• 0 Votes
    8 Posts
    4k Views
    I think it's the way it's written, it's misleading to say the least.
  • Accessing pfSense remotely

    0 Votes
    3 Posts
    832 Views
    See above. (Assumes you have at least a public IP on your LAN. If it's RFC1918 or CGN, tough cookies…)
  • Restrict Youtube

    0 Votes
    3 Posts
    2k Views
    "Wait five minute or a restart of pfSense may require You can test in any browser. All Done !!" I have over a thousand people connected at the minute. I will reboot at a quieter time and report back.
  • Wan Drops and doesn't come back online

    0 Votes
    2 Posts
    580 Views
    Did some more looking around. I've implemented the following. https://forum.pfsense.org/index.php/topic,17243.0.html https://forum.pfsense.org/index.php?topic=51786.0 It looks like it will probably resolve the issue.
  • SG-1000 and Apple Airport Extreme

    0 Votes
    15 Posts
    3k Views
    Problem solved with update.
  • Hardcode Rules?

    0 Votes
    1 Posts
    357 Views
    No one has replied
  • Pfsense as a Gateway for Internet services

    0 Votes
    7 Posts
    1k Views
    If you don't do layer 3 routing on your Cisco, just connect a trunk of tagged VLANs to pfSense, configure the VLANs on the parent physical interface and create one interface for every VLAN. Assign IPs according to your subnets.
  • Questions about what is fastest? more info inside..

    0 Votes
    2 Posts
    514 Views
    johnpoz
    So you're saying you're not seeing gig?  Do you have gig wan?  Unless your wan is gig and you're only seeing like 800 or something I don't see what you're trying to squeeze out here?
  • PPPoE drops when adding another interface to WAN port for IPTV traffic

    0 Votes
    1 Posts
    450 Views
    No one has replied
  • L3 Traffic on LAN via pfSense GW very slow

    0 Votes
    4 Posts
    732 Views
    johnpoz
    You got some sort of asymmetrical issue if you're not seeing the full handshake and then traffic would be my guess. Setting state to sloppy is not something you should have to do. Can you lay out your connectivity - how many vswitches?  How many physical interfaces - what setting do you have on the vswitch that has tagged VLANs?
  • Block Website for Single IP or a Network Range

    0 Votes
    4 Posts
    785 Views
    KOM
    I tried with Group ACL method but not able to block for single IP or network. Then you're doing something wrong.  It does work.  I use it that way myself.  Maybe you have a problem with the order the ACLs are listed in? btw this really should be in the Cache/Proxy forum.
  • No open-vm-tools for 2.3.3?

    0 Votes
    3 Posts
    737 Views
    My fault. They were already installed  :o ;D
  • MOVED: Can't seem to get Squid Cache + ClamAV to work

    Locked
    0 Votes
    1 Posts
    273 Views
    No one has replied
  • 0 Votes
    8 Posts
    2k Views
    The SCP permission works just fine with 2.3.3 and later. Of course if you don't have permissions to the directory or files as that user, you won't be able to download files from there.
  • Reg:- NAT Local Pool

    0 Votes
    2 Posts
    429 Views
    Eh? What client where? LAN => LAN does not go through the firewall.
  • MOVED: RADIUS accounting packets seem to be broken.

    Locked
    0 Votes
    1 Posts
    227 Views
    No one has replied
  • Strange issue - can't ping AP from LAN pc (but can ping client on AP?)

    0 Votes
    14 Posts
    3k Views
    johnpoz
    You should be able to add your whole LAN net to allow remote admin, but why?
  • A MIGHTY thank you for the new Traffic Graph widget!

    0 Votes
    1 Posts
    428 Views
    No one has replied
  • 0 Votes
    4 Posts
    2k Views
    Doing OTP via LDAP/RADIUS isn't really that feasible for what we are looking at. I mean it isn't impossible, but not really something I'd like to pursue. I would encourage you to consider adding this, if feasible, as it is a nice security feature. A full implementation that integrates with AD and does enterprise certificate authentication would be cool, but that aside just something simple like SSH keys could work well. Just have the ability to add a public certificate for a user and then do a CAPI auth for that. Requires manually updating certificates and so on but gives people the ability to do 2-factor without needing an enterprise PKI setup. Just a Yubikey (or anything like it) and you are good. The SSH idea is one I may try. It will work fine, Putty-CAC works great with Yubikeys and will give you an SSH key that works properly and requests the right CAPI certificate. So it would work in that card+pin would be needed to access the system. I'll think about that and how much that gets us over just having Webadmin access restricted to a particular set of systems, which require card+pin anyhow.
  • Best Way to Add numerous IP's to aliases

    0 Votes
    7 Posts
    712 Views
    KOM
    Thanks for the tip.  I just checked the pfSense book and it doesn't go into much detail at all about URL aliases and URL tables aliases. I did misspeak earlier.  You should be using an URL alias, not URL Table.  URL Table is for when the list needs to be updated on a schedule.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.