For the benefit of newbies reading this and other threads, it can't hurt to restate this. When a client (mail programme, browser…) connects out to a server offering a service at a well-known port number, then the client uses an ephemeral port number (gets given any old port number from a temporary range - http://en.wikipedia.org/wiki/Ephemeral_port). The destination is the well-known port number (e.g. SMTP 25, HTTP 80, HTTPS 443… - http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers). When making rules to let clients out to a particular service, you generally need a pass rule on the interface where the source address is like: Source address: IP/s of the clients Source port: any Destination address: IP/s of the server Destination port: well-known port number (you can usually pick this from the dropdown list in the GUI) and for easy maintenance and readability of your rules, make aliases for groups of IP addresses (and special port ranges, URLs that you need to reference…) and use the alias names in firewall rules.

There is a similar discussion here: http://forum.pfsense.org/index.php/topic,50444.0.html In that case it's setting MTU rather than connection speed. It ended in a horrible hack.  ;) Also here: http://forum.pfsense.org/index.php/topic,50563.0.html Steve

Here's a second opinion from a few years ago: http://freebsd.1045724.n5.nabble.com/Maximum-ARP-Entries-td4017394.html Steve

@wallabybob: Ask your ISP. It is the DHCP server that assigns the DHCP lease time. This. If you're renewing every 150 seconds, you're getting a 300 second lease. Our dhclient follows the RFC the same as every DHCP client, renewing at half the lease length.

@kishore: text Did you check the cables, switches, and other external stuff such as routers, repeaters etc? Maybe something is running in half duplex or a swith has limitations, uses 10Mb or is overloaded etc? I would look outside your firewall first since your hardware is clearly capable. Also If you are using old network cards or brands such as realtek (not Intel) you may want to check that these work correctly and that you have a good and working driver. Some network cards use other manufacturers circuits (typically realtek) and may have problems, I am not saying that no other NICs than Intel work or work good (they do!) but I have ran into wierd problems a couple of times when the cards did not "work" properly. There are some threats about some of these issues I believe. If you can, try to replace a card for an Intel card (the cheapest desktop pci-cards for example, these work good and have a long life time) and see if the problem is still there. Sometimes you need to fiddle with the drivers and parameters. Did you google the card name? /E

Its 112.0.0.0/5  to  ..*.0/29 actually its my mistake that the subnet mask i put was wrong  ;) I don't know how its happened but now the problem is solved. Hemant

Well for example a minimum set of rules to allow clients on OPT1 to have web access: Source OPT1 subnet, port any, destination any, port 80. This will allow traffic out to port 80, HTTP. You also need to allow access to the pfSense DNS forwarder: Source. Opt1 signet, port any, destination OPT1 address, port 53. Steve

matguy, My hardware is not so good as you describe. I have a pentium 3 800 MHz processor and 198MB of RAM. I think i will not be abble to run several v-machines at the same time.

If you could get your ISP to do MLPPP for you then you could bond 4 dsl lines and get your 3mbps up.

I would guess no it's not possible. You can only enable dhcp servers on static interfaces. In a bridge configuration usually only the bridge interface is static so you would have to use only one instance of DHCP for the whole subnet. There is no way of filtering leases by source interface, that I know of. Alternatively you could have all the interfaces static, 192.168.1.1 2.1 3.1 etc, and still bridge them. If you had open firewall rules traffic could go between them. However you would run into some sort of subnet clash. You would want each dhcp server to hand out a subnet mask that included all the interfaces but you can only hand out the mask of the parent interface. Thus you would have to set the subnet masks of each interface to overlap all the interfaces. I don't know if pfSense will allow you to do that, I've always tried to avoid it  ;) Even if it does I would imagine routing problems. Perhaps it might work - hypothetically! Steve

@marcelloc: if you have php skill, take a look on sarg package(sarg_reports.php and sarg_frame.php), I've limited it's access to pfsense users permissions. Thanks. I'll give it a shot. Edit: Where in the file structure could I find those files?

Poster above has only posted 3 times. All identical posts linking to his blog. I don't wish to put anyone off contributing but this seems a little suspicious.  ;) If I'm wrong then I apologise. Steve

@ptt: @sreerajuv: U can find Multi wan configuration in followink link http://linuxhotcoffee.blogspot.in/2012/09/pfsense-201-dual-wan-configuration.html Having "WAN1" on Tier 1 & "WAN2" on Tier 2 and using "Member Down" as trigger level you are NOT Doing "Load Balance" you are doing "Fail Over". Please review your "Blog" post, then come back with accurate info. You can check the info from the pfSense Docs: http://doc.pfsense.org/index.php/Multi-WAN_2.0#Gateway_Groups If any two gateways are on the same tier, they will load balance. If they are on different tiers, they will do failover preferring the lower tier. If the tier is set to "Never" then the gateway is not considered part of this group. Also, I think this was more of a hardware question, of how to get 5 physical ports accessible with his hardware than how to configure them (although, I wouldn't wager against that being the next step/need/question.)