OK Here's what's happening: I created a FW rule to allow traffic from wifi AP to LAN on port 1812.  That definitely was missing!  Good catch ;)  At least now I see something in the system logs… After that I followed your instructions, that is, created a new cert under "System > Cert. manager > Certificates" (named pfsense-RADIUS) then exported the root CA (under System > Cert. manager > CAs) to my Android phone. Then I modified the wifi connection on the phone and assigned the newly imported root CA to it.  Then I modified RADIUS's config and selected the certificate "pfSense-RADIUS"  (under EAP tab > SSL Server Certificate). Finally I tried connecting to the Wifi network, but the phone still says "Authentication problem" and pfsense logs show: Oct 16 18:54:11 radiusd 22391 Login incorrect (TLS Alert read:fatal:unsupported certificate): [wifiuser] (from client unifi-ap-ac-lite port 0 cli XX-XX-XX-XX-XX-XX) Oct 16 18:54:11 radiusd 22391 SSL: SSL_read failed inside of TLS (-1), TLS session fails. Oct 16 18:54:11 radiusd 22391 rlm_eap: SSL error error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate Oct 16 18:54:11 radiusd 22391 TLS_accept: failed in SSLv3 read client certificate A Oct 16 18:54:11 radiusd 22391 TLS Alert read:fatal:unsupported certificate Oct 16 18:53:31 radiusd 22391 Login incorrect (TLS Alert read:fatal:unsupported certificate): [wifiuser] (from client unifi-ap-ac-lite port 0 cli XX-XX-XX-XX-XX-XX) Oct 16 18:53:31 radiusd 22391 SSL: SSL_read failed inside of TLS (-1), TLS session fails. Oct 16 18:53:31 radiusd 22391 rlm_eap: SSL error error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate Oct 16 18:53:31 radiusd 22391 TLS_accept: failed in SSLv3 read client certificate A Oct 16 18:53:31 radiusd 22391 TLS Alert read:fatal:unsupported certificate Oct 16 18:53:09 radiusd 22391 Login incorrect (TLS Alert read:fatal:unsupported certificate): [wifiuser] (from client unifi-ap-ac-lite port 0 cli XX-XX-XX-XX-XX-XX) Oct 16 18:53:09 radiusd 22391 SSL: SSL_read failed inside of TLS (-1), TLS session fails. Oct 16 18:53:09 radiusd 22391 rlm_eap: SSL error error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate Oct 16 18:53:09 radiusd 22391 TLS_accept: failed in SSLv3 read client certificate A Oct 16 18:53:09 radiusd 22391 TLS Alert read:fatal:unsupported certificate Oct 16 18:51:34 radiusd 22391 Login incorrect (TLS Alert read:fatal:unsupported certificate): [wifiuser] (from client unifi-ap-ac-lite port 0 cli XX-XX-XX-XX-XX-XX) Oct 16 18:51:34 radiusd 22391 SSL: SSL_read failed inside of TLS (-1), TLS session fails. Oct 16 18:51:34 radiusd 22391 rlm_eap: SSL error error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate Oct 16 18:51:34 radiusd 22391 TLS_accept: failed in SSLv3 read client certificate A Oct 16 18:51:34 radiusd 22391 TLS Alert read:fatal:unsupported certificate Oct 16 18:50:52 radiusd 22391 Login incorrect (TLS Alert read:fatal:unsupported certificate): [wifiuser] (from client unifi-ap-ac-lite port 0 cli XX-XX-XX-XX-XX-XX) Oct 16 18:50:52 radiusd 22391 SSL: SSL_read failed inside of TLS (-1), TLS session fails. Oct 16 18:50:52 radiusd 22391 rlm_eap: SSL error error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate Oct 16 18:50:52 radiusd 22391 TLS_accept: failed in SSLv3 read client certificate A Oct 16 18:50:52 radiusd 22391 TLS Alert read:fatal:unsupported certificate Oct 16 18:50:29 radiusd 22391 Login incorrect (TLS Alert read:fatal:unsupported certificate): [wifiuser] (from client unifi-ap-ac-lite port 0 cli XX-XX-XX-XX-XX-XX) Oct 16 18:50:29 radiusd 22391 SSL: SSL_read failed inside of TLS (-1), TLS session fails. Oct 16 18:50:29 radiusd 22391 rlm_eap: SSL error error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate Oct 16 18:50:29 radiusd 22391 TLS_accept: failed in SSLv3 read client certificate A Oct 16 18:50:29 radiusd 22391 TLS Alert read:fatal:unsupported certificate Oct 16 18:50:16 radiusd 22391 Ready to process requests. Oct 16 18:50:16 radiusd 22010 Loaded virtual server <default></default> Thats weird no?

Thanks a lot !  ;D

I vaguely recall a similar behavior with pfSense looking at Name Servers over an IPSec tunnel.  IIRC, they had a static route configured for the IP of the DNS server which used the pfSense LAN IP as the Gateway.  (This was an infrastructure I inherited, I promptly dropped IPSec and moved to OpenVPN.) Might also work with the Null4 (127.0.0.1) entry?  Would have to try it. …ct

Im using Check_mk, can it talk to this nrpe plugin?

Note that even if there were a way to override the fsd signal on the slave, it would be a bad idea because the signal generally indicates that the master is about to instruct the UPS to turn the load off.

The "Authentication servers (e.g. LDAP, RADIUS)" checkbox under System > High Avail. Sync doesn't seem to have anything to do with the freeradius2 package because the package continues to try XMLRPC syncs even when that box is not checked.

It appears that this unit is known to incorrectly report load as 0. http://networkupstools.org/ddl/APC/Back-UPS_ES_550.html

https://forum.pfsense.org/index.php?topic=115349.msg650408#msg650408

Then perform spam checking on the mail server(s) or use a separate VM/appliance for mail filtering, it's not the firewall's job. A spam-filtering MTA combination like postfix adds a gigantic attack surface to the firewall. Far too many moving parts that interact and could break in insecure ways.

I tried this command "/usr/local/sbin/pfSsh.php playback svc restart openvpn client 1" and now I can't login to the web interface, not even after restart. any tips for me? :P

@CBRom: /var/log/c-icap/access.log (that actually does not contain useful data) Hi. I've just been struggling to disable this file. It was receiving several lines of useless information every few seconds. The c-icap configuration file is located in /usr/local/etc/c-icap/c-icap.conf. You can edit it but, somehow, the webinterface replaces it while saving the configuration so this is what I (blindly) did. I'm sure there has to be a better way: Edit /usr/local/etc/c-icap/c-icap.conf.pfsense Locate the line AccessLog /var/log/c-icap/access.log Replace it with AccessLog /dev/null Go to Services/Squid Proxy Server and just save the configuration Check that both /usr/local/etc/c-icap/c-icap.conf.pfsense and /usr/local/etc/c-icap/c-icap.conf have the "AccessLog /dev/null" line Reboot the server (maybe restarting the icap service would be enough) Browse some site and check for modifications to the access.log file Regards.

What can be done about this?

Excellent. Glad it's working.

Well for starters what are you interfaces called in pfsense.  From this error seems it can not even find the interface it wants to bind too "Network interface ath0 not found"

I'm pretty sure these services are installed with the Squid package, and are only active when the respective functions have been enabled.

Hi, the source for the bind package comes from the freeBSD port git repository. You would have to ask in the freeBSD mailing list when this is going to be updated there. Best Sven Voleatech pfSense Select Partner www.voleatech.de