• PFSENSE VLAN

    2
    0 Votes
    2 Posts
    808 Views
    johnpozJ
    Well is your switch config. If you're going to put a vlan on your lan interface (eth1) then what is the ID of this vlan? You configured that switch port to carry that vlan tagged.. What is the native or untagged vlan on the port for your normal "lan" network? So does your dmz also connect into this switch? But sure let's call your lan network using vlan 1, which is common default vlan for management/data etc.. Then you create a vlan 100.. So switch port connected to eth1 would have untagged or native vlan 1, with tagged vlan 100. Then if you wanted some device on your network to be in this vlan 100 that switch port would be configured for untagged or native vlan 100 and that is it.
  • Custom RRDgraphs

    5
    0 Votes
    5 Posts
    2k Views
    G
    I made a patch for 2.3.2  pfSense version for a CPU temperature graph for the above mentioned old thread. I used a lot of it but changed some things. I am not a programmer so things could be better. ;) This patch is for a quad core N3700 CPU. --- /etc/inc/rrd.inc 2016-08-21 23:05:29.707358000 +0200 +++ /etc/inc/rrd.inc.modified 2016-08-21 23:44:15.376961000 +0200 @@ -242,6 +242,7 @@ $spamd = "-spamd.rrd"; $proc = "-processor.rrd"; $mem = "-memory.rrd"; + $cputemp = "-temperature.rrd"; $mbuf = "-mbuf.rrd"; $cellular = "-cellular.rrd"; $vpnusers = "-vpnusers.rrd"; @@ -274,6 +275,7 @@ $rrdlbpoolinterval = 60; $rrdprocinterval = 60; $rrdmeminterval = 60; + $rrdcputempinterval = 60; $rrdmbufinterval = 60; $rrdcellularinterval = 60; $rrdvpninterval = 60; @@ -291,6 +293,7 @@ $lbpoolvalid = $rrdlbpoolinterval * 2; $procvalid = $rrdlbpoolinterval * 2; $memvalid = $rrdmeminterval * 2; + $cputempvalid = $rrdcputempinterval * 2; $mbufvalid = $rrdmbufinterval * 2; $cellularvalid = $rrdcellularinterval * 2; $vpnvalid = $rrdvpninterval * 2; 
@@ -733,6 +736,49 @@ /* End Memory statistics */ + /* CPU Temperature */ + /* the CPU Temperature gathering function */ + /* This is for a Pentium N3700 and coretemp which reports 4 cores */ + /* CPU Temp, create the CPU Temperature database */ + if (!file_exists("$rrddbpath$ifname$cputemp")) { + $rrdcreate = "$rrdtool create $rrddbpath$ifname$cputemp --step $rrdcputempinterval "; + $rrdcreate .= "DS:cpu0temp:GAUGE:$cputempvalid:-273:5000 "; + $rrdcreate .= "DS:cpu1temp:GAUGE:$cputempvalid:-273:5000 "; + $rrdcreate .= "DS:cpu2temp:GAUGE:$cputempvalid:-273:5000 "; + $rrdcreate .= "DS:cpu3temp:GAUGE:$cputempvalid:-273:5000 "; + $rrdcreate .= "RRA:AVERAGE:0.5:1:1200 "; + $rrdcreate .= "RRA:AVERAGE:0.5:5:720 "; + $rrdcreate .= "RRA:AVERAGE:0.5:60:1860 "; + $rrdcreate .= "RRA:AVERAGE:0.5:1440:2284 "; + $rrdcreate .= "RRA:MIN:0.5:1:1200 "; + $rrdcreate .= "RRA:MIN:0.5:5:720 "; + $rrdcreate .= "RRA:MIN:0.5:60:1860 "; + $rrdcreate .= "RRA:MIN:0.5:1440:2284 "; + $rrdcreate .= "RRA:MAX:0.5:1:1200 "; + $rrdcreate .= "RRA:MAX:0.5:5:720 "; + $rrdcreate .= "RRA:MAX:0.5:60:1860 "; + $rrdcreate .= "RRA:MAX:0.5:1440:2284 "; + $rrdcreate .= "RRA:LAST:0.5:1:1200 "; + $rrdcreate .= "RRA:LAST:0.5:5:720 "; + $rrdcreate .= "RRA:LAST:0.5:60:1860 "; + $rrdcreate .= "RRA:LAST:0.5:1440:2284 "; + + create_new_rrd($rrdcreate); + unset($rrdcreate); + } + + /* enter UNKNOWN values in the RRD so it knows we rebooted. 
*/ + if (platform_booting()) { + mwexec("$rrdtool update $rrddbpath$ifname$cputemp N:U:U:U:U"); + } + + /* the CPU Temperature gathering function */ + $rrdupdatesh .= "CPUTEMP=`$sysctl -n dev.cpu.0.temperature dev.cpu.1.temperature dev.cpu.2.temperature dev.cpu.3.temperature | "; + $rrdupdatesh .= "cut -c-2 | tr '\n' ':' | sed 's/.$//'`\n"; + $rrdupdatesh .= "$rrdtool update $rrddbpath$ifname$cputemp N:\${CPUTEMP}\n"; + + /* end CPU Temperature gathering */ + /* mbuf, create mbuf statistics database */ if (!file_exists("$rrddbpath$ifname$mbuf")) { $rrdcreate = "$rrdtool create $rrddbpath$ifname$mbuf --step $rrdmbufinterval "; For easy implementation use the "patches" package. [image: CPUtemp.png] [image: CPUtemp.png_thumb]
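    Review bot: In the gathering command of the last hunk (@@ -733,6 +736,49 @@), `cut -c-2` keeps only the first two characters of each `sysctl` output line, so a three-digit reading would be stored as its first two digits and a one-digit reading would carry the character that follows it. Strip the non-numeric suffix instead of cutting at a fixed width. The four `dev.cpu.N.temperature` OIDs and the four `DS:cpuNtemp` entries are also hard-coded, so on a box where one of those OIDs is missing the `rrdtool update` line supplies fewer values than the database has data sources; either build both lists from the detected core count or say in the comment that the block must be edited per CPU. The comment "the CPU Temperature gathering function" appears twice in the block, and the first copy can go.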
  • 0 Votes
    6 Posts
    1k Views
    H
    My 3.1ghz Haswell i5 with an Intel i350-T2 NIC is getting 2Gb/s(1Gb bidirectional) with NAT and traffic shaping out of the box PFSense, while hovering about 10% CPU. If I disable traffic shaping, it's about 5% CPU. When it comes to a firewall, the NIC is the most important part. You must get a high quality one that has good driver support.
  • NOOB Questions - DHCP & hardware - prior to building pfSense box

    1
    0 Votes
    1 Posts
    587 Views
    No one has replied
  • Newbie - Issues with data both LAN and Wireless

    1
    0 Votes
    1 Posts
    681 Views
    No one has replied
  • 3G and CPU usage

    2
    0 Votes
    2 Posts
    791 Views
    A
    This seems to be a signal monitoring and statistics collection process. Do not have PPP configured right now, so cannot compare CPU usage.
  • 0 Votes
    4 Posts
    874 Views
    johnpozJ
    Well yeah, your automatic rules would have been natting that source network for you. You might have been able to just use hybrid since I believe the hybrid rules are evaluated first.
  • PfSync to 'offline' server

    3
    0 Votes
    3 Posts
    856 Views
    D
    Understood! Thank you for your insight and your time!
  • QoS on pfSense 2.3.2 64 bit

    4
    0 Votes
    4 Posts
    1k Views
    KOMK
    Probably in the Traffic Shaping forum, where people post questions about the traffic shaper and quality of service.
  • Sshguard

    4
    0 Votes
    4 Posts
    2k Views
    dotdashD
    There's a FreeBSD port for sshguard-pf 1.6.4. You could install the pkg from the FreeBSD repo. Not sure how hard it would be to get it working with pfSense.
  • PFSense failover with AT&T Beam (Netgear 340u)

    1
    0 Votes
    1 Posts
    609 Views
    No one has replied
  • How to view what device is using what IP address

    4
    0 Votes
    4 Posts
    790 Views
    JailerJ
    Status->DHCP leases
  • High CPU load while downloading files

    12
    0 Votes
    12 Posts
    2k Views
    V
    Which network card should I use in KVM for the pfSense VM? Intel E1000, VirtIO (Paravirtualized), Realtek RTL8139, VMWare vmxnet3. Thank you!
  • Unable to monitor Web Access

    1
    0 Votes
    1 Posts
    556 Views
    No one has replied
  • Audit by Tavis from Project Zero

    1
    0 Votes
    1 Posts
    577 Views
    No one has replied
  • What happened to this package NTOP, bandwidth

    19
    0 Votes
    19 Posts
    10k Views
    dennypageD
    I'm pretty sure mermen's issue is a defect with the pfSense package for ntopng. The core issue is that the current package does not support use of HTTPS. If you are using HTTPS for the webgui you cannot access ntopng by hostname because of HSTS. Only HTTP by IP address will work. This is discussed here: https://forum.pfsense.org/index.php?topic=110026.msg643065#msg643065 There is an outstanding PR for the pfSense package for ntopng to address this. [edited for politeness and clarity]
  • Netgear R7000 wifi and Pfsense, want readycloud on netgear working

    2
    0 Votes
    2 Posts
    3k Views
    M
    The links below should help you figure out what ports you will need to forward and how to set up port forwarding in pfSense. https://community.netgear.com/t5/ReadyCLOUD/RN104-Router-Ports-to-open/td-p/948497 https://community.netgear.com/t5/ReadyCLOUD/ReadyNAS-102-ReadyCloud-Cannot-Discover-Device/td-p/922769 https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense https://forum.pfsense.org/index.php?topic=55676.0 Not sure how you are going to use ReadyCloud but if I were you I would set up a VPN on pfSense then use a VPN client to connect to your LAN to get to whatever files you want.
  • User Manager Groups to allow UPnP & NAT-PMP

    3
    0 Votes
    3 Posts
    798 Views
    L
    Perfect - Thanks Jimp!
  • RRD XML data in a backup

    4
    0 Votes
    4 Posts
    2k Views
    T
    Sorry for the slow reply. Thanks for this, will try that tomorrow. If I can get it working it will be really helpful.
  • Installed pfSense, what's next?

    8
    0 Votes
    8 Posts
    2k Views
    czar666C
    Thank you all for your replies. Quite interesting to have different views on the situation. I use the vpn service so my pfsense is not only used as a fw. In the meantime I also activated egress filtering. For some of you maybe overkill, but it's also to learn how to use the pfsense (making aliases and rules, check my fw logs etc..). @chris4916: Are you hosting internal services exposed to internet? NO Do you need remote access to your LAN? YES Do you need to segregate internal subnets? Isolate guest wifi from LAN… Not today, but could be in the near future. @chris4916: all-in-one UTM will do the job with less flexibility but more efficiency… if you don't know how it works behind. Well apart from protecting my situation, I'd like to learn how it works behind. It's fascinating. @Harvy66: Don't forget to teach your children how to be responsible Internet citizens and not get virii. I got a virus once when I was 7, it was from a floppy disk I got from a friend. I have never gotten malware or a virus since. I absolutely agree on that point too. @pleriche: Regarding pfSense I'm a bit of a noob round here but I would humbly suggest that what you need is a UTM rather than a firewall such as pfSense. I'll have a look at that UTM stuff. @jahonix: Personally I would separate my network in trusted and untrusted subnets with the kid's gear being in "untrusted". This way they cannot infect parents stuff. With vlans, yes this could be an option too. But the "untrusted" part will need access to the "trusted" part. For example: ipad is using application to navigate in the gui of the Kodi Media Player. I'll have to check that. Again, thank you all for the interesting advice.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.