• Need Help Understanding Multiple Vlans on LAN Port

    6
    0 Votes
    6 Posts
    2k Views
    Derelict

    Untag the port for the PC on 116.

    It sounds like you should just remove the layer 3 configuration from the switch on that VLAN which will revert it to simple layer 2.

    Tag that to pfSense and configure that VLAN interface with whatever services (DHCP, etc) and firewall rules that you want.

    It is very important, however, to know who is routing for what. Is pfSense doing the routing or is the switch?

    That diagram I posted covers both scenarios.

    If you assign an interface in Interfaces > (assign) to eth0 that will be untagged traffic on eth0.
    If you assign an interface in Interfaces > (assign) to VLAN 100 on eth0 that will be tagged VLAN 100 on eth0.
    Your switch should be configured accordingly.

  • AT&T Mifi Setup

    4
    0 Votes
    4 Posts
    967 Views
    W

    Thank you very much for the reply kapara!

    I have found these settings before and did not add them because this was on boot, not per device.  If I unplug the MIFI device and plug it back in, will this command rerun?

    Thank you!

  • Rrdtool xport Failure

    6
    0 Votes
    6 Posts
    1k Views
    arrmo

    One more thought on this - as I was able to build rrdtool with all the needed libraries … and I have those (shared) libraries in another folder. Is there an easy way to have pfSense / FreeBSD add another folder / path to the library search?

    Thanks!

  • NAT

    2
    0 Votes
    2 Posts
    402 Views
    D

    Hello,

    disable the packetfilter: pfctl -d
    flush nat settings: pfctl -F nat

    Reference: pfctl-manpage

  • User authentication and radius group attribute

    6
    0 Votes
    6 Posts
    3k Views
    jimp

    Correct. It was after both of those books. It is in the current book you can get via pfSense Gold.

  • [Solved] Accessing internal servers via public domain name

    4
    0 Votes
    4 Posts
    502 Views
    ptt

    You're welcome !

    Glad to be of Help

    Please edit the "Title" of your first post and add [Solved] tag  ;)

  • Limit on number of physical interfaces?

    3
    0 Votes
    3 Posts
    784 Views
    C

    thanks for the link, good thread!

    -Chris

  • Guest Network

    7
    0 Votes
    7 Posts
    1k Views
    J

    @Derelict:

    There is no "client isolation" in pfSense. It is a layer 3 firewall. It cannot keep 192.168.1.100 from talking to 192.168.1.101 on a /24 network. pfSense will never even see the traffic between them in that case.

    That isolation must be done in Layer 2 - the switching/access point layer.

    Your unmanaged switch is going to be useless there as well.

    What you need is to connect all your access points to a managed switch with some capabilities similar to Cisco's private VLAN edge or protected port feature. This allows you to configure it so ports 2 through 10 can all exchange traffic with port 1 but not with each other. You would put your access points on ports 2 - 10 and pfSense on port 1. Other switches might be able to be configured using asymmetric VLANs or uplink ports.

    In addition, all of your access points will need to have a wireless client isolation feature to keep clients from talking to each other on the AP itself. That is a fairly standard feature.

    This all scales fairly well for one Layer 3 network but gets a LOT more complicated where multiple VLANs/Networks are concerned.

    Potential google terms in italics.

    Thank you, this really helped. I might just replace the switch as it is fairly old already.

  • LAN interface disconnects randomly

    1
    0 Votes
    1 Posts
    663 Views
    No one has replied
  • SG-1000 IGMP Proxy not working anymore

    1
    0 Votes
    1 Posts
    317 Views
    No one has replied
  • PfSense using BT Business Hub as Modem w/ static IPs

    1
    0 Votes
    1 Posts
    536 Views
    No one has replied
  • New pfsenser - how to blacklist domains.

    3
    0 Votes
    3 Posts
    1k Views
    BBcan177

    In the DNSBL tab add the domains to the custom list at the bottom of the page of any DNSBL group.

  • Not getting WAN IP after cold boot

    3
    0 Votes
    3 Posts
    575 Views
    G

    How is the modem configured? And how is the pfSense configured?
    Have you tried to have a computer directly connected after the modem and see if it gets an IP?

  • Compromised Modems

    5
    0 Votes
    5 Posts
    964 Views
    chpalmer

    @ibby1570:

    I was just reading a news story about how hackers have found an exploit in the firmware of a modem manufacturer.

    How would pfSense protect against a compromised modem since there is no way to put a firewall before the modem?

    Are you talking about the Puma 6 models?

  • Help on how to bridge my ONT device to my pfSense Box

    5
    0 Votes
    5 Posts
    2k Views
    G

    here is what I tried so far:

    disabled nat, disabled dhcp server, disabled wifi and then changed it from route mode to bridge mode. if ONT is directly connected to an old laptop or with my pfSense box:
    --- (without setting vlan) it can get the ip without issues BUT internet speed is reduced to around 2mbps up/down speed.
    --- setting vlan to 1030 and it will not get any dhcp IP
    --- creating/providing a MAC clone on the WAN side does not get an IP (MAC's I have found on doing telnet on the ONT)

    But when I tried to reboot the ONT, doing the above things "WONT" work anymore.
    When I tried to see DHCP logs, it seems it is not able to get IP addresses.

    Calling my ISP for information regarding bridging and how it works gets me to nowhere :(
    Any other hints/help?

    Thanks and best regards,
    gratis.obake

  • Accessing 4G modem from inside the firewall

    8
    0 Votes
    8 Posts
    1k Views
    ptt

    Just Change the "Destination" from "*" (ANY) to the Modem IP address… ;)

    You don't need to use "*" (ANY) in all your rules.... You can have "more strict" rules to get better/specific control of the traffic.

  • MOVED: How to make rules order persistent?

    Locked
    1
    0 Votes
    1 Posts
    270 Views
    No one has replied
  • Log analyzer for Snort/pfsense

    3
    0 Votes
    3 Posts
    796 Views
    H

    Thank you for the suggestions.

  • PfSense Locking Up With Large Downloads

    5
    0 Votes
    5 Posts
    1k Views
    N

    @Rorinson:

    @Gertjan:

    As said : Your pfSense NIC detects cable removing.
    This means : someone is ripping out the WAN cable - or the NIC (Realtek => may day …. ) is bad or the NIC on the other side is bad.

    @Jailer:

    Sounds like a Realtek NIC crapping out under load.

    Hi there,

    Thanks very much for the response both!

    As I said, the cable is fine - It only happens when large downloads are going on.  I've even replaced the cable to rule out a cable issue too.

    So it may be the card can't handle the load then.  Is there any way I can confirm this?  Some test I can perform?

    I guess I could just replace the card with an Intel card but before I do that it'd be good to check this is the problem.

    Use iperf between your pfSense and another LAN host.

  • Lost TCSH file

    2
    0 Votes
    2 Posts
    415 Views
    W

    No one? Maybe someone can upload me the file and I put it back in place

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.