• VOIP phone will not call/receive calls when multi-modem is in bridge mode

    9
    0 Votes
    9 Posts
    8k Views
    w0wW
    Beside the simplicity you now have double NAT and possible problems with port forwarding, possible bufferbloat on modem side, etc… but it's your choice anyway.  :-X
  • PPPoE reconnection

    3
    0 Votes
    3 Posts
    930 Views
    R
    for sure there is a problem with pppoe reconnection - as i have this problem with 2.3 (including all recent updates) and searched more than 2 days to find a proper solution, i.e. to have a stable pppoe connection with my pfsense. the fix mentioned here works good for me: https://forum.pfsense.org/index.php?topic=54207.0 Failing that, give this a try: Edit usr/local/sbin/ppp-linkdown and comment out or remove this line (keep an unaltered copy around though so you can restore the copy if it doesn't help) Code: /usr/sbin/ngctl shutdown $1: mind that there is a closed, 17 page long thread at https://forum.pfsense.org/index.php?topic=41061.240 i came across several times. imho this workaround should be added to that thread, as it will help people who have this problem. unfortunately, that post is closed and cannot be replied anymore. can some moderator add this information ?
  • PfSense and L2 macsec

    2
    0 Votes
    2 Posts
    3k Views
    jimpJ
    Not that I'm aware of. Searching for macsec or 802.1ae doesn't turn up anything meaningful outside of a few references to drivers for cards that support it that had to be worked around.
  • Why there is no login screen when booting firewall up?

    4
    0 Votes
    4 Posts
    573 Views
    KOMK
    That will keep out casual access attempts and rouge keyboard cats LOL "rouge"
  • Multilan Multiwan Config getting slow after a while

    3
    0 Votes
    3 Posts
    837 Views
    S
    Only multi-WAN is here interesting for us. And what other services you are running, or plain what packets are installed on that pfSense firewall? Something like Squid as a caching proxy, or Clam AV Scanning, or Snort / Suricata perhaps? And when yes what interface they are watching (LAN or WAN ports). There was snort running, on the wan ports. It also slowed down the connection. there are 2 local nets 192.168.0.0/24 and 192.168.100.0/24 which are separated. How they are separated? With VLANs or each on another eth port? Each net has its own eth Port and is running on 2 vlans on a switch. They are separated in snort with 2 Floating firewall rules. If i disable this rules they act like a local net. And i have setup a multiwan with vdsl and kabel which has failover but prefers vdsl for the .100 net and kabel for the .0 net. ??? What does this meaning for us? In normal there are many ways to go with here in that case. You may set up load balancing and fail over so both is given to you and available to your network. i attached some pictures you can see what i mean. After a while the connection of both nets gets slow and some webpages or video streams are not working correctly any more. A reboot of the pfsense fixes the problem. Two things could be happen here, the RAM is full or the mbuf size is too small and the second thing could be that the first internet line is failing and the second one is not used or the ISP is throttling down after a limit is reached one or both internet lines. There should be no throttling on the ISP Lines. they have full speed and no problems if i directly connect without the pfsense box. It runs on a JETWAY JBC390F541AA-19-B. If I am right informed for each RJ45 ports will be created queues and then it is filling the too small mbuf size too fast and all is narrowing down the entire throughput then at last.
high up the mbuf size set the amount of queues to a smaller number perhaps activate the PowerD (high adaptive) option eventually it could be also nice to activate the TRIM support (but not really related to that problem here) I raised the mbuf size to 1000000 lets see if it helps. What is the config of the WAN interfaces and what kind of load balancing is used here in that case? I would suggest here to go by policy based routing and a fail over rule that will be nice matching and then perhaps on top choosing the right ratio for that two internet lines. How fast they are each of them I mean? I Attached some pics, hope they will help to see how i did the setup. High up the mbuf size: Choose your NIC and the installed driver for that and follow the instructions for your 211AT or 210i NICs it should be the igb(4) driver and set the mbuf size to 1000000 and click save. You might be trying out also other numbers! Please don't forget if you have only a small amount of RAM you could ending up in a booting loop! I would install for that 8 GB of RAM and then trying to high up the amount step by step. 250000, 500000 and 1000000 you will be able to see the usage on the dashboard! Please don't forget also the amount of 10 NICs. Could also be interesting to that A proper Multi-WAN config: (load balancing & fail over) Please read carefully this at first: Multi-WAN Groups and please watch out that topic Policy based routing & fail over rule If wished and/or needed: Enable TRIM support in pfSense thanks for the links, i will doublecheck everything Thanks for your help. Best regards, Alex
  • Restoring Virtual IP (CARP) settings "only"?

