• MOVED: Transparent Proxy partially functional

    Locked
    1
    0 Votes
    1 Posts
    935 Views
    No one has replied
  • MOVED: v2.0: Measure traffic through individual gateway ?

    Locked
    1
    0 Votes
    1 Posts
    914 Views
    No one has replied
  • Using a wireless adapter for LAN interface

    Locked
    5
    0 Votes
    5 Posts
    3k Views
    W
    You could just add firewall rules to your wireless interface to allow it to access the internet. No need to swap LAN and OPT1 (unless I missed something). It looks to me that on my system the web server (lighttpd) will accept incoming connections to any address, not just the address of the LAN interface. Indeed I was able to connect to it from a system on an OPTx interface.
  • Use of the HD

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    C
    Thank you very much for this answer which is certainly going to help me.
  • Can you change the webconfigurator bootstrap interface to something else?

    Locked
    5
    0 Votes
    5 Posts
    6k Views
    M
    Ahhh… ok, much thanks!  Sorry for the belated response!
  • MOVED: Captive Portal

    Locked
    1
    0 Votes
    1 Posts
    979 Views
    No one has replied
  • MOVED: Help me understand the wireless status page

    Locked
    1
    0 Votes
    1 Posts
    864 Views
    No one has replied
  • VLAN-ID - parent Interface ?

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    W
    In general it is recommended to NOT mix use of parent interface with VLANs. There are complications if bridges are involved. See the FreeBSD man pages for vlan and bridge.
  • Installed but no internet

    Locked
    23
    0 Votes
    23 Posts
    7k Views
    L
    Now I need to get some add-ons to do what I signed up for. Web filtering based on MAC address - is this possible? Web tracking - track what sites people have been on. Squid - is this easy to set up?
  • Proxy Behind pfsense

    Locked
    3
    0 Votes
    3 Posts
    1k Views
    B
    Awesome!! Thank you for the response. I'll give this a shot.
  • Booting from Flash, with a HD in system

    Locked
    9
    0 Votes
    9 Posts
    3k Views
    R
    Not to dig too deeply into failure analysis, but I've found a huge difference between crap quality and good quality PS's. The crap capacitors dry out quicker, and the cheap bronze bearings in the fans (Another big failure point) gum up, dry out, and fail. After disassembling about 50 random failed PS's, Capacitors were the biggest failure, and the fans were often on the verge of failure, if not failed. When it fails, a crap PS can also take out the HD, MB, Memory, and even KB and mouse. I've seen it happen more than once. On the other hand, I wouldn't trust the most reliable drive in the world. Especially with modern drives, it's not a matter of if, but when.
  • SNAPSHOT-1-28-06 pftpx error in logs

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • MOVED: 2.0RC1 : PPPoE not working yet

    Locked
    1
    0 Votes
    1 Posts
    942 Views
    No one has replied
  • Static IP Weirdness

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    B
    I think I figured the issue out. I was following this URL: http://forum.pfsense.org/index.php/topic,4225.msg25915.html#msg25915 to forward traffic to a squid proxy (Linux box with 10.10.171.40 address). I removed the LB pool and deleted the rule that the post recommends, rebooted the box and everything looks OK now. Back to the 2nd issue, how do I now forward traffic to the Linux box running squid?
  • Help with DMZ not connecting out

    Locked
    2
    0 Votes
    2 Posts
    1k Views
    E
    Doh!  OK, I think I may have found a problem. It appears that I had set my default allow all Non-LAN traffic to PASS rule too restrictive with just TCP as the protocol instead of any. Appears to be happily pinging and resolving hosts now.
  • MOVED: Problem with Squid Transparent Proxy

    Locked
    1
    0 Votes
    1 Posts
    808 Views
    No one has replied
  • MOVED: Multiwan with 3 lines from the same provider.

