• Remote proxying how to

    Locked
    0 Votes
    2 Posts
    1k Views
    VPNs / tunnels would create more hassle than they solve, you'd end up getting calls from parents on what's wrong and you end up providing at-home support. If you set up a proxy, I'd personally suggest having a separate box / virtual machine to handle it, since it can be compromised / attacked / overloaded. But a proxy would be the easiest solution. Apple has an enterprise utility where you can create profiles for iDevices, you'd then just email or create a website for you or the kids to click and install the profile. Within the profile you can set and lock in proxy settings. I'm sure you have an iPad (to support it, gotta have one), hopefully you have some time to sandbox it and iron out any issues.
  • pfsense lighttpd[54505]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT

    Locked
    0 Votes
    4 Posts
    2k Views
    Yeah, I have seen others with this issue involving captive portal, but as I stated above I only have lusca-cache, squidguard, and the widescreen packages installed. I've never even used captive portal. If there is nothing to worry about that is fine, I just wasn't sure if this was a side effect of the upgrade to 2.0.3 or if there was something else going on malware related, or something similar on the network.
  • Any good mailscanner tutorials out there?

    Locked
    0 Votes
    1 Posts
    968 Views
    No one has replied
  • UTorrent crashing my entire WAN connection including IPSEC.

    Locked
    0 Votes
    12 Posts
    4k Views
    Thanks for the ideas. I may format my pfsense box and start from scratch, I have a few other tests I can try.
  • 0 Votes
    4 Posts
    1k Views
    jimp
    Not sure if you can have a VLAN on the interface outside of the LAGG, that's probably up to the switch more than anything. You can have VLANs on LAGG interfaces just like any other interface, just add them under Interfaces > (assign) on the VLANs tab. Once you have the LAGG interface defined, it shows up as a choice for a VLAN parent.
  • Pfsense and chrome

    Locked
    0 Votes
    5 Posts
    2k Views
    Hrm… must be a problem with my Chrome then. I'm not going to stress over it as my Firefox works fine. Just thought maybe it was a bug. It did cost me some time troubleshooting thinking it was pfsense's fault, or a problem with the hardware in the pfsense box.
  • MOVED: Dansguardian configuration issue

    Locked
    0 Votes
    1 Posts
    984 Views
    No one has replied
  • MOVED: Enabling Transparent Proxy slows down internet speed

    Locked
    0 Votes
    1 Posts
    826 Views
    No one has replied
  • MOVED: SquidGuard does not work after auto updating blacklist

    Locked
    0 Votes
    1 Posts
    711 Views
    No one has replied
  • MOVED: Dansguardian is not showing category name

    Locked
    0 Votes
    1 Posts
    719 Views
    No one has replied
  • When will we see pfsense on Freebsd 9 ?

    Locked
    0 Votes
    8 Posts
    2k Views
    stephenw10
    2.1 development has been significantly longer than some because of the introduction of IPv6. A massive task! Although 1.2.3 - 2.0 was not quick.  ;) Steve
  • Slow download speeds - upload is fine

    Locked
    0 Votes
    10 Posts
    4k Views
    @stephenw10: Probably something at BT's end. If you are on their entry level tier (option 1) they may have switched you to CGN (carrier grade NAT) which could have caused some issues somewhere. http://www.thinkbroadband.com/news/5818-bt-retail-in-carrier-grade-nat-pilot.html Steve
    Thanks mate but I highly doubt it was something to do with BT. I am on their business service with a static IP and for them to compromise their service that they provide to me would be a pretty big mistrust issue. I think it was something to do with how the firewall was treating packets and the fact that the firewall had just been running for a couple of hours.
  • I broke pftop command

    Locked
    0 Votes
    6 Posts
    2k Views
    Thanks! I will just wait for the next snapshot then. :)
  • Wpad being ignored?

