• Wired client isolation

    11
    0 Votes
    11 Posts
    3k Views
    johnpozJ
    Well, pfSense and 1 simple rule with all your connections as VLANs prevents them from talking to each other, if that is what you want. Or you could do that same thing with a L3 switch and ACL(s). This is really basic stuff here. Does not matter if your locations NAT or don't NAT, if you give them 1 IP or a /16 to work with, etc. A very cheap switch can do this; comes down to how many ports you need. How many client condos do you have?
  • Setting for Separate AP

    7
    0 Votes
    7 Posts
    2k Views
    ?
    The AP is an Amped Wireless model APA20, I bought brand new. Running the latest firmware. It would be even better if the latest WiFi standards are a so-called "must be". I thought the AP was just acting as a wireless bridge to my wired network; DHCP/DNS is being handled by pfSense and the AP just passes that through to the clients. In normal or common cases, when all is running well, this might not be a real problem, but if there are problems they mostly cannot be solved so easily then. Last night I tried isolating 802.11B/G/N to the 2.4GHz and 802.11AC to 5GHz. I noticed that even though all my devices are AC capable, they were connecting to the AP in N mode on 5GHz. Curious to see if that helps at all. As told before and a couple of lines above, this would be the best way to get the newest WiFi standards in use inside the network. I'm really hoping that this isn't a problem with pfSense at all… No, not really with pfSense. I guess I just wasn't sure if there were some settings on the firewall that I was missing when having bridges on the network. That's easy to answer: if it works you are the lucky one, and if not it is often better to go with an external WiFi AP like you have done. If this is only for private usage, no worry, but if also for public usage you should perhaps activate the client isolation inside the SSIDs or separate VLANs. Last night I tried isolating 802.11B/G/N to the 2.4GHz and 802.11AC to 5GHz. You can also try to put them in separate VLANs with different SSIDs.
  • Were you guys down?

    3
    0 Votes
    3 Posts
    977 Views
    F
    @cmb: Briefly, yes, for this site and some other things hosted out of Austin. NFS server problem. All that rain ;D
  • Multiple wan multiple lan

    3
    0 Votes
    3 Posts
    755 Views
    ?
    Another example would be the WAN DMZ LAN construction that comes nearly to the first explanation. You can also have more DMZ zones and different LAN zones, like WAN DMZ WLAN LAN, or in other directions and namings like WAN DMZ WLAN VOIP LAN, or whatever else was told before.
  • Recommendation for this network

    2
    0 Votes
    2 Posts
    696 Views
    ?
    Here's the scenario: a WiFi network for a university. About how many WiFi devices are we talking in that case? And I need to block content such as social networks and porn. And violence will be OK? But this should be your trail, so you could try to work it out with a proxy server as a caching proxy too. I have been researching and already know about the HTTPS problem with these sites, so I was thinking about a Squid proxy + SquidGuard or maybe a Squid proxy + Diladele. Could be a real chance to realize it right. I need to use a transparent proxy because many of the devices that will connect to the wireless network will be mobile devices, and in many Androids the WPAD configuration doesn't work. Also, many sites say that transparent proxies can't filter HTTPS and others say that they can, so I need help with this part. Nice HowTo
  • AutoConfigBackup questions

    2
    0 Votes
    2 Posts
    886 Views
    D
    @ktenney: "Newer version available Package is configured but not (fully) installed" Those two lines are the legend for the red and yellow coloured icons you might see next to a package. If the icons are black, they do not apply. You're not the first person to be caught out by this!
  • Advantage to separating SOHO and home networks?

