  • Scheduled Maintenance Rule

    4
    0 Votes
    4 Posts
    688 Views
    D
    I'd frankly start with the allow rule scheduling, results with scheduling block rules are not exactly convincing for some people due to dangling states.
  • MOVED: Help with rule

    Locked
    1
    0 Votes
    1 Posts
    366 Views
    No one has replied
  • MOVED: Connection issues with pfSense with OVH and Proxmox

    Locked
    1
    0 Votes
    1 Posts
    338 Views
    No one has replied
  • Inter-VLAN routing goes out WAN?

    3
    0 Votes
    3 Posts
    731 Views
    D
    Found it! I have two WAN connections, and the failover rules were misconfigured. Instead of keeping all local traffic, it was sending anything not in its own /24 out the DSL line. I fixed it by using an alias for my local VLANs instead of the incorrect "network" match. All better now, thanks.
  • Does pfSense use cdp for anything?

    2
    0 Votes
    2 Posts
    1k Views
    J
    Not unless you've configured the ladvd package.
  • PFsense dynamic vlan

    7
    0 Votes
    7 Posts
    2k Views
    S
    I don't fully understand what you're trying to do, or what exactly "I can't put them it the right vlan" means, but what I can say is that with a WIFI router with DD-WRT installed it's possible to create multiple VAPs (Virtual Access Points) with tagged VLANs on one or more routers. Combine that with a switch that can do VLANs, and you can set up multiple separate WIFI networks that can be managed with pfSense.
  • IPv6 temporary address rule

    8
    0 Votes
    8 Posts
    3k Views
    G
    @zarje: IPv6 is kinda strange in some ways compared to IPv4 but thanks for helping me solve this! Is it that IPv6 is kind of strange compared to IPv4, or that IPv4 made us think of things in a strange way? ;) In a LOT of ways, IPv6 makes much more sense to me than IPv4.  You have an interface.  It has its own address in the world.  Nothing else has that address.  It's kind of like your physical home mailing address. Compare that to IPv4 and "192.168.1.1".  I bet there are more interfaces in the world with that single address than there are unique IPv4 numbers.  That would be like trying to send something via the ground postal service addressed to only "over there." In my opinion, IPv4 required so many hacks (and they are hacks) to make things work how we want, that we've grown accustomed to those hacks, and now we try to apply those same ideas to IPv6 where they aren't needed (and don't work.) I still believe that a proper daemon with kernel hooks could monitor ICMPv6 to watch for the MAC addresses of devices that announce usage of an IPv6 address (via ICMPv6 NDP NA and NS messages) and somehow use that information along with ARP and reverse DNS lookups to find the hostname of every used IPv6 on a local network. In fact, I had written something like that (and injected the information into unbound's config files) but it wasn't a daemon that monitored ICMPv6, but instead just ran every 30 minutes or so.  In that time, many IPv6 addresses would expire from the NDP table, or the IPv6 would expire very quickly after I logged it (but before the process ran again to clean up the data.)  I'll admit that I had a few other bugs, but because of the above issues, I abandoned my effort.  It was a fun exercise and I proved to myself that it was feasible. As others pointed out to me, even if I had perfected the program, it STILL would suffer from some flaws due to some devices apparently randomizing their MAC addresses! (I haven't seen that in my home or work, but I believe others who say it's done.)  It also couldn't ever recognize an IPv6 address if it never sees the address to begin with.  (Of course, if it never sees the address, then there isn't any traffic using the address, so it really doesn't matter.) Oh, and even with the above program, assuming it was working PERFECTLY, you'd still be experiencing the same problem (because pfsense refreshes its alias tables on a schedule… so it might take quite a bit of time before it'd notice a new ipv6 address associates with a given hostname.) However, ALL that being said...  pfsense is still one of the better router/firewall/UTM type programs for dealing with IPv6.  Most others either completely ignore that IPv6 exists, or they have barely half-baked hacks that kind of support very specific cases of IPv6 (such as only supporting static IPv6 /128 addresses) (Can you tell that I'm passionate about this subject? ;)) Take care Gary
  • Tracking down bad MTU

    4
    0 Votes
    4 Posts
    1k Views
    DerelictD
    Are you sure you reverted EVERYTHING back from jumbo frames? Also on the NAT side, nothing fancy, just static NAT mapping off the WAN for anything in rfc1918 private space. What do you mean by static NAT mapping? You might want to back up your config, go back to factory defaults, and see if your microcell comes up. You probably want to factory reset it too and let it like sit overnight. They are temperamental wenches. Look in the DHCP Leases, get its IP address, and look at the states. They will probably look perfectly normal. Probably either UDP500 and UDP 4500 or UDP 500 and protocol ESP.
  • What hardware is everyone using?

