Subcategories

  • Discussions and feedback related to this forum

    607 Topics
    3k Posts
    johnpoz

    @microserfs and what IP was that? Clearly your current IPv6 address is not blocked, which I showed you connected with. And the only other IPv4 I see you using is not blocked. You would have to let me know what IP you were coming from that was blocked. Send it to me via PM if you don't want to make it public.

  • Community Hiring and For Hire postings related to jobs that require pfSense software skills

    27 Topics
    114 Posts
    w0w

    @sef1414
    Name it "run.sh", copy it to the pfSense box and chmod it according to the documentation:
    https://docs.netgate.com/pfsense/en/latest/development/boot-commands.html#shell-script-option
    You will see messages in the system log like those quoted in the script after the logger command.

  • Internet blocking by MAC address, help

    Locked
    2
    0 Votes
    2 Posts
    2k Views

    I am not sure what you are trying to do.  I realize from reading your post that English is probably not your first language so what you said is not very clear, but let me try to anticipate what you're asking.

    I think that you have some computers that are allowed access to the Internet through a pfSense firewall based on their static IP address.  The problem you are having is when you move a computer to a branch office they no longer can use that static IP and therefore lose access to the Internet.

    I don't know how your network is set up, but let me just say here how useful DHCP is.  You can use DHCP to assign a reserved IP address to a particular MAC address.  This means that a computer will always have a known IP address every time it connects to the network.  At your main office, it might be 192.168.1.200.  At a branch office, it might be 192.168.2.200.  You just assign a reservation at the DHCP server for each office for that particular MAC address.  Then in the firewall you allow all the IPs that are reserved for that computer and MAC address access to the internet.

    If this doesn't help, I hope at least it has given you a good idea or two!  Good luck.

  • Pfsense + freeradius2 package + CISCO SG300 + 802.1X problems

    Locked
    1
    0 Votes
    1 Posts
    3k Views
    No one has replied
  • MOVED: Would be so kind for assistance regarding pfsense

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • OT: Looking for an appliance, Suggestions welcome

    Locked
    4
    0 Votes
    4 Posts
    3k Views

    @pf2.0nyc:

    The problem with the older stuff is it's SATA 1 or 2 at best and the power consumption is crazy.

    I go in on drives with a friend and we buy in BULK so my price is closer to $100 per drive… maybe a slight bit more but we buy a lot of these drives.

    That's my real challenge, it needs to be SATA2 or ideally 3 so the older stuff is out. <$400 is a goal... <$500 is not terrible... You know how these things go, set a target price and before long you are at $1000 a box. I just need something cheap and easy.

    The HP DC7700's are SATA 2.  Also, being Core 2 Duo, their power consumption is pretty decent, actually, probably about 60 watts at 10-40% cpu with 2 standard hard drives.

    For new stuff, maybe look at cheap Home Theater PC setups:

    http://www.newegg.com/Product/Product.aspx?Item=N82E16856115047
    "Mini" system with full height PCI Express for $165 (after shipping)

    http://www.newegg.com/Product/Product.aspx?Item=N82E16819116410
    Celeron G440 for $40 (free shipping, also you can go to Dual Core Celeron for $10 more)

    http://www.newegg.com/Product/Product.aspx?Item=N82E16820313102
    4GB DDR3 for $22 (more free shipping, double it if you want 8GB, it's got 4 slots.)

    $230 after shipping for the bulk machine, if hard drives are $100 each, that's $430 total.

  • CANNOT PING HOST NAME!!!

    Locked
    15
    0 Votes
    15 Posts
    17k Views
    stephenw10

    No problem.  :)

    Steve

  • Traffic forwarding

    Locked
    6
    0 Votes
    6 Posts
    2k Views

    Thanks, it's working fine… ;D ;D ;D

  • HOW TO BLOCK A LAN IP IN PFSENSE

    Locked
    5
    0 Votes
    5 Posts
    20k Views

    Thanks, it works for me.

  • 10GbE adapters and back to back?

    Locked
    3
    0 Votes
    3 Posts
    3k Views

    Thanks Podilarius!

  • Google Nexus 7

    Locked
    15
    0 Votes
    15 Posts
    8k Views

    nice… i think i'm going to pull the trigger on the Infinity here shortly... I may get the Nexus for my wife tho.. She's been hinting for her own Kindle (she uses mine) and this would be a better upgrade than the Kindle Fire

  • 4 Nic's 1 WAN 1 Lan and 2 Vlan how to config?

