• Strange ICMP in pfTop

    2
    0 Votes
    2 Posts
    993 Views
    C
    Gateway monitoring for Status>Gateways and quality RRD graph.
  • PF 2.2.5 log pre-nat IP

    2
    0 Votes
    2 Posts
    907 Views
    jimpJ
    Depending on the direction of the traffic and NAT that may not be visible. Blocks that happen on WAN with INBOUND traffic will have NAT applied before they reach the firewall rules. If the logs show that traffic with the WAN IP address as the destination, then there was no NAT involved. If you are blocking outbound it gets a bit trickier; outbound NAT applies before the rules as well, so you can't see a local source there, just the WAN IP address. If you want to see local addresses you have to block inbound on a local interface.
  • Pfsense 2440 port mirroring

    2
    0 Votes
    2 Posts
    747 Views
    H
    Not exactly, but depending on the requirements you could use https://doc.pfsense.org/index.php/Interface_Bridges. It would be better to do this on your switch, because computers are horrible switches.
  • Map LAN IP

    7
    0 Votes
    7 Posts
    2k Views
    MikeV7896M
    From what you've given, it looks like your IP address ranges all fall within the same IPv4 subnet. For example, if your address blocks were 10.20.28.0/16, 10.20.29.0/16, and 10.20.30.0/16… The /16 in all of these examples means an address range of 10.20.0.1 through 10.20.255.254. So if you set a LAN address of 10.20.0.1 on your pfSense LAN interface, you can use that as the default gateway for all of your various address ranges, as long as they begin with 10.20. So as doktornotor said, there's nothing unusual that you need to do to make this work. This is normal IPv4 networking.
  • 0 Votes
    1 Posts
    404 Views
    No one has replied
  • PfSense to distribute internet to multiple sites

    4
    0 Votes
    4 Posts
    1k Views
    M
    In principle, something like this would be possible, but I personally wouldn't go this route as you'd be double-NATing in every instance. In this scenario, you're treating the firewall like an upstream router, which it really isn't. Assuming your clients are all located locally, you'd still be better off having their own networks directly connected to separate NICs (or virtual NICs) on your PFS and routing them out on their own separately assigned external IPs through the firewall. Otherwise, if they decide to use their own routers, assign them their own external IPs and connect them directly through your pipe to your upstream ISP router. This is just my own opinion, of course.
  • Different performance with different versions of pfsense

    11
    0 Votes
    11 Posts
    3k Views
    H
    System: Advanced: Miscellaneous: PowerD
  • Why does my new install freeze?

    12
    0 Votes
    12 Posts
    3k Views
    C
    Sounds like scroll lock gets enabled within the VM somehow. If you'd hit the up arrow before turning scroll lock back off, it'd scroll up the console. On older ESX versions in particular (though may be applicable to all), one thing to watch out for is not having a disconnected virtual CD drive. Either connect it (just set to 'client device' is fine), or remove the drive from the VM.
  • Remote logging with Graylog

    2
    0 Votes
    2 Posts
    4k Views
    N
    This is maybe too late, but I recently tried to let pfSense send syslog to Graylog2 and yes, the syntax is not right! I don't know if you added the right extractors for pfSense. I have made a copy of all of my extractors: http://hastebin.com/oqahihewim.pl. It will make the logs from pfSense easier but not complete! Plz let me know if you have found a better solution ;)
  • Help! I think I broke my SG-2220

    3
    0 Votes
    3 Posts
    954 Views
    D
    Just a small note, when you get back in - 172.16.2.1/12 is a little on the large size for a home network LAN. You're allowing for some 4 million devices in your home LAN. Try setting that to something like 172.16.2.1/24 (allowing for a much more reasonable 255 devices) and you may find you're no longer running out of memory on your SG-2220 as well.
  • 10Gbps - pfSense 3,4Gbps / ubuntu 9,4Gbps ??

