• Add a Guest WIFI using 6-port Netgate & unmanaged switch

    3
    0 Votes
    3 Posts
    876 Views
    > We have a staff WiFi and want to add a guest WiFi. Do we have to buy a VLAN-capable managed switch, or can we use a spare pfSense eth port?

    The WLAN APs should have VLAN support, so you could set up one VLAN for the private (staff) network and one for the guest network. If there will be a domain or AD/DC managed network at the workplace, you could also raise the security for the entire network by using something such as:
    - LDAP server or role on MS Windows Server for wired devices
    - Radius server or role on MS Windows Server or Linux server for all WiFi devices (staff)
    - Captive Portal on the pfSense for all WiFi clients (guest network)
    - VLANs, each with its own subnet: 192.168.1.0/24 staff WiFi, 192.168.2.0/24 guest WiFi, 192.168.3.0/24 printers, 192.168.4.0/24 PCs, 192.168.5.0/24 servers, and so on.....

    > Current cfg: -pfSense 2.3.2 -Netgate 6-port, Port1:GW1/Comcast, Port2:GW2/AT&T, Port3:LAN/172.16.30.1

    Would be nice to know now your budget here in that game play!

    > -24-port unmanaged GbE switch, LAN

    You would be able to get a Cisco SG200-24P or Cisco SG300-24P switch, whichever you are able to pay for or need. The SG300 is a layer 3 switch that is able to route the VLANs by itself, mostly at wire speed!

    > -(4) EdiMax CAP1200 APs, (1) is the array controller and (3) are APs within the array, Staff WiFi

    Are they VLAN capable?

    > -Windows Server DHCP server, 172.16.30.20 serving 172.16.30.x (can use pfSense's DHCP if rqd)

    Would be nice to see some other security roles on that server!

    > -8-port GbE PoE switch for the APs, unmanaged. Connects to the (4) CAP1200 APs and to the 24-port LAN switch

    And here too you might be able to handle that traffic with a smaller variant of the switches named above, I was guessing: SG200-10P or SG300-10P.

    > Steps to add an isolated Guest WiFi ????

    Create some VLANs on the pfSense and also on the switch and then on the WiFi APs! They must be tagged between the pfSense and the switch and also between the switch and the WiFi APs, because each WiFi location should then be holding 2 VLANs, one for the staff and one for the guests.

    > -Cfg EdiMax CAP1200 APs for STAFF VLAN10 and GUEST VLAN20 (choose tagged opt, yes??)

    There are two available scenarios:
    - You will need a VLAN capable switch and WLAN APs connected over a PoE switch that is capable of VLANs
    - You will need only VLAN capable WiFi APs; you might connect the WiFi APs directly to the pfSense appliance
    Please note that VLAN1 is the default VLAN on many switches, so it should be for the admins only! It would also make a lot of sense to activate client isolation for the guest and staff WiFi VLANs, because then the devices are not able to see the other devices inside that VLAN.

    > -8-Port PoE AP switch, move eth that was going to 24-port LAN switch so now goes to Netgate eth Port4

    Is that PoE switch VLAN capable? Are the WiFi APs multi-VLAN capable? There would be two common ways to go, depending on what the switches and WiFi APs are able to do and also on your budget.
    1. pfSense routes the entire VLANs and you may only need a layer 2 switch
    2. The switch routes the entire VLANs, the pfSense holds the Captive Portal for guests, and the Windows Server has a radius server role installed that secures the WiFi clients for the staff.
    For sure there are many other ways out there to go with, but these two might be the most common ways. Get a SG200-24P (layer 2) and pfSense routes the VLANs, or a SG300-24P (layer 3) and the switch itself will route the entire VLANs; connect them all to that switch!
  • OSSEC Agent for pfSense ?

    10
    0 Votes
    10 Posts
    9k Views
    > You make an interesting argument - and I'm not saying you're wrong.

    It is not only an argument; this depends more on the circumstance that these two IDS systems are not doing the same thing!!! One is watching and sniffing the network or the network traffic itself, and the other one is watching the host OS of a server, PC or other device, watching its registry, file system or other elementary or urgent points in that OS.

    > However, your definition of a "router" vs a "server" seems at odds.

    What should be a better match here is perhaps something such as TripWire or something else similar to that, but not a host IDS (HIDS). One thing is OS related and the other one is network related. The server has an OS that is perhaps hardened; the firewall or router OS (firmware) must be hardened.

    > For example: what is the difference between a pfSense device running an OpenSSH endpoint vs a server running the same thing?

    pfSense is a firewall distribution (but here working like the firmware of a network device), and let us say CentOS & SoftEtherVPN are an OS & software. Therefore what you are asking for should match this software better, or perhaps could be realized combined installed on an appliance: fail2ban, DenyHost, TripWire.

    > How do you make the judgement in this case as to which device warrants an OSSEC agent?

