• 0 Votes
    2 Posts
    615 Views
    J
    Update - after all clients disconnect, I can then access the Web admin UI page. But when any IPSec client is connected, it will continue to hang, if I have previously tried viewing IPSec status page.
  • Smart TV - Mobile connection

    24
    0 Votes
    24 Posts
    5k Views
    K
    Well, I did a lot of tests and I can't find the problem. Definitely, it is not a problem of pfsense. As divsys said, I'm going to use another AP to see what happens. I did these tests: no VLANs; no security in TPLINK; DHCP in tplink or DHCP in pfsense; review of logs… TPLINK allows these operation modes: (1) Access Point (2) Multi-SSID (3) Client (4) WDS Repeater (5) Universal Repeater (6) Bridge with AP. I tried with 1 and 2. Should I try with another one? Thank you all for your help, I learnt a lot. Regards.
  • PFSense + Statically Routed IPs

    2
    0 Votes
    2 Posts
    729 Views
    Derelict
    If you are talking about a subnet routed to one of the addresses on your /28 you will be fine. You can:
    - Just use the addresses on pfSense WAN as virtual IP addresses.
    - Assign the routed subnet to an interface behind your WAN and put hosts on that subnet with public IP addresses. This is probably preferred especially since you can use the other addresses on the /28 as VIPs if you need them. You would get the benefit of pfSense as a firewall to all the hosts and you would have no NAT.
    But, as always, it really depends on what it is you need to accomplish.
  • Utilize GPU computational power for VPN connections

    4
    0 Votes
    4 Posts
    3k Views
    ?
    More CPUs have integrated GPUs, so I'm just wondering if it would be feasible to do in pfsense.
    Why should they write code for something that has been available for a really long time, from the lowest bottom to the highest top? There are cards that can be easily used for this with much more power like the internal GPU of a CPU.
    - Home and SOHO till Pro and Enterprise: Intel Atom SoCs, Xeon E3 and E5 CPUs with integrated AES-NI instruction set (free of charge)
    - SOHO: Soekris vpn1411 for older systems with 100 MBit/s ports (fully supported) ~$72
    - Pro and Enterprise: Netgate Intel QuickAssist adapter without additional LAN ports ~$1100
    - Pro and Enterprise: Netgate QuickAssist adapter with 4 additional LAN ports ~n/a (call)
    - ISPs and bigger companies: Intel QuickAssist adapters
  • WAN connection droping

    12
    0 Votes
    12 Posts
    2k Views
    A
    Tested my firewall thoroughly in the office. Working without any problem. Changed the modem at the client place. Looks like ISP have provided buggy modem (Dlink  DSL- 252OU) for a 8 MBPS connection. Going to shift firewall unit after 2 days. I guess things would start working fine. A special thanks to jonathanbaird for all the effort. Regards, Ashima.
  • 4860 and a 300MB Cable Service

    6
    0 Votes
    6 Posts
    1k Views
    T
    Oh sure, I don't expect 300mb over 802.11ac but I did expect more than 10mb. With squid3 v0.4.7 disabled I can get 70mb/s over 802.11n and 20mb upload; with it back on it's 15mb/s and 8mb/s. Proxy is set to transparent. Clamav is on. I haven't modified much else at this point. I haven't found anything to indicate any settings yet I can tweak but still looking.
  • How to compile the kernel just like how pfsense has it?

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • NIC (for OPT1) was removed…will the config settings still be available?

    5
    0 Votes
    5 Posts
    1k Views
    P
    Okay thanks….I'll try (what you suggested) tomorrow morning - since I don't want to end-up spending hours right now, fiddling around whilst the WiFi is down, and the family members getting all boisterous with me. Will shout out if things go awry tomorrow.
  • Configuration management & backup tools?

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Capture and redirect all connecting devices on a purely local network

    1
    0 Votes
    1 Posts
    430 Views
    No one has replied
  • Vlan confusion , badly need help.

    6
    0 Votes
    6 Posts
    2k Views
    S
    I got everything working guys, thanks for the help. I was badly overcomplicating the tp link's simple untag access port, tag "trunk" port I guess you could say. Untagging the right access ports, and tagging port 1 of my switch in each vlan got it all working with the right PVID settings. Thanks.
  • Ntpd.conf issue

    3
    0 Votes
    3 Posts
    789 Views
    C
    You can't manually edit any conf file. What are you trying to change?
  • Do I need to install/setup a mail utility for pfSense?

    1
    0 Votes
    1 Posts
    672 Views
    No one has replied
  • Trying to understand the community images vs the non-community images

    6
    0 Votes
    6 Posts
    2k Views
    jimp
    @HowardSten98239:
    > (https://www.reddit.com/r/PFSENSE/comments/2ro9vm/pfsense_hardware_vs_netgate/cnhs9xx): … has some additional tuning to make the result more performant. These differences are not in the "community" image that we release.
    > Are there any metrics supporting this? I'm trying to figure out what kind of performance boost there is buying the official version vs the netgate one. It would be nice to know exactly what tuning is done to make pfSense more "performant".
    We don't have any stated metrics but there is more to just the hardware-specific tuning. Sure, if you dig and find the settings, similar settings can be replicated, but having it properly tuned for the hardware without having to tinker is a huge gain for many people. There are also some features in the factory release for SG units that are not found in the "community" images. There is an AWS VPC VPN wizard, an IPsec IKEv2 profile exporter for iOS/OS X, and more things we are adding as we go.
    @HowardSten98239:
    > Also, what happens once the support contract expires if we bought the SG-4860? Do we have to start using the community images?
    Currently the factory firmware updates work indefinitely. I'm not sure if/how that might be changing in the future but at least for the time being that isn't a concern. The install media may not be available if you have an expired account, but you can still update from an older installation. That may vary depending on where you're from as well since things like EU regulations for hardware/software support may apply. Drop a note to sales@pfsense.org if you'd like more info. At the moment, you can use the community firmware on any of our hardware, it's just not an optimal experience to do so.
  • VLAN and unmanaged switch

