• Factory version of pfsense for SG 2220

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    Ok, found ! Thank you ! Frederic
  • How to Create Custom update server for Pfsense 2.3.*

    2
    0 Votes
    2 Posts
    797 Views
    Yes, I'd also like to read some instructions on how to do that. How to clone the whole repo from pfSense's main website?
  • Webgui not accessible via https

    4
    0 Votes
    4 Posts
    3k Views
    johnpoz
    That self generated cert is going to throw errors at you.  If you want to use https I would also suggest you take the time to gen a new cert with valid fqdn and SAN so you can use name or IP and trust the pfsense CA so your browser doesn't throw errors at you or have you create exception, etc.
  • VLAN Setup

    16
    0 Votes
    16 Posts
    3k Views
    johnpoz
    You would lagg the connections, depending on switch maker terms might be etherchannel, or port channel or teamed.  All pretty much same term for doing the same thing binding connections together for loadsharing. This provides you with multiple paths for a failover issue while also allowing you to leverage more bandwidth between the switches for loadsharing.  In a typical setup you might even connect switch 2 to 3 to allow for another path if your homerun to your main switch went down you would have another path to the switch via the connect.  You would leverage spanning tree (stp) to block that connection so you don't have a loop unless the home run connection to the main switch went down.  That connection would then come up in forwarding vs blocking. So for example is that fiber connection only 1 gig?  If just using it as failover with 1 connection only being used all your devices on switch 2 for example are limited to this 1 gig uplink to anything on switch 1 or switch 3 or internet.  Not sure where your servers are for example. Typically in a case with location that has need of that many ports you would have way more than just 2 network segments/vlans.  Without understanding your environment and amount of data flow between devices and where they are connected it's hard to say what your best setup would be. How are you leveraging those 4 wan connections?  How fat are those pipes? What other types of devices do you have? Servers, printers? Voip phones? In a typical smb setup you might see say 5 vlans for sure..  Depends on what you want to isolate for security, what you're using as your routing for intervlan.. How much intervlan traffic you're going to have, compared to security concerns.  For example you might just have a data vlan and you would put all your servers/printer/users/networking infrastructure management all on this data vlan.  
If you have phones this normally would be on a voice vlan, and then your wifi normally at least 2, 1 for internal use of known users and devices that need access to your other stuff, and then just a guest that has just internet, etc. Typical you might have infrastructure, Data, users, voice, wifi, wifi-guest. All as different vlans.  With data possibly broken up even more into servers/printers/production/etc/dmz and then depending on the number of users or different types of users you might have multiple user vlans.  This might be office users, engineers, management, sales, finance, kiosks or plant floor.. Shoot in my home I have 7 different segments and vlans for gosh sake ;)  If anything that number would just go up.
  • Automatic update cron

    3
    0 Votes
    3 Posts
    2k Views
    jimp
    Possible? Yes. Recommended? No. On the one hand, it could lead to a more secure environment because it would update automatically. On the other, the process is not without flaws and valid objections based on security/authority of the upgrade and potential outage concerns. Even if it were an opt-in feature, we'd likely see a chorus of complaints. Automating that sort of task is risky at best.
  • Notify when reboot on update is required

    2
    0 Votes
    2 Posts
    520 Views
    jimp
    It's safer to assume that all upgrades require a reboot unless we say otherwise.
  • 2.3.2_1 crash report

    29
    0 Votes
    29 Posts
    4k Views
    dennypage
    @jimp: I, more than most, am happy to see FreeBSD finally have a way to deal with the extension ordering in PHP. I've been ranting about it being broken (and advocating to get a fix in) for over 10 years now (as of yesterday). Happy Anniversary :)
  • 0 Votes
    23 Posts
    22k Views
    seems to be working yes… thanks for the update..!
  • Remote pfSense Expert

    2
    0 Votes
    2 Posts
    654 Views
    KOM
    Post a Bounty!
  • Pfsense 2.3.2 problem on esxi 6.0 build 4192238 (vcloud 8.10 with nsx)

