? Does "Service - Disable all except ntpq and ntpdc queries (noserve)" disable the timeserver? Some images in the attachment if somebody want to see it. [image: Hyper-V.jpg] [image: Hyper-V.jpg_thumb] [image: Workstation.jpg] [image: Workstation.jpg_thumb] [image: pfSense.jpg] [image: pfSense.jpg_thumb]

The corresponding port on pfSense could also be considered a VLAN "trunk." It would look something like this:  

I think you're on target there buddy. Assign VLANS via PFsense, and configure switch trunk ports and access ports as you desire. As far as I can see, you're golden. Good luck. Take your time, and as a rule, if it does not appear to be working after you configure, as a first step, reboot / restart.

^ exactly.. But I would suggest you move to current vs 2.3.2 - current is 2.3.4..

Thank you for your explanations. I think my way of thinking is still to much connected to terms like NAT where the IP of you wan interface is probably the most important one. Will take some time for me to change that way of thinking i guess. ^^ Thank you. Dennis

Untag the port for the PC on 116. It sounds like you should just remove the layer 3 configuration from the switch on that VLAN which will revert it to simple layer 2. Tag that to pfSense and configure that VLAN interface with whatever services (DHCP, etc) and firewall rules that you want. It is very important, however, to know who is routing for what. is pfSense doing the routing or is the switch. That diagram I posted covers both scenarios. If you assign an interface in Interfaces > (assign) to eth0 that will be untagged traffic on eth0. If you assign an interface in Interfaces > (assign) to VLAN 100 on eth0 that will be tagged VLAN 100 on eth0. Your switch should be configured accordingly.

Thank you very much for the reply kapara! I have found these settings before and did not add them because this was on boot, not per device.  If I unplug the MIFI device and plug it back in, will this command rerun? Thank you!

One more thought on this - as I was able to build rrdtool with all the needed libraries … and I have those (shared) libraries in another folder. Is there an easy way to have pfSense / FreeBSD add another folder / path to the library search? Thanks!

Hello, disable the packetfilter: pfctl -d flush nat settings: pfctl -F nat Reference: pfctl-manpage

Correct. It was after both of those books. It is in the current book you can get via pfSense Gold.

You're welcome ! Glad to be of Help Please edit the "Title" of your first post and add [Solved] tag  ;)

thanks for the link, good thread! -Chris

@Derelict: There is no "client isolation" in pfSense. It is a layer 3 firewall. It cannot keep 192.168.1.100 from talking to 192.168.1.101 on a /24 network. pfSense will never even see the traffic between them in that case. That isolation must be done in Layer 2 - the switching/access point layer. Your unmanaged switch is going to be useless there as well. What you need is to connect all your access points to a managed switch with some capabilities similar to Cisco's private VLAN edge or protected port feature. This allows you to configure it so ports 2 through 10 can all exchange traffic with port 1 but not with each other. You would put your access points on ports 2 - 10 and pfSense on port 1. Other switches might be able to be configured using asymmetric VLANs or uplink ports. In addition, all of your access points will need to have a wireless client isolation feature to keep clients from talking to each other on the AP itself. That is a fairly standard feature. This all scales fairly well for one Layer 3 network but gets a LOT more complicated where multiple VLANs/Networks are concerned. Potential google terms in italics. Thank you, this really helped. I might just replace the switch as it is fairly old already.

In the DNSBL tab add the domains to the custom list at the bottom of the page of any DNSBL group.