• How to access clients that belong to different networks?

    5
    0 Votes
    5 Posts
    2k Views
    T
    thanks for the response, and sorry for having not thanked you guys promptly. Been busy at work, not having much time to play. I understand the AP is easiest and simplest set up. The reason I am using this setup is because I like second router's simple parental control and DNS filtering presets. With AP setup, I have to use pfsense proxy. It is not intuitive, and I am not sure it is reliable. By the way, the second router is a Netgear R7000 running Asus firmware, merlin variant. This is only for the kids. I have another Access point for the rest of the family. I will review all the responses and play a bit more.
  • Virgin Media L2TP for Static IP's

    3
    0 Votes
    3 Posts
    1k Views
    E
    Hi Chris Really sorry mate, I've not cracked the L2TP with VM's 5 static IP service in modem mode. I pissed and moaned with my best pseudo-litigious vitriol but the best they have done is put me on the trial for the new firmware that supposedly fixes the issue. In fact, for all I know it's probably fixed by now - new firmware appears to be pushed to the box without end user interaction. I'm currently using virtual IP's and 1:1 NAT and that works fine. If your VM box is locking out the lan ports and needing a reboot every couple of days or less, call VM and ask when they're getting the new firmware rolled out. Calling this a business grade internet connection is a joke, the whole point of us paying for static IP's is so we can host stuff from them! It's piss poor that the hardware we have been locked into using is broken. This year I'm going to consolidate all of my isp's/hosting/telephone lines and buying a 100mb leased line it's 400 quid a month but I spend nearly that already and when one or all of these things breaks we, as a company are left bare arsed…
  • APCUPSD on Alix2d13

    1
    0 Votes
    1 Posts
    783 Views
    No one has replied
  • Dynamic vlan

    10
    0 Votes
    10 Posts
    3k Views
    johnpozJ
    You have 3 different networks running over the same Layer 2 sounds like to me if you bridged the 4 nics in pfsense..  That is BROKE setup!!! plain and simple. You can still use the 4 nics each on their own network/vlan or you can lagg them together and connect 4x1g to your switch and then run your vlans on this lagg connection. Since you're running different Layer 3 over the same layer 2 you have no real idea if the clients are talking to pfsense and then hairpinning to talk to client, or if the traffic is just sent to them directly because they find out what the mac is and just put the traffic on the wire.. Sounds like you have a complete MESS on your hands if you ask me..  If you want to run multiple networks, then these networks need to be different layer 2..  Be it on their own hardware or using a switch that does vlans.  If you want users to be on different networks/vlans based upon their username and password, etc. etc..  Then need to have a switch that can do dynamic vlans, and AP that support this as well.  Not all AP support dynamic vlans based upon auth. Heading out the door - but be happy to post a typical drawing for you to look at.
  • 0 Votes
    4 Posts
    2k Views
    ?
    The provider (google fiber) requires the following - You'll need to obtain your IP address via DHCP in order for your service to work. Did you get rid of this problem? They then assigned 6 IP addresses with the first being the gateway address.  xxx.xxx.xxx.9-14 I would try out the following; at the WAN port using static IP address and set up xxx.xxx.xxx.9/29 and the other 4 IP addresses with 1:1 NAT to the servers inside in the DMZ With the wan set to DHCP where do I enter the gateway static IP address? Someone told me that you only must use DHCP and the first assigned IP address is then the gateway IP address and the other 5 IP address would be able to set up to the servers in the DMZ over 1:1 NAT. My other two units had wan static ip addresses which was a simple setup. Likes me too, but I am interested to this question too.
  • Server @malaysia but cannot connect here @ph with Pfsense

    3
    0 Votes
    3 Posts
    717 Views
    A
    @asistio04: I'm Kinda noob here and company server is located @malaysia so the problem is when we are pinging here ph to malaysia it is ok, but when malaysia to ph, the tracert cannot be completed it always display "Request time out" will vpn will solve this to redirect all connection in our static i.p?
  • [HELP] pfSense VLAN over ADSL - Advanced Setup.

    8
    0 Votes
    8 Posts
    2k Views
    C
    @johnpoz: So it has dual ports built in right?  So you have 1 for wan and 1 for lan.  So you really only need a dual port card to add to its 1 slot that's available.  That would give you your 3 wan you need and 1 lan. So I see this off the ebay.my site http://www.ebay.com.my/sch/i.html?_from=R40&_trksid=m570.l1313&_nkw=Broadcom+Dual+Port+1GbE+NIC&_sacat=0 84RM is only $20 USD… I would think that has to be a decent price...  That top one has free postage even, the 2nd one is 30RM postage... Even with the postage these prices would seem reasonable to spend. Those 5709 nics seem to be on the list of compatible cards http://www.dell.com/us/business/p/poweredge-r210/pd Dear johnpoz, Thank you sir for your response and the link that you suggested. I did my research on the compatible cards and I found a good list of candidates and it should be no problem for me to order and purchase it. 84RM is a good deal considering that it's a dual port, most of the dual ports here cost at least 250RM and above. Anyway thank you again sir.
  • Help with Command Line - Generate Internal CA

    2
    0 Votes
    2 Posts
    623 Views
    jimpJ
    At the moment we don't have a way to generate user certs from the command line. It may not be terribly hard to script for a one-off thing like you're doing, but making a more generally useful script that could be included in the firewall is much more difficult. Even so that only gets you part way there as you'd still have to export them from the GUI, which is much more difficult to automate.
  • Options menu gone in 2.2.6 ?

