• Preventing MAC address spoofing
    0 Votes | 5 Posts | 2k Views
    johnpoz:
    Network Access Control (NAC)... Also called PNAC, Port Network Access Control.. Take a look at PacketFence as a way to run this on your network.
    "I want to control who is able to connect to my Ubiquiti AP via mac."
    That is just stupid.. As you already understand, mac spoofing is so easy anyone with access to Google could figure it out.. This is why you would AUTH to get on your wifi.. I.e. the PSK would need to be known, or you could get more advanced and use enterprise with the need to auth with username/password - or better yet EAP-TLS, where they also need a certificate assigned by you to that device, etc. etc.. Mac filtering can be used for, say, a control method of saying the kids' tablet can not connect between the hours of 10pm and 7am or something... But it's not actually a valid security method. Require your wireless devices to auth, use a strong PSK and do not share it with people you do not want to access. If you want user A that has your PSK not to be able to connect device X.. Then use another control method other than mac address if you're worried about the user also spoofing the mac address and they know the PSK or other EAP method.. For example you could require EAP-TLS that is tied to the device. Most of this is outside the realm of pfSense to be honest.. While you could run the freeradius package on pfSense to provide better means of authing.. While you can do stuff with static ARP and captive portal to control via mac on pfSense, it is a L3 firewall.. And while captive portal and static ARP can be used as a control method for mac address.. It can not prevent spoofing of a mac that is allowed. Look into 802.1X as a way to auth a client other than by mac address. I use the freerad package and EAP-TLS to auth to my trusted wifi network.. Only devices that have a cert issued by me can auth to this network.. Now in theory if they had a second device, they could export this cert and install it on a 2nd device, etc. But this is much more involved than just spoofing a mac..
    And if the device is a work device, they would have to have the appropriate permissions on the device to export it to put on a personal device - which they should not have, etc. But no matter the method of the auth, if a user has it - be it a PSK, username/password, mac address, cert, etc. It can be difficult to control them from using that on another device. You could look to 3rd party supplicant software that would auth to your 802.1X controls.. So they would also need to be able to install this software on their device to be able to auth.. This agent would also be controlled by you and only installed on devices you want to allow on the network, be it wireless or wired even.
  • Bridge physical interface and VLAN
    0 Votes | 7 Posts | 533 Views
    Ok.. here is the scenario. I have one main subnet called LAN0 (192.168.1.1/24). This network has its own server (192.168.1.3) and ISP (192.168.1.1). I want to segment this network in two, creating a VLAN2 where I want to create a transparent bridge that will be used to reduce the communication VLAN2 --> LAN0 but leaving full communication in the opposite direction (LAN0 --> VLAN2). Moreover, on this network, I want to add two independent networks: MUSUX (VLAN62) and OUTSIDE (VLAN42). In this case the DHCP server is supplied by pfSense. The first one, MUSUX, will have access to all internal networks (LAN0 and OUTSIDE) and to the internet, whereas the OUTSIDE network will only have access to the internet. For this reason I designed three independent networks and pfSense will route through its firewall the connections between networks according to the rules explained above. Here is a simplified network chart: [image: image.png] I hope this gives you a clearer scenario. Thanks for your help.
  • Interesting issue regarding VGT & VST VMware vmxnet3 configs with VLANs
    0 Votes | 2 Posts | 486 Views
    kiokoman:
    System / Advanced / Networking: have you disabled hardware checksum? Is the Open-VM-Tools package installed on your pfSense? Right now we only know that it's not working, so let's start from the basic steps. I'm on ESXi 6.7u3 and I have more or less the same configuration but I don't have this problem. I'm using vmxnet3, all my vSwitches are tagged with 4095 and they physically go to a Cisco switch, if it's not something specific to 6.5..
  • Inter-VLAN traffic Client Isolation
    0 Votes | 14 Posts | 1k Views
    Thanks everyone, I've got it sorted out. Did as I explained in my previous post and added allow rules under every VLAN, then it started working. Still doesn't explain the firewall logs showing green for passed while it wasn't the case.
  • Public IP behind pfSense via bridge
    0 Votes | 3 Posts | 198 Views
    If you already have NAT configured for the others, did you look into 1:1 NAT (https://docs.netgate.com/pfsense/en/latest/book/nat/1-1-nat.html), which forwards all traffic for the public IP to that private IP? Or does the VPN device actually require a public IP address in it?
  • Ring Doorbell Pro, VLANs, and DNS
    0 Votes | 9 Posts | 2k Views
    @viragomann I made the recommended changes to my VLAN3 firewall rules and once completed, I re-ran setup for my Ring Doorbell Pro... Seems to be working correctly now!!! I suspect in my many iterations of changes, I had not re-run setup on my Ring Doorbell Pro and it may have worked straight away had I just restarted it... Thank you so much for your help!
  • Netgear/Vlans/Pfsense
    0 Votes | 58 Posts | 12k Views
    @johnpoz said in Netgear/Vlans/Pfsense: "Who makes this card exactly??? 6c:b3:11 does not show up as vendor .. ipolex?"
