Ok , I'll try

FYI, the Foundry X448 I bought is actually full PREM version with L2, L3-Base & L3-Full.

So let the switch route between all the VLANs or the entire network to free up the load from the pfsense
box able to realize more for you, might be then also a way able to march on or am I wrong with that!?

New to this forum, but have been using pfsense for a while, but no expert..

It doesn´t matter at all, but that said, like mentioned before, snort and suricata are not set it up and forget it packets!
It´ll be more on the need to fine tune more and more and also get new rules for that will be a work for itself.

I'm just looking for best practice regarding hardening pfsense and snort, without using all my time on false positives.

We all do! But again it is not a plug and play packet, it can help much and bringing you to running wild too,
if there is a DMZ with opened ports and forwarded protocols it might be the best bet to positioning it there,
if you are not really sure how to use it, I suggest you to get a small amount of books about your favorite
IDS/IPS system such snort and suricata are. That will narrow down the entire time you spend on it.

We have a 2.3.5 release coming in the next couple days that has security and other fixes.

Would not suggest bridge unless you have no possible other recourse.

Devices do not need to be on the same layer 2 to use plex..  I access my plex server from any vlan/network I want to allow it from by opening up 32400 from that network to the plex servers IP.. Then just access your plex server direct via its local name or IP.

If you just want your wireless to be on your lan network - just plug your AP into your switch that your lan is connected to.

i used pfsense version 2.2.1.

:o

https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

Once again I seem to have found an answer:

https://www.linuxquestions.org/questions/linux-networking-3/server-on-multiple-vlans-server-not-responding-to-pings-from-non-local-subnets-819880/

Now I just need to understand it.

It has to do with traffic being dropped when leaving on a different interface than they arrive at.  I tried to work around a router on a LAN segment issue - but this will also not work.  I will need a dedicated router to make this work :S

So I have noticed mine crashing too, and then vmware thinks its down, but its kind of up? This is with a new install too, and if I power off via esxi gui, and then unregister it and re register it, and remove the SATA host in the edit options, it seems fine…for a bit. I gave it 4 cpu, and 4gb memory.... still happened a few times before I gave up. This was all in one night :s.

Heeeey, this is related: https://forum.pfsense.org/index.php?topic=137628.15
TLDR: 2.4.1 fixes it.

Hi.
Anyone any ideas on this ?

Thanks

Sloved.
Nothing to do with pfSense setup.
It is the SG300 managed switch setup, change to an access port with default vlan1. Speed back to normal.

Yes, in the WAN Interface.
The changes you made there interfere with the Gateway.

That makes sense.

Thanks all!

Guy, like I already said I did a factory reset and used almost all default options except for a few (seemingly) inconsequential options like timezone etc…

I also said that there was an issue with port labels on the device and interface numbering not matching which meant I was using the wrong ports (LAN and WAN reversed) at first but now I swapped them to the correct position but still had some issues.

I dont find it a challenge to change LAN address or many other options, but blindly changing options when you dont know how they work is a bad idea. I was confused with some of the options worked like DHCP on LAN. I didnt see seperate DHCP option, that makes sense to me now. Thanks @Grimson for the DHCP explanation.

Te reason it did work with laptop connected irectl but not over network was bit silly, laptop was connecting to wifi from ISP router before firewall an desktop I tried had static ip (192.168.0.50) when pfsense used 192.168.1.1, so no wonder it didnt work.

Will try changing the ISP router ip next so my static ip's dont have to change when used with pfsense.

Hey.. thx for the picture. Great hint with the defined alias for the rfc1918 area.

Let me get a bit offtopic:
I have some virtual machines on my ESXI. One of them is for indexing my documents and to provide a search engine,
I were finally able to get searchdaimon running. Searchdaimon is unfortunately quite outdated and it seems,
that the devs are not working on this project anymore. The forum has been taken by bots.
I dont know any powerful opensource/lightweight alternative for this purpose.
Even i update centos to 6.9 in the VM and tried to get a clean system, so it will a good thing, to block any traffic to the 'WAN' (any) in this described way..

I'm up and running!!! I realized after a Youtube video that I needed to use Rufus not Unebootin for my ISO to work properly. I just want to say thanks for everyones help. ;D