• DIY router

    0 Votes
    12 Posts
    2k Views
    @BlueKobold: Here in Germany we are paying hard for electric power, and a small firewall using 40 Watt costs ~35 € per year, and on top of this a modem is ~40 € each year to pay for. 1. Private or personal WLAN (WiFi) can be secured by a FreeRADIUS server using certificates! 2. The guest WLAN (WiFi) can be secured by using the Captive Portal with vouchers. 3. With OpenLDAP all wired or cabled devices can be secured inside of the LAN. 4. Snort can protect the DMZ or inspect the LAN ports to raise an alarm if something occurs. 5. With Squid and SquidGuard all devices in the DMZ are not really or directly connected to the Internet! So where is now the security issue in switching the firewall off or taking it off after 6 - 8 hours? If you might be thinking your PC is out or off and not running and the modem alone is taking electric power, this must surely be unable to enter your network and your PC! If you are afraid of an intruder you should better turn off the entire WiFi part in pfSense and on top of this the modem and your PC too, so someone must enter your apartment to get in touch with your network or PC.

    After the first security protocol (WEP?) was cracked, I became wary of wi-fi anything. After WPA was hacked, any remaining trust was over. Now I hear WPA2 was compromised by 'Wi-Fi Protected Setup', and a quick Google search (using search terms 'wifi wpa hack') ensures I will never be using wi-fi, bluetooth, or anything similar. My thought on saving power is anything is better than nothing. Will my turning off lights, TV, or whatever when I leave a room prevent blackouts? Probably not, but I see no good reason not to… and since I've been doing this my lightbulbs last about three weeks longer than before. Aside from power saving, there is the security aspect. Turning off the PC and disconnecting it from the router ensures no attacks via the internet. Turning off the router, and disconnecting it from the internet, guarantees it will not be attacked via the internet. Someone said that if I turn off and disconnect the router I would have to re-configure everything when I turn it on... if true, that would definitely be a good reason to leave it on! Still would want to airgap the PC though.
  • NAS as Separate Interface?

    0 Votes
    3 Posts
    907 Views
    The NAS IP should be on a network that is 192.168.2.0/24 and be set to DHCP or a static IP in that network. The .1 address should be reserved for the interface gateway for eth2. Then add the rules to allow access to it from your LAN IPs or the 192.168.1.0/24 network.
  • IP redirection to local machine

    0 Votes
    4 Posts
    608 Views
    KOM
    Yes, just a port-forward with LAN as the interface instead of the usual WAN.
  • Question about log-format graylog/pfsense?

    0 Votes
    2 Posts
    2k Views
    jimp
    The quoted format is for the local log, not remote logs. Syslog always assumes the hostname from the source IP address or hostname, NOT from the log message data itself. Your server should be classifying the sources by their IP address/hostname in some way, it shouldn't care about the message content identifying itself. "filterlog" is the name of the daemon that made the log message.
  • Connection issue on WAN interface

    0 Votes
    2 Posts
    541 Views
    Any help/pointer from anyone? -S
  • Squid 3.5 slow upload speeds

    0 Votes
    1 Post
    706 Views
    No one has replied
  • Reverse proxy for internal applications

    0 Votes
    8 Posts
    3k Views
    Pound - a great reverse proxy. On pfSense it needs to be installed manually, from the FreeBSD repos. It has no dependencies and the binary is also very small.
  • WifiKill

    0 Votes
    4 Posts
    1k Views
    Enable client isolation on the access point.
  • Securing home network with SG-2220

    0 Votes
    3 Posts
    2k Views
    Thanks for your reply!

    @BrightEyesDavid: 2. I'm thinking wifi access point 2 would be for guest internet access, where they can only get internet access and not access any of the other devices on wifi access point 1 or the switch; is this possible? Alternatively, would it be possible to achieve the same effective result with only one access point, where only certain devices would be allowed to send/receive from other devices on the home network but all devices would have internet access? Edit: I just remembered the SG-2220 has wireless options; could I achieve the same result using its own wifi?

    @mauroman33: 2. Yes, if the switch supports VLANs. Regarding using VLANs for isolation, I think I heard that VLAN-based separation/isolation is not as secure as using separate interfaces because the VLAN tag on the end of each packet can potentially be faked. Is that right, or is a VLAN means of separating groups of devices reliable in this situation? Does the SG-2440 have four separate interfaces (one for WAN, the other three for LANs in my case), or are all/some of the ports on the same interface?