    Not sure how accurate this information is, but a Google search shows that his NIC is made by the following company in China. Never heard of them. Maybe this NIC is not compatible with FreeBSD 11.x?
    Company: Shenzhen Lianrui Electronics Co.,Ltd
    Address: Block C4 XinTang Industrial Park Baishixia FuYong Town BaoAn District Shenzhen Guangdong 518000 CHINA
    Range: 6C:B3:11:00:00:00 - 6C:B3:11:FF:FF:FF
    Type: IEEE MA-L
  • WAN ports isolation
    0 Votes | 1 Post | 149 Views
    No one has replied
  • Upload poor - suspect duplex but no option to change on WAN
    0 Votes | 6 Posts | 687 Views
    JKnott:
    @tpit 100 half? That sounds like a cable problem. If you can ssh to it, see what ifconfig shows. Here's my WAN interface:
    media: Ethernet autoselect (1000baseT <full-duplex,master>)
    That's what it should look like.
  • Strange VLAN ICMP thing on Hyper-V (only pfSense not replying)
    0 Votes | 17 Posts | 2k Views
    I just saw this, maybe related?: @kiokoman said in Allowing ICMP/Ping From WAN to Machine On LAN for Ptunnel: "I tested it and it works for me, what machine is it? Windows? If it's Windows maybe you need to do this https://forum.netgate.com/post/895254"
  • Questions regarding VLANs
    0 Votes | 24 Posts | 1k Views
    Okay so it was actually an issue with the Windows PC, it's now all working. I now have 4 networks:
    LAN 10.0.0.0/24
    IOT 10.0.50.0/24
    PRIV 10.0.60.0/24
    GUEST 10.0.70.0/24
    It's working as intended across ethernet & wifi, and I can configure firewall rules to allow/block traffic between the nets. I've even managed to get mDNS/Apple AirPlay from the PRIV to the IOT network working. However, the last remaining issue is with the VPN. I set up an IPsec VPN a while ago, and while it still works, it lets me only access LAN (10.0.0.0/24), but none of the VLANs. I tried googling for a solution, however nothing I've tried seems to work. I tried adding a second phase 2 with the IOT network, however it does not work. This is the VPN config overview: [image: Z2XoVc3.png] And in the firewall I have: [image: BYGxKH7.png] What do I have to do in order to reach 10.0.50.0/24 from a mobile IPsec client?
  • What's the best network setup for a group of devices?
    0 Votes | 19 Posts | 2k Views
    johnpoz:
    What do you mean you can't add them.. Sure you can.. Post up the screen where you're trying to add them, and what errors or whatever is keeping you from posting them.. Here.. example: [image: 1583204542052-rules.jpg]
  • Separate IPTV from WAN
    0 Votes | 2 Posts | 477 Views
    I ran into something slightly similar with USG (before moving to pfSense) - the ISP had given us one of those combo units, and the TV worked through MoCA (not sure if this is what you mean by IPTV), which was entirely not compatible with USG (at that time). Got a dedicated modem, no wifi; USG was still the gateway after that for a while (until I started wanting more functionality that UniFi just does not offer). To my point, our cable TV would not work after switching to modem only. We ended up having to replace the cable boxes as they entirely relied on MoCA (edit, additional: the new modem did not have MoCA). I'm guessing you want to add VLAN tags to pfSense interfaces to get it to pass through in a sense? My knowledge on VLANs specifically isn't that high up, but from what I understand, you'd likely want that VLAN tag to be allowed on WAN, and also on the port connecting/facing your UniFi? I feel like I'm missing something, but hope this helps.
  • Traffic blocked on bridge interface
    0 Votes | 1 Post | 102 Views
    No one has replied
  • pfSense VM VLAN UniFi AP - Not getting IP
    0 Votes | 1 Post | 197 Views
    No one has replied
  • Device not getting IP from DHCP - VLAN misconfiguration or what?
    0 Votes | 16 Posts | 2k Views
    johnpoz:
    It's not being used as a tag.. It's what you set in ESXi to let it know not to strip tags where you set the VLAN ID in the switch... It just puts it in a special trunk mode.. You don't actually use the tag anywhere else.
  • no DHCP on VLAN
    0 Votes | 2 Posts | 364 Views
    The logs also show DHCP discover and offer (on the correct VLAN) but then it loops over again and again - it never gets the request or ack.
  • 0 Votes | 3 Posts | 790 Views
    JKnott:
    @detox If I'm reading your description right, you've got only VLAN 10 going to the AP. You need a trunk port that carries all VLANs. Also, I don't see how you could get staff to work on the AP, as you don't seem to have a connection for the native LAN to the AP. BTW, some TP-Link switches have problems with VLANs and I believe the fault may allow the native LAN to get through where it's not supposed to. This may be how the staff LAN is getting through.
  • 0 Votes | 23 Posts | 5k Views
    @mohkhalifa said in pfSense on ESXi | Best Practices: "problem SOLVED after 'Disabling hardware checksum offload'"
    Awesome. I poked around on a few of mine and didn't find any with that enabled. Mostly Dell hardware here. Good find.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.