USB to Ethernet Adapter NOT working
- 
 I dont like this trial and error. That's how you debug networks, but you can do it in a methodical fashion. You don't have to guess. Start at layer 1 (the physical link itself) and work your way up. Is there link? Is the interface up/up? Can you ping the other end of the link? No? Does it allow pings? Do you get an ARP entry for the destination IP? Can you ping outside the network? say ping 8.8.8.8? Can you resolve DNS names? Use proper tools for this like dig/drill or nslookup if you have nothing else. If all that works, you are generally good to go. I, personally, think your USB ethernet is working and you have a DNS problem. What are the DNS servers for the windows host in that screenshot (ipconfig /all) 
- 
 I just got done doing 125 VLANs and I'm waiting for another machine to be delivered to set that one up as well. I'm on my way to the office right now. So i will try those things when I get there. All the VLANs I have on this machine I just need to change their names, I need about 75 for this one and about 150 for the next. Which is why I'm trying to learn this stuff now. Because I also know that in like 4 months there are 4 more that I will have to do. And as far as the time in between, who knows. 
- 
 so when i got into the office this morning, i swapped the wires on the machine, so the the ethernet port was going to the router, and i pinged google.com and it worked perfectly, but i wasnt getting a response from the LAN side of it (at that moment i had LAN set up as ue0, the USB ethernet). So to ME, that says that it isnt a DNS problem, that its gotta be the adapter. Anyone else agree? 
- 
 OK. This is why I don't use USB ethernet. 
- 
 The mcahine im setting up only has one ethernet port, so its the only option i really have, i cant run both WAN and LAN through the same because there would just be way to much traffic for that. Trust me, if i had the option to pick the machine im setting up, it wouldnt be this one. but this is what my boss has me setting up, and that is why im here, for support on my problem, not to hear that this is why they dont use usb to ethernet adapters. So any HELP with my current situation would be greatly appreciated. Sorry if im coming off as a jerk, but it seems as though im getting nowhere on this project. 
- 
 So, I just picked up a Belkin F4U047BT, i plugged it in and rebooted the machine, and everything works. 
 OMG so excited.
- 
 Nice! :) That's really the problem with USB ethernet adapters, with FreeBSD at least. One adapter gives endless trouble but looks like it should work. Another just works first time. There's no way to know in advance what an adapter might do. Manufacturers change chipset or fimrware versions frequently and don't label anything. Don't think you're out of the woods yet though. Give it a few days/gigabytes to crash. ::) How much traffic are you putting through it that you can't put the WAN on a VLAN but can use USB? Steve 
- 
 Just wondering - How much did that USB NIC cost you? 
- 
 Im not exactly sure how much traffic will be on it, like i said earlier, my boss says do this, and i do it. 
 It costed $30 at BestBuy, i know that they are cheaper online, but its something i needed ASAP
- 
 Tell your boss USB ethernet adapters suck. It you want to be a multi-tenant ISP, be one. If not, don't. 
- 
 Derelict is right. USB Ethernet adapters suck. Even when you get them to "work" they still suck USB solution isn't cost effective. Even after you have gotten this up and running, it still would be best to scrap it and make a proper pfsense than to use this one. If you lived in a hut somewhere on the Serengeti Desert and only made $100ish a month, then I'd say its ok because its all you can manage. A cheap old computer with a free PCI port + a Gigabit NIC to put in it cost about what you paid for the NIC. It doesn't even matter if you get a USB solution functioning, its rarely if ever the right way to go. 
- 
 I see USB's command some negativity, but I've yet to establish anything susbstansive and upto date regarding them. Of the pfsense threads I read, most appear to be relevant to USB1 and the introduction of USB2, namely the USB2 doesnt provide the 480Mbps speeds, but with USB3 and continued development since USB2 was introduced, I'm not seeing any new complaints as various chips on the motherboards as well as usb nic have improved. I've managed to find just one bug related to the USB/Ethernet I use (ax88772), which consisted of a script which constantly enabled/disabled the usb adapt until it eventually stopped responding, but eventually this came down to a fault elsewhere in the network with a different manufacturers card nic, in effect the USB nic was the recipient of someone else's bug. That type of bug/situation is quite common in software development & hardware support, usually down to standards not being adhered to properly, which means in some instances some hw configs will just never work and/or some sw / hw configs will never work. I'm just trying to be as informed as possible about the hw I'm already using as my mileage has been good since pfsense v2.1, sure I had problems with pfsense 1.2 and usb adaptors but that was freebsd8 (iirc) which is some time ago interms of development. So what are the problems which are supposed to affect usb nic's? TIA. 