    @BrightEyesDavid: 3. I'd like to run a couple of internet-accessible services on a home computer (webserver and mumble server). I only want the associated ports to be reachable on that particular computer - not other devices. Can I configure pfSense so that all incoming traffic on certain ports (80, 443, etc.) only gets routed to a certain computer attached to the switch (which is attached to the SG-2220), whether using IPv4/NAT or IPv6/no NAT? 4. Also, can I effectively isolate this internet-accessible computer from my other computers (in case of compromise via website software, for example), perhaps with the exception of port 22 for SSH access from one or two of my other computers? (And is this a fairly safe/sensible approach? The SG-2220 has just the one LAN interface.)

    @mauroman33: I think there will be no problems about numbers 3 and 4, although it's better to wait for someone more experienced. Okay, thanks. I would have thought that 3 in particular is something basic for pfSense as it seems similar to what a typical NAT router does when it forwards ports. By the way, I've started watching this Comprehensive Guide To pfSense 2.3 video series which seems helpful, and I think I'm going to learn a lot and hopefully find out more about things related to my questions.
  • Unlock freebsd repo

    0 Votes
    5 Posts
    1k Views
    fixed. thx
  • Delay on ping to firewall

    0 Votes
    6 Posts
    2k Views
    Thanks Mr. Derelict - that was shutting the gate after the herd of cattle had bolted :) The Squid thingy seems to be working fine… I've deliberately taken a step backwards and I'm using a single AP now. I'll close this thread now and I'm going to ask some more questions in the wireless forum.
  • Anyone using Bower?

    0 Votes
    2 Posts
    736 Views
    jdillard
    I doubt anything is being blocked, but you haven't provided much information to go off. It could be bad traffic shaping, possibly IPv6, or you just have a slow connection compared to what they're used to. It could very well be a configuration issue (dependency management is a fun game to play) on their local machine, for instance: https://github.com/bower/bower/issues/2014 I've had issues with git being slow before, and it turned out to be an IPv6 issue and I had to use the -4 flag until it was resolved (although I've slept since then and don't remember how it was resolved). Happy troubleshooting!
  • XG-2758 Advanced Network Interface Values

    0 Votes
    3 Posts
    572 Views
    Very informative! Thank you!
  • Executing command or script

    0 Votes
    4 Posts
    2k Views
    jimp
    Sending your config via e-mail is highly insecure and a questionable practice. There are much better ways to accomplish regular backups: https://doc.pfsense.org/index.php/AutoConfigBackup or https://doc.pfsense.org/index.php/Remote_Config_Backup But that's a topic for a different thread.
  • Standby unit crashing intermittently

    0 Votes
    5 Posts
    1k Views
    Thanks. I'll disable pfsync until you have a fix out. Seems to be the lesser of two evils and only connection-oriented sessions (RDP, ssh and such) will have to be manually reconnected on a failover which is tolerable. Thank you for the quick assistance! Lars
  • Two Windows clients are disconnecting just from Internet

    0 Votes
    3 Posts
    1k Views
    @johnpoz: So what do you mean, they can no longer resolve stuff, or they cannot access public IPs and resolve just fine? My guess would be you're using multiple DNS servers, one that can resolve public names and another that cannot - like your AD server maybe?

    The machines cannot access public IPs, but resolve just fine… I can still ping any URL, while no pages are showing, giving a timeout error. Just the pfSense is the DNS server.

    @johnpoz: On these clients try and resolve www.google.com via either ping, or nslookup or dig or whatever your fav DNS query tool is. Does that not work? What DNS it is pointing to - nslookup or dig will tell you that. If they do resolve, try pinging something on the outside, say 8.8.8.8; does that not work?

    I can ping and resolve google.com and 8.8.8.8 or anything outside…. Nslookup returns the pfSense IP.
  • Upgrade 2.2 –> 2.3 from config

