EDIT:  So far, trying the method below my "restricted" user can't see the User Manager menu item in the gui, so even if the other changes I made are correct, I can't test them.  I'm no coder, so I'm still looking for exactly how the menus are drawn. I'm making a start into this.  I looked into /etc/inc/priv.defs.inc to find "interesting" php file names.  From there, I started looking at files in /usr/local/www to see what is there.  Here is my general plan: Make a copy of system_usermanager.php to system_usermanager_restricted.php, modify the copy to remove functions I don't want the restricted user to be able to do. Go to /etc/inc/priv folder and create a custom usermanager_restricted.priv.inc file and point the options therein to /usr/local.www.system_usermanager_restricted.php. I don't know if everything I want to restrict is in that one file.  At this point, I'd like my restricted user to be able to : Create a new user Set username for new user set password for new user tick the box to create a new cert for the user save new user. POSSIBLY delete users. Caveats I see are that it is possible that the custom files I create could be removed during a future upgrade, so I'm going to have to keep a copy of the custom files off box just in case. Also, if the file DOES get deleted, I'm not sure what happens to the user that is relying on those files for its rights - I assume that other rights will remain, but they would loose access to the customer user manager. If anyone has any feedback on my proposed process here, I'm all ears.  I don't "know" php, but I can generally figure things out from code that is already written.  This is likely going to take some trial and error (mostly error) on my part, so any hints would be appreciated.

One additional piece of information - I just deleted and re-created the account, and now the user defaults to the Diagnostics: System Activity page again…. not sure how this works, obviously :)

The command is not working it says "Not Permitted"

At the risk of spamming this thread, I'll post another few tidbits I'm seeing. The RRD graph for this particular site-to-site openvpn server instance is displaying zero users, even when the status page is displaying all the client info and appears to be working (although it shows the wrong virtual IP address). To clarify the "wrong virtual IP address" issue: The "virtual IP" shown in the client status is the IP address of pfsense's tunnel endpoint, not the client endpoint.  That's wrong.  I tried reducing the VPN subnet for this particular server to a /30 so that there would be only 2 host IP's available, but that didn't change it (and was a pretty weak attempt at a fix, anyway). Willing to do more troubleshooting here, if anyone desires.

Hi, Yes, don't worry, we've seen them all. You could try "System => Advanced=> Mitigate the BEAST SSL Attack" - but, honestly, I not for sure if it is even related. It's a known bug, with one major side effect: it leaves traces in the web server log ….

Just in case someone else should stumble across this issue. I was able to get back in via HTTPS by: Connecting via SSH and resetting the LAN IP (to what it was), and enabling HTTP when prompted. I then deleted the "webconfigurator default" cert, created a new CA and a new cert and switched the system back to HTTPs and all seems well.

It does so in IE as well. Havent tested chrome…

Hi, Diagnostics => factory default Or the long way (15 minutes ?) : re-install. Note: editing directly the /cf/conf/config.xml always gives 'special effects' if the 'no errors' rule isn't respected ;)

No, I still couldn't click the X on the states but the reboot cleared out the entry giving me grief anyway.  :-\

Have you checked the interface? I have one box always picking the wrong interface for one RRD graph, but iirc it was the quality chart on a PPPoE connection…

Hi, System => User manager => Settings and you can set the session time (default 4 hours).

It sounds like he made the opt2 interface, but didn't right rules that would allow him to access it as it wouldn't be affected by the anti-lockout rule LAN has.

anyone with an answer please?