You can do self signed certs on ip's, but self signed will still by default generate a warning because its not trusted by the browser.
I dont know if you can import certificates on the device you have, if you can then I suggest this ronski.
On your local pfsense, goto the certificate manager and create a CA cert.
Then still in pfsense make a certificate for the device, for the common name just put something like PFSENSE in doesnt matter, then at the bottom you can add an ip address for the certificate and use your work ip, make sure its sha256 (default) and I suggest 3072 bits for the RSA strength.
Export the cert you just made, the key for it and the CA cert.
Import all 3 to the zyxel device (if it lets you).
Add your CA cert to the the trusted certs for your browser (chrome uses the windows CA store like IE, firefox has its own). The advantage of this is whenever you make a new cert using the same CA then you will no longer get prompts as the CA is now trusted in your local browser, and pfsense also will store the certificates for you as well in case you need to install them again.
If you cannot import, or simply cannot be bothered, then just do as he said, add the cert and add exception for it in browser, keep sslv3 disabled for operational use as its now obsolete.