Hi all, I'm a bit puzzled here. I just set up a CSS326 yesterday, and it has an IP address on my Management VLAN, which has a default deny any any rule in pfSense, meaning Management VLAN devices shouldn't be able to reach the internet. Further, pfSense logs any attempts that Management VLAN devices make to access the internet; I know this because I see hits from my UniFi access points periodically (insert eyeroll).
I understand that SwOS uses some sort of MAC address reply algorithm, so I can access it from other VLANs because it doesn't need a default gateway; that doesn't bother me. What does seem strange is that SwOS is still able to check for updates on the internet, and I don't see anything in my firewall. I'm considering deploying these in a business environment, but I'm not really comfortable doing so until I know exactly how this works in case I choose to block it for security purposes.