Support subscriptions are sold on a yearly basis only. For those who need help but elect not to get a subscription, we have multiple resources available to the public/community (including this forum) where questions may be asked. Answers are provided by the community at no cost.

The internal names, wan and lan, are just that, internal. You can rename them. The only thing that is hardcoded is that the anti-lockout rule is on the second interface and cannot be moved. It would be hard for us to change that at this point as so many users are expecting it. Steve

you should insist with your help desk. tell them to call this adrianc and suggest them to install/check php mcrypt this can't be a pfsense box problem did you try with your phone with 3g/4g/lte connection or only wifi ? if it does not work with your cell phone service provider you have proof it's not the pfsense

Ah, that would do it! I would have suggested that but in your screenshot above you already had an allow all rule on the OpenVPN interface that would have passed that. The first version of pfSense that supported the SG-1100 was 2.4.4p1 and the differences to p3 there is minor. It definitely would not have helped here. Steve

@akuma1x the PoE switches are serving Aruba WAPS as well as VoIP phones and cameras. The switches will not be maxed out maybe 20% utilized for each one.

@stephenw10 said in Intermittent timeout to Google: @JKnott We have seen users with a subnets set to /2 or /1 where large parts of the internet are unreachable. That would affect just about everything, not just Google. The OP said other sites weren't affected. A little testing, perhaps with trace route might help. BTW, I have plenty of experience with users causing their own problems.

@Asit-Kumar-Manna 100-150 users over wifi on their phones, let's see... Here's what I would do with that. You're going to need the Ubiquity access points, like you already said. I would get the cloud controller for sure. That will make managing these really easy. You will need POE switches to power these, and some spares ready to go in case of a switch failure. What kind of network size are you doing - is this in a couple of buildings, or over a large campus? I see you say college campus, but is it really big? You're going to need to wire up (most likely fiber runs) all the access point locations/drops back to your firewall somehow, if it isn't already done. The pfsense box I would use would be at least the XG-71001U, and depending on how critical the network is, maybe even the HA (2x 71001U) dual option. https://www.netgate.com/solutions/pfsense/xg-7100-1u.html https://www.netgate.com/solutions/pfsense/xg-7100-1u-dual.html Jeff

No, that will not accept the multicast ARP replies if you need that. That requires the system tunable to be added. If you just need to clean the logs then you can try that check box. I'm not sure I've ever done so for multicast ARP, we hardly ever see that (because it's invalid ). Steve

@stephenw10 Nice! Thanks man, thats exactly solved my problem!

A lot of that could be explained by a bad subnet mask somewhere. If the VMWare host are statically assigned and others use DHCP that could be the difference. Ultimately I would start a ping and run packet captures to see where it's going. Steve

Some nostalgia from 11 years ago. Same problem then, just scaled.

@ljr said in Connection trouble after switching ISP: I eventually got thru to an engineer, who said they ran out of 10.0.0.0/8 space. WTF. The same thing happened with Comcast, IIRC. They couldn't manage their network, without segmenting it, even with all the RFC 1918 addresses available. Their solution was to move to IPv6. Rogers provides IPv6, but they still have to support IPv4. I hope you're running IPv6, as it will help you avoid that sort of problem.

@stephenw10 Thanks a lot for your awnser !

These other systems are VMs in VBox connected to the internet network only? I would expect to setup the pfSense VM with two NICs; the WAN NIC should be bridged to the real NIC so it gets an IP in the local subnet. The LAN NIC should be internal only so other VMs can connect out through it. Steve

So solved it myself. As I had "NAT" as WAN adapter I changed it to "bridged adapter" and it's working fine.

@krishan said in How to pass a private ip 172.X.X.X in WAN.: LAN is on 24 and WAN is on 32 /32 is a subset of /24... There are exactly 256 /32s in a /24 block. Why would your WAN IP be in the same range as your LAN subnet? That is an invalid configuration. Is that assigned to you by your ISP's DHCP server (aka carrier grade NAT) or is it just an IP you pulled out of your arse? If it's the former, change your LAN range. If it's the latter, read a few networking books...

Yes, it will change the subnet for all devices connected to the LAN. You need to change it though, you cannot use WAN2 with the subnets overlapping like that. I suggest changing it from the console if you can as that gives you the option if setting the new dhcp range at the same time and you won't get locked out. Steve

@pwrobot said in pfsense blocking personal email web sights without any rules configured: ERR_SSL_BAD_RECORD_MAC_ALERT Google for that error points to 3rd party antivirus, etc.. None of which has anything to do with pfsense!!

@ton11797 You can't change the MAC for VLANs. The MAC address is determined by the hardware, though it is possible to change it, when configuring the port. VLANs have the same MAC as the native LAN. If you really need to have 2 connections via PPPoE, I suppose you could add another NIC and use a managed switch to create the VLAN. There are cheap managed switches that will do that, though you should stay away from TP-Link, as some models don't handle VLANs properly.