Apply the patch and it is fixed.

-Rico

Thanks for the response. I will give that a try and see what happens when the VPN next drops. Not sure I see how it will help, though. Doesn't the system upgrade check only commence AFTER you've successfully logged in to the GUI?

What I mean by 101 shit, is trusting the ca... And what a CA even is.. To be honest anyone understands what a CA is and even saw that the cert manager allows you to create ones via a gui should be an eureka moment for anyone wanting to trust certs ;)

As to using them on other devices locally, and it working before just doing an exception - yeah that is all changing.. Your no longer going to be able to do that.. I would bet any and all browsers end up going there at some point.

To get a browser, at least one fancier than the text-based links which is built-in, you need an entire desktop environment. That's a bad idea for a firewall for a number of reasons, most of them security-related.

If you want to keep things isolated but still have a GUI nearby, that's a perfect job for a Raspberry Pi or similar inexpensive small-form computer.

Thanks @jimp, I figured that as much to be the case, however, the "Show temperature in Fahrenheit" option was not grayed out indicating as such.

There's always the testing zone workaround: Screen_Shot_2019-06-03_at_20_17_02.png

:)

Hello, huge thanks for the help! I got it fixed and it's working.
67ed9598-91ae-4535-866e-9c4e187aaa43-image.png

@Derelict okay, must have been something corrupt in the firware. I reinstalled the firmware as per the instructions, using a USB stick and console access. Adding a PPP now has no issues.
Thanks all for your help :-)

https://docs.netgate.com/pfsense/en/latest/solutions/sg-1100/reinstall-pfsense.html

Because they are completely different things.. Again google mtu vs mss..

Thx for your answer's i will try booth options

@mingus

*replying to myself"

Sorry, to clarify some more:

"If you were to create an LDAP user authentication instance you would select the locally-created CA there to verify against."

That's exactly what I'm doing.

create a local CA via the web interface called "internal". Use the "internal" CA to sign a server cert for ldap.localstuff.lan via the web interface. Copy the generated CA.cert server.cert and server,.key onto the ldap server. Config and test using command line ssl. All good. Set up an LDAP server connection via the web interface selecting the "internal" CA via the drop down box. Attempt an SSL connection via the setup page which fails with error "19 (self signed certificate in certificate chain)"

That all looks fine. You should not be receiving any errors.

I question that your swap is almost half full though.

209MB RAM? That's practically nothing. I give the smallest of my test VMs 512MB. That is likely your problem.

@aduffield said in WebGui and RADIUS authentication:

So, to be clear, if I set the GUI to use RADIUS for auth, I will still be able to log in as the local admin account?

That's what I just said, yes.

Regarding the users, I have Windows NPS in place for Radius which uses Windows AD groups, do I need to set the usernames on the pfsense to match the users in AD?

Read the docs about how this works, especially with regard to groups on pfSense and the class attribute:

https://docs.netgate.com/pfsense/en/latest/book/usermanager/authentication-servers.html#radius https://www.netgate.com/resources/videos/radius-and-ldap-on-pfsense-24.html

@MeisterBlocker said in Cert Manager Layout:

I already asked this question last year in the german forum and had not received an answer yet.

Because there was/is none. But after having dozens of pages of posts, you could've asked again after some time - no problem with that. ;)

As for huge deployments with high 3 digit or 4 digit numbers of certificates, I'd definitly go another route as to manage it on pfSense. After all, you only need the CA and a server cert to run the server part. You can/could deploy/script yourself another way to create/generate your config files (e.g. a generic config with links to generic named files that can be bundled with the certs). I'd assume with that high count of VPN connections, you don't manage the users on pfSense either but use some other auth like Radius or LDAP

@lytledd said in Web Interface login issue:

Is there a remote system that pfSense tries to access

Yes ...
(all depends if it tries to refresh the version info - packages updates - the copy right notice at the bottom of the is often refreshed)

@lytledd said in Web Interface login issue:

and is down

As seen a couple of weeks ago : this actually happened.

@lytledd said in Web Interface login issue:

Running under ESXI

I'm using pfSense on dedicated hardware for a decade or so. Experimenting with it running under Hyper-V @home since a couple of month and I can confirm : this opens up another boat load of possible issues.
When you use an 'external' syslogger (another VM instance for example) you can see all the http GUI requests coming in. You'll be knowing that the GUI works, but that PHP is busy 'doing something' == probably waiting to time out "something".

@Gertjan Yeah we will have one from now 😄

Thanks for your help ;)

you can do a simple scp command to backup the full xml somewhere - so that is very simple to script.. But just pulling out the aliases and then the hard part would be the partial scripted restore.. Of just that section..

Its been discussed in the past, have never seen anyone do it. And its not built in sort of feature.

How many changes to aliases do you make? That this is something you would want to script?

You do understand you can point alias to some other location, and just use a common location you update right... The url table function, and have it update every so many X days

urltable.png

@xoomdust said in 1x1 Pixel on login:

That's probably what it is. I'm guessing SSH is not enabled by default? I can't SSH in.

Nope. You need console access then.