Unfortunately I suspect the critical funding level will be higher than any bounty can raise in purely economic terms. More likely someone who does IOS apps everyday will find themselves wanting this and just do it. There is already a 'mobile' theme that is triggered by detecting the client as IOS or Android (or by thee browser version?). It would seem to be quite straight forward to have an 'app' send a user agent string that triggers a different theme. It would be nice to have something that didn't rely on the webgui at all. It might be completely impractical, I have no idea. I could imagine something that connected via SSH and edited the config file. Would probably be far more work though. There must be other similar management apps that have solved these problems before, lets not reinvent the wheel here. Steve

Status->Traffic Graph might give you enough info now to get you looking in the right place without installing other packages..

Thank you, Steve.  I appreciate your insight.

Hmm, you've bridged three different types of interface. Does the error appear for all three types? Steve

Hi Firewalluser thank you for your reply..much appreciated..I will try that for sure :)

Have you actually tried just replacing the binary? Steve

Hi, You've probably figured this out now, but on the Firewall/Aliases page, to the top-right is a cog. If you click this, then select the table corresponding to your alias' name, you can manually delete entries without a reboot. Dooby

There have been a couple minor things found/fixed after 2.1.5, but the only one of any note is the GUI issue that some have with cached CSS and/or local fonts that can cause the Help menu to wrap under the system menu. Search around, there are probably a dozen or more threads about it, but it's easy to work around and does not impact traffic or services.

Post editing is only available for a limited time, 14 days perhaps. I'm uncertain. It used to be much longer which was handy for someone like me who makes loads of typos, I would correct them whenever I read back through a thread. The downside is that by editing older posts you are changing the historical record. It's possible to make sn otherwise useful thread completely unreadable by removing some piece of key information. Steve

Upon further searching, it appears that it is not actually a fully-implemented feature… https://forum.pfsense.org/index.php?topic=68512.0 Any recommendations of how I could use an already-created CA to generate a certificate with some other cert creating software? (or via commandline in pfSense)

Probably because you're hitting the firewall's web interface instead? No split DNS or reflection (search doc.pfsense.org for those) enabled would give you it instead of the server. If you proceed past the cert warning, and actually are on your internal server, then it's something to do with the server itself.

All those sort of changes (WAN IP address and/or netmask) happen on-the-fly without reboot. So I am not sure what happened there - I guess some confusion between the upstream device and pfSense WAN, who knows! Glad it is working now.

I'll give you one example I went out and saw in the field last weekend. TOURtech, "the market leader in providing temporary network solutions for the events industry", runs all their Internet traffic at events through a HA pair of pfSense boxes. They do the networking for many large events. Last weekend, they invited me down to see their impressive setup at ACL Fest. It's a significant network across the site, with all their Internet traffic (payment processing and other mission-critical things to the event) running through a pair of our C2758 appliances. @acriollo: maybe something like CISA CISM CGEIT CRISC ? Those are certifications for people, not software. @charliem: Maybe he refers to Safe Harbor; Cisco certifies certain IOS (old) releases, or they used to anyway. That's a QA thing of sorts, and maintaining old software for certain usage cases. Don't think that's really relevant here.

Thank you John for your help, as I wrote you in the PM also  :-* Just a small update: Synology has done some remote debugging for two hours with two guys, leading to the diagnose they need guy-3, who wasn't in the house  ;D So they will try again next Monday, and I will update what comes from it.

Eventually you will discover that you cannot tag vlan 1. If you ever want to "trunk" vlan1 across a trunk port with other vlans you will have to change it.  Some gear might allow it, some might not.  The stuff that won't is usually the higher end gear that is actually trying to meet the specifications. Once you decide to start tagging any traffic at all in your network, you are better off forgetting vlan1 exists.  In the dot1q environment, it doesn't. Using the default management VLAN 1 for real traffic is usually a hassle. Using it as a management VLAN is usually a hassle too.  Yes, it's easier out-of-the-box-for-the-typical-frys-customer but it's just, well, suboptimal.  If you have gear that HAS to have it's management VLAN on VLAN 1, you are way better off setting up an untagged port on your real management vlan on a real switch and plugging such gear into it.  Any gear that doesn't let you change the management VLAN from VLAN1 should be discarded.

If the vpn server is configured correctly and the client, routes exist. If the interface associated with the vpn client is configured in outbound NAT to be used with a certain subnet, thats where the traffic will go. Seems simple to me.