• Adding VPN for specific URL

    0 Votes
    3 Posts
    369 Views
    thank you @nogbadthebad - I've found some entries for that so I'll see what it brings and report back
  • 0 Votes
    4 Posts
    424 Views
    chpalmer
    Thanks guys! When I turned IPv6 off on the interfaces the errors stopped.. ISP is having issues with IPv6 so we are disabling for now. I'll update if, when turned back on, the errors start again..
  • VLAN Network performance Green to Orange on ESXi setup

    0 Votes
    3 Posts
    319 Views
    No, I did not - because I misunderstood the instructions. Works now, huge thanks!
  • Do I gain something setting GPON router in bridge for pfSense ?

    0 Votes
    2 Posts
    345 Views
    NogBadTheBad
    Yes you avoid a double NAT. Some IP traffic has the IP address in two locations in the packet, NAT will only change the header.
  • Resolving LAN hosts names - help

    0 Votes
    16 Posts
    1k Views
    chudak
    @Gertjan: PCs and other devices could have 'static' DNS addresses set up, so they will contact for example "8.8.8.8", bypassing completely the local DNS authority (your pfSense).
    That makes sense and explains those queries, thx!
    @Gertjan: Also: some devices, some software have DNS hard coded - you can't do anything about that, except blocking all outgoing DNS requests, forcing the device to use pfSense, or have it shut up.
    I do force all DNS requests to use pfSense only!
  • Two Factor Authentication (MFA)

    0 Votes
    2 Posts
    659 Views
    I use DUO Mobile (https://duo.com) and it works very well for our VPN users. Every time a user tries to log in, they will get a push notification to their phone which they have to allow before they can log in. If you're already using radius as the authentication server, you can implement the DUO radius proxy to send the push. Their service is free up to 10 users so I'd give it a try and see how you like it. I have been very happy overall. https://duo.com/docs/authproxy_reference
  • VLAN over a WAN link

    0 Votes
    9 Posts
    584 Views
    @Malad: Hi guys, I have this situation: I have a VLAN between two offices in a WAN link that must have access to the internet. A layer 2 tunnel with an ISP has been hired and the internet is accessed through it. The IP of the link is fixed and the VLAN also, all the configuration is done on the VLAN. In my pfSense it shows that the WAN is down. Any suggestions? I would also like to know about documentation to implement a VLAN on a WAN link. Thank you all. Malad
    I'd confirm with your ISP if you're set up with an MPLS or VLAN for your site. We had an offer from AT&T that has layer 2 site-to-site capability that was cheaper than an MPLS but our VPNs are running smoothly for our needs. I would think they would use different ports on their edge device, WAN (no VLAN), Site-to-Site (VLAN), but it could be done either way. If you're sure your ISP is handing you Internet access through a VLAN then all you need to do is add the VLAN to pfSense and change your WAN network port to that VLAN. Go to Interfaces --> Assignment --> VLANs tab. Add the VLAN for your Internet connection (make sure to select the correct parent interface). Then go back to Interface Assignments and change your WAN Network Port to the VLAN you just added.
  • Traffic shaper giving priority to rdp

    0 Votes
    4 Posts
    691 Views
    KOM
    Try it and see how it works for you. The method is correct.
  • No-IP updating to odd ip addresses

    0 Votes
    5 Posts
    500 Views
    I am working with No-IP support now, but I think it's because I had the No-IP app on my iPhone that it updated the DNS. I have removed the app. I thought the app was just to monitor my IP address, didn't know it would make updates. Waiting to see what support has to say.
  • RULES IN LAN AFFECT OTHER VLAN INTERFACES RULES?

    0 Votes
    2 Posts
    239 Views
    It depends. If you have created firewall rules for the LAN interface then they are not inherited by VLANs. But if you are running captive portal then VLANs will also inherit it. I think the same holds true with squid (not very sure). I hope this helps. Ashima
  • Access bridge mode DSL modem from LAN ?

    0 Votes
    2 Posts
    209 Views
    Grimson
    https://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall
  • Wrong IP address (compromised?)

    0 Votes
    8 Posts
    1k Views
    johnpoz
    Let's all not forget that the IP database of location data - is far from perfect.. Having a bitch of time trying to get maxmind to update theirs.. A /24 off our /16 they kept saying was in Malaysia.. When clearly it's in the US.. Tried for months to get them to correct via their forms with little luck, until it became moot when we no longer proxied data web traffic through that connection. As to what VPN service you're using.. Unless you got one that allows you to pick your endpoint location and country and you did.. And just using it to mask your traffic from your local ISP then sure the endpoint could be almost anywhere, does not matter where the HQ of the company is, etc. If you're having an issue with your VPN IP now showing the origin country that you want for its IP, then you should get with your VPN provider.. Again - geoip information is not an exact science ;) This is not TV where they get an IP and lookup that is located in the bedroom of the house on 123 Street on the 2nd floor hehehehe
  • Routing via other gateway.

    0 Votes
    4 Posts
    696 Views
    I've described it here two days ago: https://forum.pfsense.org/index.php?topic=146424.msg795676#msg795676
  • Understanding strange firewall block logs originating from LANs

    0 Votes
    3 Posts
    445 Views
    NogBadTheBad
    Some IPv6 & IPv4 multicast coming from the clients regardless of enabling IPv6. Also out of state traffic. https://doc.pfsense.org/index.php/Why_do_my_logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection. If you don't want to see the IPv6 stuff create an IPv6 block any any and don't log. The default block rule logs everything.
  • New user set up

    0 Votes
    3 Posts
    521 Views
    NeoDude
    Sounds to me like you don't really need VLANs. For your VPN clients you can simply use an alias consisting of a list of IPs to route over the VPN. You wouldn't need a VLAN for wifi either unless you wanted a separate Guest WiFi Network.
  • PfSense NAT logs

    0 Votes
    4 Posts
    2k Views
    Hello guys, sorry it took so long for me to respond, I hope I can still help someone by writing it down now. So this is how I did it. I created some firewall rules to allow the connections I wanted to pass, and doing so logged DHCP requests and leases with the timestamps. For questions of readability and/or time saving issues, I forwarded these logs to a remote server using rsyslog; you can do this by enabling remote logging on pfSense. On the rsyslog machine I configured graylog to get inputs from rsyslog and pfSense extractors with regex, to filter out the information I really wanted without the overhead of information, then correlating information, and I got what I wanted. NOTE: This is the way I did it, I'm still a noob so maybe there are some new ways or other ways to do this faster/better. Take care.
  • Problems behind ISP router [Solved]

    0 Votes
    7 Posts
    477 Views
    It was a misconfiguration of the equipment owned by my ISP. They corrected it and now everything works fine. Thanks for your help!
  • Executing a Script before shutdown/rebooting

    0 Votes
    2 Posts
    371 Views
    Grimson
    Boot into single user mode and update the driver by hand, petition the FreeBSD developers to include the driver. Add another NIC to the device, so pfSense does find at least one network interface.
  • PFSense Squid Package - CVE-2018-1000024

    0 Votes
    3 Posts
    255 Views
    Thanks.. Already posted in the proper forum part.
  • Clearing log file from the command line. [SOLVED]

    0 Votes
    4 Posts
    3k Views
    ShMw
    Thanks jimp, much appreciated! ;D
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.