    7
    0 Votes
    7 Posts
    2k Views
    ?
    What is the advantage to having a separate network/subnet for the home devices and another for the servers?
      increasing security
      finding and solving issues and failures faster
      being able to work with QoS to balance loads
    I can think of a couple of disadvantages:
      more knowledge is needed
      more work in normal for you as admin (not permanently)
      more or more expensive hardware in the LAN & DMZ (switches, APs, etc.)
    I assume that two separate switches would be required for this set up.
    Would be a real benefit for the entire network security and also for the entire speed too. All devices over more switch chips and routing CPUs.
    And what about directly accessing the servers from my laptop (ssh/scp for instance)?
    SSH or HTTPS would be common in that situation. You can create one or more VLANs for that use case, or one switch as the DMZ switch and another one as the LAN switch. With a viewing eye on inter-VLAN hopping, the DMZ is perhaps the better solution to realize it.
      VLAN10 private LAN devices: OpenLDAP on a Raspberry Pi or on a Minnowboard Turbot
      VLAN20 SSID "private" WLAN devices: RADIUS server on a Raspberry Pi or on a Minnowboard Turbot
      VLAN30 SSID "guests" WLAN devices: captive portal (pfSense)
      Web, Mail, FTP, Fax, and VOIP servers into the DMZ
    Together with Squid, SquidGuard, SARG, Snort, pfBlockerNG and other packages it will be able to secure and control your network for sure with ease.
  • VLAN using Public IP

    2
    0 Votes
    2 Posts
    556 Views
    ?
    I configured VLANs with a Cisco switch, and it seems to work using class C IPs. If this is done in the LAN it would be right. VLANs are also able to be configured on the WAN side, but this is more common with Internet accounts serving different services, providing TV, VOIP and Internet services that will be spread into VLANs from the ISP side. In your case it would be right to use private IPs internally. But when I use our public IP provided by the ISP it didn't work. WAN is directly connected to the modem. Internet --- public IPs --- WAN Port - pfSense - LAN Port --- private IPs --- Switch --- LAN devices. What do you want to realize in that case with static public IPs used internally? In normal or common use cases this is not really wanted by the administrators. You can either try to build a DMZ and place there the devices such as servers and/or devices for public access over the Internet. Or you will be able to set up the static public IP address on the pfSense firewall directly and then route and port forward them to the internal IP addresses of the servers in the DMZ. That would be more secure. But whatever you try to do or realize, you should provide more details about the entire use case and your network topology.
  • Help with PFSense as router, Engenius APs, Two SSIDs, different priority

    3
    0 Votes
    3 Posts
    1k Views
    ?
    pfSense Squid SquidGuard SARG Traffic Shaper Captive Portal FreeRadius pfSense DOCs limiters HowTo Squid & traffic shaping Cisco VLAN based QoS
    Install the WLAN APs and give them all a different static (fixed) IP address from another subnet.
    Create four SSIDs on each WLAN AP, 2x in the 5.0GHz band for guest & private and 2x in the 2.4GHz band also for guest & private. This can be different, like you need or want it to realize.
      create VLAN20 2.4GHz private radius certificates
      create VLAN30 5.0GHz private radius certificates
      create VLAN40 2.4GHz guests captive portal
      create VLAN50 5.0GHz guests captive portal
    Enable QoS priority for the VLANs as you want, and not per port please, at the switch and the pfSense firewall.
    All VLANs should be "tagged", based on the behavior of the multi SSIDs or more than one VLAN in use.
  • MonkeyWeb POST with too much data

    6
    0 Votes
    6 Posts
    2k Views
    ?
    Hmm ok, sounds good! Thanks for the information. I've done the upgrade on my machine, but I think it borked the box since most of my services are stopped and it still says "packages are being installed do not make any changes to the GUI". I might just have to do a fresh install, which doesn't matter really since I backed up my config, but it's strange that the upgrade didn't work. Thanks again!
  • Explanations on RTTsd

    9
    0 Votes
    9 Posts
    44k Views
    F
    Thank you all, now I understand the functioning. And a double thanks to dennypage for dpinger :) Fabio
  • 2.3 release -> Firewall rules not working

    5
    0 Votes
    5 Posts
    1k Views
    C
    @cmb: Seeing it blocked in the firewall log? Go to Diag>Tables and pick that alias from the drop down; does its contents look correct? Looking at the log, the firewall is not blocking… The table is correct. Rede_monitorada Table IP Address 192.168.5.1 192.168.5.2 192.168.5.12 192.168.5.251 192.168.5.252 192.168.5.254 I just made another test changing the IP of the monitor alias to 192.168.52.6 and 192.168.0.11 and it was as if I hadn't done anything; I still can ping and connect to other machines, except the .2
  • Remote Logging with encryption?

