Hi Firewalluser thank you for your reply..much appreciated..I will try that for sure :)

Have you actually tried just replacing the binary? Steve

Hi, You've probably figured this out now, but on the Firewall/Aliases page, to the top-right is a cog. If you click this, then select the table corresponding to your alias' name, you can manually delete entries without a reboot. Dooby

There have been a couple minor things found/fixed after 2.1.5, but the only one of any note is the GUI issue that some have with cached CSS and/or local fonts that can cause the Help menu to wrap under the system menu. Search around, there are probably a dozen or more threads about it, but it's easy to work around and does not impact traffic or services.

Post editing is only available for a limited time, 14 days perhaps. I'm uncertain. It used to be much longer which was handy for someone like me who makes loads of typos, I would correct them whenever I read back through a thread. The downside is that by editing older posts you are changing the historical record. It's possible to make sn otherwise useful thread completely unreadable by removing some piece of key information. Steve

Upon further searching, it appears that it is not actually a fully-implemented feature… https://forum.pfsense.org/index.php?topic=68512.0 Any recommendations of how I could use an already-created CA to generate a certificate with some other cert creating software? (or via commandline in pfSense)

Probably because you're hitting the firewall's web interface instead? No split DNS or reflection (search doc.pfsense.org for those) enabled would give you it instead of the server. If you proceed past the cert warning, and actually are on your internal server, then it's something to do with the server itself.

All those sort of changes (WAN IP address and/or netmask) happen on-the-fly without reboot. So I am not sure what happened there - I guess some confusion between the upstream device and pfSense WAN, who knows! Glad it is working now.

I'll give you one example I went out and saw in the field last weekend. TOURtech, "the market leader in providing temporary network solutions for the events industry", runs all their Internet traffic at events through a HA pair of pfSense boxes. They do the networking for many large events. Last weekend, they invited me down to see their impressive setup at ACL Fest. It's a significant network across the site, with all their Internet traffic (payment processing and other mission-critical things to the event) running through a pair of our C2758 appliances. @acriollo: maybe something like CISA CISM CGEIT CRISC ? Those are certifications for people, not software. @charliem: Maybe he refers to Safe Harbor; Cisco certifies certain IOS (old) releases, or they used to anyway. That's a QA thing of sorts, and maintaining old software for certain usage cases. Don't think that's really relevant here.

Thank you John for your help, as I wrote you in the PM also  :-* Just a small update: Synology has done some remote debugging for two hours with two guys, leading to the diagnose they need guy-3, who wasn't in the house  ;D So they will try again next Monday, and I will update what comes from it.

Eventually you will discover that you cannot tag vlan 1. If you ever want to "trunk" vlan1 across a trunk port with other vlans you will have to change it.  Some gear might allow it, some might not.  The stuff that won't is usually the higher end gear that is actually trying to meet the specifications. Once you decide to start tagging any traffic at all in your network, you are better off forgetting vlan1 exists.  In the dot1q environment, it doesn't. Using the default management VLAN 1 for real traffic is usually a hassle. Using it as a management VLAN is usually a hassle too.  Yes, it's easier out-of-the-box-for-the-typical-frys-customer but it's just, well, suboptimal.  If you have gear that HAS to have it's management VLAN on VLAN 1, you are way better off setting up an untagged port on your real management vlan on a real switch and plugging such gear into it.  Any gear that doesn't let you change the management VLAN from VLAN1 should be discarded.

If the vpn server is configured correctly and the client, routes exist. If the interface associated with the vpn client is configured in outbound NAT to be used with a certain subnet, thats where the traffic will go. Seems simple to me.

128MB is the absolute minimum RAM requirement and it would probably require some tweaking to run in that. 256MB is really the minimum you want, more would be better. If that's the hardware you have maybe consider m0n0wall as an alternative. Not sure you can do a LAGG with wifi connections. Even if you could the other end would have to support it and you probably wouldn't get any increase in bandwidth probably less in fact. If the router supports simultaneous dual band you might be able to achieve something with two cards but support for 5GHz wifi in pfSense is almost non existent. Make sure whatever you use supports client mode, many Ralink USB wifi devices run great in access point mode but not as a client. Just get something with a decent antenna and take some time to align it for best signal. Steve

Simple mistake, I'm sure. Yes it was.  :)

k… there's no logical reason that I can think of that exceptions would stop working if DG is working in general. Are you saying that DG is running fine, but it is not updating with any new exceptions that you add? If so... the only thing I can figure is that the UI is not updating the execptions list. The UI updates a text config file that resides in one of the DG directories and then it tells DG to re-read the config file. Did you check that the exceptions are being written to the text file in the DG directory (can't remember the name of the file off the top of my head)? Also, if it started when Snort was installed, a logical first thing to try would be to uninstall snort...