    Locked
    1
    0 Votes
    1 Posts
    966 Views
    No one has replied
  • Incoming load balancing for http, pop3 & imap

    Locked
    2
    0 Votes
    2 Posts
    3k Views
    ?
    The load balancing mechanism changes between 1.2.3 and 2.0 and since I have only used inbound load balancing in 1.2.3, I will restrict my answers to that. There is not a way within the load balancer to isolate specific connections to a specific server; connections are load balanced using a simple round robin setup. The better way to solve this problem is to ensure that all your web servers are sharing their session state information. There are a number of solutions for doing this which are off-the-shelf and fairly easy to configure depending on your needs. I recommend spending some quality time with Google to find the solution that best fits your needs. The load balancer will only work in a NAT'd solution. You cannot use the load balancer in a bridged configuration.
  • LAN-party with pfSense

    Locked
    9
    0 Votes
    9 Posts
    7k Views
    S
    @dreamslacker: @silvercat: Another issue is the public IP. Is having 200 users on a single public IP a problem? I don't think 1:1 will be possible from the ISP, but we might get a number of IPs available to us, is there a way to handle this intelligently? Not an issue with most games EXCEPT Battlenet games. Blizzard has a lock on Bnet hosts for 6 hosts per IP. Your gamers can game but hosting games is an issue. Plus, you need to set different game ports and forward them for each game host. Using a Class B or Class A subnet would solve your problems with address space. With the right kind of money, ISPs can be very willing to offer help. LOL.. Just last year, we had a Dreamhack over here where the ISP opened up a 40Gbps symmetric link direct to Sweden for us and provided all the network routers required so that we could have "LAN" games played between Sweden and Singapore. I doubt people are going to host games and expect their friends (those not in the LAN) to be able to connect - however I'm considering letting home users to be able to connect to the LAN from their homes using VPN, to be able to virtually participate! =) Ahh, the power of pfSense! @GruensFroeschli: We used pfSense for all the LAN parties I helped organise in the last 4~5 years. While we didn't use blacklisting / proxying, we did use the Captive Portal. Generally we didn't allow any internet traffic except when someone needed it with a good reason (e.g. update their antivirus software). For this we created a time-limited user (30 minutes). To solve the problem with people coming in, setting up their computer and just connecting to the network, we used VLANs. We once had a problem with a samba virus infecting everyone. So we made it our policy to only allow people who have an up to date anti-virus and can show an active virus scan within the last 24 hours. We enforced this with VLANs. Every port on all switches was in its own VLAN. All ports in a public VLAN.
The PVID is initially set to each port's private VLAN. On the pfSense we bridged all VLANs (as many VLANs as there are ports) and blocked all traffic on all VLANs with as destination something RFC1918 (but allow all destinations on the internet). After someone of the staff verified their computer and checked if they paid, the PVID of the port on the switch would be moved into the public VLAN. (For this we used a python script with pyCurl) This ensures that no communication with the local LAN (except the pfSense) is possible, but at the same time everyone gets an IP which will later actually be used and allows them to access the internet if they need to install/update their antivirus. Might be a bit overkill, but it ensured that we never had any virus problems again ^^" However if you're not familiar with VLANs I wouldn't suggest a setup like that to you. When is your party? I would suggest to set up a test network at least 3~4 weeks in advance with all your servers you're going to run and test everything. Especially if you want to run the traffic shaper this will take some time to tweak until it runs the way you want. Otherwise, keep it as simple as you can. Since most people will come with their computer configured to get an IP via DHCP, you could set up a DHCP server to serve the 172.16.0.0/16 subnet, but the actual network for the party will be 10.0.0.0/8. Assign the IPs to the people statically. Something like 10.Room.Row.Place/8 (e.g., Room 1, Row 2, Place 7 would have 10.1.2.7/8) (This is actually the system we used before we used the pfSense). This has the advantage that you know out of the IP address the place where someone sits. For this we put on every place a small sticker with an explanation how to change their address, subnet, gateway, etc and what the IP of the current place is. I don't think we'll use such an extensive VLAN-setup for one. However I like the static IP idea.
If you're too stupid to set up your IP manually, then chances are you're too stupid to keep your antivirus up to date, thus generate problems. We've decided to do this June 2nd, and the crew is planning to do a "bootcamp" prior to the event to test the equipment, setups, games, servers. Guess we'll be testing the new RC of pfSense 2 as well =)
  • Accidentally set LAN to 192.168.1.17/32, now locked out?

    Locked
    3
    0 Votes
    3 Posts
    2k Views
    H
    The serial cable did the trick. Thanks a lot! /Hans
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.