to add on, from the pfsense i can ping successfully the client ip 10.0.0.6, and from the client pc to pfsense LAN ip 10.0.0.1. i also have enable the option [14] secure shell option in pfsense.

Not possible with the console driver FreeBSD has, neither with the old sc(4) driver or the newer vt(4) driver. You would need X for dual head set up and pfSense doesn't include anything X related.

Glad I could assist.

so untag it on the switch, ie set it to the native vlan if its a trunk port.  Your typical access port would not be tagged anyway.  If your looking for cisco command help.. You better of RTFM or check the cisco forums.. FE8 on some other switch?  On the mikrotik itself? draw up your connectivity and where you want tagged or untagged.  Just set the port to access and set its pvid and that would normally be untagged traffic.

UTM-1 570 Intel Celeron M 1.5 GHz 1 GB RAM 160 GB ATA HDD Firewall Throughput: 2.5 Gbps VPN Throughput: 300 Mbps IPS Troughput: 1.7 Gbps But according to your screenshot it looks more like UTM-1 270 specs UTM-1 270 Intel Celeron M 600 MHz 1 GB DDR2 RAM 400 MHz 160 GB ATA HDD Firewall Throughput: 1.5 Gbps VPN Throughput: 120 Mbps IPS Troughput: 1.0 Gbps Even if its written in specs that it can do 'Throughput: 1.5 Gbps" I am not sure what does it mean without test specification. The CPU is very low end for gigabit anyway.

Alright - problem resolved.  My ISP uses the cable infrastructure of another local ISP.  The local ISP had some issue going on that was preventing ICMP for some users.  They must have made some changes to fix things up - just had to reset my modem after and all is well.    It's being discussed over at DSLReports as well.

@jimp: Status > System Logs, Settings tab. Enable the extra column or row to show the rule description in the log. That only affects what you see on the Firewall log tab in the GUI. Hi jimp, a little better now, at least it's on logs Thanks!

A reboot is not necessary.

@vijaymaddukuri: Thanks for the update. Could you please guide me where can I find reference Yang models for Pfsense 3.0 Where it makes sense, we follow the IETF standard models.

Thanks guys for your answers. My point here is, i have 33 users in that office I want to distribute the three connections to them. It doesnt matter if the network is down,as long as the connection among them is distributed to these three network. Rather than providing individual pfsense per 10 users, why not use one ordinary desktop having three NIC to manage them? How about virtualbox? having windows 2012 as host and virtualize pfsense in three NICS, is this possible? Please be patient with me and sorry for taking your time. Best regards,

@johnpoz: There are many places to grab lists of ip blocks based upon geo location.  maxmind comes to mind, there is pfblocker package that does the heavy lifting for this sort of thing. What ports do you have open/forwarded now that your worried about hackers from say china or russia?  There really seems to be a basic disconnect. Out of the box there are ZERO inbound ports allowed to pfsense or your network from the internet/wan.  Only stuff you request would be allowed.  So are you saying you don't want your devices going to places hosted in china.. Or do you have say http forwarded to some webserver behind pfsense, and you only want IPs from the US to access it? So out of the box ALL geo locations are blocked to pfsense - there is no reason to do a specific block unless you don't want these specific locations to access stuff you have opened up, while allowing other to access them. I'm not sure why I never received notification about replies to my post, so I'm just now seeing these. Pouring over more documentation and internet searches I believe you are right that there's probably not much need for me to do this since all inbound ports are blocked by default. I thought maybe it would be a good safety measure to block regions known to be hostile. But after some additional thought I realized it was probably pointless anyway. Any hacker worth his salt isn't going to originate anything from their home country anyway. Thanks for the input everyone.

What's you're system activity? Interrupt and total. My quad core i5 easily hits 2Gb/s around 12% load and 1.4Mpps around 20% load, with traffic shaping.

There is no HSTS forced anywhere in the (completely unsupported) pfSense 2.2.2. For help with Apache configuration, you need to go to another forum. And once the client has hit the webserver, no amount of messing with the headers server-side will undo it, it will be cached and forced by the browser for the original max-age period.

Bump and an update: I don't have problems over VPN, just over LAN SSH also gets disconnected Any pointers are appreciated.

It has a single core CPU.

What exactly are you wanting to prevent access to - the firewall on what port?  And from what interface the dmz?  Where is this user that is going to change his IP?  And you do understand that its just as easy to change mac address. You can setup static arp on pfsense - so specific IP can only be talked to on a specific mac address.