• Architecture questions (VLAN, Wifi, …)

    0 Votes · 14 Posts · 1k Views
    So I found https://github.com/TKCERT/pfFocus and whipped up a bbcode formatter … Here's what I actually have configured. (I need to submit the bbcode formatter to the author.)

    Outputting to stdout ...

    pfSense Version 15.8

    System

    | Option | Value |
    | --- | --- |
    | hostname | pfSense |
    | domain | private.xxx.xxx |
    | timeservers | 0.pfsense.pool.ntp.org 1.pfsense.pool.ntp.org 2.pfsense.pool.ntp.org 3.pfsense.pool.ntp.org |
    | timezone | America/Los_Angeles |
    | language | en_US |
    | dnsserver | |

    Interfaces

    | Name | Enabled | Description | Interface | Address | Subnet |
    | --- | --- | --- | --- | --- | --- |
    | lan | x | PRIVATE | igb1 | 10.20.20.1 | 24 |
    | opt1 | x | GUEST | igb1_vlan1000 | 10.10.10.1 | 24 |
    | wan | x | WAN_COMCAST | igb0 | dhcp | |

    VLANs

    | Name | Tag | Interface | Description |
    | --- | --- | --- | --- |
    | igb1_vlan1000 | 1000 | igb1 | |

    DHCP ranges

    DHCPd configuration for lan (PRIVATE)

    | Option | Value |
    | --- | --- |
    | enable | x |
    | defaultleasetime | |
    | maxleasetime | |

    Ranges

    | From | To |
    | --- | --- |
    | 10.20.20.101 | 10.20.20.254 |

    Static mappings

    | MAC | Address | Hostname |
    | --- | --- | --- |
    | 00:1c:2a:00:4c:64 | 10.20.20.2 | envisalink |
    | 80:2a:a8:4f:98:0a | 10.20.20.97 | unifi |
    | 90:02:a9:92:7b:42 | 10.20.20.98 | dvr |
    | 00:1d:c0:62:01:c0 | 10.20.20.99 | envoy |
    | 0c:c4:7a:30:17:f2 | 10.20.20.100 | tendo |

    DHCPd configuration for opt1 (GUEST)

    | Option | Value |
    | --- | --- |
    | enable | x |
    | defaultleasetime | |
    | maxleasetime | |

    Ranges

    | From | To |
    | --- | --- |
    | 10.10.10.2 | 10.10.10.254 |

    NAT rules

    | Disabled | Interface | Source | Destination | Protocol | Target | Local port | Description |
    | --- | --- | --- | --- | --- | --- | --- | --- |
    | x | wan (WAN_COMCAST) | any | wanip (WAN_COMCAST):25565-25566 | tcp | 10.20.20.100 | 25565 | Port Forward Minecraft |
    | | wan (WAN_COMCAST) | any | wanip (WAN_COMCAST):9418 | tcp | 10.20.20.100 | 9418 | Port Forward 9418 (git) to ssh |
    | | wan (WAN_COMCAST) | any | wanip (WAN_COMCAST):867 | tcp | 10.20.20.100 | 22 | Port Forward 867 to ssh |
    | | wan (WAN_COMCAST) | any | wanip (WAN_COMCAST):443 | tcp | 10.20.20.100 | 443 | Port Forward HTTPS |
    | | wan (WAN_COMCAST) | any | wanip (WAN_COMCAST):80 | tcp | 10.20.20.100 | 80 | Port Forward HTTP |
    | | wan (WAN_COMCAST) | any | wanip (WAN_COMCAST):993 | tcp | 10.20.20.100 | 993 | Port Forward IMAPS |
    | | wan (WAN_COMCAST) | any | wanip (WAN_COMCAST):1587 | tcp | 10.20.20.100 | 1587 | Port Forward SMTP Auth |
    | | wan (WAN_COMCAST) | any | wanip (WAN_COMCAST):2525 | tcp | 10.20.20.100 | 2525 | Port Forward SMTP for EasyDNS |

