• [Solved] need to add an upstream certificate for my FW.

    6
    0 Votes
    6 Posts
    2k Views
    A
    So, solution update. Editing the files via the webconfigurator was my problem. It seems as though the editor was saving blank files instead of my changes, and as such nothing was working. I edited the files with vi and the cert was accepted into the system. I do still have an issue with a different upstream cert, but I can fix that based on my fix with this one. Thanks for everyone's help, I'll try to add a guide on my site for this because I couldn't find anywhere online that referenced both files.
  • Can someone explain this warning

    8
    0 Votes
    8 Posts
    589 Views
    johnpozJ
    There isn't one if you ask me - ask Derelict, he is the fan of all tagged, no native or untagged on the interface ;) I am not aware of any security issue with running tagged or untagged on the same interface. As long as you don't try and run multiple untagged vlans on the same interface there is no problem. moikerz's point about the stats would be the only reason I could see for putting all vlans vs native and vlans… Because he is right, the native interface will show total stats for the untagged and all tagged traffic... While your stats for your vlan interfaces will only show you stats for that specific vlan.. So if that is your concern, then that would be the reason you skin the cat that way vs the other way ;)
  • PfSense and PIA

    2
    0 Votes
    2 Posts
    323 Views
    R
    Pfsense will not block it.  Firewalls work by blocking connections you do not initiate.  When you connect to PIA, you are initiating the connection.
  • Freeradius for added security? How?

    2
    0 Votes
    2 Posts
    270 Views
    johnpozJ
    One way radius can be used to increase security is the ability to use say eap-tls to auth clients to a wireless network. So now clients would have to have a different method of auth vs just a PSK.. This could be a username and password to auth to the network, or something as secure as eap-tls.. Where now your clients have to have a cert issued by your CA, etc.. Use of eap allows for the functionality of different logins for different users, so if say a user's creds have been compromised or are believed to be compromised you could just change those specific creds or disable them without having to change all your devices to use a new PSK, etc. You could do 802.1x with your radius server so that devices are not allowed on the network, be it wired or wireless, unless they pass the auth you set up with 802.1x. As an example - you state you have your personal wireless.. Which I assume has access to more of your network than any of your other wireless networks. So in this case you could require eap-tls to get on this network. So only devices you actually trust and have given the correct certs could get on this network.
  • Problem with e-mail notifications while using PIA

    2
    0 Votes
    2 Posts
    335 Views
    V
    Maybe post a screen shot of the rules for your WAN and LAN? Not sure I can help but others might…
  • Is this VLan Setup Possible?

    8
    0 Votes
    8 Posts
    496 Views
    R
    @johnpoz: So you want to put your ATT internet router behind pfsense?? It doesn't work that way.. You would put the ISP device in front of pfsense, between pfsense and the internet/wan connection. You could then bridge this so pfsense gets a public IP on it… Or you can double nat.. What specific device do you have from the ISP, or what device/service are you looking to get.. Need any other information?
  • User based Firewall rules

    6
    0 Votes
    6 Posts
    6k Views
    johnpozJ
    This is possible via a switch that does vlans and supports dynamic vlans, or wifi that again supports this via radius or 802.1x etc.. This has always been possible - but really has zero to do with pfsense.. This is your switching/networking infrastructure to put your devices/users on different vlans… Once your devices are on different vlans then pfsense comes into play and can firewall that vlan from a different vlan or allow network/vlan X to use wan 1 while vlan Y uses wan 2. You don't need to be on different vlans to control which wan a connection goes out of - you can do this with policy routing based upon the IP, all in the same vlan.. So IP 192.168.1.100 could go out wan 1, while 192.168.1.101 goes out wan 2, etc. Whatever method you want to use to make sure user X gets a specific IP works too - say radius auth handing out a user-specific IP vs vlan ID, etc. But all of that is your network and not pfsense.
  • What's triggering "Dial On Demand" ?