    5
    0 Votes
    5 Posts
    1k Views
    Glad my not-so glamorous 2 day troubleshooting experience with this helped you out :-) When this happened, I had just moved my equipment from a shelf to a rack on wheels in my basement (due to construction of french drain). My guess is that the pfsense/equipment was down for long enough time (full day before I rigged a consumer grade router to get temp Internet), that the ISP decided to put me on a different subnet when I reconnected. This drove me crazy as, with the move, I didn't introduce any new variables, but there was a physical change, none the less. The symptoms would be that once I was able to turn things back on, I would get Internet connectivity, but then, once I would download a file and semi-saturate the link, the gateway monitor would check the old gateway from the original DHCP subnet that I was part of (I knew my IP could change at any time, but never imagined that they would also change your subnet). I saw a bunch of WAN dropped packets in the managed switch that I use to connect everything, so I followed that route for an afternoon and changed cables, RJ-45 couplers, etc.  I was almost to the point of suspecting AC interference due to the new cable routing!    Of course this was simply because the WAN would reject packets while the NAT states were being reset, but I had no idea of that yet. It was not until the weekend when I was able to do more testing and debugging, that I realized what was happening. This never came up when I did the upgrade to 2.3, as my WAN gateway had not changed, so I just could not imagine what could have changed from the equipment being on a static wooden shelf, to being on a mobile wire shelf :-). Good lesson, just hope I don't get more of these crazy ones! @ironashram: Gateway monitoring indeed was my problem, we have nexus 9000 in our new setup and they bring this fantastic feature that makes gateway respond to ping only sometimes :( Thanks pppfsense for pointing me in the right direction.
  • PfSense servers faulty?

    4
    0 Votes
    4 Posts
    1k Views
    I had the same problem a few hours ago for a while. Now it works properly.
  • Power Home Network Setup - Lab

    6
    0 Votes
    6 Posts
    3k Views
    First, ensure that the traffic you are supposed to see, is there. tcptop won't tell you much, or anything, if the rules are not there to let the traffic in/out (use tcpdump). It should be straight forward to mirror a port in any managed switch, but you should ask in the ubiquiti forums. Now, think about this, if the mirror config is correct, and the data is being sent to the WAN in pfsense, WHY would pfsense do ANYTHING with that data if it is NOT addressed to it? You may be able to see traffic with tcpdump if you put the interface in promiscuous mode, but if pfsense doesn't have an address on the WAN and it is not routing/handling the information, it will not go through it. What you want is to put pfsense in series with your current network. Add it as a router and simply use an rfc1918 address to link the Internet to your current setup. I am sure there is a way to convert the IPS in pfsense to an IDS, but that's not the design/purpose of pfsense, so you are on your own there. @bbuchanan99: snort/suricata….I have gone into my ubiquiti unifi switch and mirrored port 1 (Router uplink) to port 19 (Mirror port).  The pfsense is then connected to port 19 via opt1.  I don't seem to be getting any traffic on the port, tcptop shows nothing on the opt1 interface.  Anyone know how to mirror a port on a ubiquiti switch?  seemed really straight forward but something does not appear to be working.
  • Where can I get USB memstick img 2.3.2p1 pfsense?

    15
    0 Votes
    15 Posts
    3k Views
    stephenw10
    The act of working to understand why it almost certainly won't work isn't in itself a waste of time. Maybe you'll be inspired to learn FreeBSD and create a driver. It would be nice to see a response on the other thread though.  ;) Steve
  • 2.3.2_1 Update causing issues with OpenVPN

    4
    0 Votes
    4 Posts
    1k Views
    johnpoz
    I am running 2.3.2_p1 and was running 2.3.2 with openvpn and no issues.  I am currently connected for that matter.  Both as pfsense as a client connected to a vps server running openvpn-as and as a road warrior client connected to pfsense openvpn server. Without some actual details of your setup, and what exact errors you're seeing.  I have to assume since you're using the export that you're trying to connect to pfsense from somewhere else.  What IP are you trying to connect to?  Sure you're using pfsense public IP?  Are you using udp or tcp?  What port - do you actually see the connection to pfsense, or is the tls handshake error after some other error? What does the log on pfsense show, what does the log on your client show?
  • MOVED: OPENVPN Peer to Peer does not resolve DNS on the network

