• Vlan and routing

    Hi - just to update you, I have now managed to get this all working :) Thanks for all your help.
  • Why does PFsense work automatically

    @edfcmc: When I switch from my pfsense router to… Just don't do that.  :P
  • Packet Capture - Timings and 802.1p

  • Server in DMZ: security concerns

    @SisterOfMercy: @Inperpetuammemoriam: Hey guys, Therefore, the virtual machines running all the services should be the only ones making use of the DMZ sided port in order to offer their services to the outside world.
    Do you mean you are only exposing non-management services on the DMZ, such as a web server, and the SSH ports are only open to the LAN?
    Yes, that would (have) be(en) the idea.

    @BlueKobold: Connect to the pfSense a DMZ and a LAN Switch. Place the entire server connected to the web in a real DMZ.
    Ok, so the better way would be to completely isolate the Server within the DMZ from the LAN.

    @BlueKobold: Let the DMZ servers only connect to the Internet through Squid onto the pfSense
    I never used squid before but from what I read about it (squid-cache.org), the main feature is a performance gain rather than a security gain. Did I miss something?

    @BlueKobold: Connect the servers through the IPMI port or over KVM switches placed in VLAN1 (default)
    I'm not using the IPMI port. It could have been useful to be able to remotely manage the server even before the OS has booted, but from what I read about it I think there comes a much bigger security loss than a gain in usability with it. The risk of someone implanting low level spy/malware (which is really hard to detect) outweighs the benefits by far.

    @BlueKobold: Set up a DMZ and LAN radius server that only you will be able to secure connect to the servers
    I also never used a radius server before, but wouldn't this be like taking a sledgehammer to crack a nut? From what I read, I assume there comes a big configurational and computational overhead with it but little to no gain in protection from the WAN side. Wouldn't it be better to just be very restrictive in the firewall configuration concerning traffic intended for the DMZ? (e.g. allowing the SSH access only from the LAN side and restricting WAN access to the few required ports)

    @BlueKobold: Set up snort sensors and servers to gain more security inside of your network
    Snort is already running. ;-) However, even with a not so conservative configuration I had to suppress a few alerts, otherwise the internet experience would have been drastically reduced. Is this normal?
  • MOVED: SquidGuard increases latency and reduces bandwidth

  • Port 587 not working for SMTP Notifications?

    465 is a port Microsoft used for SMTP listening over SSL. In that case, SSL happens before any communications take place, i.e. before the SMTP 220 banner is sent by the server, just like https. It is a non-standard port but a de facto standard because the world marches to Microsoft's drum - more so in the past. STARTTLS is negotiated after the initial connection and an EHLO.

    telnet smtp.gmail.com 587
    Trying 74.125.20.109…
    Connected to gmail-smtp-msa.l.google.com.
    Escape character is '^]'.
    220 smtp.gmail.com ESMTP sjdhsdjskksjbder4jnf - gsmtp
    ehlo example.org
    250-smtp.gmail.com at your service, [X.Y.Z.A]
    250-SIZE 35882577
    250-8BITMIME
    250-STARTTLS
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-CHUNKING
    250 SMTPUTF8

    Note that there are no authentication options presented yet. This is because gmail requires SSL/STARTTLS prior to authentication. Your mail client would see the STARTTLS capability advertised by the server, start the STARTTLS process and would be presented with a new set of options similar to this:

    openssl s_client -connect smtp.gmail.com:587 -starttls smtp
    250 SMTPUTF8
    EHLO example.com
    250-smtp.gmail.com at your service, [X.Y.Z.A]
    250-SIZE 35882577
    250-8BITMIME
    250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN XOAUTH
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-CHUNKING
    250 SMTPUTF8

    Client would then authenticate and submit its message. Messages must be rejected prior to authentication on smtp-submit 587. A connection to 465 doesn't require starttls, but if SSL/TLS isn't automatically negotiated, the connection will fail:

    openssl s_client -connect smtp.gmail.com:465
    220 smtp.gmail.com ESMTP ssdfssdfsdfsfsf6 - gsmtp
    ehlo example.com
    250-smtp.gmail.com at your service, [X.Y.Z.A]
    250-SIZE 35882577
    250-8BITMIME
    250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN XOAUTH
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-CHUNKING
    250 SMTPUTF8

    POP3 and IMAP listen SSL on 995 and 993 respectively and might also support STARTTLS on the normal (plaintext) 110 and 143 ports.
  • Extremely weird problem at boot

    @cmb: That sounds like this: https://doc.pfsense.org/index.php/Upgrade_Guide#Console_Problem_Workaround though that shouldn't have just started out of nowhere, it would have happened on the first reboot post-upgrade to 2.2.2 for systems that were affected. The workaround there will get it to boot quickly. Then if you upgrade to 2.2.3, that won't happen again. Sorry for the late reply.
    Dude, you're a life saver. Thank you so much. I did exactly that: To work around the issue, restart the system and activate option 3 at the pfSense logo boot menu for the Loader Prompt. At the loader prompt, enter:

    unset boot_serial
    boot

    Then I updated to 2.2.3. Then rebooted normally. And everything's good! Thanks again!

