Thank you, This is the key information I needed for further analysis in resolving this issue.

@heper: but look at this: http://www.zyxel.com/support/knowledge_base/kb_detail_8603.shtml there seems to be a way to tag vlan's by ip Because you can do something on a Zyxel switch doesn't mean you can do it on BSD or any other general purpose OS. Sure it's feasible to tag specific IPs to certain VLANs in theory, in practice to do so on FreeBSD means you're in for some kernel hacking.

Glad it solved out, now we all know more ;)

Thanks. I own the book, one of the best dead tree editions I own. It is well written and nicely illustrated. Thanks, Sean

A different subnet is not enough. It has to be on a different interface entirely.

OK, thanks!

If you wish, and if you understand the security concerns as raised by Derek Zeanah then you can have the configuration you want. All you have to do is to add rules into the PFSense firewall configuration to allow the ports you need through the server. Just make sure you add them in both directions. As Derek Zeanah said however, you should really have a firewall or other security appliance on the outer edge of your network, even if the server is supposed to be internet accessible.

pfSense uses pings to monitor the gateway for connection quality. The actual volume of traffic is very small. You can set it to monitor a different address on that interface, the modem for example, from the web interface: System>>Routing>>Gateways. Click the edit button next to WAN gateway and enter an alternative IP. You could try entering the WAN interface IP, I don't know what would happen though! Steve Edit: @cmb: It's for monitoring and quality graph. No way to disable it at this time short of hacking the source yourself.

You still need serial console access to the router to switch slices (or KVM on a full install) so it doesn't buy you all that much. If you have access via something like DRAC/ilo you can probably even reinstall remotely using an iso image.

If you also restrict by IP range then it may be sufficient. If your HTTPS port is open to the world, people can still see your pfSense login screen, which is undesirable. If you have packages installed, some package files are not protected by the pfSense login process so you could be exposing information you don't intend to be public. Using a VPN is always the best way.

questing bump, anyone?