    3
    0 Votes
    3 Posts
    1k Views
    H
    @doktornotor: Backup the config, edit the XML as required, restore the config? I actually wanted to avoid that, as it becomes a bit painful to edit the big file, while it could've been simpler to just restore (like for the DHCP/Interfaces/VLANs) the specific part, or know that it'll get restored with eg the Interfaces
  • Port speed and duplex issue

    5
    0 Votes
    5 Posts
    2k Views
    DerelictD
    Realtek NIC? The drivers are unreliable where hard-setting like that in certain cases I think. But if it's working and the interface is not taking errors you are probably OK.
  • Client PC's internet connection timeouts

    1
    0 Votes
    1 Posts
    403 Views
    No one has replied
  • Network HiccUps

    5
    0 Votes
    5 Posts
    1k Views
    G
    Yesterday it did it once every 20 or 30 mins, i am still wondering what would that be I am a VoIP provider, so i know is not me as a carrier, we now fired a lot of people and we are down to 45 agents, we use codec G729 I Just need to know if there is any tool to log traffic on a network, store destination and bandwidth speed at a particular time, so i can trace it down better I am a newbie, so, guidance will be appreciated Thanks so much !!!
  • Ram requirement to run 64bit pfsense 2.3.2

    4
    0 Votes
    4 Posts
    4k Views
    KOMK
    Yes, it's more than enough.
  • Allowing PC access to only specified WebSites

    3
    0 Votes
    3 Posts
    630 Views
    V
    You have also to grant DNS access to the client.
  • Sleep question

    2
    0 Votes
    2 Posts
    566 Views
    V
    Maybe the result of a power outage? pfSense doesn't go in sleep mode, of course.
  • Connection Dropping | Watchguard Firebox x550e

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Export darkstat data to file

    2
    0 Votes
    2 Posts
    934 Views
    P
    Did you ever find a solution to this?
  • Configuration Query

    3
    0 Votes
    3 Posts
    630 Views
    Z
    Many thanks for your reply. I plan to try this in the next week or so.. I'll post back how I get on. Regards
  • Manage the VOIP and TOIP service

    6
    0 Votes
    6 Posts
    1k Views
    ?
    I suggest to consider all the voice devices/services completely separately from the router. You could set up and use the SIP-Proxy on pfSense You could set up the asterisk or FreePBX packet too Or you install asterisk or FreePBX on a Raspberry PI 3.0 together with Linux as the VOIP appliance! All services running on the pfSense could be narrowing down the entire throughput and/or causing problems. So if this VOIP will be outside you may have enough power to run Snort or Suricata on the pfSense appliance.
  • Web Server Access

    2
    0 Votes
    2 Posts
    2k Views
    D
    Beyond a NAT rule on WAN, this has nothing to do with pfSense. You need to configure your Netgear router to know where to send packets.
  • Add a Guest WIFI using 6-port Netgate & unmanaged switch