    Locked
    7
    0 Votes
    7 Posts
    4k Views

    Hand out DHCP from each NIC.  In the DHCP configuration, specify the DNS server you want each segment to use.

  • Help network design

    Locked
    2
    0 Votes
    2 Posts
    2k Views

    The design you showed would work, but I always try to remember KISS - Keep It Simple, Steve!  ;D

    There's no real need for segmenting your LAN into VLANs.  VLANs should be used to segment network traffic.  If you have a small office, with ten or fewer PCs and a server or two, then you don't need to use VLANs.  VOIP phones would be another matter but I don't see any of those on your drawing.

    Instead of what you drew, I would connect the firewall, all the PCs, the server and the wireless configuration manager (if it is NOT also a WAP) into the Cisco.  Don't bother to set up VLANs, just let everything connect on the default VLAN (NOTE: if your office is bigger than it appears from your drawing, there is an argument to be made for setting up a VLAN and leaving the default VLAN alone, unconfigured, so that no one can connect a device to your network without you configuring the port, but if this is a small office and you control access to the patch panel/switch, that is not an issue).  This has the advantage that you don't have to configure anything and if the switch loses its configuration you don't have to reload from a backup.

    The wireless access points (and by extension, the devices that connect to them) I would put on an unmanaged switch that connects back to an OPT interface on the pfSense firewall that serves as your DMZ.  This protects your network a little more than connecting your wireless devices directly to your internal LAN.

    Run DHCP from the firewall.  Everything routes out through there and it routes everything not directly connected to the Internet.

    Here is a diagram of how I would do it:

    Drawing1.jpg

  • Manual load balancing setting

    Locked
    2
    0 Votes
    2 Posts
    2k Views

    If you have GWs already created, then this should do:

    Create 2 aliases where you have a bunch of hosts,
    like hosts1 : 192.168.1.10-192.168.1.30
    hosts2 : 192.168.1.31 - 192.168.1.60

    and create firewall rules:
    pass * from hosts1 any to any any with gw1 (it's an advanced option, you can find it)
    pass * from hosts2 any to any any with gw2

    This configuration has no failover at all.

  • [OFF-TOPIC] Happy System Administrator Appreciation Day

    Locked
    2
    0 Votes
    2 Posts
    2k Views

    Happy SysAdmin Day !!!  :D

  • Need to find the Media Server on pfsense 2.0.1

    Locked
    2
    0 Votes
    2 Posts
    2k Views

    If you use search, you'll find some answers, but here is the shortened outcome: use separate boxes, as best security practice says so. Look at FreeNAS if you want a media server.

  • Router's LAN plugged directly into the Internet (its public WAN)

    Locked
    2
    0 Votes
    2 Posts
    2k Views

    At least the ISP should be blocking private IP ranges, and they should have protected DHCP services.

    Nevertheless, that is always a bad idea, unless you have a router connected to the public IP range.

  • 'Owning' IP addresses - good or bad idea?

    Locked
    3
    0 Votes
    3 Posts
    2k Views

    @jimp:

    If you have your own AS, you can do provider-independent routing with BGP, so you aren't tied down to a single upstream.

    In general that's the reason. Though probably not with just a /29, anything smaller than a /24 is highly unlikely to make it in the global BGP routing table as many providers will filter out smaller routes than that.

  • 0 Votes
    2 Posts
    2k Views

    Ah, the official pfSense forum can't read Simplified Chinese, heh. Google-translated below:

    Hey the pfsense Forum to see do not know in Simplified Chinese, google translation

  • Running SSLSTRIP on a pfSense box

    Locked
    1
    0 Votes
    1 Posts
    6k Views
    No one has replied
  • FreeBSD 8.3 released?

    Locked
    11
    0 Votes
    11 Posts
    6k Views
    jimp

    Once 2.1 is done we'll start on 2.2.

    So help get 2.1 finished and then it'll be time to move on. :-)

  • Can't find attached device

    Locked
    2
    0 Votes
    2 Posts
    2k Views
    jimp

    Install the nmap package, then go to Diag > nmap.

    Fill in your LAN subnet, pick the LAN interface, select ARP for the scan type, and fire away.

    Things will only show up in your ARP table if you try to talk to them, so unless you do some kind of ping/arp scan you won't see devices like that.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.