• Routing WAN to LAN for lab environment

    0 Votes
    2 Posts
    6k Views
    johnpoz
    Out of box pfsense nats.  So for you to access something behind pfsense you would have to port forward the ports you want and where you want to send it on your lan 192.168.2/24 network. You would then access pfsense wan IP on that port, pfsense would forward that traffic to your VMs behind pfsense on their 192.168.2 IP. Your other option would be to turn off nat on pfsense.  Now you're just firewalling/routing - so you would just create firewall rules to allow the traffic you want from your local network into your lan behind pfsense, and same thing for traffic from your lab into your lan. Hope you understand that in your setup your lab out of the box would have full access into your local network, unless you modified the lan rules on pfsense? If you disable nat on pfsense, keep in mind that your actual router/gateway for your local network that gives you access to the internet would have to allow for and nat your lab network (192.168.2/24).  You also run into an asymmetrical routing issue that way.  So prob better off to just keep natting and use port forwards into your lab.  But if you don't want your lab having access to your local you're going to have to adjust the lan rules in pfsense. The best solution would be to just replace your actual router with pfsense so now both your networks are behind pfsense on different segments and you just firewall between them to limit access.  This can be done with pfsense on VM.  It is much easier if the vm host pfsense will be put on is dedicated vs your workstation.  But can be done both ways.
  • Chrome - can't save settings "Please match the requested format"

    0 Votes
    7 Posts
    2k Views
    R
    @johnpoz: huh?  if firefox is your browser of choice why would you not use that to admin pfsense?? Well, as you asked…. I run daily with several dozen firefox tabs for my regular "work". I also have lots of other applications open. It was useful to have the pfsense dashboard and logs in a totally different browser so that I could quickly locate it on the taskbar. Actually I am still using it for this, but given the above I am doing changes to config in firefox.
  • Limit bandwidth Usage in a Vlan

    0 Votes
    1 Posts
    625 Views
    No one has replied
  • Configuring OPT3

    0 Votes
    17 Posts
    3k Views
    M
    @johnpoz: Dude, I brought that up much earlier in the thread.. ;) "If he can not ping, then either clients are blocking it / not answering, he has a mask issue on this network between clients and pfsense, or he has some sort of connectivity issue be it at layer 1 or 2." Glad you got it sorted.. I admit I am kinda overwhelmed with other stuff here, wearing too many hats ;) Thanks so much for helping out.
  • VLAN Trunk Link and Performance

    0 Votes
    30 Posts
    7k Views
    johnpoz
    While your device might default to all trunk..  I am at a loss as to why; this is a bad choice on their part if you ask me.  There is no reason for those ports to be in trunk unless they are going to carry more than 1 vlan. "Understanding Access and Trunk Interfaces: Ethernet interfaces can be configured either as access ports or trunk ports, as follows: An access port can have only one VLAN configured on the interface; it can carry traffic for only one VLAN. A trunk port can have two or more VLANs configured on the interface; it can carry traffic for several VLANs simultaneously." From cisco page http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/AccessTrunk.html What I would do with your default setup is change all the ports to ACCESS.. Unless you're going to have other switches connected to it, an AP with vlans, or a router with vlans on a physical interface, ports should be in access mode.  Trunk ports are, for one, going to take longer to come up.  There is zero point to leaving your ports in trunk unless they need to carry tagged traffic. It's possible the ports default to auto mode and try to determine what they should be; if they have an issue figuring that out they might default to trunk mode.  I would have to dig deeper into why your ports are all trunk after a factory reset. https://supportforums.cisco.com/discussion/12476171/switch-port-modes Let's be clear: your ports should ALL be access, unless you're going to link to another switch or AP or to a port on a router that will have multiple vlans on it. We could also debate the use of the default vlan 1.  In an enterprise/security setup this is normally a big no no.  You would set a different vlan other than 1 to use for management, and all ports would be moved to a holding vlan other than 1 until they need to be placed in the vlan they will be used for.
    This is to keep mistakes from happening since switches all come up with default vlan 1, so if you do not turn off all your ports they would all be in the default vlan - so in this scenario it would be possible that someone might connect and be on a network you don't want them in and be able to access resources, your management of your infrastructure, etc.. In a HOME setup to me this just adds complexity for no reason.  I don't see a problem with just leaving your main lan and even management of your devices all in your default lan, which would be vlan 1.  But just be warned that from a pure security standpoint it's bad practice to do that.  You might get suggestions to change your management vlan, and don't use vlan 1.  This way if you forget to configure a port or something, worst case someone connects and they are connected to nothing else, etc. Good security practice is also to disable all ports that are not in use..  Ie admin down them until such time as they are needed.  But we are talking a HOME network..  Which just adds more work when you want to plug something in ;)  Which is prob not something you want to do.  I would suggest you put all your ports into the vlan you're going to use most often when you plug in a new device.  This will most likely be your lan and it's ok to leave that as just default vlan 1.  Unless you're worried about people coming into your home and plugging stuff in and being on your lan? ;)
  • Inter-VLAN AND Gigabit Speed?

