Identify downline IP triggering firewall rule
I have SG3100 connected directly to the ISP modem. On the LAN port I have a wireless router. All blocked activities logged by the firewall indicate the offending IP as the router's WAN IP. Is there any way to identify the actual user's IP who triggered the blocked activity? That is, do I have any visibility of the router's LAN users?
Not from the firewall in the scenario you describe. The wireless device should be acting as an AP, not a router. pfSense should be seeing the wireless clients directly, and the wireless device should not be doing NAT, DHCP, or anything else but bridging those clients into your network.
Thanks for the quick reply. So once the router creates the new subnet on its LAN, the Netgate box has no visibility there. That makes sense, but I hoped there was some magic that pfSense could do... But no... So for the 3100 to have visibility into the individual users, they all have to be in the same LAN as the Netgate LAN. If I want to monitor everyone's activities, they will have to be on that one LAN subnet. Got it.
No that is not what he said at all..
You can have wireless clients on any network/vlan you wan and pfsense would see all the IPs of all the clients. But what you can not do is have some wireless router NATing the IPs... You should be using an AP where the wireless clients are put on the vlan or network the AP is connected to - not natting the clients to its IP.
A real AP would allow for tagging different SSIDs clients to different vlans, and pfsense would then route/firewall these different networks and see all the individual clients in the different vlans. Once you put these clients behind a NAT device then yes you hide the actual clients IP from the upstream devices. Just like internet only sees your public IP and not your clients 192.168.x.x address for example.
What Wifi device are you using, what switch(es) are you using connected to your wifi device and pfsense?