    4
    0 Votes
    4 Posts
    1k Views
    T
    You mean root like A, B, C, etc. ? Because this pfSense's DNS servers are set to servers on my LAN, so no outbound communication should be made related to name resolution.
  • Rack setup

    13
    0 Votes
    13 Posts
    1k Views
    johnpozJ
    Unless you have separated your different networks you will have to wait til you have smart/managed switches to segment your network.
  • Increased RTT times

    13
    0 Votes
    13 Posts
    1k Views
    gregeehG
    @johnpoz: Well that is clearly some IP in their network.. If your normal wan monitoring RTT has not increased you will have to get with them on any slowdowns you're seeing in their network. OK, Thanks for your time. Greg
  • Switch VLAN Configuration

    2
    0 Votes
    2 Posts
    558 Views
    GrimsonG
    https://forum.pfsense.org/index.php?topic=142311.0
  • Connecting to a cisco device using serial console cable from pfsense

    8
    0 Votes
    8 Posts
    3k Views
    DerelictD
    That is cuau0 not cuaU0, which is why he was seeing that on cuau0.
    ls -l /dev/cu*
    Connect the USB console.
    ls -l /dev/cu*
    The connected console will be the new devices.
  • How to transfer settings from a 32-bit to 64-bit

    3
    0 Votes
    3 Posts
    989 Views
    F
    I tried what you wrote and did not succeed. So I did most of it manually: I reinstalled the packages, I left the addresses in the new range. The most annoying part is to add all addresses to a fixed address. There is an access point which does not appear in the list of addresses, but it can be accessed. In the old system it did appear on the list. For some reason clamd (ClamAV Antivirus) does not work. I did freshclam and I got this message:
    ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).
    ERROR: /var/log/clamav/freshclam.log is locked by another process
    How can I fix this problem?
  • NTP PPS with Navisys GR-701W USB GPS?

    12
    0 Votes
    12 Posts
    4k Views
    R
    I run a Sure GPS serial module with an external GPS antenna, runs smooth for about 4 years now on my pfSense box.
  • Network interface stops working

    4
    0 Votes
    4 Posts
    812 Views
    C
    We had the same problem with our smaller pfsense (2 nics) firewall (on the same server). So we tried with virtio instead of e1000 and now everything looks to be running fine. Has nothing to do with pfsense though :). Just wanted to update this thread in case someone else has this problem too.
  • PfSense as a remote filtering gateway?

    1
    0 Votes
    1 Posts
    235 Views
    No one has replied
  • High RTT and RTTsd in dashboard but ping from the firewall is normal

    7
    0 Votes
    7 Posts
    5k Views
    H
    @dennypage: @Heimire: Just did it and noticed I got a 29ms response time on one of the pings. First time I see that. Ran it again and this time I see a 234ms ping.
    …
    --- 64.9.133.17 ping statistics ---
    10 packets transmitted, 10 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 0.188/23.642/234.569/70.309 ms
    Well, that would certainly explain things. This could arise from a few things, but the most likely guess is the target device handles ICMP as a very low priority. You can confirm this by using a monitor address that is a little further out into the world. As a general rule you want to use a monitor address that is physically on the other side of your WAN link. Some people use public addresses such as Google's DNS servers. For my monitoring, I use one of my ISP's regional concentrators. You can use the mtr package to help you choose a suitable target. Run mtr with a target of 8.8.8.8 and look at the hops along the way.
    I think you hit it on the head. This is still being set up and we have no live traffic there yet. We are moving in there and just seen weird things we did not expect. I will find some points to monitor outside the data center. Thank you so much for your input. Very helpful, and I also realize I jumped to a conclusion. Should have done more than 3 pings when I tested, but they came back perfect every time. I think when I did the testing earlier, when I set the ping to 10 and ran it several times, I saw high numbers probably 60-70% of the time. Should have dug a bit deeper before posting. H.
  • Quick way to change VLANs in PFSENSE

    6
    0 Votes
    6 Posts
    848 Views
    DerelictD
    And VLAN 1 probably gets broadcast on all ports with no way to turn it off. https://forum.pfsense.org/index.php?topic=123324.msg680947#msg680947 Others have seen similar behavior from things like TP-Link APs. I think the issue there was IPv6 RAs and such received on the AP's untagged interface were sent to all SSIDs regardless of VLAN. They are junk. $30 for an 8-port D-Link DGS-1100-08 would have been better money spent. I'm a fan of good, cheap gear. TP-Link often misses the good part.
  • Proxy Interface?

    1
    0 Votes
    1 Posts
    327 Views
    No one has replied
  • Backups without certificates

    9
    0 Votes
    9 Posts
    956 Views
    GilG
    WOW! the beauty of open source. Thanks jimp
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.