You may not need interfaces for each subnet unless you're routing between them in pfSense. You will need whatever the upstream router is configured as a gateway in pfSense to add the static routes to. Steve

You would have to edit php file used when creating cert.. https://github.com/pfsense/pfsense/blob/master/src/usr/local/www/system_certmanager.php if ($act == "new") { $pconfig['method'] = $_POST['method']; $pconfig['keylen'] = "2048"; $pconfig['digest_alg'] = "sha256"; $pconfig['csr_keylen'] = "2048"; $pconfig['csr_digest_alg'] = "sha256"; $pconfig['csrsign_digest_alg'] = "sha256"; $pconfig['type'] = "user"; $pconfig['lifetime'] = "3650"; } Keep in mind that would be reverted every time you updated pfsense and that file gets redone, etc.

No. I mean pfSense screenshots of what you have done. And maybe start simple then get complicated.

Yeah, I had to purge the database in the end. All good now, and that script works like a charm. Thanks again for your help! Appreciated.

You could only do policy based routing on traffic that entered the firewall via some other interface. So port forwards on WAN maybe or traffic from LAN3 for example. Traffic from the firewall itself cannot use it as it must hit a firewall rule with the failover gateway group defined going into the firewall. https://www.netgate.com/docs/pfsense/book/multiwan/load-balancing-and-failover.html Steve

So, due to the peculiarities of my install I needed console access before an install was completed. As it happens, I was able to make a change and get the console output before pfSense loaded and over-wrote my configuration, which was just enough to get what I needed done. I will try other options to make this persistent as was mentioned in a previous post, but for a single-use I was able to make the change and use it the way I needed to. Hope this helps someone in future.

You can load that automatically at boot by including in /boot/loader.conf.local: if_urndis_load='yes' You will still hit the old issues of failing to boot if that interface is assigned and the phone gets disconnected though. Steve

Mmm, interesting suggestion. I would vote for that. You should open a feature request for it at https://redmine.pfsense.org if you have not already. Steve

Good decision!

There isn't a specific log entry for a configuration change or adding a new tunnel. The IPsec log (Status > System Logs, IPsec tab) will have events related to IPsec but it doesn't necessarily indicate a new tunnel or a config change itself.

Can you provide a network map so we can see how things are connected?

Sorry guys.. I meant the TP-Link devices..... My bad...

^ I second what Derelict said about reboots. And it's great to hear someone just post a "Thank you"! Developers, Support and Admins will surely appreciate it (e.g. all of the Netgate staff probably).

Hi. It worked. Thank you for the help

Like https://forum.netgate.com/topic/133626/can-i-monitor-external-ips-activities-on-my-web-server-through-pfsense ? Remember : squid is a Cache/Proxy. Also : squid will be close to useless when user access your web server using default settings (== https:// ...)

you should never be hard setting gig.. If you need to down it to 100 or 10 on a gig interface ok. But gig should be auto.. If it doesn't come up gig than you have sort of issue that needs to be corrected. You don't try and hard code it to gig.

"Several times" means : check the logs (all the logs, pfSense captive portal, FreeRadius (enable logs !)) why. It could be anything, except a random issue. This : @gertjan said in Same captive portal zones: To circumvent problems, what about make the names unique ? will blast away your question. Btw : captive portal questions are here https://forum.netgate.com/category/3/captive-portal

Hi, The one that knows all about the 'usage' of your web server, is ... your web server ! pages, size, speed, where from, who, all of it. Tools like awstats and munin and many more, can create statistics without limits. pfSense has a traffic shaper which is excellent for limiting

Thank you, yes it turned out to be the ESX load balancing algorithm, once we changed it the gateways came online.