    2
    0 Votes
    2 Posts
    551 Views
    jimpJ
    You mean on the console? If it gives you a login prompt there, that usually means that the console is password protected. There is an option for that in the GUI under System > Advanced on the Admin Access tab. You should be able to login at the prompt with your admin or root credentials, too.
  • Squid3 / Firewall / DMZ

    4
    0 Votes
    4 Posts
    1k Views
    KOMK
    You could try adding a directive under Advanced features - Custom ACLS like this:
        acl YourWWWServer dstdomain .YourDomain.tld
        always_direct allow YourWWWServer
    This assumes that you have split DNS returning www.YourDomain.tld as a LAN IP address in your DMZ.
  • Use of http instead of tftp in PXE boot environment

    2
    0 Votes
    2 Posts
    1k Views
    jimpJ
    You generally wouldn't want to use the firewall GUI web server as a general web server. It defaults to HTTPS (and should stay HTTPS), and it's best not to mix your roles in that way. On 2.2.x and before, it uses lighttpd, and on 2.3 it is now nginx. You're better off standing up a small but dedicated http server somewhere else on the network to serve up those files instead of attempting to use the firewall as a file server.
  • Download slowness

    2
    0 Votes
    2 Posts
    730 Views
    jimpJ
    Not enough info to go by, check the output of "ifconfig -a", "netstat -ni", and look at the link speed and if there are any interface errors. Could be any number of factors though. What type of WAN is it? PPPoE? DHCP? Static IP address?  Is it cable, DSL, fiber, or what?
  • Log files, BNF format, and jEdit

    2
    0 Votes
    2 Posts
    851 Views
    jimpJ
    You seem to have mixed up a few terms. 1. pfSense log files in general are CLOG format, a binary circular log. You can't open them properly in a plain text editor. 2. pfSense firewall log entries on 2.2 and later are in a form of CSV format described at https://doc.pfsense.org/index.php/Filter_Log_Format_for_pfSense_2.2, the log itself is still a clog file. 3. The "BNF" term used on the link above is for Backus–Naur Form which is the type of grammar used to convey the actual layout of data in the filter log entries. The log is comma-separated, BNF refers to the way the page shows you how the CSV data can be present in the log entries. Long story short, you'll need to run the log files through clog to get plain text as described in the link on point 1 if you wish to open them in a text editor.
  • How schedule periodic restart of openvpn client?

    2
    0 Votes
    2 Posts
    2k Views
    jimpJ
    Install the cron package and then use "/usr/local/sbin/pfSsh.php playback svc restart openvpn client X" where "X" is the ID of the client you want to restart.
  • Squid multiple interfaces and authentication

    2
    0 Votes
    2 Posts
    709 Views
    jimpJ
    No, that is not possible. Squid can't use authentication if transparent is active on any interface.
  • Starting services from CLI?

    2
    0 Votes
    2 Posts
    1k Views
    jimpJ
    /usr/local/sbin/pfSsh.php playback svc restart <name>
  • Weird issue, but hoping for some guidance

    5
    0 Votes
    5 Posts
    1k Views
    johnpozJ
    cisco are a bit pricy… Why not take a look at the unifi stuff.. the new gen AC models, the lite is like $89 and the Pro is $149 https://www.ubnt.com/unifi/unifi-ap-ac-lite/ The new gen AC models support band steering, ATF - DFS is not yet supported in the US..  But there are many enterprise level sort of features but for a home budget price. I have an older v2 AC model, the new Lite and LR models in use.. And as soon as the pro's show back up in stock will be replacing the old v2 with new pro model.  While it works and all.. They don't seem to be giving the band steering and ATF love to the older models. I would be up for selling it for a good price ;)  If you have any interest in that.  If not it will prob just sit on my shelf as a spare..
  • Wildcard SSL Cert question

    1
    0 Votes
    1 Posts
    683 Views
    No one has replied
  • Need to reboot my TWC Cable modem every few days, Why??

    6
    0 Votes
    6 Posts
    2k Views
    M
    I would try a different brand of modem.  Zoom makes a few different ones that work well on Comcast, just make sure it's at least DOCSIS 3 and check the number of channels bonded up and down. I've been using a Zoom 5341J that has been pretty good for me. As to "why"  if you can get to a web interface, see if there is anything about "statistics".  Look for errors and such on the channels.  Cable modems are very sensitive to signal levels and SNRs.  There may be a bad or marginal device in between the cable modem and the wire from the street.  If you have any splitters, try removing them (yes you may have to give up TV for the test).  You may need better quality and higher bandwidth ones.  See if you can make a straight run from the outside to the cable modem.
  • Sudden PPPoE failure

    15
    0 Votes
    15 Posts
    4k Views
    R
    Adam, Sorry for the delay, yesterday was a crazy day! The box that Storm put in is not a switch at all (that's what the guys called that installed it), it's a router that can do PPPoE. The brand is MikroTIK, type is 750UP. I suppose they have it set up in pass-through, so packets are just passed along. It does solve the problem though. -Rob-
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.