• 0 Votes
    7 Posts
    689 Views
    johnpozJ

    On a side note - opening VNC, RDP to the public internet - not a very good idea!  If you need to remote to something on your network while you're away. VPN in.. Then remote to it.. Much more secure.

  • Multiple NIC ports with different VLANs or 1 NIC Port for all Vlans

    13
    0 Votes
    13 Posts
    6k Views
    johnpozJ

    "I will run at least 2 switches, maybe 3 if there aren't enough ports"

    Are these ports needed in the same area or are you going to run an uplink to another room/closet to have ports there, ie another part of the building?  If you need to start thinking about adding a 3rd switch because of ports in the same area - it's prob time to get a higher density switch..

    Or this does sound like a business with 10G and 24 port switches, etc. Then get stackable switches vs having to daisy chain them..  Also if you do need multiple switches off your core then uplink them to the core…  Avoid this...

    CoreSwitch -- switch -- switch

    You would do this

    switch -- Coreswitch -- switch

    I agree completely about the L3 switch if you need performance between segments if you do not need to firewall between these segments for sure!  But in a small setup it's also just easier if you need performance between devices to just put them on the same L2 if you're not worried about firewall..

    So if you have NAS and you have clients that need max speed to this NAS... it's much easier to just put them on the same network vs routing it at all be it at your firewall or some L3 switch.

  • MOVED: Disable CARP

    Locked
    1
    0 Votes
    1 Posts
    277 Views
    No one has replied
  • MOVED: pfsense won't recognize network card

    Locked
    1
    0 Votes
    1 Posts
    235 Views
    No one has replied
  • SSL Man In the Middle Filtering blocking slack bbm skype

    10
    0 Votes
    10 Posts
    2k Views
    R

    Also encountering the issue. Decided to just let go and set SSL/MITM Mode to Splice All for now..

  • PPPoe connection cannot reconnect after periodic 24h reset and CRASHES

    10
    0 Votes
    10 Posts
    4k Views
    ?

    How do the ISPs "reset" the connection for you all? (I might be getting impacted by something similar)

    How they do it in real I don't really know, but with more and more FTTH or FTTC accounts they will also give many
    IP addresses a very long lease time, that will be then no problem to connect the home network for many users, but
    all ADSL/ADSL2/VDSL/VDSL2 Internet accounts are affected by this behavior here in Germany.

  • How do you setup TFTP server

    2
    0 Votes
    2 Posts
    765 Views
    D

    Is there a kind soul that could help me getting started.

    My version is 2.3.4-RELEASE (amd64).

    I will use the solution for PXELinux, so what kind of files do I need.

    Thank you

  • Memory Leak Issue after Upgrade to 2.4

    17
    0 Votes
    17 Posts
    5k Views
    K

    On a bare metal install, had the same issue (though I noticed it as odd CPU activity).

    Slightly contrary to the notes on the Redmine ticket, I had "Host Resources" available on the GUI (and active before and after upgrade).  Unchecking it at Services -> SNMP and ensuring that SNMP has restarted fixed the issue for me.

  • Pfsense source based routing seems broken

    19
    0 Votes
    19 Posts
    1k Views
    DerelictD

    Right. I was saying it should accept none there, at least if it is possible to do an override like that in ISC dhcpd.

    That would be a feature request.

    Yeah, a static config of that single host seems like a workaround in your case.

  • Official Ubiquiti Survey! Which Gateway Do You Use?

    Locked
    4
    0 Votes
    4 Posts
    631 Views
    jimpJ

    Survey? That sounds more like a lead-generating form for their sales team, a convenient list of e-mail addresses for people who aren't fully committed to ubnt that they can target. :-)

  • Pfsense 2.4 - NRPE2 broken

    Locked
    5
    0 Votes
    5 Posts
    564 Views
    ivorI

    Yup, it's not broken.

  • ModSecurity

    2
    0 Votes
    2 Posts
    399 Views
    ivorI

    modsecurity package was available IIRC in 2.2. It's been gone for a long time.

  • Linutop mini-PC support

    4
    0 Votes
    4 Posts
    645 Views
    L

    @marjohn56:

    Only one NIC??

    How are you planning to run that then?

    with a dlink dgs 1100-8 … it is managed and I have used it before on another pfsense setup with 2 vlans, worked fine but it was a whole computer and I am trying to make it more compact with this mini-pc I already have.

  • Pfctl -s states like tail -f

    17
    0 Votes
    17 Posts
    1k Views
    T

    no updates?
    in linux there is conntrack -E command which does what I need
    no alternative for pfsense?

  • Pfsense 2.4 - Pkg installer broken on upgrade

    2
    0 Votes
    2 Posts
    401 Views
    GrimsonG

    @aloksinha2001:

    2.4.0-RELEASE (amd64)
    built on Tue Oct 10 06:43:01 CDT 2017
    FreeBSD 10.3-RELEASE-p19

    That installation is broken, the 2.4 release uses FreeBSD 11.1 not 10.3. Do a fresh install and restore a config backup, or reconfigure it by hand.

  • Need help with two WANs

    2
    0 Votes
    2 Posts
    285 Views
    ?

    At first on this topic, for sure you may be able to walk down the road as you need it or want it.
    You may be able to configure each WAN Port (Wan1 & WAN2) as a unique or single WAN interface
    and then you set up on the clients in the LAN the gateway for reaching WAN1 on some clients and
    the other clients will be getting the gateway address for reaching WAN 2 to have access to the
    Internet.

