Because they are completely different things.. Again google mtu vs mss..

Thx for your answer's i will try booth options

@mingus *replying to myself" Sorry, to clarify some more: "If you were to create an LDAP user authentication instance you would select the locally-created CA there to verify against." That's exactly what I'm doing. create a local CA via the web interface called "internal". Use the "internal" CA to sign a server cert for ldap.localstuff.lan via the web interface. Copy the generated CA.cert server.cert and server,.key onto the ldap server. Config and test using command line ssl. All good. Set up an LDAP server connection via the web interface selecting the "internal" CA via the drop down box. Attempt an SSL connection via the setup page which fails with error "19 (self signed certificate in certificate chain)"

That all looks fine. You should not be receiving any errors. I question that your swap is almost half full though. 209MB RAM? That's practically nothing. I give the smallest of my test VMs 512MB. That is likely your problem.

@aduffield said in WebGui and RADIUS authentication: So, to be clear, if I set the GUI to use RADIUS for auth, I will still be able to log in as the local admin account? That's what I just said, yes. Regarding the users, I have Windows NPS in place for Radius which uses Windows AD groups, do I need to set the usernames on the pfsense to match the users in AD? Read the docs about how this works, especially with regard to groups on pfSense and the class attribute: https://docs.netgate.com/pfsense/en/latest/book/usermanager/authentication-servers.html#radius https://www.netgate.com/resources/videos/radius-and-ldap-on-pfsense-24.html

@MeisterBlocker said in Cert Manager Layout: I already asked this question last year in the german forum and had not received an answer yet. Because there was/is none. But after having dozens of pages of posts, you could've asked again after some time - no problem with that. ;) As for huge deployments with high 3 digit or 4 digit numbers of certificates, I'd definitly go another route as to manage it on pfSense. After all, you only need the CA and a server cert to run the server part. You can/could deploy/script yourself another way to create/generate your config files (e.g. a generic config with links to generic named files that can be bundled with the certs). I'd assume with that high count of VPN connections, you don't manage the users on pfSense either but use some other auth like Radius or LDAP

@lytledd said in Web Interface login issue: Is there a remote system that pfSense tries to access Yes ... (all depends if it tries to refresh the version info - packages updates - the copy right notice at the bottom of the is often refreshed) @lytledd said in Web Interface login issue: and is down As seen a couple of weeks ago : this actually happened. @lytledd said in Web Interface login issue: Running under ESXI I'm using pfSense on dedicated hardware for a decade or so. Experimenting with it running under Hyper-V @home since a couple of month and I can confirm : this opens up another boat load of possible issues. When you use an 'external' syslogger (another VM instance for example) you can see all the http GUI requests coming in. You'll be knowing that the GUI works, but that PHP is busy 'doing something' == probably waiting to time out "something".

@Gertjan Yeah we will have one from now Thanks for your help ;)

you can do a simple scp command to backup the full xml somewhere - so that is very simple to script.. But just pulling out the aliases and then the hard part would be the partial scripted restore.. Of just that section.. Its been discussed in the past, have never seen anyone do it. And its not built in sort of feature. How many changes to aliases do you make? That this is something you would want to script? You do understand you can point alias to some other location, and just use a common location you update right... The url table function, and have it update every so many X days [image: 1556210737957-urltable.png]

@xoomdust said in 1x1 Pixel on login: That's probably what it is. I'm guessing SSH is not enabled by default? I can't SSH in. Nope. You need console access then.

Ouch, could not find anything with the search function and overlooked this thread you linked. Thanks for clearing it up. -Rico

@forbidden_magic said in Web GUI Issue (pfSense_2.4.4-p2): but it tells me that the address is already in use and fails to bind. By who / what process ? edit : enter console mode, option 8 and run this command : ps ax | grep 'nginx' kill any nginx 'master' process. Using the kill command followed by the process ID. Use also sockstat -4l | grep ':80' to see which process is bound to the port 80. Kill them all - and retry option 11.

Your WAN is RFC1918? You need to uncheck Block private networks and loopback addresses then. -Rico

@JeGr Sorry for taking so long to reply. Broken link came from navigating to the "Status" --> "Monitoring" page in my pfSense router, then clicking on the "?" icon in the top right of the page. That links to "https://192.168.1.1/help.php?page=status_monitoring.php", which seems to redirect to "http://docs.pfsense.org/index.php/No_Help_Found", which then redirects to "https://docs.netgate.com/pfsense/en/latest/index.html". I was expecting documentation about the "Monitoring" page. I guess I'm still just a n00b but I was expecting the redirect to something that actually pertained to the page I was looking at. I don't know how the "documentation" and the "book" differ in the origin of their content. I erroneously thought they originated from the same place because their visual layout was / is nearly identical. I had to compare the URLs side-by-side to realize I was looking at a different body of documentation. We can consider this issue resolved.

@kom Hi Yeah, it's a little weird, I'll look for a phone with a newer version of android and do the test. Thanks.

forget my question. I should read the whole doc before asking... https://docs.netgate.com/pfsense/en/latest/usermanager/locked-out-of-the-webgui.html#ldap-authentication-problems

@gertjan thanks! I've checked that post but it seems in that case he's waiting quite a few of seconds. I'm waiting here like a 2 seconds or so to load the main web page, while the others are loading almost instantly. In any case I've tried removing the DNS (I had 1.1.1.1 and 8.8.8.8 on General setup) and disabled automatic updates checker. Still same problem. I'm guess this is just normal

1st & 3rd fields are my email address, so From: and Notification: