you should not use ap in modem, you should have wireless nic in pfsense or other ap device after pfsense to get that desired protection

I repair it whit LAGG ;) INTERFACES -> LAG yeee!  Thanks ;)

Read here of Maximum Transmission Unit

great then

@stramato: @Nachtfalke: Or just use Captive Portal. +1 Then authenticate your Captive Portal using RADIUS. Step 2 would be to setup NPS in your Windows 2008 R2 machine and add the pfSense machine as a RADIUS client. Step 3 would be to create an Active Directory group, call it something like "pfSense Users" then use that in your NPS Policy. There are a bunch of steps really, you can get this thread moved to the Captive Portal section of the forum I apologize for the late response. I really need to check this more often :-X. I've looked at that option before, and its not that were simply trying to give control user access. We need to be able to have different ACL's for different users. E.G. an account for students, teachers, and administration. With each account having different access rights, kids are denied access to youtube, teachers allowed access to youtube, but denied spyware, etc. Currently i've got NPS setup on the Server 2008 machine and squid is authenticating against that. I'd like to be able to "pass" the username and password from the captive portal to the squid server. Or, if their is a way to authenticate squid with a web page that'd work to. The problem is our teachers aren't all "tech savvy or even tech comfortable, its terrible". The proxy authentication window in windows xp throws them off. If it can't be setup like this, thats fine, they'll live. I'm just looking for something that's a bit more streamlined and easy for them.

Edit: Success. I had to add switchport trunk allowed vlan add x where x is the vlan id. I wasn't putting "add" in there. Then things worked perfectly. Plugged in to fa0/2 I get 192.168.10.x and fa0/2 I get 192.168.20.x. Solved!

Set management ip and subnet, make sure that this ip is usable and in same network than your firewall Set your wireless settings Turn dhcp off from that wireless router connect only power cable and lan cable from your network switch or firewall(pfsense) and connect that cable only to lan side no wan at all Enjoy

Sure, Firewall > Virtual IPs. If that all in the same subnet you could use Proxy ARP or CARP VIPs, if they are in the same or different subnet, you could use IP Alias VIPs.

Sounds like something plugging into that switch is causing a layer 2 loop - two bridged NICs going to the same switch, for one, would do that. The switch will work for a few minutes until some traffic starts going around and around and then it eventually melts down.

That's easy in 2.0. Just add an IP Alias type VIP for IPs in the other subnet, and you can then use it on your WAN directly as if it were the IP there.

With 2.0 you can define additional gateways. Create such a gateway for .254 and then use it in the firewall rule on the LAN.

Ok that makes sense . I was applying the rules to the bridge interface its self. The wan and the the servers behind the firewall connect to the same gateway. So i want to be clear. By default all in bound traffic is blocked just like nat? IF that is the case how can i setup open the same ports to different ips? For instance if i have a web server on 99.98.99.45 and on 99.98.99.44 how can i pass port 80 to both?

They start charging overage fees ($1.75 / GB I believe) :(

It work now! It was the windows firewall on the computers with windows7. The server with w2003 and the xp machine worked, i tested on them and then the light went up, its windows again;) Thanks for all the help!:D

@cmb: @jasonlitka: An extra 4-5ms of latency is worth the potential bandwidth bonus to me. It's extremely rare that it would only be 4-5 ms, most people have higher latency than that to their first hop, but if that's the case for you it really doesn't matter whether you tunnel everything through or go straight out. Usually 40-60 ms is more like it unless it's on the same ISP and/or geographically very close with a good direct route that doesn't route you all over. Adding 4-5 ms won't make any real difference, 40-60 is a major difference. Agreed, 40-60ms would stink, but I don't have that.  :D

A1: pfsense is able to do what you required in less then 3-4 seconds :) A2: you can choose to use failover or loadbalancing (round-robin) or even both at the same time for different protocols/destinations/… A3: you can use 1.2.3 for this but me personally would advice using 2.0 as it is a big improvement in tons of ways and it's nearing completion and has been stable for me for months

That helps a lot for what side to put the rules on thank you. If I still cant get it to work I will put up screen shots.