    But this might be killing all abilities that pfSense is serving you to get more out of both of your Internet connections.
    What if one gateway fails, and what if this is only for one day? Are you willing to change that again and again?

    Yesterday I changed my pfSense configuration. I added a second gateway (WAN1) to connect to the Internet from LAN1. WAN2 is for LAN2 and GLAN.

    What please is GLAN? And why are you not setting up two VLANs?
    Is there on each LAN port one LAN configured?

    The first thing I did was I added an interface and configured it as PPPoE (both of them are PPPoE). Then in the firewall rules I configured which interface to use which gateway.

    As stated above you may be able to set up each gateway as you want or must do, or in short on your own willing.
    But you can also get the chance to set up like all other with more benefit on top of this too!
    You have normally three well known load balancing methods and they are for spreading the packets, services
    or also different IP networks over two more WAN interfaces.

    Policy based routing
    This is what I would suggest in your and the most common situations

    Session based routing
    This more or less for many servers inside of an DMZ or LAN that must be connected.

    Services based routing
    This is more or less for routing the mail service over one gateway and the http stuff over another different one
    to spread the traffic over the right matching gateway or ISP.

    So with policy based routing you are able to tell the,  which packet should be running over which interface.
    And with one or two fail over rules on top, the entire traffic is running over one WAN interface because
    the other one was failing or plain not working due to a net split at the ISP or what ever.

    But then I ran into a problem. As you can see on one of the screenshots Gateway WAN1's Status is "unknown" and the other values are "pending".

    Would you please be so friendly and place them here inside of the forum in your thread?

    Is there any way to fix this? I thought, that this error comes up because both of them have the same Gateway-IP-Address.

    Each gateway has its own IP address and no two of them have the same! Over which the packets should be going
    outside to the Internet?

    I already tried changing the Monitor IP in Gateways, but then the Gateways show up as offline (I can still access the Internet). I can't change the Gateway-Address, as it is set to dynamic.

    ??? Could it be that you are confounding the public IP address and the WAN gateway address?

    I don't want any failover or load balancing, if that changes anything.

    Would you please tell us why not?

    I would suggest the following here:

    Read it slow and carefully but line for line and word for word:
    Multi-WAN 2.0
    Gateway Groups
    Policy based routing
    Gateway settings

    This might be bringing light into that behavior or case you are in. Please take the time of perhaps 30 minutes
    to read it, and that carefully and as said slow, then you would be having all you need to realize it.

    System -> Routing -> Gateway Groups

    Create a first group with description name "BALANCE", and set Tier 1 for both "wan's" and Trigger level to "latency or packet loss" [this for load balance]

    Create a second group, description name "Wan1 Fail Wan2 Use"  and priority set wan1 to Tier1 and wan2 to Tier2, set "Trigger level" to member down.

    Create a third group, description name "Wan2 Fail Wan1 use" and priority set wan1 to Tier2 and Wan2 to Tier1, set "Trigger level" to member down.

    Firewall Rules –> LAN, you need to create three new rules

    Balance rule
    Interfaces: Lan
    Protocol: ANY
    Source: LAN SUBNET
    Destination ports: ANY
    Gateway: BALANCE

    Failover rule
    Interfaces: Lan
    Protocol: ANY
    Source Address: ANY
    Destination ports: ANY
    Gateway: Wan1 Fail Wan2 Use

    Failover rule
    Interfaces: Lan
    Protocol: ANY
    Source Address: ANY
    Destination ports: ANY
    Gateway: Wan2 Fail Wan1 use

    Make sure to place them on top of the lan rules!

  • Do I need to do any additional config with AP

    7
    0 Votes
    7 Posts
    504 Views
    ?

    So where that rule is located is important. Screenshots would definitely help.

    me too here, I would consider that will be the right way to help out. Many users see what they
    were setting up but we all must imagine it, or digging it out the nose step by step.

    I have 3 Access Points (AP) which is plugged into our switch, which is plugged to our pfsense and internet cable is plugged into pfsense.

    Are they configured with one SSID only or are there more of them (SSIDs)?

    The previous guy before me have AP IP under pfsense -> firewall and under destination section he have selected 'LAN net' under type.

    Again are there also other SSIDs perhaps on top of this each in his own VLAN with his own IP address range?

    Is this required? our AP is plugged into switch which is a LAN network so I have to specify it again on pfsense?

    If he was setting up aliases for LAN, Guest and other SSIDs, it might be making sense but if not and
    only one SSID is in usage it can be also a "placebo" rule with no effect, or in plain a false rule.

    Am I missing something?

    VLANs in usage?
    How many SSIDs?
    Captive Portal in usage too?
    radius Server in usage too, but not in all VLANs or for all SSIDs?

  • Port forward to a DMZ, but terminate ssl connection at firewall

    1
    0 Votes
    1 Posts
    208 Views
    No one has replied
  • [fixed] Netgate SG-4860 started crashing with no apparent cause

    4
    0 Votes
    4 Posts
    443 Views
    johnpozJ

    You seem to have forgotten the close code bracket or it got cut off – your post is really really long ;)

    I see the start code bracket so if the end bracket was there code would have been in a smaller scrollable window..  I do believe.

    You might want to edit the post so future readers will not have to scroll down pages and pages to read the thread ;)

    Other option with such long amount of info would have been to attach txt file..

  • Wireless interface

    1
    0 Votes
    1 Posts
    325 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.