• High CPU usage issue

    5
    0 Votes
    5 Posts
    1k Views
    stephenw10
    That could do it. Yes try one of the 2.1.1 snapshots. Go to System: Firmware: Updater Settings: Check the box for a different URL and enter the appropriate URL for your box (32 or 64bit) http://snapshots.pfsense.org/FreeBSD_RELENG_8_3/amd64/pfSense_RELENG_2_1/.updaters/ http://snapshots.pfsense.org/FreeBSD_RELENG_8_3/i386/pfSense_RELENG_2_1/.updaters/ Check the box to allow unsigned images, only the releases are signed. Steve
  • VNStat2 not working, fix is waiting for a pull request to be accepted..

    1
    0 Votes
    1 Posts
    490 Views
    No one has replied
  • Traffic Graph Can't Show Host IP

    2
    0 Votes
    2 Posts
    610 Views
    P
    The packet capturing when you select Filter "All" was fixed up by this commit - https://github.com/pfsense/pfsense/commit/6901d6af97920f816b4dfc1b6d7efebda0bd7633 - and will be in 2.1.1. Try and see if it helps for your situation, transparent mode.
  • DMZ Gateway Interface Causes Internet Issues

    3
    0 Votes
    3 Posts
    1k Views
    R
    @phil.davis: Normally the "DMZ" is just another ordinary LAN, that happens to have some servers to which public port/s are forwarded from WAN1, WAN2… The DMZ does not have an upstream gateway to the internet on its own subnet. The upstream gateways are on WAN1, WAN2... through which the internet is reached. So do not put a gateway on the DMZ interface. You cleaned it up by going back to a previous config - that works! For others, if you do not easily have a good previous config, remove the gateway specified in the DMZ interface, then go to System->Routing, select the real WAN as the default gateway and delete the DMZ_GW. General rule: If an interface is to an internal LAN (i.e. usually with private IPs) then do not put a gateway. If an interface has an upstream device that is the way out to the internet, then it is a WAN and should have a gateway set. Phil, Sounds good! I did see a DMZGW listed under GATEWAYS but I did not find a way to remove it. I will definitely keep this in mind. Thanks for the quick response and heads up!
  • PfSense Details

    1
    0 Votes
    1 Posts
    550 Views
    No one has replied
  • Help/Ideas for Haiti*

    3
    0 Votes
    3 Posts
    920 Views
    R
    I'm going to get the most available, but I'm not sure yet what that is. I've been trying to find different options. My goal is to have equipment that can handle a high amount of bandwidth, even if it's not available, so that when it becomes available, we can just connect a better connection. Everyone is interested in building the best possible arrangement, within reason of course. Thank you for your response!
  • Virtual Interface by adding user by MAC Address

    2
    0 Votes
    2 Posts
    837 Views
    P
    You will have to use VLANs to do that. Put a VLAN switch in place of the ordinary switch (hub) on the first floor. Then you can have 3 VLANs and trunk them on 1 cable back to pfSense. If you are happy to run 100Mbps VLAN trunk to pfSense, then a 100Mbps 8-port VLAN switch is not so expensive.
  • Pfsense setup on existing network

    1
    0 Votes
    1 Posts
    582 Views
    No one has replied
  • Encrypt traffic local to pfsense

    9
    0 Votes
    9 Posts
    3k Views
    johnpoz
    Yeah why not? VM is just like any other copy of pfsense running on actual hardware. But comes down to your connection - is this VM running on the workstation you're using on the lan? If so then really kind of completely pointless to vpn to yourself, etc. Are you setting up the firewall rules to allow your vpn traffic?
  • SafeSearch

    3
    0 Votes
    3 Posts
    792 Views
    L
    Thank you, Just what I needed. :)
  • Too many open files in system - Possible Culprit

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • NTP Reflection/Amplification DDoS in the wild

    Locked
    6
    0 Votes
    6 Posts
    7k Views
    F
    Reading this http://support.ntp.org/bin/view/Support/AccessRestrictions gave me some suggestions… so I tried adding this... so let's see how this goes...

        $ntpcfg .= "disable monitor\n";
        $ntpcfg .= "discard minimum 10\n";
        $ntpcfg .= "restrict default kod nomodify notrap nopeer noquery\n";
        $ntpcfg .= "restrict -6 default kod nomodify notrap nopeer noquery\n";
        $ntpcfg .= "restrict 127.0.0.1\n";
        $ntpcfg .= "restrict -6 ::1\n";
  • Internet Failure - Cannot ping LAN Gateway IP

    5
    0 Votes
    5 Posts
    1k Views
    johnpoz
    Yup if you don't have smart switches, if you get the mac of this rogue you can look up the maker via a mac vendor lookup site - just google for one. Also - I would change your pfsense lan IP to something else vs .1 for quick fix. Also IMHO, using .254 and .1 if you're going to use 192.168.1.0/24 as your network is prob not a great idea because lots and lots of devices default to these. So someone brings in a switch, or a soho router, etc. and plugs it in and bam you have a conflict with your gateway device.
  • IGMP Proxy Issues

    6
    0 Votes
    6 Posts
    3k Views
    A
    Turned on IGMP Snooping on my Zyxel GS1910 switch and on my DAP-2553 Wireless AP. I haven't seen the problem come up yet. So far so good. Thanks for your help, everyone.
  • Bug? ipsec vpn stopped when vlans configured

    1
    0 Votes
    1 Posts
    587 Views
    No one has replied
  • Multi-Domains - Multi-Interfaces

    2
    0 Votes
    2 Posts
    863 Views
    stephenw10
    pfSense cannot do this in its default setup. You need a reverse proxy that can read host headers. I believe there are more than one available as a package for pfSense though I've never set this up myself. Have a search through the forum for 'host headers'. Steve
  • Getting Started Between Modem and Router

    2
    0 Votes
    2 Posts
    715 Views
    stephenw10
    In many ways you want the IDS to see all the traffic hitting the WAN of your firewall. That way the IDS can look for patterns in the hits to match against known attacks etc. Steve
  • Guest network question

    2
    0 Votes
    2 Posts
    811 Views
    stephenw10
    @gnius: 2. control access to LAN machines and NAS of radius-using users What exactly do you mean by that? If you are talking about controlling what is accessible based on login credentials then things get complex. The easiest way to do this would be to add another NIC to the pfSense box to connect the AP to. You would still probably have to add VLANs between the AP and pfSense box to separate the two wifi user groups onto different interfaces. Since you're running dd-wrt on the AP that should be possible. You may be able to do it just using what equipment you have depending on how your unmanaged switch handles VLAN tagged packets. If it passes them with tags intact then you could do it with two VLANs from the AP to the pfSense box. Steve
  • Weird multiWAN speed

    5
    0 Votes
    5 Posts
    1k Views
    B
    Sure, CPEs are in router nat mode but I separate local networks with routers… routers are basics of networks, should it be a problem? ![PFSense network.jpg](/public/imported_attachments/1/PFSense network.jpg)
  • Migration from Linux iptables to pfsense. How'd you do that?

    6
    0 Votes
    6 Posts
    4k Views
    S
    I just had a look at fwbuilder. Alas it is too complicated and prone to flaws if you try to transform iptables to pf. Next problem is having a pf file which needs to be merged into the pfsense file. I read you shouldn't edit rules within the according file. Back to aliases. Often there is a host which is allowed http and https and ssh and ftp. In that case I have to put the same IP into four aliases? Is there a better approach? Sorry, but I really have a lot of hosts and hence rules which apparently need to be typed in by hand. Thus I want it to be as painless as possible.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.