• Fresh Attempt

    11
    0 Votes
    11 Posts
    2k Views
    V
@divsys: If your DMZ is intended to be wide open to the internet, then no point in VLANs. No, it will still be blocked unless port forwarded, so isolated VLANs could still be used to lock it down. I have read up on private VLANs and like the idea of a community sub-VLAN so that a group (say Apple TVs) can access both the NAS streaming and the internet, or am I barking up the wrong tree?
  • Reach LAN behind OpenVPN and IPSec

    3
    0 Votes
    3 Posts
    763 Views
    A
I have not until you mentioned it. Another Phase 2 tunnel worked out very well and OpenVPN and LAN2 can talk to each other now. Thank you! ;)
  • Squid and windows AD groups and users

    1
    0 Votes
    1 Posts
    425 Views
    No one has replied
  • Problems with internet in my pfsense

    1
    0 Votes
    1 Posts
    502 Views
    No one has replied
  • Firewall TCP flag list

    4
    0 Votes
    4 Posts
    3k Views
    jimpJ
    It's also on the doc wiki: https://doc.pfsense.org/index.php/What_are_TCP_Flags
  • MOVED: send() failed (40: Message too long)

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Multi WAN, NAT with IP Pools, Policy routing

    3
    0 Votes
    3 Posts
    816 Views
    F
I'm really struggling with this. I've got IP NAT POOLING, but for one of my fiber optic connections I have no choice but to NAT to the interface address. I have a rule that sends all traffic destined for a group of external IPs (I created an alias for this) to this fiber optic; it works perfectly until I change the NAT to use an IP POOL with the "sticky" option selected. I tried setting the firewall setting to "conservative" for the connection states, but this doesn't help. All the traffic destined for this group of external IPs has to originate from the same source IP address; it's a TV system, and even though the states and IP pooling are sticky it fails miserably until I change the NAT to use only one interface IP. Is there any way I can set a rule for an alias to use only one interface IP address and still keep the IP pooling working for all other traffic? I'm really loving my pfSense box; unfortunately, if I can't get this working I'm going to have to revert back to a Mikrotik where I can use PCC and packet marking. I really loathe the Mikrotik… please help!
  • Cannot ping pfsense box

    7
    0 Votes
    7 Posts
    1k Views
    M
Do you have the VPN connected? You will also have to create rules in the firewall for IPsec. In the firewall you will find floating, WAN, LAN and IPsec rules.
  • Hulu Freezing after Ad and replaying since Ad

    6
    0 Votes
    6 Posts
    2k Views
    H
    I just use the DNS resolver and get 0ms DNS queries and answers come from the root servers instead of manipulated ISP DNS servers.
  • SOCKS5 & pfSense

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • 0 Votes
    4 Posts
    1k Views
    C
    The catch 22 there with NTP and DNSSEC is known, though outside of the system clock being way off on first boot of a new install, you shouldn't be so far off as to cause issues there. The config backup stores all the changes you make via the GUI configuration screens. If you make conf changes outside of that, they have to be restored separately.
  • Do I have to have the LAN interface?

    3
    0 Votes
    3 Posts
    681 Views
    MikeV7896M
    If it were me, I would just keep it and leave it disabled. It would just be a good reminder that that's the physical port. I would also probably name my VLAN interfaces LAN-V101, LAN-V102, etc… so you include the name of the physical interface with the VLAN number. This might not be a big deal if you only have two physical interfaces (WAN and LAN), but if you had three or four physical interfaces and multiple VLANs on each, that might help to keep things straight.
  • Reaching Bridged Modem's WebGUI behind pfSense

    3
    0 Votes
    3 Posts
    827 Views
    B
Hi, thanks for the info… I don't like putting the gateway in the so-called DMZ+ modes just in order to access the modem's interface. Nothing beats having it in bridged mode. It looks a bit complicated. I'll try it. Would have been nice if such a feature could be enabled/disabled in an automated way by a single field in the new pfSense 2.3 Web-GUI. :)
  • MOVED: [2.3] size of traffic graphs on dashboard

    Locked
    1
    0 Votes
    1 Posts
    379 Views
    No one has replied
  • Configuration Questions for Small Home Use

    10
    0 Votes
    10 Posts
    2k Views
    johnpozJ
BTW my GS108Ev3 switch got here last night; it does have a web interface. It's pretty much the same feature set as my older GS108T. At least it works in Firefox now. Or you can use the util if you want to admin it. Does not support SNMP. Sucks, I normally like to monitor my switches. For $33 it will do what I need, which is understand VLAN tags in my AV cabinet. I really would suggest you go with the SG300 if you're looking for a smart switch with actual features. You had asked how the SG300 web GUI was, etc. Here is a comparison between a brand new GS108Ev3 and my SG300. You can tell from just the menu options that the SG300 has way way way more features than these Netgear devices. Now if you do go with the T model, they do support SNMP at least. [image: exampledifference.png]
  • Periodic activity sftp.pfsense.com

    2
    0 Votes
    2 Posts
    744 Views
    C
    That's the PTR of this site, it didn't match the forward DNS. I just fixed it so it does.
  • IPV4 network question

    Locked
    17
    0 Votes
    17 Posts
    3k Views
    D
I have made a new topic, with less pollution and screen captures… I placed it in the correct forum, so I will lock this and you can find it here... https://forum.pfsense.org/index.php?topic=111286.0
  • Looking for suggestions on revamping my home office network

    5
    0 Votes
    5 Posts
    928 Views
    MikeV7896M
    Bufferbloat is temporary latency due to buffers being filled during moments that data isn't able to be sent over the line. This is often an issue for cable internet customers because of the shared nature of the cable system. It's most noticeable in online gaming, and sometimes in VoIP applications, where low latency is extremely important and a sudden 300+ms delay becomes noticeable, even if it's just for a moment. It's not so much a slowness issue as it is a latency issue. There are a couple of different ways that you can add Codel to the traffic shaper. The best way for you might be different than someone else depending on what other traffic shaping is being done. If you're not doing anything else, then you can add Codel directly to an interface in the traffic shaper. That has worked great for me, raising my Bufferbloat score from a D to a B.
  • Option to disable route-to on rules generated for WAN

    5
    0 Votes
    5 Posts
    2k Views
    A
Thanks! I just realized that reply-to is still being set on automatically generated rules for VPN traffic even though I have 'Disable reply-to' enabled in System->Advanced->Firewall & NAT (see my post above showing the rules). It appears I would need to override that too. EDIT: It looks like my rules on the WAN interface allowing UDP 500 and the ESP protocol are overriding those auto-generated rules. I don't see any packet counts on those auto-generated reply-to rules. With pfctl -vsr | grep -A 2 "reply-to" I see all packet counts at 0 ("Packets: 0").
  • PFSense 'supported' on virtual machines

    6
    0 Votes
    6 Posts
    2k Views
    johnpozJ
"No issues running 2.3.x on esxi 5.1.x" That is nice to hear, but that is not a supported configuration from even VMware, since they do not support the version of FreeBSD pfSense is running on. FreeBSD 10.x is not supported by VMware until 5.5u2, so while it might work, it is not a combination that should be used. You need to update your ESXi to 5.5u2 at minimum to be in line with what VMware says their product supports. http://www.vmware.com/resources/compatibility/search.php?deviceCategory=software [image: vmwaresupport.png]
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.