• Home Lab configuration: block clients from accessing routable networks

    2
    0 Votes
    2 Posts
    609 Views
    johnpoz
    Did you put the rule where it needs to be, above other rules that would allow? Also curious, are you NATing from your LAN to your WAN? If you're wanting to use pfSense as a router/firewall between your RFC1918 networks there is no reason to NAT. But out of the box pfSense would NAT. What did you use for the protocol on your block rule? The default when you create a new rule is TCP, which would allow ICMP.
  • MOVED: High traffic WAN, locate source on LAN

    Locked
    1
    0 Votes
    1 Posts
    325 Views
    No one has replied
  • MOVED: pfsense+dansguardian = block socialnetwork

    Locked
    1
    0 Votes
    1 Posts
    411 Views
    No one has replied
  • PfSense GUI displayed problem after upgrade php5

    8
    0 Votes
    8 Posts
    2k Views
    R
    I understand, I will reinstall tonight after all clients go home :0 Thanks all for the support :D
  • Spam filter on pfsense + pfBlockerNG

    4
    0 Votes
    4 Posts
    4k Views
    A
    This is not a primary spam solution, but it does help. One thing I do that seems to work very well is: Install pfBlocker and block everything outside the commercially valuable countries (US and Canada for our company). Put your mail server inbound rule below these pfBlocker rules. Create a second MX record and install SpamD. Point the MX record to your pfSense box. This way, mail outside the commercially valuable countries is subject to SpamD rules.
  • Gateways do not work after changing the default gateway to another

    21
    0 Votes
    21 Posts
    4k Views
    jahonix
    @andyroo54: They are a quad-port NIC, right? Still separate interfaces like em0, em1, etc. for the OS. A quad-port NIC is NOT a switch. Those are 4 dedicated NICs on a single plug-in card.
  • Alias1 + alias2 = newalias?

    3
    0 Votes
    3 Posts
    679 Views
    H
    Thanks
  • 100% cpu usage

    3
    0 Votes
    3 Posts
    2k Views
    H
    If your connection goes down every 5 minutes, then there is something seriously wrong. Are you having conflicting subnets between WAN & LAN?
  • Question about MAC address spoofing on VLAN

    2
    0 Votes
    2 Posts
    776 Views
    BenGonGon
    I have seen something: do I need to put my lagg0 in promiscuous mode, or do I need to put my NICs (bge0, em0, em1, em2, em3) in promiscuous mode? Is it the right thing to do for my problem?
  • best way to control web traffic http and https?

    5
    0 Votes
    5 Posts
    1k Views
    K
    Ok! :D And if I want to log the sites visited in HTTP and HTTPS? Thanks
  • Can't connect after minor change

    4
    0 Votes
    4 Posts
    874 Views
    C
    Generally the only thing that would cause those symptoms is a WAN subnet that overlaps with your LAN, or putting the same IP on WAN as on LAN. Using option 15 at the console to go back to the previous config (and reboot after doing so) will get you back to where you started.
  • WAN not getting a new IP when internet drops

    2
    0 Votes
    2 Posts
    700 Views
    C
    What type of WAN? DHCP, PPPoE, …? What logs are you getting at the time?
  • Slow Boot "root mount waiting for: usbus2"

    6
    0 Votes
    6 Posts
    2k Views
    Gertjan
    @ragnor: I am running pfSense in a VM so maybe it is something to do with that. What about removing the USB support (at least this port/device) from your VM?
  • Ad blocking with pfsense

    17
    0 Votes
    17 Posts
    29k Views
    B
    Fixed it! Now it's working nicely! I used to have a VM with pi-hole.net, but if I can have an ad filter directly on the router, much better. Now I will have to read more about easylist, so I can add Adblock lists!
  • Strange ICMP in pfTop

    2
    0 Votes
    2 Posts
    992 Views
    C
    Gateway monitoring for Status>Gateways and quality RRD graph.
  • PF 2.2.5 log pre-nat IP

    2
    0 Votes
    2 Posts
    907 Views
    jimp
    Depending on the direction of the traffic and NAT, that may not be visible. Blocks that happen on WAN with INBOUND traffic will have NAT applied before they reach the firewall rules. If the logs show that traffic with the WAN IP address as the destination, then there was no NAT involved. If you are blocking outbound it gets a bit trickier: outbound NAT applies before the rules as well, so you can't see a local source there, just the WAN IP address. If you want to see local addresses you have to block inbound on a local interface.
  • Pfsense 2440 port mirroring

    2
    0 Votes
    2 Posts
    747 Views
    H
    Not exactly, but depending on the requirements you could use https://doc.pfsense.org/index.php/Interface_Bridges. It would be better to do this on your switch, because computers are horrible switches.
  • Map LAN IP

    7
    0 Votes
    7 Posts
    2k Views
    MikeV7896
    From what you've given, it looks like your IP address ranges all fall within the same IPv4 subnet. For example, if your address blocks were 10.20.28.0/16, 10.20.29.0/16, and 10.20.30.0/16… The /16 in all of these examples means an address range of 10.20.0.1 through 10.20.255.254. So if you set a LAN address of 10.20.0.1 on your pfSense LAN interface, you can use that as the default gateway for all of your various address ranges, as long as they begin with 10.20. So as doktornotor said, there's nothing unusual that you need to do to make this work. This is normal IPv4 networking.
  • PfSense to distribute internet to multiple sites

    4
    0 Votes
    4 Posts
    1k Views
    M
    In principle, something like this would be possible, but I personally wouldn't go this route as you'd be double-NATing in every instance. In this scenario, you're treating the firewall like an upstream router, which it really isn't. Assuming your clients are all located locally, you'd still be better off having their own networks directly connected to separate NICs (or virtual NICs) on your PFS and routing them out on their own separately assigned external IPs through the firewall. Otherwise, if they decide to use their own routers, assign them their own external IPs and connect them directly through your pipe to your upstream ISP router. This is just my own opinion, of course.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.