    @muswellhillbilly: PS: I had something similar happen to me a while back. If all else fails, you ought to be able to boot into single-user mode (shows in your YouTube clip), navigate to the /conf folder and pick up the config file by copying it to a USB stick.
    I did try the single-user mode and the same problem was occurring before the fix above.

    @muswellhillbilly: @BlazeStar: And of course I don't have a recent backup of my config :'(
    When you do get your system back up, you can do the following (this is one of many ways to do pretty much the same thing):
    1. Log onto your pfSense system on the command line. Write a shell script thusly and save it in your /root folder. Call it something like 'backup.sh':

    #!/bin/sh
    cd /conf
    cat <<END | ftp 'ftp://username:password@myftp.site.com/'
    put ./config.xml
    END

    Obviously, substitute 'username', 'password' and 'myftp.site.com' for your corresponding site and credentials.
    2. Create a cron job: 00 5 * * 1-5 /root/backup.sh. This will upload your system's config file at 5am every working day.
    Thank you, that's very wise, I'll be creating that cron job for sure!
  • Understanding pfSense in pictures

  • 1 switch, 2 pfsense boxes is this possible?

    @daggero: I'm configuring an existing, hand me down, running 24/7, network with me having little knowledge of networking…
    This always confuses the hell out of me... Why are you doing it - if you don't understand what you're doing? So you're the one guy in the office that has a wifi router at home, so you're the IT guy?
    Precisely. I'm an IT support staff. I only repair computers and laptops, install software… We used to be a 2 man team: a network administrator (AWOL) and IT support staff (me). Since I have basic to no knowledge in Linux, BSD, and networking, I became both. I know I don't need to master everything, just how things work and where to look if needed.

    @johnpoz: You keep mentioning wifi routers.. You're going to be using them as APs, right.. Any soho wifi router can be used as just an AP, does not matter what cheap ass home model you think you can run a business with ;) Turn off their dhcp, connect them to your network via a lan port, change their lan IP to be on the network you connect them to. There you go, $20 AP..
    Noted.

    @johnpoz: I would really look to getting at min some smart switches.. They can be had very cheap.. You don't need a cisco nexus 7k ;) You can for sure find smart switches under $100 usd.. What part of the world are you in?
    I'm from the Philippines… unfortunately. As for the purchases, the company is on a really tight budget. And I already raised the issue even to the operations manager. All he said was: "If the old device is still working, I don't see why we have to get a new one? The internet is working. The problem is that it's just too slow. When the IT admin was here it was working great. Maybe the problem is on your side, check your configuration, maybe you clicked on something you shouldn't have." I was just wow... I want to just... smash the APs with a sledge hammer and leave. But I want to fix things first before that, I might learn something while I'm doing it. hahaha after that I'm leaving this hell hole
  •
    kernel: re4: discard frame w/o leading ethernet header (len 4294967292 pkt len 4294967292)
    4GB Ethernet packet. Increased the bar for "jumbo" frames.
  •
    For the future. Rule of thumb, never get anything with RealTek hardware, even if officially supported. Same for Broadcom. I do purchase devices with my blacklisted NICs only if I have an acceptable path to install a NIC of my choosing. Got a motherboard for my desktop with a RealTek, installed an Intel i210. My firewall came with a RealTek, installed an Intel i350.
  • Single NIC?!

    There are routing complications, as that system isn't going to be the default gateway in such a config. Need a static route on whatever is the default gateway to send the IPsec network over to that system's WAN IP.
  • MOVED: IPsec connection to Cisco router

  • MOVED: Dual Wan traffic

  • Cannot connect to SMTP host for notifications

    @weust: I will give these a go later today or tonight. Thanks for the links. I will report back here on the results for both SMTP servers. Did you get this working?
  • MOVED: Plain password issue on Freeradius ?

  • Has the Radius issue been resolve? Can't find a fix

    Thank you jimp for the info.
  •
    I have the opposite issue with my ISP. If I get my IP to change by changing my MAC, I will still receive traffic for my old IP including the old MAC until the DHCP lease ends, which is like a week.
  • Issue with pfsense and juniper

    Tried that. Changed the MTU on the wan interface (as well, didn't take immediately in the gui either, had to force it from the shell). Frustrated that the (older) sonicwall works fine in a similar setup but pfsense fails. This leads me to believe (hope?) that a setting needs to be changed. Still looking for suggestions! Thanks all.
  • Ssh access by using certificates

    short and crisp … and it works. - Thanks!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.