• Expanding DHCP-Range

    5
    0 Votes
    5 Posts
    708 Views
    J
    @johnpoz: yes.. ;) Ok, thank you very much.
  • Is this possible?

    7
    0 Votes
    7 Posts
    1k Views
    W
    @BlueKobold: Debian Linux on a small Raspberry PI 3.0 or on a Netgate Minnow TurBot and OpenLDAP on top or with nice graphical user interface (GUI) together with TurnKey Linux. TurnKey Linux & OpenLDAP Packet Radius Server 3.0 is announced to be coming as a packet for pfSense directly! The Captive Portal with voucher system will be able to be used for guest WiFi. So I need additional hardware?
  • Tagging WAN Interface Issues

    1
    0 Votes
    1 Posts
    530 Views
    No one has replied
  • PfSense untagged VLAN for Unifi UAP management

    5
    0 Votes
    5 Posts
    1k Views
    DerelictD
    No. Just managed layer 2. Any "web smart" switch should do fine. As long as it properly supports 802.1q.
  • Test firewall and Squid remotely

    1
    0 Votes
    1 Posts
    277 Views
    No one has replied
  • 2-5% constant packet loss WAN

    13
    0 Votes
    13 Posts
    2k Views
    P
    @AndroBourne: @johnpoz: Or just use unbound and let it resolve vs forward.  Now you have dnssec for sure and doesn't matter how shitty your isp dns is ;)… ...You're talking .6 of a sec vs .1 of a second - doesn't make much of a difference either way... It does matter, especially if his ISP DNS is having issues…. No it doesn't, resolver doesn't use his ISP's DNS at all, for anything.
  • WAN gateway stops working after packet loss

    10
    0 Votes
    10 Posts
    4k Views
    H
    @silverberg: Hi, did you find a solution for this? I've been having this issue for about a month but can't find a solution. I've even changed hardware. What have you tried and exactly what behaviour are you experiencing? As per my last post, the combination of changing monitoring IP and the Gateway Action have sorted it for me.
  • For porn site filter

    7
    0 Votes
    7 Posts
    4k Views
    ?
    would suggest you use Squid and Squidguard/Dansguardian. PFS on its own can't block addresses using aliases in firewall rules. And on top of this you may combine this with an OpenDNS account too!
  • 0 Votes
    7 Posts
    3k Views
    ?
    I would personally set up a DMZ if I have servers that need a permanent Internet connection or IoT devices that are sniffing my network and then snitching all home to the vendor server. It could be also a nice place for smart TV, game consoles and/or internet radios or many IoT devices, for sure that can be also done with an extra multimedia VLAN for sure, so nothing wrong with it if they are all not disturbing the rest of the LAN.
    I would divide the entire local area network into several VLANs and this by using a small switch either Layer3 or Layer2, as needed and/or wished. Cisco SG220/SG250 or SG350 series are here one of the best you can get your hands on, they are starting with 10 Ports and ending up with 48 port models, as you need it. This is based on my own opinion and nature and surely not a must be. If you need a switch you may get also the benefit from that, if your entire network load is too high, based on whatever, the switch is saturated and if this all will be connected to your firewall directly this one will be freezing!
    I would set up:
      pfSense 192.168.1.0/24
      VLAN1 - management VLAN - 192.168.1.0/24
      VLAN10 - IoT devices - 192.168.3.0/24
      VLAN20 - private wired devices - 192.168.4.0/24
      VLAN30 - office - 192.168.0.5/24
      VLAN40 - WiFi guest - 192.168.6.0/24
      VLAN50 - WiFi private - 192.168.7.0/24
      VLAN60 - children (each) - 192.168.8.0/24
      etc.
      wired devices over OpenLDAP on a small MinnowTurBot or Raspberry PI 3.0 with Debian Linux or TurnKey Linux
      wireless devices (guests) over the Captive Portal w/ voucher system
      wireless devices (private) over FreeRadius Server 3.0 w/ certificates
      OpenDNS Account if children are in that household and then matching to their age
    pfBlockerNG & DNSBL + TLD might be also nice to use, but a Squid Proxy with user auth. might be better together with SquidGuard & SARGE to get knowledge who is surfing where! (Children)
  • I need some help.