- 
 The biggest bug that all the USB NICs have is that they are not Intel PCIe NICs (-: I'd say that Intel PCIe NICs are the best and USB is the worst. USB is what you use when you have no other choice and are out of money, in which case, I'd say its better than nothing. In your case, I'd recommend using your 1 built in NIC and a cheap VLAN switch. 
- 
 OP must already have a VLAN switch since he has many VLAN interfaces defined. Just make one more for WAN and move on. Now that that's solved, speaking of all these VLAN interfaces, are all these tenants really going to trust you to do their firewalling for them (I know I wouldn't. Nothing personal, it's just a "no way" no matter who it is) or are they going to all have firewalls of their own? 
- 
 I shy away from any network equipment like nics & switches which come with remote management facilities, they attrack hackers no end and its often hard to even tell if someone is in management mode due to the need to not interrupt operations. A usb nic often has no fancy remote access/management/whatever so should be less to worry about. I'm happy with the speed but I cant get fibre where I am for another few years. However I could use usb nics to control access to the pfsense box like a physical key. I could assign a fixed ip to a usb nic based on its arp/mac id, add a rule to allow access to pfsense from the usb nic, block access to pfsense from everywhere else and that should make pfsense a little more secure in a different way. I could have a second usb nic and repeat the above steps for a backup measure. Provide the nic comes up automatically and works as required, that would make securing pfsense a novel way with a physical key and a password effectively giving you a sort of two form factor authentication. I couldnt do that with intel nics or any other pci-e nic could I? ;) Edit. Possibly 3rd form factor authentication, if pfsense can tell what USB port its plugged into if a choice of usb ports exist. 
- 
 I could use usb nics to control access to the pfsense box like a physical key If you mean you could remove the USB NIC and only connect it when required then no, no you can't. 
 If you remove a NIC that is configured and assigned in the config file then the next time you reboot you will be dumped at the initial interface assign prompt. That is a problem with any easily removable NIC, if it's accidentally removed then the result can be very bad.Steve 
- 
 USB NIC as a security dongle. Now I've seen everything. 
- 
 I shy away from any network equipment like nics & switches which come with remote management facilities, they attrack hackers no end and its often hard to even tell if someone is in management mode due to the need to not interrupt operations. That's what management VLANs and firewall rules are for. A usb nic often has no fancy remote access/management/whatever so should be less to worry about. Neither do "real" NICs. However I could use usb nics to control access to the pfsense box like a physical key. I could assign a fixed ip to a usb nic based on its arp/mac id, add a rule to allow access to pfsense from the usb nic, block access to pfsense from everywhere else and that should make pfsense a little more secure in a different way. Except that anyone who wants in can get in by spoofing that MAC. I could have a second usb nic and repeat the above steps for a backup measure. You'd probably need one. Provide the nic comes up automatically and works as required, that would make securing pfsense a novel way with a physical key and a password effectively giving you a sort of two form factor authentication. I couldnt do that with intel nics or any other pci-e nic could I? ;) Edit. Possibly 3rd form factor authentication, if pfsense can tell what USB port its plugged into if a choice of usb ports exist. With proper network design and firewall rules this is all a non-issue. My users cannot get at my pfSense interface, switch management interfaces, AP management interfaces, etc. And, no, I don't have any USB NICs on my network. 
