The "INCORRECT BLOCK COUNT"shouldn't be there. At least, I do not have these messages. ** /dev/ufsid/54ca20c41b3d50b0 (NO WRITE) ** Last Mounted on / ** Root file system ** Phase 1 - Check Blocks and Sizes ** Phase 2 - Check Pathnames ** Phase 3 - Check Connectivity ** Phase 4 - Check Reference Counts UNREF FILE I=2006402  OWNER=root MODE=100666 SIZE=0 MTIME=Apr  9 07:29 2018 CLEAR? no UNREF FILE I=26324042  OWNER=root MODE=100555 SIZE=684072 MTIME=Dec 12 20:49 2017 CLEAR? no ** Phase 5 - Check Cyl groups 27679 files, 300300 used, 74373502 free (3758 frags, 9296218 blocks, 0.0% fragmentation) Do a fsck after rebooting - use the console access, before pfSense kicks in, so fsck can do its magic.

What switch(es) do you have?  If your wanting to isolate devices via network/vlan then its kind of must for these switches to be vlan capable.  They do not have to be expensive to do this $30 can get you an 8 port gig switch that does vlans. Sure you can isolate your networks via different hardware, dumb switches on different interface to your firewall.  But vlans make it possible for devices in the same room to be on different networks using the same switch. Per your like a pro comment - first step would be switches that do vlans.. You make no mention of what make and model your switches currently are.

that patch was pushed to master back in feb of 2017… What version of pfsense are you running that you would manually put in that patch?

By default vpn providers pushes the default route to the clients, so that all upstream traffic is routed over their vpn. So if you computer tries to connect to the vpn this won't work, cause the connection request will come already from inside the vpn. But if you don't establish the vpn on the computer there should be no trouble with that and traffic should be routed over the vpn.

I finally found out what was causing the crash…seems my motherboard was dying, and today it went belly up!

I figured it out. Static Mode needs to be set to disable on LAG1 on the Netgear to enable LACP.  ::)

I'll second chpalmer. I have WAN firewall rules for the SIP and RTP ports my two phones (one Panasonic, one Polycom) use when the connection is originating from my VoIP provider's IP address ranges, and I've never had any issues. I'm fortunate that my provider has a support article detailing the address ranges they use, so I was able to set them up. I'm also fortunate that the two phones don't have overlapping default RTP port ranges… though I could probably adjust them anyway. I did have to change the SIP port for one of them though. :)

thank you @nogbadthebad - I've found some entries for that so I'll see what it brings and report back

Thanks guys! When I turned IPv6 off on the interfaces the errors stopped..  ISP is having issues with IPv6 so we are disabling for now. Ill update if when turned back on the errors start again..

No, I did not - because I misunderstood the instructions Works now, huge thanks !

Yes you avoid a double NAT. Some IP traffic has the IP address in two locations in the packet, NAT will only change the header.

@Gertjan: PC's and other devices could have 'static' DSN addresses set up, so they will contact for example  "8.8.8.8", bypassing completely the local DNS authority (your pfSense). That makes sense and explains those queries, thx! @Gertjan: Also : some devices, some software have DNS hard coded - you can't do anything about that, except blocking all outgoing DNS request, forcing the device to use pfSense, or have it shut up. I do force all DNS requests to use pfsense only!

I use DUO Mobile (https://duo.com) and it works very well for our VPN users. Everytime a users tries to login, they will get a push notification to their phone which they have to allow before they can login. If your already using radius as the authentication server, you can implement the DUO radius proxy to send the push. Their service is free up to 10 users so I'd give it a try and see how you like it. I have been very happy overall. https://duo.com/docs/authproxy_reference

@Malad: Hi guys, I have this situation: I have a VLAN between two offices in a WAN link that must have access to the internet. A layer 2 tunnel with an ISP has been hired and the internet is accessed through it. The IP of the link is fixed and the VLAN also, all the configuration is done on the VLAN. In my pfSense it shows that the WAN is down. Any suggestions I would also like to know about documentation to implement a VLAN on a WAN link. Thank you all. Malad I'd confirm with your ISP if your setup with an MPLS or VLAN for your site. We had an offer from AT&T that has layer2 site to site capability that was cheaper than an MPLS but our VPNs are running smoothly for our needs. I would think they would use different ports on their edge device, WAN(No VLAN) Site-toSite(VLAN) but it could be done either way. If your sure your ISP is handing you Internet access through a VLAN then all you need to do is add the VLAN to pfsense and change your WAN network port to that VLAN. Go to Interfaces –> Assignment --> VLANs tab. Add the VLAN for your Internet connection(make sure to select the correct parent interface). Then go back to Interface Assignments and change your WAN Network Port to the Vlan you just added.

Try it and see how it works for you.  The method is correct.

I am working with No-IP support now, but I think it's because I had the No-IP app on my Iphone that it updated the DNS. I have removed the app. I thought the app was just to monitor my ip address didn't know it would make updates. Waiting to see what support has to say.

It depends. If you have created firewall rules for the lan interface then it is not inherited by vlans. But if you are running captive portal running then vlans will also inherit it. I think same goes true with squid (not very sure). I hope this helps. Ashima

https://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall