• PfSense CA signing external CSR

    12
    0 Votes
    12 Posts
    9k Views
    T

    I just tested the latest 2.4.0 build and it does not seem to work with a CSR that has been generated on a separate system; also, there is no option to choose server or user signing. To solve my issue I:

    1. Created the server certificate on PFSense (make sure it is set to server cert, the default is user cert)
    2. Exported the new cert
    3. Exported the new Key
    4. Moved them to my JBOSS server
    5. Converted the two to a PKCS12 (openssl)
    6. Converted the P12 file to my keystore (Keytool)

    Example:
      mv "/home/ncadmin/par.local.enms.net (1).crt" ./par.crt
      mv "/home/ncadmin/par.local.enms.net (1).key" ./par.key
      openssl pkcs12 -export -in par.crt -inkey par.key -out par.p12 -name par_na_crt -CAfile RootCA-Pfsense.crt -caname root
      keytool -importkeystore -deststorepass chgme -destkeypass chgme -destkeystore truecontrol.keystore -srckeystore par.p12 -srcstoretype PKCS12 -srcstorepass chgme -alias my_alias

  • Borring issue…

    2
    0 Votes
    2 Posts
    864 Views
    stephenw10S

    Looks like an ACPI table error. Are you running the latest available BIOS?

    Possibly this or related to it: https://quickview.cloudapps.cisco.com/quickview/bug/CSCuc96148

    Steve

  • Pfsense 2.3.4 Kernel Panic with Vigor 130

    4
    0 Votes
    4 Posts
    941 Views
    stephenw10S

    Hmm, hard to say how that would be any different then from pfSense's view.

    Maybe compare the connection logs from each case for differences.

    Steve

  • Log sites visited

    2
    0 Votes
    2 Posts
    730 Views
    C

    To get the full URL you have to install squid proxy and use SSL man in the middle, which by the way is a can of worms.

  • Systems Crash & Reboot on my server running 2.3.4

    5
    0 Votes
    5 Posts
    1k Views
    M

    @jimp:

    The crash is in dummynet. You can't use limiters with pfsync (part of HA).

    https://redmine.pfsense.org/issues/4310

    You'll have to remove limiters, and things that also use limiters such as captive portal per-user bandwidth limits. Either that or disable pfsync on both nodes.

    Hi Jimp.

    I need some help, please

  • Topology Question - Long term frustration

    3
    0 Votes
    3 Posts
    772 Views
    B

    Thanks for the reply.  My question is more topology related.  Following your lead (which I have been trying similar strategies, and I believe is correct):  So, I would connect the pfSense wan port directly to my ISP provider connection (not a modem, just an ethernet port).  The LAN port of pfSense I would have to connect to a switch, so that I could break out 4 of the ips for outfacing computers, and plug the wan port of the router (for internet on my other computers) into the switch also.

    I've tried that with a layer-2 switch, with less than satisfactory results.  I've ordered a layer-3 switch to try that.

    The other thing I've been trying is a switch right off the ISP (as a DMZ switch), and then plug both the router and pfSense into the DMZ switch.  That doesn't work either, though this also might work with the layer-3 switch.

    Please keep the ideas coming!  Thanks!

  • AES-NI Ransomware Dev Releases Decryption Keys Amid Fears of Being Framed

    3
    0 Votes
    3 Posts
    869 Views
    F

    @yodaphone:

    Does this mean that the AES-NI in Intel chips is vulnerable, and since I use one, do I need to do anything now?

    I know it's not a pfSense issue, but I just want to know if this is something I need to watch out for.

    It looks like "AES-NI" is just the name of the ransomware and may have nothing to do with Intel's instruction set by the same name.

  • Two GW in WAN, correct static routes to second GW however default it used

    2
    0 Votes
    2 Posts
    485 Views
    stephenw10S

    Hi Oleg,
    Check the routing table on the firewall (Diag > Routes); make sure those static routes are present.

