But you can ping the pfSense interface address? Something's not right there then. Do you actually see the phones in the DHCP lease table? I'd try running a packet capture or at least checking the state table when pinging from the phones to see what's actually being sent. Steve

So I finally got around to doing some testing with my setup. To quickly summarize: (2)ESXi hosts (9) total NIC's to use Want to setup different networks to keep them separate (work, dev etc.) I have done quite a bit of reading on vmware networking (still wrapping my head around it) and setup some distributed switches and port groups, per this thread. I deployed pfsense as a VM and added the interfaces that I attached to it in Vcenter (LAN, DEVVLAN, DEVHOME). I configured IP's on the interfaces, I can reach pfsense just fine from my PC, but having problems with the VM's attached to specific networks to get a IP from pfsense DHCP server. My PFSense has three interfaces: LAN: 192.168.55.1 DEVLAN: 10.0.3.1/24 DEVHOME: 10.0.2.1/24 I am testing with one VM right now, attached to the DEVVLAN. Before I go to far down the rabbit hole, any suggestions on where to start troubleshooting? I tried to manually assign a static IP to my test VM, but I can not ping the gateway off the pfsense box on that interface (10.0.3.1 in this case.) Thinking through this, I have not done any configuration on my 24 port switch, so to my knowledge, the ports the esxi NICs are plugged into are still native 1. My brain is hurting right now, so going to take a step back and rest. I appreciate all the help. Cheers, TCG

I switched the config to http There is your problem. Never do that. Keep it on HTTPS. Beyond that it's a browser issue local to your PC.

Today. :-) https://www.netgate.com/blog/pfsense-2-4-4-release-now-available.html

Mmm, not sure why you would do that. Just leave it disabled for an always-on connection. That how to is for a much older version. The setting is still useful for cellular connections where you are using expensive data just being connected for example. Steve

@stephenw10 Thanks for your response. I do have the package installed.

@rico I had a similar issue. Thanks for your advice!!

@viragomann said in Bridging two networks: So I assume you have a setup with LAN configured and accessing the web configurator via LAN. As far as I know a restart was necessary after that to get it work. I tried both - accessing from this "LAN" interface and from other interface. I also tried assigning bridge to "OPT2" instead of "LAN" as you suggest and did reboot pfSense, but that didn't help. @derelict said in Bridging two networks: Did you then move your management device to OPT1? That would be the only port on "LAN" at that point. Yes, it supposed to be accessible via 192.168.1.x, but I can't access nor ping it. Could problem be that one of these two LAN networks is at virtual port (between pfSense VM and host machine)? I also tried adding only 1 physical port to this bridge, but still can't access it.

To expand on @heper: Yes, pfSense will do this.

What version of pfsense are you using?

So after further digging, I found that my Unifi system in its previous update automatically turned on "Wireless Meshing" between 2 of my 50 WAPs. Both are hardwired, so there is no need for meshing, so no problems occurred the first 3 weeks after the update (therefore I never suspected it), but if one WAP gets overloaded with traffic and misses its heartbeat, it creates a temporary wireless bridge to reconnect and then creates a network loop. For some reason the switches RSTP setting isn't picking up the loop and its making its way all the way up the food chain to the pfSense box since the wireless bridge resides on a VLAN and needs routing through to the LAN. Since I took off the Wireless Meshing setting, everything has cleared up. I'm hopeful that this was the root of the problem and the peacefulness continues. I'll keep you guys informed and I appreciate all the help!

finally after 30 minutes in shell mode he was able to do the update and went up normally and now I can access the dashboard ... thanks everyone!

Yup. And if you find anyone bypassing your GPO somehow, grab a wrench and go pay them a visit.

Hi Steve. Thanks for your reply. To be honest, I might need some help with this one as I didn't get the redirect settings in SquidGuard to work. I am able to get SquidGuard to block unwanted sites (e.g. ad sites, porn sites, etc.); but, for some reason, the "Use SafeSearch engine" checkbox never worked for me - I had to add a couple of entries in DNS Resolver to force safe search for Google and Bing. When I remove those DNS Resolver entries, uncheck the "Use SafeSearch engine" box and try to create my own "Safe Search" rewrite, it doesn't work. E.g.: Rewrite Rules: Target URL: google.com Replace to URL: forcesafesearch.google.com Opt: Redirect For some reason, this causes the URL to become forcesafesearch.google.com to be forcesafesearch.forcesafesearch.google.com. If I try using the IP address, the system comes back with www.<ip address>. To say I'm doing something wrong would be an understatement. I apologize for my lack of knowledge, but I'm still learning and any suggestions you can provide would be greatly appreciated. Thank you.

@mascot said in How to set TTL?: In this case my only option to have same TTL with "pf scrub" is to set it to maximum value of 255? (Side question: are there any downsides of having TTL=255?) Also, shouldn't there be possible some workaround to avoid looping? Like router somehow recognizing and ignoring packets if they are in a loop? Also, maybe for FreeBSD there is something like "iptables mangle" for Linux? Well, as I mentioned, on IPv6 255 indicates a packet that's intended for the local LAN only. Will a router pass it? Also, recognizing packets it's seen before, that would require saving the packets it already sent and then comparing them with any new packets. That might keep a router a bit busy. Also, if a router sees a packet with 255, the assumption can only be that the previous router decremented from 0 and sent it on, violating the rule that says packets with or decremented to 0 must be discarded. You're trying to defeat the entire purpose of MTU, which is to prevent a packet from being sent forever around a loop.

If can do if you run the Squid web proxy. Squid can send it's logs to a syslog server. Steve