@DavidGA said in Multiple problems with NAT rule creation UI: You apparently can't create NAT rules for destination port ranges Huh? Sure you can.. [image: 1563275865697-portforwards.png] But yeah concur with JeGr if you were going to do that you would just use a 1:1 nat. I don't have a mac to test with - but for sure could test it with multiple browsers on windows or linux.. Let me fire up safari on my iphone or ipad.. edit: Just fired it up on my iphone and works just fine.. When selected network as address the box did turn gray, but just clicked on it and it went white and could enter stuff..

Might be nice to have a CP option to enable compatibility with older clients, but I'm still thinking it's safe enough just to keep 1.1 around for a little while like we did with 1.0.

So, um, logout? Everything burns cycles, even having the Hyper-v console open.

Apply the patch and it is fixed. -Rico

Thanks for the response. I will give that a try and see what happens when the VPN next drops. Not sure I see how it will help, though. Doesn't the system upgrade check only commence AFTER you've successfully logged in to the GUI?

What I mean by 101 shit, is trusting the ca... And what a CA even is.. To be honest anyone understands what a CA is and even saw that the cert manager allows you to create ones via a gui should be an eureka moment for anyone wanting to trust certs ;) As to using them on other devices locally, and it working before just doing an exception - yeah that is all changing.. Your no longer going to be able to do that.. I would bet any and all browsers end up going there at some point.

To get a browser, at least one fancier than the text-based links which is built-in, you need an entire desktop environment. That's a bad idea for a firewall for a number of reasons, most of them security-related. If you want to keep things isolated but still have a GUI nearby, that's a perfect job for a Raspberry Pi or similar inexpensive small-form computer.

Thanks @jimp, I figured that as much to be the case, however, the "Show temperature in Fahrenheit" option was not grayed out indicating as such.

There's always the testing zone workaround: [image: 1559616898381-screen_shot_2019-06-03_at_20_17_02.png] :)

Hello, huge thanks for the help! I got it fixed and it's working. [image: 1559564731375-67ed9598-91ae-4535-866e-9c4e187aaa43-image.png]

@Derelict okay, must have been something corrupt in the firware. I reinstalled the firmware as per the instructions, using a USB stick and console access. Adding a PPP now has no issues. Thanks all for your help :-) https://docs.netgate.com/pfsense/en/latest/solutions/sg-1100/reinstall-pfsense.html

Because they are completely different things.. Again google mtu vs mss..

Thx for your answer's i will try booth options

@mingus *replying to myself" Sorry, to clarify some more: "If you were to create an LDAP user authentication instance you would select the locally-created CA there to verify against." That's exactly what I'm doing. create a local CA via the web interface called "internal". Use the "internal" CA to sign a server cert for ldap.localstuff.lan via the web interface. Copy the generated CA.cert server.cert and server,.key onto the ldap server. Config and test using command line ssl. All good. Set up an LDAP server connection via the web interface selecting the "internal" CA via the drop down box. Attempt an SSL connection via the setup page which fails with error "19 (self signed certificate in certificate chain)"

That all looks fine. You should not be receiving any errors. I question that your swap is almost half full though. 209MB RAM? That's practically nothing. I give the smallest of my test VMs 512MB. That is likely your problem.

@aduffield said in WebGui and RADIUS authentication: So, to be clear, if I set the GUI to use RADIUS for auth, I will still be able to log in as the local admin account? That's what I just said, yes. Regarding the users, I have Windows NPS in place for Radius which uses Windows AD groups, do I need to set the usernames on the pfsense to match the users in AD? Read the docs about how this works, especially with regard to groups on pfSense and the class attribute: https://docs.netgate.com/pfsense/en/latest/book/usermanager/authentication-servers.html#radius https://www.netgate.com/resources/videos/radius-and-ldap-on-pfsense-24.html

@MeisterBlocker said in Cert Manager Layout: I already asked this question last year in the german forum and had not received an answer yet. Because there was/is none. But after having dozens of pages of posts, you could've asked again after some time - no problem with that. ;) As for huge deployments with high 3 digit or 4 digit numbers of certificates, I'd definitly go another route as to manage it on pfSense. After all, you only need the CA and a server cert to run the server part. You can/could deploy/script yourself another way to create/generate your config files (e.g. a generic config with links to generic named files that can be bundled with the certs). I'd assume with that high count of VPN connections, you don't manage the users on pfSense either but use some other auth like Radius or LDAP