    You may need additional outbound NAT rules to actually access anything on the private subnet. Devices there may not have a route back to your internal subnet. Or your traffic may be hitting the default outbound NAT rule and being translated to the public IP incorrectly.

    Steve

  • SMTP notifications over SSL?

    2
    0 Votes
    2 Posts
    712 Views
    N

    @Dave:

    Hi,
    First day with pfsense. I'm trying to configure SMTP notifications. My mail server is behind a NAT on 10.10.10.2 and uses SSL on port 62933. I can connect to the SSL service over telnet from pfsense, but the pfsense gui says "Could not send the message to user@host.localdomin – Error: could not connect to the host "10.10.10.2": ??

    Do I need to load the SMTP server (self-signed) into pfsense somehow?

    If a self-signed cert is being used, yes it will have to be trusted by pfSense.  There is a thread or two in the forums that should have enough how to info.

    https://forum.pfsense.org/index.php?topic=115884.msg644702#msg644702
    https://forum.pfsense.org/index.php?topic=115884.msg644709#msg644709

  • Traffic Graph Maxing out at 30M

    5
    0 Votes
    5 Posts
    787 Views
    R

    Thanks for answering my dumb question all!

  • Voip.ms configuration

    5
    0 Votes
    5 Posts
    1k Views
    D

    I've got a number of voip setups using voip.ms as the DID provider.
    I use pfSense as the central router and I've never had to "register" the router, just the end device(s).
    In most cases I setup an Asterisk box to handle local phones, but I have registered phones directly.

    In many cases, pfSense has not needed any special configurations at all, others required a few NAT tweaks depending on the ISP at the local end.

  • Virgin Media SuperHub as Access Point

    3
    0 Votes
    3 Posts
    1k Views
    B

    It's actually easier said than done… I didn't find the option of setting the gateway, and wouldn't have been able to work out how to do this without this post:-

    http://community.virginmedia.com/t5/QuickStart-set-up-and/SuperHub-2-Cannot-change-LAN-IP/td-p/1870936

    but I do have it working now, and I guess it makes a decent wireless access point.

  • Feature request: Allow sorting in the ddns client

    1
    0 Votes
    1 Posts
    388 Views
    No one has replied
  • Some websites not opening with pfsense

    1
    0 Votes
    1 Posts
    360 Views
    No one has replied
  • VLAN forward/pipe/bridge to specific igb/em port

    2
    0 Votes
    2 Posts
    603 Views
    P

    I might need to rephrase the question since I got no answer so far.

    Is it possible to forward a tagged VLAN (7) from WAN to an INTERNAL OPTx in pfsense?
    And if so, how?
    I have looked in QinQ and Bridge, but that did not work so far…

  • Nginx SSL_Write error permission denied

    1
    0 Votes
    1 Posts
    594 Views
    No one has replied
  • PfSense has slowed down my internet connection significantly

    9
    0 Votes
    9 Posts
    7k Views
    V

    Yep, seems I mixed it up, overall my setup was 750, I was shooting for power efficient and long term setup.

  • Need Help

    3
    0 Votes
    3 Posts
    740 Views
    V

    Make sure you have your default LAN rule setup.
    Firewall->Rules->LAN

    ![Default LAN Rule.png](/public/imported_attachments/1/Default LAN Rule.png)

  • SMART did not report failing drive (Worthless feature Needs Fixed)

    9
    0 Votes
    9 Posts
    2k Views
    V

    Agreed.
    What's the point of implementation if it does not do what it's supposed to do?
    Implementation of SMART is supposed to report prior to failure.

    NetGate/PfSense guys, this should be fixed or removed from the GUI. I'd personally like to see it fixed.

    I'd also like to see some kind of email reporting if a rule had been triggered. Say in this case, if a CAM error had been seen in the system logs, then the system would email.

  • 0 Votes
    2 Posts
    967 Views
    M

    Hello,

    I attached a "Packet Capture": it seems that the communication with radius server never starts.


    Regards,

    Marco Mangiante

    vpn_vdf_pfsense_client.png

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.