    4
    0 Votes
    4 Posts
    725 Views
    ?
    The VLAN will be untagged at the UniFi AccessPoint with 2 SSID. WiFi AP with one SSID is untagged and a WiFi AP with multi-SSID support must be tagged running. I would try out to secure the Guest WiFi named "Student" with the Captive Portal and vouchers divided in several different groups and the other WiFi network named "Staff" I would try out to secure with a Radius Server working with certificates. So the staff has its own WiFi (VLAN10) and security and the Guest WiFi (VLAN20) will be separated from that one.
  • Disable the Web GUI

    8
    0 Votes
    8 Posts
    5k Views
    A
    I agree with Blue. This is pretty much what DMZs are made for. Another thing you could do is create the DMZ. Put all your devices on the DMZ interface, then make a policy to block PFSense Web UI on the DMZ (best to put web ui on a custom port and just block that port on the DMZ). This should block PFSense Web UI from the DMZ side but with rules, you should be able to allow it on the local LAN only, at which point I'd do as you laid out earlier and create a management interface for that traffic. Another option would be to leave it enabled but force HTTPS and change the port number to something totally out of the norm. While it would still be enabled, it would be very difficult for someone to figure out what port it is on and pull it up. Just a thought.
  • [Solved] Port forward across OVPN tunnel not working

    3
    0 Votes
    3 Posts
    646 Views
    DerelictD
    That pretty much sums it up.
  • AutoConfigBackup issues..

    8
    0 Votes
    8 Posts
    2k Views
    jimpJ
    If you are still having issues, login to the portal and open a support ticket and someone can take a deeper look with you. Even though Gold does not include support access, if you have a problem with AutoConfigBackup they can help you get it working.
  • How do I find the version number of OpenSSL being used by HAProxy?

    4
    0 Votes
    4 Posts
    2k Views
    jimpJ
    If you want to confirm that definitively, then you can always check which library versions both haproxy and the openssl command you run link against, such as:

        [2.4.0-BETA][root@master.dw.example.com]/var/etc: ldd `which haproxy`
        /usr/local/sbin/haproxy:
            libcrypt.so.5 => /lib/libcrypt.so.5 (0x800995000)
            libz.so.6 => /lib/libz.so.6 (0x800bb4000)
            libssl.so.8 => /usr/lib/libssl.so.8 (0x800dcb000)
            libcrypto.so.8 => /lib/libcrypto.so.8 (0x801200000)
            liblua-5.3.so => /usr/local/lib/liblua-5.3.so (0x80166d000)
            libm.so.5 => /lib/libm.so.5 (0x8018a8000)
            libc.so.7 => /lib/libc.so.7 (0x801ad3000)
            libthr.so.3 => /lib/libthr.so.3 (0x801e6f000)
        [2.4.0-BETA][root@master.dw.example.com]/var/etc: ldd `which openssl`
        /usr/bin/openssl:
            libssl.so.8 => /usr/lib/libssl.so.8 (0x8008a2000)
            libcrypto.so.8 => /lib/libcrypto.so.8 (0x800c00000)
            libc.so.7 => /lib/libc.so.7 (0x80106d000)
        [2.4.0-BETA][root@master.dw.example.com]/var/etc: openssl version
        OpenSSL 1.0.2k-freebsd  26 Jan 2017
  • Dhcp failover with non-pfSense machine

    3
    0 Votes
    3 Posts
    638 Views
    H
    Well, I just realized when my dhcp server machine went down, that I have a lot of services redundant or in failover mode, but unfortunately not dhcp. So I was looking for an easy way to do it, and one option was the pfSense machine (where I quickly put up a dhcp server with another address range as a quick fix). Since I had that running, I wondered if I couldn't just use it on a more permanent basis. I understand from your reply, however, that the pfSense implementation was not meant for this. So I'll probably just take some other machine already running here. Yes, it's something you shouldn't need for a home setup. Unless you are the only one who can fix such things in a family, and if you're at the same time away frequently for days or weeks even. And leaving the family with no working IT is not always something they appreciate.
  • WAN interface keeps dying

    1
    0 Votes
    1 Posts
    408 Views
    No one has replied
  • [CLOSED] PFSENSE TROUBLE

    1
    0 Votes
    1 Posts
    416 Views
    No one has replied
  • ELF interpreter issue with WGXepc

    2
    0 Votes
    2 Posts
    451 Views
    W
    I'm a moron. There is a 64 bit version available here: fetch -o /conf https://sites.google.com/site/pfsensefirebox/home/WGXepc64 This should fix any issues in case someone Googles this.
  • Pfsense one nic build

    2
    0 Votes
    2 Posts
    700 Views
    S
    1: You should search the forum vigorously - this setup has been discussed for more than a decade, literally
    2: you wire your WAN to the switch, changing this port to some separate VLAN (so packets from ISP are marked with this VLAN), and on the port on which you connect your pfsense you should add this VLAN to tagged list.
  • Routing on standby pfsense stops working after a while

    4
    0 Votes
    4 Posts
    456 Views
    S
    Problem found! netstat -r revealed that an openvpn P2P tunnel was inserting some routes when it refreshed, and the static routes were getting overwritten.  Only affected the secondary.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.