• Any issue in changing the pfsense hostname?

    4
    0 Votes
    4 Posts
    865 Views
    johnpozJ
    @jt40 just create a CA in pfsense, then create a cert with that CA and have your browser(s) trust that CA. [image: 1661096763603-cert.jpg] You can put whatever SANs you need to IPs, old name, etc.. I had created this cert way before browsers started limiting valid dates to like 398 days or whatever they limit to these days.. So you can see mine is good til 2027, and browser has no complaints about it. Once you create this CA you can create certs for any other stuff on your network that wants a cert, printers gui, switch gui, unifi controller gui, nas gui, etc. etc.. And since you trust the CA in your browser it will be happy with the cert and no complaints. [image: 1661097107451-nas.jpg]
  • Wireguard Routing Problems - Help wanted

    wireguard routing assymetric vpn
    10
    0 Votes
    10 Posts
    2k Views
    G
    @stephenw10 I deleted the WireGuard tunnel then I set it up all over again. Done the same thing at VPS. Rebooted remote VM and pfSense and it started working. I have no idea what happened before but I thank you for all the support you provided!! Thanks a lot :-) kind regards
  • How to restore the last auto backup through shell

    2
    0 Votes
    2 Posts
    434 Views
    GertjanG
    @kreki1986 There is.. Number 15: Restore recent configuration. List the backup sets (sub menu 1), and pick for example 01 or 02 to restore, using sub menu 2.
  • Listing Devices Downstream From a Port

    18
    0 Votes
    18 Posts
    2k Views
    stephenw10S
    Did the ifconfig output just not show the interfaces then? What the bridge learns is which MAC addresses are connected to which bridge members. Hard to see how it could not show that.
  • Upload issues in Windows 10 on PF v2.6.0

    2
    0 Votes
    2 Posts
    426 Views
    stephenw10S
    That RSC issue only affects pfSense running as a VM in Hyper-V. So the same client connected via wifi gets the expected upload speed? And that still goes through pfSense? Restrictions of that sort of order are usually either unintentional traffic shaping or a speed-duplex mismatch in a link somewhere. Steve
  • OpenVPN routing problems

    15
    0 Votes
    15 Posts
    1k Views
    G
    Hi all, thanks for the support so far but I was sick for the last days and in the meantime the VPS deleted my inactive VM instance so I have to set up my VM and tunnel all over again... I'll try again later and if I don't succeed I'll try ipsec or wg tunnel later. Thanks for the support, kind regards
  • LAN crash with WAN still online

    5
    0 Votes
    5 Posts
    680 Views
    W
    @stephenw10 Thank you
  • Help to clarify Unbound custom options formatting

    3
    0 Votes
    3 Posts
    648 Views
    M
    Thanks. It seems to work fine :)
  • Assigning Arbitrary Names to Devices on the LAN

    4
    0 Votes
    4 Posts
    497 Views
    stephenw10S
    There's no way to do that in pfSense currently. You could add a feature request if there isn't one already: https://redmine.pfsense.org/ It would be quite a significant new feature though as it would need to be tied into quite a number of things. Steve
  • Bug in GUI for tuneables?

    11
    0 Votes
    11 Posts
    1k Views
    stephenw10S
    Although for that value it probably could be either: [22.05-RELEASE][admin@cedev-3.stevew.lan]/root: sysctl dev.vmx.0.iflib.override_ntxds="0,4096" dev.vmx.0.iflib.override_ntxds: 0,2048 -> 0,4096 Adding it as a loader variable works past that. Steve
  • SSH without passwords