    It's not me; you should perhaps read the statements and jobs that the software coders were telling their clients, and perhaps too you could read about the differences between NIDS and HIDS. OSSec getting started
  • WAN GW is indicated down after setup change, but it's up

    6
    0 Votes
    6 Posts
    929 Views
    Btw. my PPPoE IP starts with 79 and the GW starts with 217. Might this be the reason? Edit: Just got an IP from the 217 subnet, so this is not the reason. Also I can't ping the GW at all when I'm not connected to a VPN. Any further help?
  • Wake On Lan All dhcp leases via shell

    1
    0 Votes
    1 Posts
    627 Views
    No one has replied
  • Monitoring Traffic WLAN Interface per IP

    1
    0 Votes
    1 Posts
    958 Views
    No one has replied
  • MOVED: Time drift/system clock too fast on a PFSense VM

    Locked
    1
    0 Votes
    1 Posts
    372 Views
    No one has replied
  • Weird - openSSL running better without hardware crypto?

    8
    0 Votes
    8 Posts
    1k Views
    R
    Thanks again for the replies everyone. I'm learning a lot (and reading Mastering pfSense to try to get the best out of it). I'm currently considering upgrading the APU2C4 to a Dell PowerEdge T20 (Xeon E3-1225 v3), which should handle our line speed for VPN easily. The APU handles our 200Mbps ISP speed (no VPN) without even breaking a sweat, just a few % CPU, but it'd be nice to offload the VPN to the router/firewall rather than having multiple locally connected clients at home.
  • Antivirus filter / Malware

    6
    0 Votes
    6 Posts
    4k Views
    S
    Cool thanks! I stopped it then started it again. Now it seems ok!
  • Corpshadow Vendor

    5
    0 Votes
    5 Posts
    1k Views
    R
    Purchased from them via Amazon.ca.  No issues at all.
  • Excessive TCP: PA FA RA

    Locked
    37
    0 Votes
    37 Posts
    11k Views
    D
    I'm going to start a new thread on the DNS Resolver host override issue and lock this one. This thread has too many issues that are just compounding.
  • Pfsense on lan - "remote" access

    4
    0 Votes
    4 Posts
    1k Views
    KOMK
    If you add the suggested firewall rule then you should be able to access the WebGUI from WAN.  If you're already forwarding 80/443 then you can't use it for your WebGUI and expect to get to it.
  • Downloading factory version fro FW-7551?

    2
    0 Votes
    2 Posts
    475 Views
    jimpJ
    If your account doesn't have access to the factory images you can use the CE install images on that without any issues. Even if it's got a CF at this point in time I'd use the serial memstick to perform a full install on there. An SSD would be a better fit but that will still work on CF. Primary reason being that NanoBSD is not available on pfSense 2.4 so you'll have a smoother upgrade path now if you make the switch when you're already planning for some downtime.
  • Freeradius and CISCO Switch Access (SSH)

    3
    0 Votes
    3 Posts
    963 Views
    M
    Hi, Still having this issue.. Has anyone fixed this or is it addressed in a newer release? Currently running: 2.3.2_Release Thanks.
  • Project status

    7
    0 Votes
    7 Posts
    1k Views
    jimpJ
    The activity on 2.4 has been drowned out on those graphs by the madness of commits that were necessary to get 2.3 going with the new GUI. 2.3 was a massive undertaking on the frontend of things, 2.4 has been more backend work and cleanup. If you look at  https://redmine.pfsense.org/projects/pfsense/activity there is plenty of activity every day (and that doesn't include the ports or src repos). Plus as we near 2.4-RELEASE things slow down in some areas as we hit a wall of harder bugs that take more time to fix but result in fewer rapid commits. A good chunk of the tickets assigned to 2.4 are in a feedback state waiting for people to respond and confirm the bugs are fixed. As usual some tickets assigned to 2.4 will be pushed forward if they are not going to make it into 2.4 as well. And undoubtedly there are some bugs in the 'new' state that have been addressed or are otherwise invalid but haven't been caught and closed yet. If you want to see the percentage of tickets closed on 2.4 rise, go look at tickets in the feedback state and test them, and respond on the tickets.
  • PFSense Management issues

    1
    0 Votes
    1 Posts
    482 Views
    No one has replied
  • Pfsense installation issues

    4
    0 Votes
    4 Posts
    836 Views
    M
    Yes, the problem was in the SSD. I replaced it and now all is working fine. Thank you very much!
  • Haproxy (pfsense pkg) in front of haproxy (normal install)

    5
    0 Votes
    5 Posts
    1k Views
    E
    Thanks @JeGr I didn't know about this load-balancer option in pfsense. And you are right about the LAN VIP. :)
  • How to Change Color of Column and Row

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • 0 Votes
    4 Posts
    4k Views
    S
    nice Brother! hahaha!! i think you made a Super Pfsense Server.  ;D  8)
  • VLANS, ip:port not reachable

    6
    0 Votes
    6 Posts
    1k Views
    X
    > @PiBa: You would enable that option if you 'need' the client-ip of the actual client for logging/permissions/other and cannot accomplish that by other means like x-forward-for header or proxy-protocol. It's certainly useful, but causes some trouble as well.. (there is a warning message with it for a reason ;) )

    Ok thank you. Everything is set up now the way we want it. Just a new cloud infrastructure coming as well. Then back to my usual programming day job ;) Thanks again for your help :)
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.