    0 Votes
    1 Post
    422 Views
    No one has replied
  • Passive (p0f) OS fingerprinting in 2.3 vs 1.2.3

    0 Votes
    1 Post
    1k Views
    No one has replied
  • Lan keeps going down "No Route to Host" please HELP

    0 Votes
    12 Posts
    4k Views
    This issue stopped for a while and it just started again today.

    ```
    Sep 15 15:39:27 xinetd 9901 Reconfigured: new=0 old=1 dropped=0 (services)
    Sep 15 15:39:27 xinetd 9901 readjusting service 6969-udp
    Sep 15 15:39:27 xinetd 9901 Swapping defaults
    Sep 15 15:39:27 xinetd 9901 Starting reconfiguration
    Sep 15 15:39:26 xinetd 9901 Reconfigured: new=0 old=1 dropped=0 (services)
    Sep 15 15:39:26 xinetd 9901 readjusting service 6969-udp
    Sep 15 15:39:26 xinetd 9901 Swapping defaults
    Sep 15 15:39:26 xinetd 9901 Starting reconfiguration
    Sep 15 15:39:26 check_reload_status Reloading filter
    Sep 15 15:39:26 php-fpm 63247 /rc.newwanip: rc.newwanip: on (IP address: 192.168.1.1) (interface: LAN[lan]) (real interface: sk0).
    Sep 15 15:39:26 php-fpm 63247 /rc.newwanip: rc.newwanip: Info: starting on sk0.
    Sep 15 15:39:25 check_reload_status Reloading filter
    Sep 15 15:39:25 check_reload_status rc.newwanip starting sk0
    Sep 15 15:39:25 php-fpm 63247 /rc.linkup: Hotplug event detected for LAN(lan) static IP (192.168.1.1 )
    Sep 15 15:39:24 kernel sk0: link state changed to UP
    Sep 15 15:39:24 check_reload_status Linkup starting sk0
    Sep 15 15:38:03 xinetd 9901 Reconfigured: new=0 old=1 dropped=0 (services)
    Sep 15 15:38:03 xinetd 9901 readjusting service 6969-udp
    Sep 15 15:38:03 xinetd 9901 Swapping defaults
    Sep 15 15:38:03 xinetd 9901 Starting reconfiguration
    Sep 15 15:38:02 check_reload_status Reloading filter
    Sep 15 15:38:02 php-fpm 63247 /rc.linkup: Hotplug event detected for LAN(lan) static IP (192.168.1.1 )
    Sep 15 15:38:01 kernel sk0: link state changed to DOWN
    Sep 15 15:38:01 check_reload_status Linkup starting sk0
    Sep 15 15:31:42 xinetd 9901 Reconfigured: new=0 old=1 dropped=0 (services)
    Sep 15 15:31:42 xinetd 9901 readjusting service 6969-udp
    Sep 15 15:31:42 xinetd 9901 Swapping defaults
    Sep 15 15:31:42 xinetd 9901 Starting reconfiguration
    Sep 15 15:31:41 xinetd 9901 Reconfigured: new=0 old=1 dropped=0 (services)
    Sep 15 15:31:41 xinetd 9901 readjusting service 6969-udp
    Sep 15 15:31:41 xinetd 9901 Swapping defaults
    Sep 15 15:31:41 xinetd 9901 Starting reconfiguration
    Sep 15 15:31:41 check_reload_status Reloading filter
    Sep 15 15:31:41 php-fpm 39526 /rc.newwanip: rc.newwanip: on (IP address: 192.168.1.1) (interface: LAN[lan]) (real interface: sk0).
    Sep 15 15:31:41 php-fpm 39526 /rc.newwanip: rc.newwanip: Info: starting on sk0.
    Sep 15 15:31:40 check_reload_status Reloading filter
    Sep 15 15:31:40 check_reload_status rc.newwanip starting sk0
    Sep 15 15:31:40 php-fpm 56830 /rc.linkup: Hotplug event detected for LAN(lan) static IP (192.168.1.1 )
    Sep 15 15:31:38 kernel sk0: link state changed to UP
    Sep 15 15:31:38 check_reload_status Linkup starting sk0
    Sep 15 15:28:30 xinetd 9901 Reconfigured: new=0 old=1 dropped=0 (services)
    Sep 15 15:28:30 xinetd 9901 readjusting service 6969-udp
    Sep 15 15:28:30 xinetd 9901 Swapping defaults
    Sep 15 15:28:30 xinetd 9901 Starting reconfiguration
    Sep 15 15:28:29 check_reload_status Reloading filter
    Sep 15 15:28:29 php-fpm 56830 /rc.linkup: Hotplug event detected for LAN(lan) static IP (192.168.1.1 )
    Sep 15 15:28:28 kernel sk0: link state changed to DOWN
    Sep 15 15:28:28 check_reload_status Linkup starting sk0
    Sep 15 15:18:29 xinetd 9901 Reconfigured: new=0 old=1 dropped=0 (services)
    Sep 15 15:18:29 xinetd 9901 readjusting service 6969-udp
    Sep 15 15:18:29 xinetd 9901 Swapping defaults
    Sep 15 15:18:29 xinetd 9901 Starting reconfiguration
    Sep 15 15:18:28 xinetd 9901 Reconfigured: new=0 old=1 dropped=0 (services)
    Sep 15 15:18:28 xinetd 9901 readjusting service 6969-udp
