• Vlan confusion, badly need help.

    6
    0 Votes
    6 Posts
    2k Views
    S
    I got everything working guys, thanks for the help. I was badly overcomplicating the tp link's simple untag access port, tag "trunk" port I guess you could say. Untagging the right access ports, and tagging port 1 of my switch in each vlan got it all working with the right PVID settings. Thanks
  • Ntpd.conf issue

    3
    0 Votes
    3 Posts
    790 Views
    C
    You can't manually edit any conf file. What are you trying to change?
  • Do I need to install/setup a mail utility for pfSense?

    1
    0 Votes
    1 Posts
    672 Views
    No one has replied
  • Trying to understand the community images vs the non-community images

    6
    0 Votes
    6 Posts
    2k Views
    jimp
    @HowardSten98239: (https://www.reddit.com/r/PFSENSE/comments/2ro9vm/pfsense_hardware_vs_netgate/cnhs9xx): … has some additional tuning to make the result more performant. These differences are not in the "community" image that we release. Are there any metrics supporting this? I'm trying to figure out what kind of performance boost there is buying the official version vs the netgate one. It would be nice to know exactly what tuning is done to make pfSense more "performant".
    We don't have any stated metrics but there is more to just the hardware-specific tuning. Sure if you dig and find the settings similar settings can be replicated, but having it properly tuned for the hardware without having to tinker is a huge gain for many people. There are also some features in the factory release for SG units that are not found in the "community" images. There is an AWS VPC VPN wizard, an IPsec IKEv2 profile exporter for iOS/OS X, and more things we are adding as we go.
    @HowardSten98239: Also, what happens once the support contract expires if we bought the SG-4860? Do we have to start using the community images?
    Currently the factory firmware updates work indefinitely. I'm not sure if/how that might be changing in the future but at least for the time being that isn't a concern. The install media may not be available if you have an expired account, but you can still update from an older installation. That may vary depending on where you're from as well since things like EU regulations for hardware/software support may apply. Drop a note to sales@pfsense.org if you'd like more info. At the moment, you can use the community firmware on any of our hardware it's just not an optimal experience to do so.
  • VLAN and unmanaged switch

    2
    0 Votes
    2 Posts
    917 Views
    awebster
    Sorry, you must have a managed switch to use VLANs. Some unmanaged switches will strip off the VLAN tags, others might pass them through, and yet others will not pass the VLAN traffic… it depends. You can get some entry level web managed switches from D-Link, Netgear and others that will do what you need.
  • Pre-Installation Planning (Please check my starter work)

    4
    0 Votes
    4 Posts
    842 Views
    I
    I guess that would make a little more sense plugging in the downstairs switch into the upstairs switch (by the cable modem) instead of directly to the pfSense box. Thank you for the input there - I didn't even consider it. As for the wired DHCP I don't really mind that as it's just a home network - if someone plugs into it, then they may as well get data that way vs just stealing my stuff. All in all thank you both for the input!
  • DMZ - Can I RDP to it from the LAN

    19
    0 Votes
    19 Posts
    4k Views
    R
    Just to say thanks for everyone's input and help, especially John and Jon.
  • WAN IN traffic not showing in LAN Traffic

    3
    0 Votes
    3 Posts
    713 Views
    A
    updated #All File refresh_pattern -i \.(3gp|7z|ace|asx|avi|bin|cab|dat|deb|divx|dvr-ms)      10800 80% 10800 ignore-no-cache  ignore-private override-expire override-lastmod reload-into-ims; range_offset_limit -1; refresh_pattern -i \.(rar|jar|gz|tgz|bz2|iso|m1v|m2(v|p)|mo(d|v))          10800 80% 10800 ignore-no-cache  ignore-private override-expire override-lastmod reload-into-ims; range_offset_limit -1; refresh_pattern -i \.(jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js)    10800 80% 10800 ignore-no-cache  ignore-private override-expire override-lastmod reload-into-ims; range_offset_limit -1; refresh_pattern -i \.(mp(e?g|a|e|1|2|3|4)|mk(a|v)|ms(i|u|p)|og(x|v|a|g)|rar|rm|r(a|p)m|snd|vob|wav) 10800 80% 10800 ignore-no-cache ignore-private override-expire override-lastmod reload-into-ims; range_offset_limit -1; refresh_pattern -i \.(pp(s|t)|wax|wm(a|v)|wmx|wpl|zip|cb(r|z|t))    10800 80% 10800 ignore-no-cache ignore-private override-expire override-lastmod reload-into-ims # Updates refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 10800  80%  10800 ignore-no-cache  ignore-reload  reload-into-ims; range_offset_limit -1; refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 10800  80%  10800 ignore-no-cache  ignore-reload  reload-into-ims; range_offset_limit -1; refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 10800  80%  10800 ignore-no-cache  ignore-reload  reload-into-ims; range_offset_limit -1; # AV updates # refresh_pattern avast/.*\.(bin|vpx)                      10800 80% 10800 ignore-no-cache  ignore-reload  reload-into-ims; range_offset_limit -1; range_offset_limit 0; quick_abort_pct 70;
  • Daily In/Out traffic

    2
    0 Votes
    2 Posts
    754 Views
    R
    Update: Something like this (as an example): Total (GB) 631.962 Total upload (GB) 75.233 Total download (GB) 556.729
  • Damn RDP to VPN client does not work, Need help!