    14
    0 Votes
    14 Posts
    1k Views
    jimpJ
    The PAM error is usually from it just not matching the key. Either because the correct key isn't present, or what's in the file isn't valid. The keys are on disk on the firewall in the expected location for a user, if you login with a password they would be in ~/.ssh/authorized_keys. If you login as admin or root, then use ~<username>/.ssh/authorized_keys, or look under /home/<username>/.ssh/authorized_keys. The firewall will manage the content of that file and its permissions so those are not likely to be concerns. These issues almost always boil down to a problem with the formatting of the key, either line breaks in the key, extraneous whitespace, or the wrong string pasted in (for example, we've seen people paste in the fingerprint, not the public key). There is also a slight chance that ssh-keygen in Cygwin is generating a bad key somehow. Using a more modern format like ssh-keygen -t ed25519 may help instead of using RSA format.
  • pfSense WAN_DHCP6 gateway question

    3
    0 Votes
    3 Posts
    481 Views
    stephenw10S
    Is it a link-local address? fe80x:x? Those are generated locally and are non-routable. So you would not be able to ping it from a client behind pfSense but pfSense itself may be able to ping it. The ISP can use that to route a prefix delegation across in a setup where they provide only that. Steve
  • DHCPv6 server additional options data format

    11
    0 Votes
    11 Posts
    1k Views
    stephenw10S
    Either would probably be fine but it has always been called 'DHCP/BOOTP Options' in the v4 server and changing it now may cause confusion.
  • Remote Desktop not working

    6
    0 Votes
    6 Posts
    834 Views
    GertjanG
    @dhimanvimal As said, I do not use squid stuff - as it is way complicated for me, and I don't need proxies or AV scanners. What about asking / posting in the correct place ? Like here Home pfSense Packages Cache/Proxy
  • High CPU load on single CPU core

    13
    0 Votes
    13 Posts
    2k Views
    stephenw10S
    It's a known issue but it's only cosmetic. The duplicate entries don't hurt anything. Steve
  • DynFi setup and sudo

    7
    0 Votes
    7 Posts
    1k Views
    johnpozJ
    @stewart glad you got it sorted.. I don't really do sudo much on pfsense. But I do it on other linux boxes and my nas.. I hate having to type my user password all the time on my nas when I want to su up to root.. It's lazy sure - but there are no hostiles on my network, it's on an isolated vlan, etc. So I just let that account su up without having to reauth.
  • pfSense firewall/router in Equinix CO LO

    6
    0 Votes
    6 Posts
    776 Views
    stephenw10S
    Ok, that should work. What sort of bandwidth do you need to pass?
  • Problems with Certificate Generation

    6
    0 Votes
    6 Posts
    1k Views
    G
    @johnpoz said in Problems with Certificate Generation: @guardian said in Problems with Certificate Generation: Is it normal practice to install the intermediate CA along with the server certificate on the server? It's normal practice to install the full chain.. But if the CA is public trusted then you don't - the server will hand out the intermediate CA to the client, who since he trusts that signing CA of that intermediate will trust it. OK, so that is clearly what I have been missing. I need to find out how to install the chain in TrueNAS. There appears to be a Certificate Authority Section which is similar to the one in pfSense. Maybe if I just import them there things might work. @johnpoz said in Problems with Certificate Generation: There is nothing wrong with the CA manager in pfsense. @guardian said in Problems with Certificate Generation: I was expecting to see the entire chain of trust when displaying the certificate. You did - see the cert info I show for the cert in my browser - shows the full chain. Yes, I saw that.... it's how that chain got generated that I didn't understand. IIUC the server is assembling the trust bundle on demand from the component parts, not from a prebuilt certificate bundle.
  • OpenVPN Site to Site

    24
    0 Votes
    24 Posts
    2k Views
    stephenw10S
    When you say it's 'super slow' what are you actually seeing? If you ping the server across the tunnel what are the ping times? Steve
  • PFSense Behind Router in Demilitarized Zone, No internet.

    6
    0 Votes
    6 Posts
    737 Views
    I
    @stephenw10 Thanks Stephen! That fixed it. I put my WAN Upstream Gateway to 192.168.1.1 and WAN subnet to /24. I am able to connect to the internet now. I did have to perform an ipconfig /release and ipconfig /renew towards the end before it started working for me.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.