Thanks, will try that.

FYI, my DD-WRT is presently pointing to 8.8.8.8, 8.8.4.4 for DNS. However this is behind the China Telecom modem/router and DD-WRT is getting a WAN ip address of 192.168.1.7 (turning that China Telecom box into bridge mode would be nice) (Talking to tech support here in China is a waste of time due to my lack of Chinese language. My Chinese friends are not tech savvy enough to help )

Use something like zabbix, solarwinds, or another network monitoring system maybe?

pfSense is not an NMS. It is a firewall.

@jknott

Thankfully i bought the TL-SG1016DE V3 so it doesn't have the vlan bug.

Ok guys, I know this is going to kill any credibility I might have ever had but....the interface names, and places on the motherboard did not line up... So I was using igb0 (first port from left) for WAN, igb1 (second port) for LAN, and igb2 (third port) for OPT1. It turns out, port 1 is igb0, port 2 is igb2, and port 3 is igb3. I figured it was 0 1 2 3.

I discovered this by using the "auto-assignment" feature, I never thought that the numbers wouldn't be sequential.

And thus, I am now able to access the webConfigurator. Lesson of the day: Don't trust random almost no-name Chinese MFGs to make everything sensical.

I'm adding this post for posterity to make sure they remember to chickity check themselves before they spend 8 hours troubleshooting what seems like an insane problem.

Also I found this document at some point to help me achieve what I want to for my pass-through style: http://users.ox.ac.uk/~clas0415/assets/Setting-up-pfSense-as-a-Stateful-Bridging-Firewall-with-commodity-hardware.pdf

@artooro is it really true ? I saw it's conflicting with NAT port forward on 443.

And it's understandable pfBNG and DNSThingy both need to use it, no ?

@knebb
Final solution:
Outbound-NAT was misconfigured to always map to the VirtualIP even in backup mode.

Switched to automated outbound NAT and now working fine.

It's mostly less then %1 cpu load, but we are running on such an environment that any less latency is an important gain. So I am doing everything to increase the performance.

What is the performance gain when I disable it? %10?
and the risk that something may go wrong, such as not a successful reboot?

Look under Diagnostics > States and compare what you see for the remote GRE endpoint before and after reloading the filter.

@johnpoz said in SSL Certificates for Local IP address:

Does that method also allow for rfc1918 IP san entries? Or for a use of domain that is not valid on the public via tld, like local.lan, or single label domains that many users are found of

No, it can't have IP address SANs and must have a valid domain that exists in public DNS. The hostname doesn't need to be public, but the domain has to be registered/have name servers.

If so will have to play with this. But then again not too many switches and other devices have support for ACME that I have seen. Sot he local CA still has multiple advantages IMO.

Yeah, for that kind of thing it could be a PITA to constantly update them with the ACME cert since it wouldn't be automated. Local CA does win out in that scenario.

Yeah why would you be running 2.3.5, clearly you can not be 32bit limited. And your esxi is not even current either. But has mentioned its impossible to even guess without some details of your hardware.

Thanks JimP for quick response.. I normally don't play with this stuff - but did recall a major change with the installer on 2.4..

Yes, both interfaces are on the same system.

It's a Netgate SG-2440, so there are four identical Ethernet interfaces. I can use the wake command from the command-line on three out of the four interfaces. WOL from igb2 also seems to work from the web interface. Only wake from the command line with igb2 is giving the permission error.