- 
 Ah, wait I see, you mean use the USB NIC at the client end to provide a different MAC? As Derelict points out, probably easier to just spoof the MAC to something else when you want access. But no real additional security anyone could read the MAC and spoof it. If you're concerned about access from internal networks then setup a VPN server and put rules in to only allow access to the webgui from VPN connected clients. Steve 
- 
 I shy away from any network equipment like nics & switches which come with remote management facilities, they attrack hackers no end and its often hard to even tell if someone is in management mode due to the need to not interrupt operations. That's what management VLANs and firewall rules are for. A usb nic often has no fancy remote access/management/whatever so should be less to worry about. Neither do "real" NICs. However I could use usb nics to control access to the pfsense box like a physical key. I could assign a fixed ip to a usb nic based on its arp/mac id, add a rule to allow access to pfsense from the usb nic, block access to pfsense from everywhere else and that should make pfsense a little more secure in a different way. Except that anyone who wants in can get in by spoofing that MAC. I could have a second usb nic and repeat the above steps for a backup measure. You'd probably need one. Provide the nic comes up automatically and works as required, that would make securing pfsense a novel way with a physical key and a password effectively giving you a sort of two form factor authentication. I couldnt do that with intel nics or any other pci-e nic could I? ;) Edit. Possibly 3rd form factor authentication, if pfsense can tell what USB port its plugged into if a choice of usb ports exist. With proper network design and firewall rules this is all a non-issue. My users cannot get at my pfSense interface, switch management interfaces, AP management interfaces, etc. And, no, I don't have any USB NICs on my network. Intel nics have had forms of remote access in their nics since the 1990's. 
 http://en.wikipedia.org/wiki/Wired_for_ManagementIt might be obsolete but the functionality still ships in their nic chips, hence a security risk. Lets not forget rootkits were just old dos viruses, that the youngsters forgot about. 
 http://www.intel.com/design/archives/wfm/"WfM has been replaced by the Intelligent Platform Management Interface standard for servers and Intel Active Management Technology for PCs." 
 Intel AMT (vpro) is considered a back door into systems as this works out of band, and the
 IPMI is aimed more at the servers.
 http://en.wikipedia.org/wiki/Intelligent_Platform_Management_Interface#Security
 "On 2 July 2013, Rapid 7 published a guide to security penetration testing of the latest IPMI 2.0 protocol and implementations by various vendors.[6]Vendors have provided patches that remediate most of the vulnerabilities, but the "IPMI 2.0 RAKP Authentication Remote Password Hash Retrieval" vulnerability has not yet been addressed. This arises from the difficulty that the IPMI 2.0 specification is flawed in that it reveals the password hash and salt to anonymous remote clients. This allows for offline brute force attacks. Complete remediation will require a change to the IPMI specification.[7] Some sources are even advising against using IPMI at all,[8] due to security concerns related to the design and vulnerabilities of actual Baseboard Management Controllers (BMCs).[9][10] However, like for any other management interface, good security practices dictate the placement of the IPMI management port on a dedicated management LAN or VLAN." "The development of this interface specification was led by Intel Corporation and is supported by more than 200 computer systems vendors, such as Cisco, Dell, Hewlett-Packard, Intel, NEC Corporation, SuperMicro and Tyan." On the point of using vlans, heres a paper which discuss the weaknesses of it. Its worth noting the conclusion as the biggest risk of vlans is not configuring them properly. Considering most people here asking about vlans probably have little to no experience of them, the suggested use would render some users of vlans more vulnerable than if they did not attempt to use it. http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml#wp39054 I used to be a big fan of remote access for system support, but I'm finding increasingly as more functionality is added, so the risks of bugs which could be your next undiscovered zero day increases and so more things get hacked. On the point of spoofing, thats fine, in fact it would probably be spoofed so that serial numbers cant be traced back to arp/mac id's and then be logged somewhere in the supply chain. They still need to guess what it is, just like a password, but if its also the only management channel and the only device that connects to it, never goes online and/or doesnt have any remote access built into it, then it should be quite secure if not as secure as pf itself. Arp/mac id's are just another identifier, just like a username and password combined is an identifier for a system. How the system is set up to react to these unique identifiers is down to the user. Windows uses a usb device to store the key if you encrypt the hard driver, how is that any different to a usb nic if not more obvious if someone were to pick up the usb stick due to it being known as a device for storing sensitive info. A usb nic is a less obvious place to store info whilst being in plain sight. @ Stephenw10 
 "If you mean you could remove the USB NIC and only connect it when required then no, no you can't."
 It does work in 2.2 rc, I've tried it.