    26
    0 Votes
    26 Posts
    7k Views
    S
    For home use I keep using old/refurb Dell slimline boxes.  They are very cheap, nearly silent, and tend to be power efficient.  For a long time I had a Dell P-III-600MHz box, that finally ran out of CPU when I moved to FiOS (usenet downloads maxed at maybe 70Mb/s).  Now I'm running a Core2Duo slimline Dell, picked it up on Amazon (free Prime shipping) for $80.  Something similar to this, they're all over Amazon and Ebay: https://smile.amazon.com/OptiPlex-Core2Duo-2-66GHz-160GB-DVD-RW/dp/B00J8K4KZ4/ Also found Realtek cards with full or low profile brackets that actually work well with FreeBSD: https://smile.amazon.com/gp/product/B008FAELF2/
  • LAN IPv4 access Blocked

    16
    0 Votes
    16 Posts
    2k Views
    J
    Yeah, this is what I will do. Thanks again
  • Automate static arp

    4
    0 Votes
    4 Posts
    838 Views
    johnpozJ
    So first thing would be to set up a dhcp reservation, ie static dhcp so that client always gets the same IP.  Then create a schedule for your rules so those IPs don't have access when you don't want them to have access. https://doc.pfsense.org/index.php/Firewall_Rule_Schedules
  • CLI Backup - Resolved

    2
    0 Votes
    2 Posts
    653 Views
    G
    Wow.. any luck reversing this for CLI restore?
  • PfSense 2.2.2 iso download

    2
    0 Votes
    2 Posts
    16k Views
    KOMK
    The forum's Search function would have found this for you quickly. https://atxfiles.pfsense.org/mirror/downloads/old/
  • 0 Votes
    7 Posts
    994 Views
    H
    @kpa: @humaidq: @w0w: ral0? What is this? It should be some wireless ralink chipset? FreeBSD and pfSense would not be happy with most of wireless cards. It is the built in ethernet on the motherboard, there is no way to remove it other than unsoldering it, should I insert another ethernet card to use instead of the built in? It can't be the built-in ethernet because the ral driver is for a WLAN card and not for an ethernet NIC: https://www.freebsd.org/cgi/man.cgi?query=ral&apropos=0&sektion=0&manpath=FreeBSD+11.0-RELEASE+and+Ports&arch=default&format=html Oh, I see. I did not know that. I set up the interfaces correctly, now everything seems to work fine!
  • Swap WAN and LAN ports in config

    10
    0 Votes
    10 Posts
    5k Views
    F
    Sorry to revive the dead, I just did this and it worked great, thank you.
  • CLI

    6
    0 Votes
    6 Posts
    1k Views
    P
    I don't know what directory rules reside in (or if it even works that way, but I expect it does). But you might be able to find it by creating a rule with a unique string in it, then grep for that string?
  • How to wire my lan.

    3
    0 Votes
    3 Posts
    572 Views
    H
    @KOM: They both will work just fine.  Having your AP on your switch is the most common home setup as most people don't have extra ports on the router to play with.  That's the switch's job. The difference is whether or not you want to segment the wireless traffic from LAN.  If it's all the same to you, put AP on LAN by plugging it into your switch.  If you need to treat wireless clients differently from LAN clients for whatever reason, put them on their own interface.  If your switch is managed then you could accomplish the same separation with vlans. Thank you. That's exactly the answer I was looking for :) Now I got a plan for tomorrow! Have a good day :)
  • Power management+website filtering tweaks

    1
    0 Votes
    1 Posts
    383 Views
    No one has replied
  • Host-based OpenVPN connection slow/flapping

    4
    0 Votes
    4 Posts
    1k Views
    P
    Any ideas? It will run at a solid 10 Mbps for anywhere from one to ten minutes, then sit idle for up to an hour.  During this time I can go to speedtest.net and get ~5 Mbps download no problem. Being a VPN tunnel, does pfSense or my ISP even know what's going through the pipe?  I would think encrypted traffic would all look the same, but it feels like I'm getting throttled. Should I suspect the VPN server itself? I'm open to ideas…. I really don't want to go back to my old router.
  • Multiple VM's for couple IP's

    1
    0 Votes
    1 Posts
    426 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.