    0 Votes
    5 Posts
    2k Views
    johnpoz
    What are the nics?  What is the pfsense cpu doing when you start a large transfer..  Does it peg?
  • Https block in chrome browser

    0 Votes
    4 Posts
    1k Views
    johnpoz
    Are you using transparent proxy or explicit? Maybe those browsers are not pointing to the proxy?  Are you set for timed filtering? If so, maybe there was a state already open.
  • Firewall Rules "Please Match Requested Format" in IP fields in Chrome

    0 Votes
    19 Posts
    6k Views
    Derelict
    Put it in the from port field, not the to field. By design.
  • Upboards

    0 Votes
    13 Posts
    3k Views
    randomaustralian
    @johnpoz: "server is to old to run a more recent version." How old is it..  Get a new one if it's that freaking old ;) It's an ibm 88642tm… feel free to donate to the "i need a new server" cause
  • Typical performance for mid-range desktop grade

    0 Votes
    1 Posts
    690 Views
    No one has replied
  • Unable to send notifications

    0 Votes
    4 Posts
    1k Views
    N
    @robi: ??? It didn't need that before… Can't even get it, since the mail server is managed by a third party... Any other tips? Um, yes, you've always needed it.  And it's been there. But just because it's been there in the past doesn't mean it's there now. Get the cert being sent by the email server and look at its trust chain.  If none of its trust chain certs are in "/usr/local/share/certs/ca-root-nss.crt" then it won't work.  From time to time certs get removed/added.  It is possible the cert needed for your email server has been removed. Here is some additional info on the subject: SSL/TLS Option Breaks My SMTP Notifications https://forum.pfsense.org/index.php?topic=115884.0
  • Software to monitor if pfsense and switches are alive

    0 Votes
    3 Posts
    797 Views
    johnpoz
    There are a bajillion options here; prtg and observium are 2 off the top of my head other than the 2 already mentioned.  If you just want up/down, why do you need snmp? Can you not just ping them with, say, smokeping?
  • Allow only mail traffic to mail.gmail.com and mail.yahoo.com

    0 Votes
    3 Posts
    1k Views
    O
    shall we say webmail?
  • DNS Rule issues

    0 Votes
    3 Posts
    923 Views
    johnpoz
    ^ yeah, your source on your nat and firewall rule would be ANY, your dest would be your wan address on a forward.  If you try and lock down the source then that traffic would have to be coming from that IP.  I don't know how you would know what that is if you're serving up dns to the public from this. As mentioned, post your rules and nats, and we can see what you're doing wrong.
  • 502+504 nginx + openvpn problem

    0 Votes
    1 Posts
    668 Views
    No one has replied
  • Frequent crash of pfSense 2.3.2 in last couple of weeks

    0 Votes
    2 Posts
    909 Views
    C
    Forgot to say: server is a "Dell PowerEdge 750" with "em*" network cards (advertised as "Dual embedded Intel Gigabit NIC, Intel PRO/100S; Intel PRO/1000 MT; Intel PRO/ 1000MT Dual Port" in the PDF specs).
  • PFSENSE ALLOW ACCESS TO PROXY

    0 Votes
    3 Posts
    711 Views
    ?
    Ok, but how do I define that this time is for the off-time? I think if I create one for monday from 9 am to 1 pm and another for monday but from 2 pm to 7 pm. Will this work?
  • Access by no-ip

    0 Votes
    5 Posts
    814 Views
    ?
    ok, but sorry, my firewall is down temporarily, but I remember that in firewall – aliases, in this it is by ip, port and url; you use url and write the no-ip address and call it for example "external". Then in firewall -- rules, in tab WAN, create a rule, for example access to the pfsense web dashboard, but in source you select "host or aliases" and select the alias created in aliases called "external", and in destination select WAN address, port https. This is all. I'm waiting for your comments.
  • STARTTLS Require TLS?

    0 Votes
    3 Posts
    1k Views
    N
    Thanks Jim, that corresponds with what I see in actual tests too.
    /etc/postfix-msa/master.cf: smtpd_tls_security_level=none
    pfSense E-Mail Notifications:
    Port: 587, Enable STARTTLS: No, SMTP testing e-mail successfully sent
    Port: 587, Enable STARTTLS: Yes, Could not send the message to xxxxx@xxxxx.com – Error: server does not support starting TLS
    /etc/postfix-msa/master.cf: smtpd_tls_security_level=may
    pfSense E-Mail Notifications:
    Port: 587, Enable STARTTLS: No, SMTP testing e-mail successfully sent
    Port: 587, Enable STARTTLS: Yes, SMTP testing e-mail successfully sent
    /etc/postfix-msa/master.cf: smtpd_tls_security_level=encrypt
    pfSense E-Mail Notifications:
    Port: 587, Enable STARTTLS: No, Could not send the message to xxxxx@xxxxx.com -- Error: server does not require authentication, it probably requires starting TLS
    Port: 587, Enable STARTTLS: Yes, SMTP testing e-mail successfully sent
    This would seem to indicate that pfSense version 2.3.2 requires TLS, rather than falling back to plain text mode, when the E-Mail Notification option to "Enable STARTTLS" is selected.
  • SSD Trim Support on PCEngine APU2

    0 Votes
    2 Posts
    679 Views
    S
    Found my answer: https://forum.pfsense.org/index.php?topic=97554.0 Looks like I need to reboot it off a USB disk to enable it though.  Will try that tonight.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.