    Sep 15 15:18:28 xinetd 9901 Swapping defaults
    Sep 15 15:18:28 xinetd 9901 Starting reconfiguration
    Sep 15 15:18:28 check_reload_status Reloading filter
    Sep 15 15:18:28 php-fpm 91971 /rc.newwanip: rc.newwanip: on (IP address: 192.168.1.1) (interface: LAN[lan]) (real interface: sk0).
    Sep 15 15:18:28 php-fpm 91971 /rc.newwanip: rc.newwanip: Info: starting on sk0.
    Sep 15 15:18:27 check_reload_status Reloading filter
    Sep 15 15:18:27 check_reload_status rc.newwanip starting sk0
    Sep 15 15:18:27 php-fpm 34083 /rc.linkup: Hotplug event detected for LAN(lan) static IP (192.168.1.1 )
    Sep 15 15:18:25 kernel sk0: link state changed to UP
    Sep 15 15:18:25 check_reload_status Linkup starting sk0
    Sep 15 15:15:48 xinetd 9901 Reconfigured: new=0 old=1 dropped=0 (services)
    Sep 15 15:15:48 xinetd 9901 readjusting service 6969-udp
    Sep 15 15:15:48 xinetd 9901 Swapping defaults
    Sep 15 15:15:48 xinetd 9901 Starting reconfiguration
    Sep 15 15:15:47 check_reload_status Reloading filter
    Sep 15 15:15:46 php-fpm 34083 /rc.linkup: Hotplug event detected for LAN(lan) static IP (192.168.1.1 )
    Sep 15 15:15:45 kernel sk0: link state changed to DOWN
    Sep 15 15:15:45 check_reload_status Linkup starting sk0
    Sep 15 15:12:25 xinetd 9901 Reconfigured: new=0 old=1 dropped=0 (services)
    Sep 15 15:12:25 xinetd 9901 readjusting service 6969-udp
    Sep 15 15:12:25 xinetd 9901 Swapping defaults
    Sep 15 15:12:25 xinetd 9901 Starting reconfiguration
    Sep 15 15:12:24 xinetd 9901 Reconfigured: new=0 old=1 dropped=0 (services)
    Sep 15 15:12:24 xinetd 9901 readjusting service 6969-udp
    Sep 15 15:12:24 xinetd 9901 Swapping defaults
    Sep 15 15:12:24 xinetd 9901 Starting reconfiguration
    Sep 15 15:12:24 check_reload_status Reloading filter
    Sep 15 15:12:24 php-fpm 69749 /rc.newwanip: rc.newwanip: on (IP address: 192.168.1.1) (interface: LAN[lan]) (real interface: sk0).
    Sep 15 15:12:24 php-fpm 69749 /rc.newwanip: rc.newwanip: Info: starting on sk0.
    Sep 15 15:12:23 check_reload_status Reloading filter
    Sep 15 15:12:23 check_reload_status rc.newwanip starting sk0
    Sep 15 15:12:23 php-fpm 69749 /rc.linkup: Hotplug event detected for LAN(lan) static IP (192.168.1.1 )
    Sep 15 15:12:22 kernel sk0: link state changed to UP
    Sep 15 15:12:22 check_reload_status Linkup starting sk0
    Sep 15 15:10:06 xinetd 9901 Reconfigured: new=0 old=1 dropped=0 (services)
    Sep 15 15:10:06 xinetd 9901 readjusting service 6969-udp
    Sep 15 15:10:06 xinetd 9901 Swapping defaults
    Sep 15 15:10:06 xinetd 9901 Starting reconfiguration
    Sep 15 15:10:05 check_reload_status Reloading filter
    Sep 15 15:10:05 php-fpm 69749 /rc.linkup: Hotplug event detected for LAN(lan) static IP (192.168.1.1 )
    Sep 15 15:10:04 kernel sk0: link state changed to DOWN
    Sep 15 15:10:04 check_reload_status Linkup starting sk0
    Sep 15 14:51:47 xinetd 9901 Reconfigured: new=0 old=1 dropped=0 (services)
    Sep 15 14:51:47 xinetd 9901 readjusting service 6969-udp
    Sep 15 14:51:47 xinetd 9901 Swapping defaults
    Sep 15 14:51:47 xinetd 9901 Starting reconfiguration
    Sep 15 14:51:46 xinetd 9901 Reconfigured: new=0 old=1 dropped=0 (services)
    Sep 15 14:51:46 xinetd 9901 readjusting service 6969-udp
    Sep 15 14:51:46 xinetd 9901 Swapping defaults
    Sep 15 14:51:46 xinetd 9901 Starting reconfiguration
    ```

    I wonder if something on the network is causing this. Anyone else experiencing this?
  • Chrome OS devices sending UDP packets to gateway (seemingly not QUIC)

    0 Votes
    6 Posts
    1k Views
    johnpoz
    Well yeah, STUN is going to try and traverse your NAT ;) Which I take is something you don't want it to do ;) There is a way to disable WebRTC in the Chrome browser; you could try doing that and see if that reduces your hits.. Guess your other option is just not to log it.. You could still allow for DNS and/or QUIC, etc., but all other unknown UDP just drop it in the bin without logging.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.