• Allow access to Apple IPs?

    9
    0 Votes
    9 Posts
    3k Views
johnpoz

    Port 5224 is Plesk license updates (outgoing connections only).. Do you run that on your network?  Also listed as HP vm console port, etc.

udp 123 would be anything setting time.. A lot of apple devices will point to apple for time hard coded.. Many things could have ntp coded… My freaking smart lightbulbs like to go to uk.pool.ntp.org etc.. Even when I hand out local ntp server via dhcp.. They don't care they are hard coded - and I'm in the US.. So I just redirect that fqdn to my local ntp server IP via host override.  As to icmp - again many things might ping something out on the net to see if they have internet access..

In your home network seems pointless to not allow outbound for devices you trust to run on your network.  If you're curious or paranoid then log it and look into what the traffic is..  I log all my iot devices outbound access.. They normally do dns queries to hard coded 8.8.8.8 for example, they phone home to amazon CDN on https, etc.  If I saw them sending traffic to china might be a bit perplexed and look into that for sure.

    Your 16385-6 is Apple FaceTime, Apple Game Center (RTP/RTCP)

Trying to block ports is going to turn into a whack-a-mole game.. Oh shit this doesn't work, open that.. Oh shit that doesn't work open this.. Oh why do my iot devices not work on the schedule I set - well shit I was blocking them from setting time, etc. etc.

  • Ram Disk full

    4
    0 Votes
    4 Posts
    592 Views
    E

    Option 8 console, du -sh command / directory

  • Usb_modeswitch

    1
    0 Votes
    1 Posts
    988 Views
    No one has replied
  • Multi IOT Device Network Setup Question

    5
    0 Votes
    5 Posts
    1k Views
    V

    Interesting discussion…and scary! Your sprinkler needs Internet access? I get it...but wow!

    How about this for an approach:

    I would look at grouping devices by trust and damage that can be done if they are hacked. i.e. if your sprinkler is hacked you get a wet lawn vs your cameras hacked and they can look inside your house and put your family online!

    Maybe put your cameras on their own VLAN with very restrictive rules, specific alias IPs, limited ports, snort IPS, etc...

Sprinkler, thermostat, TVs, A/V Receiver, wireless printer (no internet access), wireless light switches on their own.

I have a printer which I don't trust as far as I can spit...so I don't give it any internet access. I group it in my IOT VLAN and access it through policy rules from other VLANs.

Email/banking devices get their own VLAN.

Alexa maybe its own VLAN...that's another scary device.

    I think the balance you will need to look at is manageability, security, usability and privacy. Keep it simple...

    Follow up questions would be:
Do you have cable running through the house or is wireless your only option? That would drive the number of SSIDs vs using a switch and hardwire.
    How big is your house i.e. do you need a big range?
    Do some of these devices need to be on the same segment to control?

    Open to feedback...

  • Need help setting up guest VLAN with AP on Cisco SG300 switch

    19
    0 Votes
    19 Posts
    3k Views
    I

Ok, I just got my Cisco WAP121… and everything is running super smooth. When you fire up the AP the first time, you are presented with a config wizard; I simply entered VLAN 40 when it asks for the wireless VLAN. Didn't have to touch anything else. And now everything works perfectly. This makes me positive the D-Link DAP-1353 is either broken, bugged, or doesn't comply with the networking standards.

    At least the time spent on this "project" wasn't entirely wasted. I've honed my VLAN'ing skills, and learned a couple of new tricks :)

    AP only needs to be vlan capable when you want to run different SSIDs on different vlans

    I figured I'd need VLAN to separate the web interface from the guests, so I'd be able to config/snmp without having to access their network directly. Could this be done differently, even without VLANs?

  • PPPoE connection dropping intermittently / WAN interface reset

    6
    0 Votes
    6 Posts
    2k Views
JKnott

    One thing about shielded cables.  They're supposed to be grounded at one and only one point.  If they're not grounded, the shield is ineffective.  If grounded at more than one point, ground loops may occur.
    However, given that just moving the cable causes failure, it's likely a poor connection somewhere.

    Rule of thumb, when something fails, cables and connectors are the likely suspects.

  • Remove old packet capture files?

    4
    0 Votes
    4 Posts
    2k Views
    V

    Thanks both. I feel so silly for not thinking of starting a new pcap with a small count  :o

  • LDAP worked in 2.3, broke in 2.4 - ssl issue?

