• Guest Network

    7
    0 Votes
    7 Posts
    1k Views
    @Derelict: There is no "client isolation" in pfSense. It is a layer 3 firewall. It cannot keep 192.168.1.100 from talking to 192.168.1.101 on a /24 network. pfSense will never even see the traffic between them in that case. That isolation must be done in Layer 2 - the switching/access point layer. Your unmanaged switch is going to be useless there as well. What you need is to connect all your access points to a managed switch with some capabilities similar to Cisco's private VLAN edge or protected port feature. This allows you to configure it so ports 2 through 10 can all exchange traffic with port 1 but not with each other. You would put your access points on ports 2 - 10 and pfSense on port 1. Other switches might be able to be configured using asymmetric VLANs or uplink ports. In addition, all of your access points will need to have a wireless client isolation feature to keep clients from talking to each other on the AP itself. That is a fairly standard feature. This all scales fairly well for one Layer 3 network but gets a LOT more complicated where multiple VLANs/Networks are concerned. Potential google terms in italics.
    Thank you, this really helped. I might just replace the switch as it is fairly old already.
  • LAN interface disconnects randomly

    1
    0 Votes
    1 Posts
    666 Views
    No one has replied
  • SG-1000 IGMP Proxy not working anymore

    1
    0 Votes
    1 Posts
    317 Views
    No one has replied
  • PfSense using BT Business Hub as Modem w/ static IPs

    1
    0 Votes
    1 Posts
    538 Views
    No one has replied
  • New pfsenser - how to blacklist domains.

    3
    0 Votes
    3 Posts
    1k Views
    BBcan177
    In the DNSBL tab add the domains to the custom list at the bottom of the page of any DNSBL group.
  • Not getting WAN IP after cold boot

    3
    0 Votes
    3 Posts
    577 Views
    How is the modem configured? And how is the pfSense configured? Have you tried to have a computer directly connected after the modem and see if it gets ip?
  • Compromised Modems

    5
    0 Votes
    5 Posts
    973 Views
    chpalmer
    @ibby1570: I was just reading a news story about how hackers have found an exploit in the firmware of a modem manufacturer. How would pfSense protect against a compromised modem since there is no way to put a firewall before the modem?
    Are you talking about the Puma 6 models?
  • Help on how to bridge my ONT device to my pfSense Box

    5
    0 Votes
    5 Posts
    2k Views
    here is what I tried so far: disabled nat, disabled dhcp server, disabled wifi and then changed it from route mode to bridge mode.
    if ONT is directly connected to an old laptop or with my pfSense box:
    --- (without setting vlan) it can get the ip without issues BUT internet speed is reduced to around 2mbps up/down speed.
    --- setting vlan to 1030 and it will not get any dhcp IP
    --- creating/providing a MAC clone on the WAN side does not get an IP (MAC's I have found on doing telnet on the ONT)
    But when I tried to reboot the ONT, doing the above things "WONT" work anymore. When I tried to see DHCP logs, it seems it is not able to get IP addresses. Calling my ISP for information regarding bridging and how it works gets me to nowhere :(
    Any other hints/help?
    Thanks and best regards, gratis.obake
  • Accessing 4G modem from inside the firewall

    8
    0 Votes
    8 Posts
    1k Views
    ptt
    Just change the "Destination" from "*" (ANY) to the Modem IP address… ;) You don't need to use "*" (ANY) in all your rules.... You can have "more strict" rules to get better/specific control of the traffic.
  • MOVED: How to make rules order persistent?

    Locked
    1
    0 Votes
    1 Posts
    270 Views
    No one has replied
  • Log analyzer for Snort/pfsense

    3
    0 Votes
    3 Posts
    797 Views
    Thank you for the suggestions.
  • PfSense Locking Up With Large Downloads

    5
    0 Votes
    5 Posts
    1k Views
    @Rorinson: @Gertjan: As said: Your pfSense NIC detects cable removing. This means: some one is ripping out the WAN cable - or the NIC (Realtek => may day …. ) is bad or the NIC on the other side is bad.
    @Jailer: Sounds like a Realtek NIC crapping out under load.
    Hi there, Thanks very much for the response both! As I said, the cable is fine - It only happens when large downloads are going on. I've even replaced the cable to rule out a cable issue too. So it may be the card can't handle the load then. Is there any way I can confirm this? Some test I can perform? I guess I could just replace the card with an Intel card but before I do that it'd be good to check this is the problem.
    Use iperf between your pfSense and another LAN host.
  • Lost TCSH file

    2
    0 Votes
    2 Posts
    415 Views
    No one? Maybe someone can upload me the file and I put it back in place
  • PfSense not routing

    4
    0 Votes
    4 Posts
    805 Views
    @Derelict: Sounds like you created an asymmetric routing situation and the NAT made the traffic same-subnet.
    I don't think so. The two subnets are physically separated and they both have one single gateway to each other (the pfSense box). Am I missing something?
  • Gateway statistics location on filesystem

    7
    0 Votes
    7 Posts
    868 Views
    For anyone that could need this, statistics can be easily extracted with a PHP script calling into this function (hope it is ok to link to pfSense source code): https://github.com/pfsense/pfsense/blob/bafd63b5d95054adcf97720a716e027cad0b17d4/src/etc/inc/gwlb.inc#L402
  • Stupid question

    5
    0 Votes
    5 Posts
    965 Views
    @johnpoz: Here does this help
    Yes! Thank you.
  • Firewall log spammed

    4
    0 Votes
    4 Posts
    2k Views
    johnpoz
    there was a long time bug about this that seems to have been https://redmine.pfsense.org/issues/3494 But it was rejected, turn off logging of bogon if you don't like the spam it seems is the correct course of action.
  • New to pfsense, some general pointers please

    1
    0 Votes
    1 Posts
    326 Views
    No one has replied
  • Controlling Guest Access with PFSense

    3
    0 Votes
    3 Posts
    509 Views
    Derelict
    Or something like wireless client isolation and Private VLANs… You are looking for layer 2 isolation. pfSense is a layer 3 firewall.
  • Can i use isp modem behind pfsense

    1
    0 Votes
    1 Posts
    309 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.