    3
    0 Votes
    3 Posts
    876 Views
    ?
    We have a staff WiFi and want to add a guest WiFi. Do we have to buy a VLAN-capable managed switch, or can we use a spare pfSense eth port? The WLAN APs should be having VLAN support, so you could set up a VLAN for private (staff) one and a guest network. If there will be a domain or AD/DC managed network at the workplace you could also high up the security for the entire network, by using something such as; LDAP Server or role on MS Windows Server for wired devices Radius Server or role on MS Windows Server or Linux Server for all WiFi devices (staff) Captive Portal on the pfSense for all WiFi clients (guest network) VLANs with his own subnet -- 192.168.1.0/24 staff WiFi -- 192.168.2.0/24 for guests WiFi -- 192.168.3.0/24 printers -- 192.168.4.0/24 PCs -- 192.168.5.0/24 servers and so on..... Current cfg: -pfSense 2.3.2 -Netgate 6-port, Port1:GW1/Comcast, Port2:GW2/AT&T, Port3:LAN/172.16.30.1 Would be nice to know now your budget here in that game play! -24-port unmanaged GbE switch, LAN Would be able to get a Cisco SG200-24P or Cisco SG300-24P switch likes you are able to pay or need it. The SG300 is a layer3 switch that is able to route the VLANs by it self and mostly with wire speed! -(4) EdiMax CAP1200 APs, (1) is the array controller and (3) are APs within the array, Staff WiFi Are they VLAN capable? -Windows Server DHCP server, 172.16.30.20 serving 172.16.30.x (can use pfSense's DHCP if rqd) Would be nice to see some other security roles on that server! -8-port GbE PoE switch for the APs, unmanaged. Connects to the (4) CAP1200 APs and to the 24-port LAN switch And also here you might be able to handle that traffic with a smaller variant of that named above switches I was guessing! SG200-10P or SG300-10P. Steps to add an isolated Guest WiFi ???? Create on the pfSense some VLANs and also on the Switch and then on the WiFi APs!
They must be tagged between the pfSense and the Switch and also between the Switch and the WiFi APs, because there should be holding then even 2 VLANs each for a WiFi location one for the staff and one for the guests. -Cfg EdiMax CAP1200 APs for STAFF VLAN10 and GUEST VLAN20 (choose tagged opt, yes??) There are two available scenarios: You will need VLAN capable Switch and WLAN APs Connected over a PoE Switch that is capable of VLANs You will need only VLAN capable WiFi APs You might connecting the WiFi APs directly to the pfSense appliance Please note the VLAN1 is the default VLAN on many switches so it should be for the admins only! It would be also making many sense to activate the client isolation for the guest and staff WiFi VLAN because then all devices are not able to have a look on the other devices inside of that VLAN. -8-Port PoE AP switch, move eth that was going to 24-port LAN switch so now goes to Netgate eth Port4 Is that PoE Switch VLAN capable? Are the WiFi APs multi-VLAN capable? There would be two common ways to go, pending on what the switches and WiFi APs are able to do and also based on your budget. 1. pfSense is routing the entire VLANs and you may only need a layer2 Switch 2. The Switch is routing the entire VLANs and the pfSense is holding the Captive Portal for guests and the Windows Server has a radius server role installed that is securing the WiFi clients for the staff. For sure there are many other ways out there to go with but this both might be the most common ways. Get a SG200-24P (Layer2) pfSense is routing then the VLANs or SG300-24P (Layer3) the switch it self will then routing the entire VLANs and connect them all to that switch!
  • OSSEC Agent for pfSense ?

    10
    0 Votes
    10 Posts
    9k Views
    ?
    You make an interesting argument - and I'm not saying you're wrong. It is not only an argument, this is more pending on the circumstance that this both IDS systems are doing not the same thing!!! One is watching and sniffing in the network or the network traffic it self and the other one is watching on the host OS of an Server, PC or other devices watching their registry, file system or other elementary or urgent points in that OS. However, your definition of a "router" vs a "server" seems at odds. What here should be better matching is perhaps something such as TripWire or something else similar to that but not a Host IDS (HIDS). One thing is OS related and the other one is network related or pointed. The Server has an OS that is perhaps hardened the firewall or router OS (firmware) must be hardened. For example: what is the difference between a pfSense device running an OpenSSH endpoint vs a server running the same thing? pfSense is a firewall distribution (but here working likes a firmware of an network device) and let us say CentOS & SoftEtherVPN are an OS & Software. Therefore what you are asking for should be matching more well this software or perhaps able to realize combined installed on an appliance; fail2ban DenyHost TripWire How do you make the judgement in this case as to which device warrants an OSSEC agent? It's not me, you should perhaps read the statements and jobs that the software coder were telling their clients and perhaps too you could read about the differences NIDS and HIDS. OSSec getting started
  • WAN GW is indicated down after setup change, but it's up

    6
    0 Votes
    6 Posts
    929 Views
    ?
    Btw. my PPPoE IP starts with 79 and the GW starts with 217. Might this be the reason Edit: Just got an IP from the 217 subnet so, this is not the reason. Also I can't ping the GW at all when I'm not connected to a VPN. Any further help ?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.