• MOVED: transmit traffic OpenVPN from 2 load balance WAN

    Locked
    1
    0 Votes
    1 Posts
    400 Views
    No one has replied
  • MOVED: Squid 3 eating my bandwidth

    Locked
    1
    0 Votes
    1 Posts
    375 Views
    No one has replied
• Temperature config none/ACPI

    3
    0 Votes
    3 Posts
    884 Views
    K
OK, I'll check it, thanks.  :)
• Unable to get VLAN working with LAGG in pfSense 2.2.2

    7
    0 Votes
    7 Posts
    4k Views
    ?
@tux_dude Did you solve it now? Did you bring up the LAGs and the VLANs so they work smoothly?
  • Blocking

    2
    0 Votes
    2 Posts
    453 Views
    KOMK
    Status - System Logs - Firewall.  Or install the Firewall Logs widget on the dashboard.
  • Brand new pfsense 2.2.3 install not logging

    2
    0 Votes
    2 Posts
    651 Views
    S
Hmmm.  I had to manually create the SSH keys for this host yesterday.  Today, after a reboot, the SSH keys are gone again.  It's almost like this thinks it is running a live CD, but it isn't?  Also, the thing hangs for about 12 minutes during boot at "synchronizing user settings…"; no idea what is going on there.
  • Odd behaviour

    3
    0 Votes
    3 Posts
    936 Views
    F
@Sensi: My pfSense 2.0.1 (multi-user) is acting strangely!! Anybody got any ideas? There's an idea. Any chance you can try this on the current version?
  • WAN is up, but gateway is down

    16
    0 Votes
    16 Posts
    9k Views
    X
iorx, if you're using Intel e1000 physical NICs, try the solution I implemented (thanks to cmb) last Friday: https://forum.pfsense.org/index.php?topic=96325.0 Until now (5 days and counting) it's going well, so I'm hopeful.
  • How can I find pfctl source code of pfsense?

    5
    0 Votes
    5 Posts
    1k Views
    T
@phil.davis: You have to follow the instructions and complete the legal stuff. A few weeks ago the repo became a private one on GitHub rather than where it was before on some other machine hosted at some other pfSense name. I know the existing people signed up to the previous tools repo address all got access to the repo in the new place. I am not sure how that all links together automatically now for new sign-ups. After signing up, I would look first in the GitHub pfSense section and see if the pfSense-tools repo appears for you.

    Thanks phil.davis, I can access pfsense-tools now. But it's very straight for me. I think I must install FreeBSD 10.1 (for pfSense 2.x) and download pfsense-tools from the git repo. After that, I patch all files in pfsense-tools into FreeBSD. Is it correct? Do you have any instructions to build a pfSense development environment?
  • Routing issue

    6
    0 Votes
    6 Posts
    1k Views
    H
Also imagine someone is using the wifi network for some evil torrenting;  oO On your pfSense machine your traffic graph will show the WAP_ip instead of the offenders_ip as the source/destination of lots of traffic  (since you NAT everything on the WAP).
  • Blocking Traffic

    7
    0 Votes
    7 Posts
    1k Views
    johnpozJ
So you have an any-any rule on WAN?  Yeah, that is not good… "Wan => (Wan Rule: Pass Any Any) PFsense => Server" If this is what you want, "I want to record who pings my server", why don't you just set up a WAN block-ping rule with logging?  Why would you want to send it all the way to the server, just to block the server's reply?
  • State Table

    5
    0 Votes
    5 Posts
    1k Views
    johnpozJ
The state table lists the states the firewall has allowed.. It's a stateful firewall!! If you're having issues controlling traffic, then post up your rules and explain what you're wanting to accomplish.
  • VLAN question.

    5
    0 Votes
    5 Posts
    1k Views
    A
All 3 are Layer 2. I knew that; what I didn't know is the Lx meaning. I am learning on the go, I don't want to be rude, but in any case my boss should be the one asking that.
  • 0 Votes
    50 Posts
    12k Views
    D
    Dunno, but "scrub rule then PF will re-package the data using an MTU of 1460 by default, thus overriding this mssdflt setting" would strongly suggest that messing with that sysctl is a total waste of time.
  • Vlan and routing

    20
    0 Votes
    20 Posts
    5k Views
    I
    Hi - just to update you, I have now managed to get this all working :) Thanks for all your help.
  • Why does PFsense work automatically

    9
    0 Votes
    9 Posts
    2k Views
    jahonixJ
    @edfcmc: When I switch from my pfsense router to… Just don't do that.  :P
  • Packet Capture - Timings and 802.1p

    1
    0 Votes
    1 Posts
    631 Views
    No one has replied
  • Server in DMZ: security concerns

    4
    0 Votes
    4 Posts
    2k Views
    I
@SisterOfMercy: @Inperpetuammemoriam: Hey guys, therefore the virtual machines running all the services should be the only ones making use of the DMZ-sided port in order to offer their services to the outside world. Do you mean you are only exposing non-management services on the DMZ, such as a web server, and the SSH ports are only open to the LAN?

    Yes, that would (have) be(en) the idea.

    @BlueKobold: Connect to the pfSense a DMZ and a LAN switch. Place the entire server connected to the web in a real DMZ.

    OK, so the better way would be to completely isolate the server within the DMZ from the LAN.

    @BlueKobold: Let the DMZ servers only connect to the Internet through Squid on the pfSense.

    I never used Squid before but from what I read about it (squid-cache.org), the main feature is a performance gain rather than a security gain. Did I miss something?

    @BlueKobold: Connect the servers through the IPMI port or over KVM switches placed in VLAN1 (default).

    I'm not using the IPMI port. It could have been useful to be able to remotely manage the server even before the OS has booted, but from what I read about it I think there comes a much bigger security loss than a gain in usability with it. The risk of someone implanting low-level spy/malware (which is really hard to detect) outweighs the benefits by far.

    @BlueKobold: Set up a DMZ and LAN RADIUS server that only you will be able to securely connect to the servers with.

    I also never used a RADIUS server before, but wouldn't this be like taking a sledgehammer to crack a nut? From what I read, I assume there comes a big configurational and computational overhead with it but little to no gain in protection from the WAN side. Wouldn't it be better to just be very restrictive in the firewall configuration concerning traffic intended for the DMZ? (e.g. allowing the SSH access only from the LAN side and restricting WAN access to the few required ports)

    @BlueKobold: Set up Snort sensors and servers to gain more security inside of your network.

    Snort is already running. ;-) However, even with a not so conservative configuration I had to suppress a few alerts, otherwise the internet experience would have been drastically reduced. Is this normal?
  • MOVED: SquidGuard increases latency and reduces bandwidth

    Locked
    1
    0 Votes
    1 Posts
    445 Views
    No one has replied
  • Port 587 not working for SMTP Notifications?

    9
    0 Votes
    9 Posts
    5k Views
    DerelictD
465 is a port Microsoft used for SMTP listening over SSL.  In that case, SSL happens before any communications take place, i.e. before the SMTP 220 banner is sent by the server, just like HTTPS.  It is a non-standard port but a de facto standard because the world marches to Microsoft's drum, more so in the past.

    STARTTLS is negotiated after the initial connection and an EHLO.

        telnet smtp.gmail.com 587
        Trying 74.125.20.109…
        Connected to gmail-smtp-msa.l.google.com.
        Escape character is '^]'.
        220 smtp.gmail.com ESMTP sjdhsdjskksjbder4jnf - gsmtp
        ehlo example.org
        250-smtp.gmail.com at your service, [X.Y.Z.A]
        250-SIZE 35882577
        250-8BITMIME
        250-STARTTLS
        250-ENHANCEDSTATUSCODES
        250-PIPELINING
        250-CHUNKING
        250 SMTPUTF8

    Note that there are no authentication options presented yet.  This is because Gmail requires SSL/STARTTLS prior to authentication.  Your mail client would see the STARTTLS capability advertised by the server, start the STARTTLS process and would be presented with a new set of options similar to this:

        openssl s_client -connect smtp.gmail.com:587 -starttls smtp
        250 SMTPUTF8
        EHLO example.com
        250-smtp.gmail.com at your service, [X.Y.Z.A]
        250-SIZE 35882577
        250-8BITMIME
        250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN XOAUTH
        250-ENHANCEDSTATUSCODES
        250-PIPELINING
        250-CHUNKING
        250 SMTPUTF8

    The client would then authenticate and submit its message.  Messages must be rejected prior to authentication on smtp-submit 587.

    A connection to 465 doesn't require STARTTLS, but if SSL/TLS isn't automatically negotiated, the connection will fail:

        openssl s_client -connect smtp.gmail.com:465
        220 smtp.gmail.com ESMTP ssdfssdfsdfsfsf6 - gsmtp
        ehlo example.com
        250-smtp.gmail.com at your service, [X.Y.Z.A]
        250-SIZE 35882577
        250-8BITMIME
        250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN XOAUTH
        250-ENHANCEDSTATUSCODES
        250-PIPELINING
        250-CHUNKING
        250 SMTPUTF8

    POP3 and IMAP listen with SSL on 995 and 993 respectively and might also support STARTTLS on the normal (plaintext) 110 and 143 ports.
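The point of the post above is that on 587 the EHLO capability list changes once STARTTLS has completed (AUTH only appears on the encrypted channel), while on 465 TLS is negotiated before the 220 banner. The script below is an added example and not code from the post, from Derelict, or from pfSense: it parses ESMTP EHLO replies, flags a server that would accept credentials before TLS, maps the two ports to the connection mode the post describes, and includes an optional live probe built on the standard library's smtplib. The sample replies are constructed to mirror the post's Gmail transcripts (with its [X.Y.Z.A] placeholder kept); the "leaky" reply, the host mail.example.test and all function names are illustrative assumptions.

```python
"""Added example (not from the forum post): tell implicit TLS (465) from
STARTTLS (587) and check that a submission server withholds AUTH until
the channel is encrypted, as the Gmail transcripts in the post show."""
import re
import smtplib
import ssl

# Constructed sample EHLO replies modelled on the post's transcripts.
EHLO_BEFORE_STARTTLS = """250-smtp.gmail.com at your service, [X.Y.Z.A]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8"""

EHLO_AFTER_STARTTLS = """250-smtp.gmail.com at your service, [X.Y.Z.A]
250-SIZE 35882577
250-8BITMIME
250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN XOAUTH
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8"""

# Constructed counter-example (hypothetical host): AUTH offered in clear.
EHLO_LEAKY = """250-mail.example.test Hello
250-AUTH PLAIN LOGIN
250-STARTTLS
250 OK"""

# "250-KEYWORD params" for continuation lines, "250 KEYWORD" for the last.
EHLO_LINE = re.compile(r"^250[ -](\S+)(?:\s+(.*))?$")


def parse_ehlo(text):
    """Return {KEYWORD: parameter string} for an ESMTP EHLO reply.
    The first 250 line is the server greeting, not a capability."""
    caps = {}
    for line in text.strip().splitlines()[1:]:
        m = EHLO_LINE.match(line.strip())
        if m:
            caps[m.group(1).upper()] = (m.group(2) or "").strip()
    return caps


def auth_mechanisms(caps):
    """SASL mechanisms advertised, e.g. ['LOGIN', 'PLAIN', ...]."""
    return caps["AUTH"].split() if "AUTH" in caps else []


def connection_mode(port):
    """Connection mode the post describes for each submission port."""
    if port == 465:
        return "implicit_tls"   # TLS handshake precedes the 220 banner
    if port in (25, 587):
        return "starttls"       # plaintext greeting, EHLO, then STARTTLS
    return "unknown"


def classify_server(ehlo_before, ehlo_after=None):
    """Assess an EHLO exchange on a STARTTLS port. A server that lists
    AUTH before STARTTLS would let a client send credentials in clear."""
    pre = parse_ehlo(ehlo_before)
    if "STARTTLS" not in pre:
        return "no-starttls"
    if auth_mechanisms(pre):
        return "auth-before-tls"
    if ehlo_after is not None and auth_mechanisms(parse_ehlo(ehlo_after)):
        return "auth-after-tls-only"
    return "starttls-only"


def probe(host, port, timeout=10):
    """Live probe (needs network; not used by the offline checks).
    Returns (mode, features before STARTTLS, features after)."""
    ctx = ssl.create_default_context()
    mode = connection_mode(port)
    if mode == "implicit_tls":
        with smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx) as s:
            s.ehlo()
            return mode, {}, dict(s.esmtp_features)
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        before = dict(s.esmtp_features)
        if "starttls" not in before:
            return mode, before, {}
        s.starttls(context=ctx)
        s.ehlo()  # capabilities must be re-read after STARTTLS
        return mode, before, dict(s.esmtp_features)


if __name__ == "__main__":
    print(connection_mode(587),
          classify_server(EHLO_BEFORE_STARTTLS, EHLO_AFTER_STARTTLS))
    print(connection_mode(465))
    print(classify_server(EHLO_LEAKY))
```

For a pfSense notification setup this maps to the two working combinations: port 587 with STARTTLS, or port 465 with SSL/TLS from the first byte; picking 587 without STARTTLS leaves you talking plaintext to a server that never offers AUTH, which is why submission appears to "not work".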
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.