Well you can still do it with different firewall rules, just set the required IP range as the source address. Of course there will nothing to stop users in the blocked group giving themselves a static IP in the unblocked group to get around that. Steve

You can use UPnP on pfsense..  But for something as simple as 1 port that doesn't change there is little point to it. Pfsense even allows for rules to be set so say only specific IP can ask for specific Ports - this way you can enable UPnP for 1 host, while not opening yourself up to have anything running on your network just opening ports willy nilly.

I wish some one would make a fix on this  :-\

The failback of OpenVPN to the primary should be fixed by: https://github.com/pfsense/pfsense/commit/4bf23d320bc96eeabf2daf9024583f2cc5a6662a and there have been some changes in 2.1.1 that people reported have made PPPoE reconnect: https://redmine.pfsense.org/issues/1943 If you have an install where you can upgrade to 2.1.1-prerelease then that should help a lot.

Did it ever perform to expectations? We've seen some modems that for whatever reason don't play nicely with the ALIX, resulting in performance issues. Putting a switch in between the ALIX and the modem fixes. It's an unusual case though, maybe heard of or seen it a half dozen times and there are many thousands of ALIX systems out there running pfSense.

im not sure if anything like this exists even if it does i doubt it will be freeware/open source. most of the commercial centralized AV packages still need small clients deployed to the machines on the network that contact the central server for updates/rules/schedules etc. i use commercial GFI and it works well.

thank you for your help clarknova. your explanation cleared my pfsense vlan confusion. everything works as expected now. yaboc

@Jones: How do you to a packet dump? Go to Diagnostics: Packet Capture. Watch on the LAN interface and then the WAN as you ping each host upstream. You should see all the ICMP echo requests go out and the responses come back. You can see packet loss this way and figure out where it's happening. You could also watch for strange traffic that could be causing problems. And the CF card… HA! When I first built this box in 2011, I paid $30 for an industrial CF card. Couldn't get that silly thing to work at all. So I went down to Walmart and got a $12 CF card that goes in a camera. Worked like a charm the first time. Yeah, that doesn't surprise me at all. They can be finicky.

@Jason: Set all user ports to Access mode with the appropriate PVID (do NOT use 1). Set the uplink port for your pfSense box to General (not Trunk) with a PVID of 1 and allow tagged packets from the VLANs you created above. Create however many tagged VLAN interfaces are needed in your pfSense box, including one untagged for the native VLAN, and then use firewall rules to determine which of your computers are allowed to access each network. I'll see if that works when I get home tonight, thanks.

@bfts: phil.davis, thanks for the answer, this was what I was hoping for. I guess now I really have to figure out how this lovely piece of software works  ;) Looking forward to have more fun with pfSense  :) Or, have the tech put the DSL modem in bridge mode.

The AP was rebooting itself every 20 minutes. I was thrown off the trail by the fact that the packet loss was showing up every 40 minutes, and that the rate of loss didn't appear consistent, except in chunks of 24 hours. The latter can be explained by rounding, since the rrd samples are 5 minutes, while the down time was less than a minute. I don't know how to explain the fact that every second outage was not manifest in the rrd graph though. As for the ssh hanging, you're right, I didn't have the box checked to override state killing on gateway failure, so pfsense was killing all states when that backhaul went down.

@JohnnyBeGood: Where is the best place to check if WAN is still UP? I would look at ifconfig in the console if you can otherwise look in Status: Interfaces: Steve

So I "fixed" it. Turns out that it most likely was the netgear switch sending out the pause packets, even tho it was updated to latest firmware version and all.. I bought a Cisco SG300-10 switch and set it up with the same basic vlan configuration and enabled flow control on every port aaaand whatta you know? Everything works without a hitch.. Soo, lesson learned: Not EVER buying a netgear product again! SG300-10 has the added bonus of being able to handle the igmp proxying between VLANs, so pfSense doesn't have to!

You could create a teamviewer alias and create a rule that basically says from noallowed internet to !teamview (negated rules) block, with a default allow afterwards. In the alias, you would put something like www.teamviewer.com teamviewer.com and any custom url. You could also put and IP range for teamviewer if you know it. There are schedules in pfsense. It is considered better if you use them in an opposite manner than expected. There are docs and forum posts on this. You can also create an alias with a fireall rule at the top for facebook (DNS Entries or IP Ranges) that blocks it.

Have you set firewall rules on VLAN10? DHCP should still work however. Try running a packet capture on em0 to see if any VLAN10 tagged dhcp requests or offers are there. How does the wireless router handle VLANs? Is it trunked through or are you just hopnig it won't strip the tags or dumpt the packets? Steve

Thanks Steve, While that didn't work off the bat, I was able to remove both gateways and then re-added the one I wanted successfully. Thanks for your help

sim traduz bem sim