@Gertjan Other one are missing, because of google being blocked in china, cellphones and multiple chinese garbage browsers (360browser, etc...) are usually using one of these URL: https://connect.rom.miui.com/generate_204 (Xiaomi) http://www.qualcomm.cn/generate_204 (Huawei) http://www.265.com/generate_204 (Google Chrome, Asus cellphones. This website is owned by google) I also heard that nintendo devices are using http://conntest.nintendowifi.net for captive portal detection but anyway, i don't think that's very important..

@Gertjan said in Trouble With CaptivePortal on Two VLANs in One Interface: You are already using multiple interfaces - a VLAN is considered as a interface. Typically, each interface has its own dedicated AP(s) - using a dedicated radio (== Wifi) setup. A user should choose the correct Wifi SSID first to use the correct network. You can't automatize this. I just wanted to make it happen. I was planning to redirect the user to the correct VLAN by using just one SSID. But I completely got that I can not do it. Thanks for your helps. @free4 I still can not find an opportunity to try PacketFence. I will write down here if I can be successful on it.

My first suggestion would be to upgrade to 2.4.4-p2, but I don't think that alone would solve your problem. I would set this up with a default gateway group using the 1Gbit gateway as tier 1 and the 10Mbit gateway as tier 2. This would ensure new connections use the prioritized 1Gbit gateway if it's up. As pfSense is stateful it won't drop connections unless it has to, so existing connections won't jump over to the faster line as soon as it's back up by default. If this is your wish, you should enable the setting on System->Advanced->Networking named Reset all states I guess. I have never tried that setting myself. **Reset All States** Reset all states if WAN IP Address changes This option resets all states when a WAN IP Address changes instead of only states associated with the previous IP Address. You should look at System->Routing->Gateways to see if the default gateway does switch back to tier 1 when the 1Gbit gateway comes back up.

The question for me is... is your diagram just a quick mockup to give us an idea of what you want to do or is everything already physically connected that way? A high-level, straight forward approach for accomplishing your goals would be: Create VLANs on the PFsense LAN interface Consolidate down to 1 managed switch and connect it to PFsense via a trunked interface Connect everything to the managed switch Configure firewall rules to control access as necessary There's no way to accomplish everything you're looking for as currently shown in your diagram. If you keep the transit network, you can establish connectivity by moving your servers to one of the other switches, but that would mean your VLANs would be terminated on the middle L3 switch and you'd lose inter-vlan firewalling capability. This would be the favorable design from a performance standpoint, but you lose granularity in your access control. If you want to keep the 3 switches and require inter-vlan firewalling, you can still accomplish your goals, but it would require a re-design and managed switches. You'd need to: Create VLANs on the PFsense LAN interface Re-configure the link between PFsense and the middle switch as a trunk Trunk the two outside switches to the middle switch Move your servers to any of the three switches If everything is in close proximity, personally I would consolidate down to one managed switch to keep it simple. Regardless of your design choice, in order to fulfill all of your requirements, all roads lead to managed switches and a re-design.

Everything depends on your setup. Would need more details. Post a network map. Are your VLANs terminated on PFsense or your switch? Post your server1.conf What are the IP's in the VLAN you're trying to access? What do the rules look like on your LAN and OpenVPN tab?

Like an i3-8100t? Then yes. Easily. Steve

Mmm, I agree it seems odd. Have you been able to test it in FreeBSD directly? If it is something we are doing in pfSense we could dig into it but if it's something FreeBSD does it would need to be reported upstream really. Steve

Now if only I could edit the topic, I could change it to solved!

teşekkür ederim ilginiz için

Solution can be found here: IIPsec to Mikrotik

Create a LAGG on pfsense and on the switch stack. Use the LAGG as the vlan parent.

@derelict I say that's a constant regardless of what you do :)

@grimson Thanks, I do read manual but in this case I don't know where to start so I asked question here and yes I only have 1 physical line (at-least for now), I will add quad gigabit ethernet nic to my PC next month.

(pfsense-travando) Bom dia, estou com seguinte problema tambem estou precisando reiniciar o servidor no botão e pois ele trava toda minha rede, não achei nada nos logs, que reporte esse travamento. Fica mais ou menos 1 semana funcionando perfeitamente sem apresentar lentidão, do nada trava.

Get it in where?? Not sure why you think you need a WAN IP to resolve to something in your arp table for vpn clients to connect to you? I am thinking you still don't quite grasp what a PTR or reverse is... Your vpn.domain.tld resolves to IP.242 address.

modem reboot solved the problem thankyou very much for your help!! this is the traceroute from inside the firewall. 0_1540757854627_Traceroute from inside after modem reboot Document.txt

Mmm, I would think there are better ways to do this. But if you wanted to do it like this you will need to setup an OpenVPN tunnel between the two sites to route traffic across, you can't route over IPSec for this. You will need the OpenVPN interfaces assigned at least at the UK end to get reply-to states on traffic coming across the tunnel. Then: Move the VMs to the 192.168.20.0/24 subnet in the UK. That may well be non-trivial! Change your port forwards in the US firewall to point to the new internal IPs. Add policy routing rules on the UK firewall to route traffic from those VM out via the US if that is required for traffic initiated by the VMs. Add outbound NAT rules on the US side for the 20.0/24 subnet to allo that traffic out. Steve