• Mitigating risk for any port-forwarding NAT rules

    6
    0 Votes
    6 Posts
    480 Views
    4
    Hey, thanks for all the replies folks. I can go either way - already have an isolated DMZ for my Chinese cameras - but I think I'll use VPN for external access and disable that NAT rule altogether. I have been leaning in this direction - the only reason I have not done it is that it is another thing I have to teach my wife to do on her phone - make sure she has a VPN session up - when she is attempting to access an internal resource on my network. I'll do some reading on setting up the VPN server feature on pfSense... Romany
  • pfsense and cisco anyconnect

    3
    0 Votes
    3 Posts
    881 Views
    4
    So does Anyconnect indicate that it's down? If it does not, then that implies there is something else going on. I would suggest you go to a DOS prompt and have a constant ping going to some internal address at your business (ping xxx.somecompany.com -t) and leave it pinging. When the problem comes back - see if your pings are still successful. If the internal host is no longer pingable, then that confirms you have some type of loss of connectivity. You can also bring up your Anyconnect window - click on the "gear head" symbol - and go to statistics. You should see send and receive frames incrementing. I run Anyconnects for days thru my firewall and never have issues....
  • VLAN tag on WAN not working

    23
    0 Votes
    23 Posts
    7k Views
    stephenw10S
    Did you disable checksum off-loading in System > Advanced > Networking? You can probably configure a mirror port on the switch to send all the packets going to/from the ISP to a capture device. Steve
  • pfsense WiFi MAC authentication

    3
    0 Votes
    3 Posts
    801 Views
    H
    Hi, sorry for the confusion. The diagram is just the current setup and how I would like it to work, as it looks like my only option. I am not saying that the iPhone MAC address is passing through 2 routers. I would, however, like to know how it is possible that companies like purple wifi and wifi spark can get it to work the way shown in the diagram: https://purple.ai/?utm_source=google&utm_medium=cpc&utm_campaign=764304889&ppc_keyword=purple%20wifi&gclid=EAIaIQobChMIx_z_j7mI3gIVCZ3VCh29KwZIEAAYASAAEgK-I_D_BwE https://www.wifispark.com/ What type of server would they be using: Windows, Linux, cloud based? When I tested with purple wifi, my iPhone MAC address was passing through my router and then through purple wifi's router, then on to their server. Unless it was carried out another way. I'm just looking for a free open source way of achieving this, as I have over 2500 APs, which can be costly if I go with purple wifi. Thanks
  • Verify download PGP/GPG keys

    7
    0 Votes
    7 Posts
    1k Views
    stephenw10S
    The sha256 file is a text file containing the expected checksum. The checksum of that txt file is not expected to be the same. Steve
  • Is there a malware?

    3
    0 Votes
    3 Posts
    368 Views
    N
    thanks man I solved XDDD
  • (Solved) Want to block certain LAN clients from accessing WAN

    10
    0 Votes
    10 Posts
    1k Views
    RainMistMeR
    @grimson Thanks for your time, but I usually don't trust people enough to send screen shots. I usually don't want anyone to know 'anything' about my firewall settings. But it's solved so unfortunately I'm afraid you've wasted your time. Sorry for that. I tend to not respond to anyone I really don't want to help, so as to alleviate such "wasted time," if in fact I decide to deem it such. Though I usually don't see helping someone as wasted time. We each decide for ourselves what is and is not wasted time; as such, we each should act accordingly. I would hope that everyone understands this fact, because it'll usually yield more happiness during one's lifetime. Have a good one my friend! And thanks again for your time!
  • OUI Lookup / Display

    6
    0 Votes
    6 Posts
    2k Views
    arrmoA
    OK, I got it working! Here is what I did, Found the needed script, it's at https://svn.nmap.org/!svn/bc/3320/nmap/scripts/make-mac-prefixes.pl Downloaded the latest file from the IEEE, at http://standards-oui.ieee.org/oui.txt Ran said script ... :-). It's perl make-mac-prefixes.pl oui.txt nmap-mac-prefixes And it works - thanks for the help! Would it make sense to include this latest file in pfSense somehow?
  • Publish a CRL

    certificate
    6
    0 Votes
    6 Posts
    1k Views
    C
    I want to setup multiple OpenVPN servers using a common CA, with the ability to revoke users from a central location.
  • Interface mismatch with LTE modem

    5
    0 Votes
    5 Posts
    702 Views
    stephenw10S
    An Ethernet connected modem is by far the best way to do this. If the delay is simply in the USB modem booting you can set a longer boot delay in pfSense to allow for that. Maybe use: https://www.netgate.com/docs/pfsense/hardware/boot-troubleshooting.html?highlight=kern%20cam%20boot_delay#booting-from-usb You can also add 'ue' to the list of interfaces to ignore in the mismatch check but that's an ugly workaround. Steve
  • This topic is deleted!

    3
    0 Votes
    3 Posts
    14 Views
  • GUI accessible from public IP

    3
    0 Votes
    3 Posts
    263 Views
    JKnottJ
    Are you elsewhere when you do that? If you do that from your local LAN, it's normal.
  • I can't do a backup

    2
    0 Votes
    2 Posts
    333 Views
    S
    @swmcl_pf -- I powered off by momentarily pressing the power button and then re-powered. The system says it is doing a backup or re-install in the background. This is the same as before. The process finished and I confirmed the message as read. I then did a backup. I'm not entirely convinced that it was doing anything in the background at the time of my post but I am happy that the backup has been completed. Case closed?
  • SG-1000 throughput slow down

    35
    0 Votes
    35 Posts
    3k Views
    johnpozJ
    in the interface options section just change the snaplen to something only a few bytes vs the default of the whole thing.. We really just need to see the headers we don't need all the data to troubleshoot what is going on.
  • How to assign Domain Controller to VLAN Systems

    61
    0 Votes
    61 Posts
    12k Views
    slkamathS
    @johnpoz Thank you so much. I will do the changes by monday and let you know. Once again thanks for your time. Lokesh Kamath
  • Wifi MAC authentication

    10
    0 Votes
    10 Posts
    1k Views
    JKnottJ
    @hiranuk said in Wifi MAC authentication: behind another router. As I said, if there are any routers in between the access points and pfSense, you will never see the original MACs. MAC addresses are only valid on the local link. The Ethernet frames, which carry the IP packet, have the MAC addresses. When those frames reach a router, the IP packet is un-encapsulated and forwarded via a new Ethernet frame and the original frame is discarded. All you'll see at pfSense is the MAC address of the last router the packet passed through.
  • Firewall can't reach internet over second WAN

    3
    0 Votes
    3 Posts
    407 Views
    S
    It was already in Hybrid mode. I duplicated the NAT for WAN to WAN2 but it didn't help. [image: 1539361353333-wan2nat-resized.png] Edit: Clarification
  • Crash Report Explained

    3
    0 Votes
    3 Posts
    551 Views
    T
    Ahh, Thanks for the reply. I'll open it up and see what's going on and probably end up swapping the CPU. Thanks again for the input!
  • Why swap memory is higher than real entered number?

    13
    0 Votes
    13 Posts
    1k Views
    emammadovE
    Thank you very much.
  • IPv4 Bogon list not updated since September 24?

    3
    1 Votes
    3 Posts
    317 Views
    R
    Thanks very much. It's looking good now.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.