    Filter rules

    | Disabled | Interface | Type | IP | Protocol | Source | Destination | Description |
    | --- | --- | --- | --- | --- | --- | --- | --- |
    | | wan (WAN_COMCAST) | | | tcp | any | 10.20.20.100:9418 | NAT Port Forward 9418 (git) to ssh |
    | | wan (WAN_COMCAST) | | | tcp | any | 10.20.20.100:22 | NAT Port Forward 867 to ssh |
    | | wan (WAN_COMCAST) | | | tcp | any | 10.20.20.100:993 | NAT Port Forward IMAPS |
    | | wan (WAN_COMCAST) | | | tcp | any | 10.20.20.100:1587 | NAT Port Forward SMTP Auth |
    | | wan (WAN_COMCAST) | | | tcp | any | 10.20.20.100:2525 | NAT Port Forward SMTP for EasyDNS |
    | | wan (WAN_COMCAST) | | | tcp | any | 10.20.20.100:80 | NAT Port Forward HTTP |
    | | wan (WAN_COMCAST) | | | tcp | any | 10.20.20.100:443 | NAT Port Forward HTTPS |
    | x | wan (WAN_COMCAST) | | | tcp | any | 10.20.20.100:25565-25566 | NAT Port Forward Minecraft |
    | | lan (PRIVATE) | reject | inet46 | | any | opt1 (GUEST) | |
    | | lan (PRIVATE) | pass | inet | | lan (PRIVATE) | any | Default allow LAN to any rule |
    | | lan (PRIVATE) | pass | inet6 | | lan (PRIVATE) | any | Default allow LAN IPv6 to any rule |
    | | opt1 (GUEST) | reject | inet46 | | any | lan (PRIVATE) | |
    | | opt1 (GUEST) | pass | inet | | any | any | |
    | | opt1 (GUEST) | pass | inet6 | | any | any | |

    Syslog configuration

    | Option | Value |
    | --- | --- |
    | enable | x |
    | logall | x |
    | logfilesize | 1048576 |
    | nentries | 100 |
    | remoteserver | 10.20.20.100 |
    | remoteserver2 | |
    | remoteserver3 | |
    | sourceip | |
    | ipproto | ipv4 |

    Successfully outputted pfSense config as bbcode.
  • My first VLAN. Would this setup work? (graphics included)

    0 Votes · 11 Posts · 1k Views
    Many thanks for all this additional information! And apologies for not responding earlier. Had some account issues and my access has just been restored. I think I will try a hybrid model: use some VLANs on the LAN port, and set up the guest network on an OPT port. This will also allow me to play a bit with Squid and SquidGuard. If all goes well then I'll move some VLANs onto their own OPT port. Again, thanks for all the feedback.
  • Complete lockdown

    0 Votes · 6 Posts · 976 Views
    This looks like it might be a solution for you. https://superuser.com/questions/85536/securing-freebsd-in-single-user-mode I haven't checked that directory on pfSense myself, but being FreeBSD based it's worth checking out. Change the console line in /etc/ttys to "insecure" to signify that the machine is in a physically insecure location and require a password to enter single user mode.
  • Howdy prevent root login with ssh and yet allowing other users to login?

    0 Votes · 9 Posts · 2k Views
    johnpoz
    @deddric: So what's your opinion on exposing the webgui (on a port other than the default) to the internet? Never in a million years would I do that or suggest that to anyone.. If you "must" do it then it would need to be locked to a specific source IP that is in your control.
  • Recovering Wordpress link from pfsense

    0 Votes · 17 Posts · 2k Views
    @Jailer: If you have it set up with a domain name then you won't be able to access it locally without NAT reflection. WordPress is rather finicky about that. I misunderstood your post and thought you had it running locally on your LAN and not exposed to the internet. Your port forward needs a little work. Change the destination to WAN address and your redirect target IP should be the local IP of your WordPress installation. Do the same for HTTPS and you should be all set. You sir… are a magician. Now my main site works!!!!!!! I just have to figure out why my 2nd site doesn't work.. since it's just the same link with "wedding" as the host name. I'll have to see what else I need to change.
  • No Internet Access From OPT1 Interface