    Locked
    1
    0 Votes
    1 Posts
    460 Views
    No one has replied
  • 2.3.2-RELEASE-p1 status>monitor all data reports 0

    2
    0 Votes
    2 Posts
    604 Views
    In case anyone else runs into this, it seems to be esxi 6 related.  don't know if it's update 2 or not, but I can confirm the behavior doesn't happen on the same hardware with esx 5.5.
  • Connect PFSense to JuniperSRX

    6
    0 Votes
    6 Posts
    3k Views
    johnpoz
    Thread management lic for juniper is not cheap..  Lookup on CDW shows it going for like 11K for 3 years. I am with muswellhillbilly here.. This is a great statement "If you're running a Juniper that nobody knows how to use, then I would think this is an obvious weak point in your security overall. Either educate yourselves in how to use the Juniper and make an informed decision about whether to keep it or not, or remove it altogether and substitute it for something you know something about" I could not have said it better.. While there are clearly some things that juniper can do that pfsense can not..  You're going to pay for those somethings ;)  Do you need those somethings is the big question.  The srx can be a bit tricky.  They are not as straight forward as say the ISGs or SSGs
  • Update to 2.3.1.p1 on C2758 went as a charme.

    1
    0 Votes
    1 Posts
    405 Views
    No one has replied
  • Almost perfect upgrade 2.3.2 to 2.3.2p1

    7
    0 Votes
    7 Posts
    2k Views
    There, that's all I am saying, it is a bug when the upgrade on vanilla systems fails. @Nullity: @pppfsense: Not what I am saying. It has gotten better, but in my experience, with other similar free software, the failure rate is very, very low. I, for one, have never had an upgrade failure with Untangle, and I have been using it longer than pfsense. With pfsense, in the last few years, every upgrade has had issues for me. Most of them small enough, but that is not the point here: This code is known and it does get to fail in vanilla configurations. Some condition/exception is not being detected or handled properly. Example: https://forum.pfsense.org/index.php?topic=119344.msg661368#msg661368 When I see the word 'odds' as a possible explanation of why the upgrade went wrong, it proves my point: Something is missing or being missed…. I know it is hard and I appreciate the efforts, but in order to get better, we need to admit the issues. @JonH: Today performed my very first ever upgrade, not knowing exactly what to expect. Seemed to work just fine.  No problems. lol… everyone knows that all complex software has bugs, known and unknown. This is not an interesting or useful observation. So, we admit there are issues... now what? Bug reports require details so that others can reliably and repeatably recreate your situation. Without these details there is nothing anyone can do. Things like "The update failed! HELP!!!" are not helpful. Also, don't forget about user error. :)
  • Upgrade to 2.3.2_1 kills WAN link

    4
    0 Votes
    4 Posts
    1k Views
    Doesn't make sense. If the NIC was working with a previous version, a new version would not have killed the NIC. Plus you do see the link on the modem coming up as pfsense boots right? (i.e. NIC works). Reboot modem, reboot pfsense. Check Status - Interfaces and try to get a new DHCP address. You can also try assigning the MAC address of the Linksys router to the WAN interface so you don't have to reboot the modem. Last resource, just for testing, assign the given DHCP address to the WAN interface (no DHCP). (You can also try connecting the pfsense WAN to the Linksys router and see if pfsense gets a DHCP address). @Ramosel: @pppfsense: You DID reboot the (cable) modem, right? Yep, several times.  Observation: As the power comes on to the pfSense machine, the link light on the Arris box goes valid (green).  As the boot progresses and the drivers load, the link light goes out.  Boot finishes with no WAN IP negotiation. Been busy with other projects but just may do a clean reload today and pull a restore. Rick
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.