    6
    0 Votes
    6 Posts
    767 Views
    S

    @jimp:

    If it is this issue, then you must upgrade to pfSense 2.4.2 or later. Once you are on 2.4.2, you can edit the LDAP server entry on pfSense and for the Peer Certificate Authority, set it to Global Root CA List

    This is a great fix BTW!
    Fingers crossed that it migrates to FreeRADIUS package too :)

  • Basic VLAN config?

    5
    0 Votes
    5 Posts
    3k Views
    S

    Thank you John, V3lcr0, and marvosa, for the incredibly helpful replies above.

    I've taken time to read carefully and try and learn from and understand all the points made, which is why this reply has taken some time.  I now realise that my question was, as you said, poorly worded and a bit too clueless. I didn't actually know the right question to ask. I think I have a much more specific focus and a bit more of a clue now. Thank you for the effort in helping me.

    I've posted my more focused question in a new thread under "wireless" so this one can drop to the end and not accidentally confuse anyone who finds my OP unhelpful. :)  It should be more "to the point".

  • Help: PFsense crash during update

    2
    0 Votes
    2 Posts
    297 Views
    T

Is there a way to extract all settings, and then reinstall pfSense and re-deploy the settings? Or something like that?

  • Disabling IPsec phase 2 results in complete loss of communication

    1
    0 Votes
    1 Posts
    259 Views
    No one has replied
  • Redirect to specific host according to port

    5
    0 Votes
    5 Posts
    532 Views
    I

    Thank you very much Stewart! This topic is now solved! :)

  • What is my PFSense FQDN and How to Change it?

    4
    0 Votes
    4 Posts
    6k Views
johnpoz

    @securedspace:

    How do I access it from my webbrowser via that combination?

    Just like you access any other FQDN on the planet… www.google.com is a FQDN... forum.pfsense.org is another, etc..

    As to accessing it via IP, you can do that if you want.. if you don't want the error then just trust the CA you created the cert with... I have been over this multiple times, there are multiple threads about doing this..  To use an IP vs the fqdn you would have to create the SAN on the cert you want to access..

Only thing even slightly different from a typical site on the internet would be if you're using the gui on a different port than 443; you would have to put the port on the end of the fqdn via :port


  • Problem with certificate manager

    5
    0 Votes
    5 Posts
    817 Views
    T

    All packages are up to:

    pkg version -vL=
    Updating pfSense-core repository catalogue...
    pfSense-core repository is up to date.
    Updating pfSense repository catalogue...
    pfSense repository is up to date.
    All repositories are up to date.

    pfSense-upgrade
    >>> Updating repositories metadata...
    Updating pfSense-core repository catalogue...
    pfSense-core repository is up to date.
    Updating pfSense repository catalogue...
    pfSense repository is up to date.
    All repositories are up to date.
    >>> Unlocking package pfSense-kernel-pfSense... done.
    >>> Setting vital flag on pkg... done.
    >>> Setting vital flag on pfSense... done.
    Your packages are up to date
  • Only domain authenticated users to use the proxy.

    1
    0 Votes
    1 Posts
    245 Views
    No one has replied
  • Started getting "programming crash logs" but I haven't changed anything

    2
    0 Votes
    2 Posts
    398 Views
Derelict

    Boot single user and run /sbin/fsck -y / until it comes back clean. Maybe 4 times.

  • Support SSH inline commands

    8
    0 Votes
    8 Posts
    1k Views
jimp

    @kb:

    Hm… But I'm able to use admin user for that.

    No you're not, it isn't working (or you wouldn't have started this thread) :-)

    It's pretty well documented around that admin@ is not to be used for scp or anything that needs ssh features. It's locked to the menu.

    Just add another non-admin account and use it for whatever you need/want.

  • 0 Votes
    2 Posts
    374 Views
NollipfSense

    You might want to read here: https://doc.pfsense.org/index.php/Multi-WAN

  • Multicast Traffic from my Wan Interface

    1
    0 Votes
    1 Posts
    195 Views
    No one has replied
  • V2.4.2 - IPV6 Leak using OpenVPN - PIA (Private Internet Access)

    7
    0 Votes
    7 Posts
    2k Views
Derelict

    It is up to the client whether it uses IPv4 or IPv6 when it thinks it has IPv6 connectivity and both AAAA and A records to choose from.

    With IPv6 disabled on WAN I can't see anything else helping more.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.