    2
    0 Votes
    2 Posts
    917 Views
    awebster
    Sorry, you must have a managed switch to use VLANs. Some unmanaged switches will strip off the VLAN tags, others might pass them through, and yet others will not pass the VLAN traffic… it depends. You can get some entry level web managed switches from D-Link, Netgear and others that will do what you need.
  • Pre-Installation Planning (Please check my starter work)

    4
    0 Votes
    4 Posts
    842 Views
    I
    I guess that would make a little more sense plugging in the downstairs switch into the upstairs switch (by the cable modem) instead of directly to the pfSense box. Thank you for the input there - I didn't even consider it. As for the wired DHCP I don't really mind that as it's just a home network - if someone plugs into it, then they may as well get data that way vs just stealing my stuff. All in all thank you both for the input!
  • DMZ - Can I RDP to it from the LAN

    19
    0 Votes
    19 Posts
    4k Views
    R
    Just to say thanks for everyone's input and help, especially John and Jon.
  • WAN IN traffic not showing in LAN Traffic

    3
    0 Votes
    3 Posts
    713 Views
    A
    updated
    #All File
    refresh_pattern -i \.(3gp|7z|ace|asx|avi|bin|cab|dat|deb|divx|dvr-ms) 10800 80% 10800 ignore-no-cache ignore-private override-expire override-lastmod reload-into-ims;
    range_offset_limit -1;
    refresh_pattern -i \.(rar|jar|gz|tgz|bz2|iso|m1v|m2(v|p)|mo(d|v)) 10800 80% 10800 ignore-no-cache ignore-private override-expire override-lastmod reload-into-ims;
    range_offset_limit -1;
    refresh_pattern -i \.(jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js) 10800 80% 10800 ignore-no-cache ignore-private override-expire override-lastmod reload-into-ims;
    range_offset_limit -1;
    refresh_pattern -i \.(mp(e?g|a|e|1|2|3|4)|mk(a|v)|ms(i|u|p)|og(x|v|a|g)|rar|rm|r(a|p)m|snd|vob|wav) 10800 80% 10800 ignore-no-cache ignore-private override-expire override-lastmod reload-into-ims;
    range_offset_limit -1;
    refresh_pattern -i \.(pp(s|t)|wax|wm(a|v)|wmx|wpl|zip|cb(r|z|t)) 10800 80% 10800 ignore-no-cache ignore-private override-expire override-lastmod reload-into-ims
    # Updates
    refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 10800 80% 10800 ignore-no-cache ignore-reload reload-into-ims;
    range_offset_limit -1;
    refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 10800 80% 10800 ignore-no-cache ignore-reload reload-into-ims;
    range_offset_limit -1;
    refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 10800 80% 10800 ignore-no-cache ignore-reload reload-into-ims;
    range_offset_limit -1;
    # AV updates
    # refresh_pattern avast/.*\.(bin|vpx) 10800 80% 10800 ignore-no-cache ignore-reload reload-into-ims;
    range_offset_limit -1;
    range_offset_limit 0;
    quick_abort_pct 70;
  • Daily In/Out traffic

    2
    0 Votes
    2 Posts
    754 Views
    R
    Update: Something like this (as an example): Total (GB) 631.962; Total upload (GB) 75.233; Total download (GB) 556.729
  • Damn RDP to VPN client does not work, Need help!

    11
    0 Votes
    11 Posts
    3k Views
    I
    Well Johnpoz, I already said I was a bit scared about that Teamviewer stuff. Well, it turned out I was right, it is scary. :o I opened the window and the first thing I see is some weird userlogin ???, like you would login on facebook, too flashy to my thoughts, especially the ads. It looked like a goddamn free antivirus to me. I don't want that despite its superior performance. Not on my tiny industrial-home network, I'm sorry. You said there wasn't a solution for my problem other than using that junk described above or some other commercial RDP software. I am a stubborn man and I couldn't believe that there was no proper way to connect to that Windows 7 machine even though I was aware that there might not be any solution other than to upgrade to a higher version. Well, I am a genuine windows client-server user, but this hack had to be done for the sake of this matter. At first I thought it was a piece of spy/malware but apparently it turned out to be quite genuine in some way. I installed the concurrent RDP patch, and RDP works now. Its quality is what I expected it to be as I have used microsoft RDP on xp in the past. I feel there is nothing compared to that quality. Today I tried to log on my Win7 Home Premium but I couldn't. The reason was expected because I was updating and it must have changed the particular file. I have restored a backup and turned off updates. The machine has SP1 but lacks other updates. It is better to stick with that. I don't want to lose my future connections because of that. Besides we are using pfsense right? Well actually I don't know what I am talking about, I have set up SNORT, I think you have to know some rocket science to be able to get that to work and really interpret what is going on. Frankly that is way above my head. Greetings
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.