• 0 Votes
    2 Posts
    766 Views
    jimpJ
    That text in FreeRADIUS has nothing to do with OpenVPN user certificates. For OpenVPN users with certificates, you would create the user certs under System > Cert Manager (rather than the User Manager). Which auth system to use is really up to you. RADIUS scales much better to larger numbers of users, but is more complex to manage. Generally, for a low number of users, you'd use the built-in user manager unless you already have a dedicated RADIUS or LDAP auth server (Active Directory, etc).
  • Question re vlans and physical interfaces

    8
    0 Votes
    8 Posts
    1k Views
    P
    Thanks.  I will follow your advice then and leave well enough alone for now.  At least until I get my gigabit internet one day….
  • 2.2.5 - Many VLANS and php-fpm 100%CPU Hangs web gui

    14
    0 Votes
    14 Posts
    4k Views
    J
    I've tested the pfSense in various ways, and so far, I gave up using pfSense in just one application, edge router in an ISP network. Each client will access via a dedicated VLAN, so we will have hundreds or even thousands of VLANs.
  • Filtering and TCP connection rate on WAN interface

    1
    0 Votes
    1 Posts
    482 Views
    No one has replied
  • Port Forwarding simple question

    17
    0 Votes
    17 Posts
    4k Views
    G
    I'll try. Not great at this stuff! I checked in 'show states'; there is no evidence of that port being used, and I tried the port checker using my phone on 4G. I might take this opportunity to install a smaller PC I have and start again; I really think something has gone pear-shaped. For instance, when I first set up pfSense, 'back to mac' (a Mac-only sort of VPN thing) worked great; without changing anything, that no longer works. I also gave up entirely on OpenVPN; it worked for a little while, but no longer. I need to sort it; my son wants his Minecraft server to share with his mates.
  • Can both IPSec and OpenVPN be enabled in PFSense?

    2
    0 Votes
    2 Posts
    1k Views
    jimpJ
    They can coexist fine so long as they aren't both trying to carry the same network traffic. So OpenVPN from A to B and IPsec from B to C is OK, or even IPsec from A to B and OpenVPN remote access, etc, etc. You just can't have the exact same source and destination on both IPsec and OpenVPN.
  • Pfsense 2.2.4 crash on login via WebUI

    2
    0 Votes
    2 Posts
    667 Views
    jimpJ
    Looks like a busted filesystem.
        panic: ufs_dirbad: /: bad dir ino 49690 at offset 0: mangled entry
        cpuid = 0
        KDB: enter: panic
        db:0:kdb.enter.default>  bt
        Tracing pid 48018 tid 100083 td 0xfffff80003f5f490
        kdb_enter() at kdb_enter+0x3e/frame 0xfffffe00003ec340
        panic() at panic+0x175/frame 0xfffffe00003ec3c0
        ufs_lookup_ino() at ufs_lookup_ino+0xec2/frame 0xfffffe00003ec4d0
        VOP_CACHEDLOOKUP_APV() at VOP_CACHEDLOOKUP_APV+0xa1/frame 0xfffffe00003ec500
        vfs_cache_lookup() at vfs_cache_lookup+0xd6/frame 0xfffffe00003ec560
        VOP_LOOKUP_APV() at VOP_LOOKUP_APV+0xa1/frame 0xfffffe00003ec590
        lookup() at lookup+0x56c/frame 0xfffffe00003ec610
        namei() at namei+0x4d4/frame 0xfffffe00003ec6d0
        vn_open_cred() at vn_open_cred+0xd5/frame 0xfffffe00003ec820
        kern_openat() at kern_openat+0x26f/frame 0xfffffe00003ec9a0
        amd64_syscall() at amd64_syscall+0x351/frame 0xfffffe00003ecab0
        Xfast_syscall() at Xfast_syscall+0xfb/frame 0xfffffe00003ecab0
    Reboot in single user mode and run "/sbin/fsck -t ufs -y /" until it stops finding errors. Or back up the config, wipe, and reload.
  • How to mount 1TB drive which is ZFS formatted

    2
    0 Votes
    2 Posts
    615 Views
    jimpJ
    The same way you would on FreeBSD.
  • 0 Votes
    4 Posts
    1k Views
    jimpJ
    Or get a switch with port isolation (even the cheap TP-Link gig switches have it). Then they can only talk to the gateway and never to each other (on ports where you have that set).
  • Modem bridged or in DMZ?