    6
    0 Votes
    6 Posts
    2k Views
    ?
    Normally you set up the pfSense and then, behind the pfSense firewall, you set up a syslog server that is collecting the syslog files from all switches, WiFi APs and other devices, including your pfSense firewall. A common way is then to create a VLAN with the syslog server inside and nothing else as a member, only able to connect from the admin console (your PC or laptop or Mac) or the admin PC. And then the syslogs will be stored there encrypted, so that no one is able to shorten them or delete lines that are revealing his illegal presence, perhaps, as an example. So you can be sure that if you see something inside of those files it is real and existing. If more than one device will be sending such log files to a logfile server, you should know that they should be on the same time, so an internal NTP server that is giving all your switches, routers and firewall exactly the same time is really useful. Otherwise, if something occurs, you must do a lot of math to be able to read and understand them. And at last it would be nice to set up a small firewall as a syslog server, so the first safety line is the separate VLAN (sniffing) and the second one is then the firewall with rules and perhaps Snort inside! Easy to deploy and use! A good job for older pfSense hardware, to give it a real second life for many years. And a decent HDD/SSD is cheap to get. But sending encrypted logfiles is not so common, and with what should it be decrypted when the firewall is or was compromised or failing?
  • Best security and user friendly hotspot experience

    2
    0 Votes
    2 Posts
    710 Views
    ?
    I use different methods for the auth. and also for different groups of users.
      wired private LAN clients over an OpenLDAP server (NAS)
      wireless private clients over a RADIUS server with certificates, without client isolation
      wireless guest clients over the Captive Portal with vouchers & with client isolation
    Each in its own VLAN.
  • Network configuration best practices?

    7
    0 Votes
    7 Posts
    4k Views
    ?
    (Work PC, Printer) VLAN10
    2. iMac, 7. Airport Time Capsule VLAN20
    3. AppleTV 1, 4. AppleTv 2, 5. AppleTv 3, 6. DirectTV, Xbox One DMZ or VLAN 30 or each in its own VLAN
    8. pfSense Box As it is.
    Netgear GS716T-300NAS Depending on the configuration and set up, and for sure all can be different and changed against each other (devices), it would be better in my eyes to go with 2 other switches, but much more according to that set up with a DMZ. Otherwise it can be really useful to go with one bigger switch that is capable of VLANs, QoS and really strong in performance, such as a D-Link DGS1510-20 or Cisco SG300-20, and without a DMZ but each in its own VLAN, and the switch is then routing the entire LAN workload. More cost for sure, but nearly wire speed for each device, and routing is done by the switch and not the pfSense firewall, to free it for other packets.
  • RRD Graphs Not Working After Upgrade to v2.3

    4
    0 Votes
    4 Posts
    1k Views
    C
    That's what happens when you have an auto-update URL hard coded to the wrong place (usually restoring a config from a 32 bit system where it was hard coded, to a 64 bit system later). If it's left at defaults, it'll never change architecture. System>Firmware, Updater Settings tab, uncheck "Use an unofficial server for firmware upgrades". Going forward, it's not possible to switch architectures once you're on 2.3.
  • QinQ not working

    8
    0 Votes
    8 Posts
    2k Views
    C
    This issue was resolved by making the changes in /etc/inc/interfaces.inc posted by stephenw10 here https://github.com/stephenw10/pfsense/commit/c821a915b1228ed734a6439d816d4ab04590e8cb After a reboot, traffic is now passing correctly across the QinQ VLAN.
  • Brick my 2.3 config?

    1
    0 Votes
    1 Posts
    672 Views
    No one has replied
  • Question about feasibility of proposed network

    Locked
    12
    0 Votes
    12 Posts
    2k Views
    A
    @Derelict: Not mentioned in that link is NetSpot for the Mac. You can conduct small surveys with the free version. http://www.netspotapp.com/ Thanks, but I have no access to Apple hardware. Jim
  • Syslog system?

    3
    0 Votes
    3 Posts
    1k Views
    K
    Hi, thank you for the reply. After yesterday's troubleshooting over and over, I first verified with syswatcher to see if I'm getting the logs, which I was, so as soon as I saw that I knew it was ELK the issue. As I thought, instead of looking over it I just formatted ELK, but instead of 5140 I changed logstash to 5144 and it's working flawlessly. Thank you again
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.