    7
    0 Votes
    7 Posts
    3k Views
    savagoS
    If you want to use full 10Gb/s link capacity, you must use clear FreeBSD and ipfw/netmap :)
  • LAGG question

    10
    0 Votes
    10 Posts
    3k Views
    ?
    Mikrotik acts like a switch now (they call it bridge). Bridging ports together will ain't more problems than it help and not only tended to MikroTik routers. Any clue? The cheapest switch I know that is supporting LAG (LACP) is the Netgear GS108Tv2 (GS108T-200GES); you could try out to get one and connect the pfSense box and the NAS over a LAG (LACP) to it. It is a real switch and not bridged ports from a router, this will driving you not nuts and no port flapping, no packet loss and no connection losing or break.
  • Rules and port forwards go missing

    10
    0 Votes
    10 Posts
    2k Views
    J
    @cmb: What does the config diff look like between those revisions? When I enabled ntop, the difference in the config was the addition of ntop; the rule that was missing in the GUI list (and not in effect) was still in the config. In the past, when the end user had the problem, they tried rebooting and the rule still didn't appear. I re-added it manually when it happened to me; live site with unhappy people.
  • How to find my Chromecast from another network?

    5
    0 Votes
    5 Posts
    2k Views
    Q
    Nothing to add sadly, other than I share the sentiment; the whole IGMP discovery is a PITA if you have a subnetted network. I just spent a couple of weeks learning/debugging the multicast stuff used by Apple's devices and Cisco's L3 switches/pfSense. I still think it primarily works by black magic rather than science! :-\
  • Unable to print from wireless

    5
    0 Votes
    5 Posts
    2k Views
    J
    Yes, they are Macs. I installed that package and enabled it, but something does not appear correct? I ran: avahi-browse --all and got back: Failed to create client object: Daemon not running. EDIT: Never mind, even though I enabled it and restarted pfSense, the service was not actually running. I started the service and it is now working. Thanks so much, I did not know this was a package on pfSense! This will most likely solve my other issue of not seeing a homebridge that was running on my wired LAN!!
  • PPPoE & L2TP Users Request

    1
    0 Votes
    1 Posts
    577 Views
    No one has replied
  • MOVED: squid and squidguard

    Locked
    1
    0 Votes
    1 Posts
    495 Views
    No one has replied
  • 1Gbps HA firewall recommendation

    13
    0 Votes
    13 Posts
    3k Views
    P
    Thanks for all your input. I am starting to understand the required configuration now. But, it appears there might have been some confusion with what I originally requested. So I decided to put them on a diagram. Attached is a simple diagram (I hate to call it a network diagram) that shows the exact setup I have in mind. I will try to walk you through with what I am describing in that diagram. Before we get started: I plan to use https://store.pfsense.org/HIGH-AVAILABILITY-SG-4860-1U-pfSense-Systems-P47.aspx as the HA PFSense firewall. OR I might use https://store.pfsense.org/XG-1540/ My Data Center (DC as noted in the diagram) said they will provide one uplink connection with /29. I am hoping to get a second uplink (cross connect?) from them with another /29. My DC said I can buy more IP addresses as necessary (more on this below). My idea is to connect these two uplink connections provided by the DC to the two managed switches (I like to call them the core switches). The "core switches" will be interconnected to provide redundancy between them. 2) There will be some servers connected directly to the "core switches" with direct Internet access (software firewall). These servers will have public IPv4 assigned to them. I will buy additional /27 or /26 addresses and assign them to these servers as necessary. One connection from each core switch will go into the WAN link of the above PFSense HA device. There will be another two managed switches that will be connected to PFSense LAN link(?) and these switches will split the connections to each server with dual NIC on them. So, the idea is if one of the switches dies the server doesn't lose any network connectivity. Again, these servers will also have public IPv4 assigned to them. I will buy additional /27 or /26 addresses as necessary and assign it to these servers. These additional IP addresses are the ones that need to be protected by PFSense.
Having said that I am open to any other ideas or suggestions you might have for the network hardware redundancy that I am trying to achieve in order to keep the network downtime minimal. Thank you again. [image: Diagram.PNG]
  • What is the defacto VPN for site-site?

    2
    0 Votes
    2 Posts
    831 Views
    H
    Why? Because it's easier.
  • MOVED: Postfix retry rejected emails

    Locked
    1
    0 Votes
    1 Posts
    531 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.