    1
    0 Votes
    1 Posts
    670 Views
    No one has replied
  • Connection problems

    6
    0 Votes
    6 Posts
    2k Views
    P
    Thanks for your help, heper. I just got a phone call from my ISP; the problem is within their network and they are trying to fix this ASAP.
  • VPN - can I do this with pfSense

    4
    0 Votes
    4 Posts
    1k Views
    dotdashD
    Yes, IPSec or OpenVPN would connect when there was traffic to the remote site.
  • Lost, not sure if issue is routing, gateway setup, etc

    2
    0 Votes
    2 Posts
    620 Views
    V
    Bridge….. Duh, never mind the previous request, I assumed (I know, I know.....) that pfSense would act like a switch without bridging enabled.
  • IPXE

    1
    0 Votes
    1 Posts
    777 Views
    No one has replied
  • PXE booting help

    5
    0 Votes
    5 Posts
    1k Views
    B
    I hadn't noticed the dhcp log before so that was a useful pointer. Not sure what I changed but I finally managed to get pfSense working as a PXE Server so I'm very pleased with that. It seems pretty straightforward in retrospect :)
  • Use hostnames or IP addresses in network - more reliable?

    6
    0 Votes
    6 Posts
    1k Views
    R
    Counter-intuitively, DHCP makes things much easier and more controllable. That way all your PCs get the same DNS servers, gateway, time server and everything else. More importantly if you want to change something globally like a subnet, then change it once and DHCP will handle it all in conjunction with DNS.  However I am talking about a real DHCP server, not the cut down abominations in most home routers.
  • Always increase 1% everyday disk space

    2
    0 Votes
    2 Posts
    602 Views
    M
    You're obviously not running your 'du' command from root. Try the following: du -hd1 / This will give you an idea of where the space issue is occurring. My bet is /var/log, although you haven't said whether you have any packages installed (NTop can use up disk space quite quickly depending on traffic volumes).
  • Importance of crypto performance (quick Q)

    4
    0 Votes
    4 Posts
    858 Views
    H
    Just like HTTPS, the cost of the encryption is borne by the end-points that terminate the connections. If the VPN is done by the clients through the firewall/router, it doesn't cause any additional load. They're just packets.
  • 0 Votes
    5 Posts
    6k Views
    P
    Thanks again for your most recent comments….much appreciated! I will go ahead and implement your suggestions. So, I just received the wireless card, stuck it in the pfSense box, and voila, it seems to get recognized pretty well. Other than assigning the interface to OPT2, I haven't done anything with it as yet (still have to figure out how to set up the pfSense box as a router). Along with the wireless card I had also ordered a second "StarTech 1-Port 10/100/1000Mbps PCI Ethernet Card - Model #: ST1000BT32", which I also stuck into the pfSense box at the same time. Assigned OPT1 to this interface. The cost of each of these cards is approx. $15....so I've invested $30 for the 2 cards. I know it's a cheaper option, but would it be wise to stick with these 2 cards (having spent just $30) versus purchasing a used HP 4-port card for $48 + tax + shipping (approx. $60) from eBay? In other words, would I ever need 5 gigabit ports (as opposed to just 3), and also bear in mind that these 2 single port cards are just PCI (not PCIe), whereas the used HP card is PCIe. Would that make a big difference, and therefore would it make more sense for me to pay more and just buy the 4-port card?
  • Detecting intruders

    3
    0 Votes
    3 Posts
    1k Views
    KOMK
    I'm not sure how to tell what is visible from the outside world. Look at your firewall rules on the WAN tab.  That's what is visible to the outside world.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.