    0 Votes · 5 Posts · 4k Views
    There is a problem like this.
  • Redirect dns traffic to local dns server

    0 Votes · 16 Posts · 8k Views
    What I would do is create a separate internal network with your DNS server. Create a separate network with a /24 netmask. Ideally, physically separate it from your main network. As others have suggested, you can hijack the port 53 forward packets to your DNS server in your separate network. Do you have an available network interface in your pfSense router?
  • Load Balancer Fails with HTTPS; Goes To Management Page

    0 Votes · 2 Posts · 376 Views
    You probably want to change the WebGUI port to something different. (it binds to all local addresses… including the VIPs)
  • WAN connection dies during large Dropbox sync

    0 Votes · 5 Posts · 526 Views
    I agree with the Realtek assessment. I was running a pfSense box that would freeze up randomly. Root cause: Realtek chipset on one of the NICs. Replaced the Realtek chipset and it's been rock solid since.
  • SSID integration with Fortigate 600C and pFsense

    0 Votes · 2 Posts · 279 Views
    Is this a question or a statement?
  • VLAN Not Routing Traffic

    0 Votes · 12 Posts · 1k Views
    Derelict
    Glad you got it sorted out.
  • Static Route filtering

    0 Votes · 10 Posts · 3k Views
    Derelict
    Thanks very much for letting us know. Glad it's sorted out.
  • Pfsense dns options (for my requirements)

    0 Votes · 1 Post · 308 Views
    No one has replied
  • Best way to route all traffic thru VPN provider?

    0 Votes · 1 Post · 337 Views
    No one has replied
  • Pfsense routing localhost through wan despite rules

    0 Votes · 2 Posts · 1k Views
    Derelict
    Outbound NAT has nothing to do with where traffic is routed. It only determines what translations happen when such traffic is already routed out that interface. What you are seeing has absolutely nothing to do with the introduction of Hybrid Outbound NAT mode despite your conclusions. If you are policy routing over the VPN then traffic sourced from the firewall itself is not subject to policy routing because it never enters the interface with the policy routing rules on it. If you are accepting a default route from the VPN provider then traffic sourced from the firewall itself should follow that route while that VPN is up.
  • MDNS getting blocked for wireless devices on separate VLANs

    0 Votes · 7 Posts · 3k Views
    stephenw10
    It may take its settings only when it's started, in which case enabling it afterwards will not have any effect. It's hard to say what the issue is there. Maybe run a packet capture to look at what's happening. Devices that don't allow you to enter the IP of the resource always seem like the result of lazy programmers to me, relying entirely on auto-discovery. Steve
  • L2TP VPN

    0 Votes · 1 Post · 399 Views
    No one has replied
  • How to setup pfsense with ISP router and HP2920 switch

    0 Votes · 5 Posts · 539 Views
    My pfSense box is now set up properly (I guess). I edited my original post. I am now facing only one problem with the VLAN on the HP ProCurve 2920 switch. I do not know if it belongs here but you might be able to help me :) I have a default VLAN_DEFAULT with ID 1 on the switch with untagged ports 1-4,25-48. The pfSense box is connected to port 48. Then I have the VLAN with ID 10 with untagged ports 5-24 for computers. When I connect my laptop to port 1 for example, the default VLAN, I have internet and can ping all VLANs. When I connect my laptop to port 5, however, I get an "unidentified network" with "no internet" on my laptop. Do I have to add a NAT rule or similar on pfSense to get this working?
  • Serial Console stuck at Bootup Complete after factory reset

    0 Votes · 2 Posts · 3k Views
    Derelict
    No, that procedure works. You might have been experiencing some extra-special fs corruption.
  • NTP widget not keeping correct time

    0 Votes · 4 Posts · 993 Views
    FWIW, I am having exactly the same NTP widget issue. I will try clearing my Firefox cache to see if that fixes things. Thanks for the suggestion.

    Update: Clearing the cache and reinstalling the widget had no effect, the issue remains.

    Update 2: Chrome does not suffer from the problem. Chrome keeps perfect time. My Firefox installation continues to suffer, however. Cheers, Pete
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.