Yes to those questions but… From the questions you are asking it seems as though you are trying to reconfigure a pfSense box you didn't setup yourself? Please explain your situation a little more so we can provide a more helpful level of answer!  :) Steve

Ok, thanks for that. I'll play around with it.

should be possible with a radius server i guess

I think you'd be better off using PFSense as your primary firewall if you want it to handle network traffic. Use the ASA like it's a server and just have the inside interface listening on port 443 for anyconnect clients and forward that port from PFSense Wan to the ASA. Then you can either use firewall rules to allow / block IP ranges. Better yet if you have vlan support get a license for more vlans and the ASA should be able to put the clients directly on the correct subnet.

You have to use manual. It will fill in automatically with an equivalent set of rules to the automatic ones.

The root user needs ssh access in order for scp to work. Direct access to root or admin or any account is equally dangerous on the firewall. You should protect access to ssh entirely, not just a specific user. If you switch to key-only auth, and limit access by IP, and for good measure change the port ssh runs on, it's safe even to login as root.

Yep.  Backup settings, fresh install, reinstall packages, upload settings, Ta-Daa!

I can now access it via HTTP on the LAN. @dreamslacker Disable NAT Reflection for 1:1 NAT - DISABLED Disable NAT Reflection for port forwards - DISABLED Firewall Maximum Table Entries - DEFAULT (Left it Blank) Firewall Maximum States - DEFAULT (Left it Blank) EDIT: Now that I am onsite here I found that the old router (connected to the same ISP) still had the static IP settings of the new router. Switched it to DHCP and I think our issue may have been resolved.

I was able to figure out the issue.  The problem was that I PFSense supplying DHCP addresses to the domain controllers.  This seemed to cause the issue. The solution was: Changed gateway IP to 192.168.3.1 PFSense WAN - 192.168.3.2 PFSense LAN - 192.168.1.1 Our LAN computers that previously connected to the gateway address of 192.168.1.1 now connect to PFSense using that address.  This allowed us to connect to the internet and throughout our network. Thank you Wallabybob

Thank you, This is the key information I needed for further analysis in resolving this issue.

@heper: but look at this: http://www.zyxel.com/support/knowledge_base/kb_detail_8603.shtml there seems to be a way to tag vlan's by ip Because you can do something on a Zyxel switch doesn't mean you can do it on BSD or any other general purpose OS. Sure it's feasible to tag specific IPs to certain VLANs in theory, in practice to do so on FreeBSD means you're in for some kernel hacking.