    11
    0 Votes
    11 Posts
    3k Views
    I
    Well Johnpoz, I already said I was a bit scary about that Teamviewer stuff. Well, it turned out I was right, it is scary. :o I opened the window and the first thing I see some weird userlogin ???, like you would login on facebook, too flashy to my thoughts, especially the ads. It looked like a goddamn free antivirus to me. I don't want that despite its superior performance. Not on my tiny industrial-home network, I'm sorry. You said there wasn't a solution for my problem other than using that junk described above or some other commercial RDP software. I am a stubborn man and I couldn't believe that there was no proper way to connect to that Windows 7 machine even though I was aware that there might not be any solution than to upgrade to a higher version. Well, I am a genuine windows client-server user, but this hack had to be done for the sake of this matter. At first I thought it was a piece of spy/malware but apparently it turned out to be quite genuine in some way. I installed the concurrent RDP patch, and RDP works now. Its quality is what I expected to be as I have used microsoft RDP on XP in the past. I feel there is nothing compared to that quality. Today I tried to log on my Win7 Home Premium but I couldn't. The reason was expected because I was updating and it must have changed the particular file. I have restored a backup and turned off updates. The machine has SP1 but lacks other updates. It is better to stick with that. I don't want to lose my future connections because of that. Besides we are using pfsense right? Well actually I don't know what I am talking about, I have set up SNORT, I think you have to know some rocket science to be able to get that to work and really interpret what is going on. Frankly that is way above my head. Greetings
  • Squidguard3 + Active Directory

    1
    0 Votes
    1 Posts
    754 Views
    No one has replied
  • Pfsense, rockstor on vsphere

    8
    0 Votes
    8 Posts
    2k Views
    J
    Okay, so a USB of about what, 4 GBs is fine?
  • Can't isolate wireless and wired networks

    4
    0 Votes
    4 Posts
    1k Views
    B
    OK that worked. Thank you!
  • [BADLY NEED HELP] squid+dansguardian blocking HTA (mshta.exe) application

    1
    0 Votes
    1 Posts
    713 Views
    No one has replied
  • WAP setup with pfsense

    5
    0 Votes
    5 Posts
    2k Views
    C
    When you reset the xclaim AP to factory default do you see the SSID XCLAIM SETUP? I am running xclaim APs with pfsense with no problems at all. I also set them up with VLANs and they work great with pfsense.
  • Limiting VPN user access to single internal IP

    12
    0 Votes
    12 Posts
    7k Views
    S
    @Derelict: Yes. You might also need a route to get the traffic into OpenVPN then an iroute in the CSO to route from OpenVPN to the correct tunnel.
    Thanks, I will definitely keep this in mind and maybe give this a shot before trying 2 VPN servers when the time comes. After reading on iroute, that might be the missing link.
  • System (local) domain name best practices?

    6
    0 Votes
    6 Posts
    3k Views
    S
    Thanks so much!
  • [Semi-Solved] Captive Portal works but I have no internet

    2
    0 Votes
    2 Posts
    809 Views
    S
    I can access the internet, this is my fault, I forgot to fill in the proxy config in the clients because we work with a proxy in our corporation. But I have already filled in the proxy config in pfsense; I was thinking clients work natively with the proxy already entered in pfsense, but no, I have to fill in the proxy address in each client… Is there not a solution to avoid entering the proxy by hand in each client ???
  • More than 500 VLANs

    4
    0 Votes
    4 Posts
    1k Views
    Derelict
    There is nothing stopping you from using pfSense to NAT for 500 ports on a layer 3 switching infrastructure. It would do that quite well. private IP /28 address which will be NATted Seems like for 500 ports you really want a layer 3 switching solution. Are all these 500 ports within 100m of each other or are you dealing with multiple wiring closets? IPv6 address I assume you mean IPv6 /64 DHCP on each subnet You will want to use your switching infrastructure or an external DHCP server with helpers for this. pfSense will not be the way to go. But if you want to build all that behind pfSense, it will NAT for you beautifully.
  • Centralized authentication with SSH

    1
    0 Votes
    1 Posts
    625 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.