    Locked
    0 Votes
    9 Posts
    4k Views
    johnpoz
    "But I have explicit rules to allow pfSense:22 and it works fine -" on your vlan2?  Again without seeing your rules I can not even guess to what your issue(s) are or are not.
  • Issues with WAN Gateway

    Locked
    0 Votes
    22 Posts
    9k Views
    Ok, I'll have to wait until tonight so I can grab the full log. (It was in the middle of occurring when I tried to log in to verify the namecheap dns settings for the other topic >.< )
  • Non-invasive router migration

    Locked
    0 Votes
    2 Posts
    1k Views
    I think more information is required. Is the Netgear in the same subnet as the LAN on pfsense? Yes, you can set up an IP Alias with the same IP as the Netgear. If it is on a separate subnet, then you will only need to create FW rules to allow it and NAT rules so that traffic going out to the WAN is natted. Traffic between the 2 subnets should be automatic. Personally, I would force default GW change, but this could be done for a slower transition. Those that are DHCP should transition over to the LAN IP by default.
  • Dual LAN to Single WAN

    Locked
    0 Votes
    2 Posts
    1k Views
    Each network (LAN and OPT1) needs to be a completely different IP subnet - e.g. keep LAN as 172.20.2.0/24 (pfSense LAN IP 172.20.2.83) and make OPT1 172.20.3.0/24 (pfSense OPT1 IP 172.20.3.83). Otherwise the routing will get very confused about where packets need to be delivered. An "allow all" rule is automatically put on LAN by default. Other interfaces have all incoming connect requests blocked. So yes, you have to add pass rules on other interfaces to let any traffic happen (e.g. as you say, put an "allow all" rule on OPT1, just like LAN).
  • 2.0.2 version crashing

    Locked
    0 Votes
    6 Posts
    2k Views
    I took the machine to my network and no crash at all. I replaced the box with the same hardware profile in another environment and 2.0.3 version, still crashing. Then returned to 2.0.1 version, but still crashing. Very strange problem. I send crash reports every day, hoping someone helps.
    May  9 14:14:52 sec kernel: Fatal trap 12: page fault while in kernel mode
    May  9 14:14:52 sec kernel: cpuid = 1; apic id = 01
    May  9 14:14:52 sec kernel: fault virtual address      = 0x10
    May  9 14:14:52 sec kernel: fault code          = supervisor read data, page not present
    May  9 14:14:52 sec kernel: instruction pointer = 0x20:0xffffffff807cad25
    May  9 14:14:52 sec kernel: stack pointer              = 0x28:0xffffff803bca43a0
    May  9 14:14:52 sec kernel: frame pointer              = 0x28:0xffffff803bca43f0
    May  9 14:14:52 sec kernel: code segment                = base 0x0, limit 0xfffff, type 0x1b
    May  9 14:14:52 sec kernel: = DPL 0, pres 1, long 1, def32 0, gran 1
    May  9 14:14:52 sec kernel: processor eflags    = interrupt enabled, resume, IOPL = 0
    May  9 14:14:52 sec kernel: current process            = 22984 (openvpn)
    May  9 18:03:32 sec kernel: Fatal trap 12: page fault while in kernel mode
    May  9 18:03:32 sec kernel: cpuid = 0; apic id = 00
    May  9 18:03:32 sec kernel: fault virtual address      = 0x21
    May  9 18:03:32 sec kernel: fault code          = supervisor read data, page not present
    May  9 18:03:32 sec kernel: instruction pointer = 0x20:0xffffffff807cad1b
    May  9 18:03:32 sec kernel: stack pointer              = 0x28:0xffffff80395ab4b0
    May  9 18:03:32 sec kernel: frame pointer              = 0x28:0xffffff80395ab500
    May  9 18:03:32 sec kernel: code segment                = base 0x0, limit 0xfffff, type 0x1b
    May  9 18:03:32 sec kernel: = DPL 0, pres 1, long 1, def32 0, gran 1
    May  9 18:03:32 sec kernel: processor eflags    = interrupt enabled, resume, IOPL = 0
    May  9 18:03:32 sec kernel: current process            = 12 (irq260: em2:rx 0)
  • 0 Votes
    5 Posts
    2k Views
    @stephenw10: By default filtering is on the bridge member interfaces and not the bridge interface itself. If you are hoping to use the interfaces like a switch, as you would on a soho router, you probably want one set of firewall rules to apply to all the bridged interfaces. Hence the system tunable change. If you don't do that then you need to add rules to each interface in the bridge. It depends how you are using the bridge. You can also have filtering both places if you want to. Steve
    Ok, yes, then I would want to make that change. Sounds good. Thanks for the explanation.
  • VLAN configuration, need suggestions.

    Locked
    0 Votes
    2 Posts
    1k Views
    First thing you are going to need to do is figure out how many IPs you are going to need per VLAN. Once you do that then you will create the VLANs on your pfSense router and give them IPs and set up your rules. Then you will create the VLANs on your switches. I would think about how many users you have today and how many you think you might have tomorrow. Then make a network diagram and post it here, that way people can help you better.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.