• A general question \ s about OpenVPN in PFSense.

    5
    0 Votes
    5 Posts
    532 Views

    By default vpn providers push the default route to the clients, so that all upstream traffic is routed over their vpn.
    So if your computer tries to connect to the vpn this won't work, cause the connection request will come already from inside the vpn. But if you don't establish the vpn on the computer there should be no trouble with that and traffic should be routed over the vpn.

  • What Caused the Crash

    4
    0 Votes
    4 Posts
    710 Views
    NollipfSense

    I finally found out what was causing the crash…seems my motherboard was dying, and today it went belly up!

  • LACP and VLAN Issues with Netgear Switch

    2
    0 Votes
    2 Posts
    665 Views

    I figured it out. Static Mode needs to be set to disable on LAG1 on the Netgear to enable LACP.  ::)

  • Queues Status Under Reading

    1
    0 Votes
    1 Posts
    411 Views
    No one has replied
  • Changing Clamav antivirus for nod32

    1
    0 Votes
    1 Posts
    255 Views
    No one has replied
  • VoIP SIP phone line keeps stopping behind pfsense

    6
    0 Votes
    6 Posts
    1k Views
    MikeV7896

    I'll second chpalmer. I have WAN firewall rules for the SIP and RTP ports my two phones (one Panasonic, one Polycom) use when the connection is originating from my VoIP provider's IP address ranges, and I've never had any issues.

    I'm fortunate that my provider has a support article detailing the address ranges they use, so I was able to set them up. I'm also fortunate that the two phones don't have overlapping default RTP port ranges… though I could probably adjust them anyway. I did have to change the SIP port for one of them though. :)

  • Adding VPN for specific URL

    3
    0 Votes
    3 Posts
    369 Views

    thank you @nogbadthebad - I've found some entries for that so I'll see what it brings and report back

  • 0 Votes
    4 Posts
    424 Views
    chpalmer

    Thanks guys!

    When I turned IPv6 off on the interfaces the errors stopped..  ISP is having issues with IPv6 so we are disabling for now. I'll update if when turned back on the errors start again..

  • VLAN Network performance Green to Orange on ESXi setup

    3
    0 Votes
    3 Posts
    319 Views

    No, I did not - because I misunderstood the instructions

    Works now, huge thanks !

  • Do I gain something setting GPON router in bridge for pfSense ?

    2
    0 Votes
    2 Posts
    345 Views
    NogBadTheBad

    Yes you avoid a double NAT.

    Some IP traffic has the IP address in two locations in the packet, NAT will only change the header.

  • Resolving LAN hosts names - help

    16
    0 Votes
    16 Posts
    1k Views
    chudak

    @Gertjan:

    PC's and other devices could have 'static' DNS addresses set up, so they will contact for example "8.8.8.8", bypassing completely the local DNS authority (your pfSense).

    That makes sense and explains those queries, thx!

    @Gertjan:

    Also : some devices, some software have DNS hard coded - you can't do anything about that, except blocking all outgoing DNS request, forcing the device to use pfSense, or have it shut up.

    I do force all DNS requests to use pfsense only!

  • Two Factor Authentication (MFA)

    2
    0 Votes
    2 Posts
    657 Views

    I use DUO Mobile (https://duo.com) and it works very well for our VPN users. Every time a user tries to login, they will get a push notification to their phone which they have to allow before they can login. If you're already using radius as the authentication server, you can implement the DUO radius proxy to send the push. Their service is free up to 10 users so I'd give it a try and see how you like it. I have been very happy overall.

    https://duo.com/docs/authproxy_reference

  • VLAN over a WAN link

    9
    0 Votes
    9 Posts
    584 Views

    @Malad:

    Hi guys, I have this situation:
    I have a VLAN between two offices in a WAN link that must have access to the internet. A layer 2 tunnel with an ISP has been hired and the internet is accessed through it. The IP of the link is fixed and the VLAN also, all the configuration is done on the VLAN. In my pfSense it shows that the WAN is down. Any suggestions?
    I would also like to know about documentation to implement a VLAN on a WAN link. Thank you all. Malad

    I'd confirm with your ISP if you're set up with an MPLS or VLAN for your site. We had an offer from AT&T that has layer2 site to site capability that was cheaper than an MPLS but our VPNs are running smoothly for our needs. I would think they would use different ports on their edge device, WAN(No VLAN) Site-to-Site(VLAN) but it could be done either way.

    If you're sure your ISP is handing you Internet access through a VLAN then all you need to do is add the VLAN to pfsense and change your WAN network port to that VLAN. Go to Interfaces --> Assignment --> VLANs tab. Add the VLAN for your Internet connection (make sure to select the correct parent interface). Then go back to Interface Assignments and change your WAN Network Port to the VLAN you just added.

  • Traffic shaper giving priority to rdp

    4
    0 Votes
    4 Posts
    689 Views
    KOM

    Try it and see how it works for you.  The method is correct.

  • No-IP updating to odd ip addresses

    5
    0 Votes
    5 Posts
    500 Views

    I am working with No-IP support now, but I think it's because I had the No-IP app on my iPhone that it updated the DNS. I have removed the app. I thought the app was just to monitor my ip address, didn't know it would make updates. Waiting to see what support has to say.

  • RULES IN LAN AFFECT OTHER VLAN INTERFACES RULES?

    2
    0 Votes
    2 Posts
    239 Views

    It depends. If you have created firewall rules for the lan interface then it is not inherited by vlans. But if you are running captive portal then vlans will also inherit it. I think same goes true with squid (not very sure).
    I hope this helps.
    Ashima

  • Access bridge mode DSL modem from LAN ?

    2
    0 Votes
    2 Posts
    209 Views
    Grimson

    https://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall

  • Wrong IP address (compromised?)

    8
    0 Votes
    8 Posts
    1k Views
    johnpoz

    Let's all not forget that the IP database of location data - is far from perfect..

    Having a bitch of time trying to get maxmind to update theirs.. A /24 off our /16 they kept saying was in Malaysia..  When clearly it's in the US..  Tried for months to get them to correct via their forms with little luck, until it became moot when we no longer proxied data web traffic through that connection.

    As to what vpn service you're using.. Unless you got one that allows you to pick your endpoint location and country and you did.. And just using it to mask your traffic from your local isp then sure the endpoint could be almost anywhere does not matter where the HQ of the company is, etc.  If you're having an issue with your VPN ip now showing the origin country that you want for its IP, then you should get with your vpn provider..

    Again - geoip information is not an exact science ;)

    This is not TV where they get an IP and lookup that is located in the bedroom of the house on 123 Street on the 2nd floor hehehehe

  • Routing via other gateway.

    4
    0 Votes
    4 Posts
    692 Views

    I've described it here two days ago: https://forum.pfsense.org/index.php?topic=146424.msg795676#msg795676

  • Understanding strange firewall block logs originating from LANs

    3
    0 Votes
    3 Posts
    445 Views
    NogBadTheBad

    Some IPv6 & IPv4 multicast coming from the clients regardless of enabling IPv6.

    Also out of state traffic.

    https://doc.pfsense.org/index.php/Why_do_my_logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection.

    If you don't want to see the IPv6 stuff create an IPv6 block any any and don't log.

    The default block rule logs everything.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.