• Network goes down when ports are opened

    0 Votes
    7 Posts
    1k Views
    Thank you so much for your reply! I did what you said, and now the network is cleaner. Unfortunately I'm not able to put our ISP gateway in any sort of "Bridge mode", but the DMZ setting on it is set to my pfSense box (so the ISP router will stop blocking ports) and I set up a static IP address on the adapter that is facing the ISP router.
  • PfSense is causing a massive massive DHCP Flood on WAN

    0 Votes
    10 Posts
    3k Views
    @j@svg: Anyone know the name of the DHCP relay daemon? dhcrelay. Worth checking whether that's running, though if it's not configured under Services>DHCP Relay it won't be. Even if it is, it can't loop things endlessly in a properly set up network. Not a bad next step in trying to figure out how the requests are being forwarded at all.
  • WebConfigurator

    0 Votes
    7 Posts
    2k Views
    @2chemlud: To me this "feature" is absolutely counter-intuitive. If you want to block access to the pfSense from a local net, e.g. OPT1 or LAN, completely, I guess lots of people miss this point. It should be locked from the very beginning (GUI not listening on the WAN IP until further notice).
    Yeah, there has been discussion about this before. People might try:
    - Add a separate management OPT1 interface with pass all.
    - On the workplace LAN delete the anti-lockout rule, put a block rule at the top that blocks anything to destination LAN IP (thus blocking webGUI, SSH…).
    - Have effectively pass all on LAN after that.
    They think they have blocked webGUI access from LAN, but actually LAN users can get to webGUI on WAN IP or OPT1 IP. In pfSense 2.2 there is "This Firewall (self)" that can be used in rules (e.g. as destination for a block). Using that will block out all webGUI access to all interfaces.
  • Monitor total data usage by Mac address

    0 Votes
    3 Posts
    1k Views
    NTop or NTopNG can give you these general stats for any devices connected through the firewall. You can install them in the Packages section.
  • Lan / Wan IPs

    0 Votes
    20 Posts
    4k Views
    johnpoz
    How do you have these indoor APs mounted at a beach? They must actually be inside structures?
  • Gateway monitor shows very high ping time

    0 Votes
    4 Posts
    864 Views
    @stephenw10: What do you have it set to ping there? <1ms pretty much means it's something local, in which case apinger can't do its job properly. Set it to monitor some external address so you know when your WAN connection goes down, not just when your modem stops working. Steve
    It's the address of my modem. The point isn't what I am monitoring but the different result I get. I understand that this function is broken.
  • 0 Votes
    5 Posts
    2k Views
    Thanks for your clarification. That helps. Have a nice day :)
  • Why get a leased line?

    0 Votes
    7 Posts
    1k Views
    jimp
    The part you're paying for isn't necessarily the uptime, it's the mean time to repair. You'd be surprised how long even a "five nines" uptime can be down when that's averaged out over a year. If your cable line does go down, how long do they typically take to fix it? What is the time stated in the leased line SLA for repair? An example here in the States: a cable line could be down for days depending on how busy the cable co is and how much yelling is done. A leased line is typically repaired in less than 4 hours, but in either case it depends on the nature of the problem. If someone cuts a line with an excavator it's typically going to be down longer than if it's a bad card or other easily solved issue. If you can handle a bit of downtime in either case, then the extra cash for the fancy SLA may not be worth it. If you can get lines from different providers that enter your building from different wire paths, that's even better for redundancy. If the telco provides both the leased line and the ADSL, then odds are if one goes down, they both go down, but if you have a line from cable and another over phone lines then odds are one will remain up. And not that it's relevant in your case, but even on a leased line between two sites, you'd still want to encrypt the traffic. Best practice (and by some standards, a requirement) is to encrypt anything that leaves your location and the network you physically control. Even if the line is "private" it's still equipment that could be compromised, either unknowingly by a third party, or willingly, as in a telco granting access to a government agency.
  • Outgoing data being routed to OpenVPN Client Connection

    0 Votes
    12 Posts
    2k Views
    Derelict
    Just learned: Note that if you're on 2.2 there's now a checkbox "Don't Pull Routes" that adds route-nopull for you. Ignore the description on 2.2 - the descriptions for those two similar options are flipped. Fixed in 2.2.1. https://redmine.pfsense.org/issues/4273
  • No internet access through pfSense

    0 Votes
    19 Posts
    10k Views
    johnpoz
    So when you connect your D-Link and it gets a public IP, disconnect it and reboot your modem (if it has battery backup on the modem, pull the battery), then connect pfSense or a client. Does it work then? Quite often when you change a device connected to a modem you have to reboot it to clear the MAC cache on the modem. And I do believe from what I read on that device you have to be connected to port 1 to get the public IP. You can use pfSense in double NAT if you can not get bridge mode to work. But if it works with the D-Link then it should work with anything. Unless for some reason your ISP has it locked to the MAC of the D-Link - if that is the case you can try cloning the MAC of the D-Link. [image: spoofmac.png]
  • DNS Question

    0 Votes
    3 Posts
    816 Views
    Thanks for your help, I will take a look at that!
  • Simple Question

    0 Votes
    5 Posts
    1k Views
    Interfaces->Assign - add the OPT1. Enable OPT1 with some other static IPv4/netmask. Put rules on OPT1 like:
    - block source any destination this firewall
    - block source any destination LANnet
    - pass source OPT1net destination any
    If you want to stop LAN devices reaching OPT1, then put a rule at the top of LAN to block source any destination OPT1net.
  • Custom compiled packages

    0 Votes
    1 Posts
    409 Views
    No one has replied
  • Bandwidth usage, and top sites visited

    0 Votes
    5 Posts
    1k Views
    Untangle works like a charm! Thanks a lot. Of course looping my vSwitch was a part of my setup, so I had to tweak it a bit after advice on the Untangle forums :)
  • Traffic shaping question

    0 Votes
    2 Posts
    678 Views
    Derelict
    It all really boils down to being able to match traffic with rules. In most cases you do one of three general things:
    - Put all traffic in the default queue and put certain traffic in priority queues.
    - Put all traffic in the default queue and put certain traffic in penalty queues.
    - A combination of both.
    My advice: start simple, get familiar with how it works, then add targeted rules and queues to solve specific problems. In your example I would suggest the first option because your mail traffic should be pretty easy to identify with floating rules and put in a priority queue. Everything else would yield to that traffic if present. With 65 users and 2.5Mbits total I would imagine your usage is pretty much maxed a lot of the time. Shaping should help but the real answer is probably a bigger pipe.
  • Wake on LAN to different VLANs

    0 Votes
    21 Posts
    10k Views
    @Cletus: Because it's been sent to that special IP it will go to the ff:ff:ff:ff:ff:ff and therefore it will be broadcast to the correct subnet, right?
    Correct. As for sending to x.x.x.255 rather than x.x.x.254, that may or may not work. It depends on whether pfSense will route an IP broadcast between local subnets. The reason I use x.x.x.254 is that it can be NAT port forwarded through the firewall from external internet sources, whereas x.x.x.255 cannot. At least not in previous versions of pfSense.
  • Guest LAN - what ports to open?

    0 Votes
    7 Posts
    1k Views
    KOM
    It also depends on what you mean by 'guests'. Personal friends in your house, or paying customers at the villa?
  • MOVED: Proxy reports (light squid)

    Locked
    0 Votes
    1 Posts
    370 Views
    No one has replied
  • Bandwidthd reports

    0 Votes
    1 Posts
    429 Views
    No one has replied
  • Line quality measurements

    0 Votes
    5 Posts
    999 Views
    Just restart Apinger. Changing the IP would restart Apinger.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.