Discussions about development snapshots for pfSense 2.5.x
There are a lot of other problems, priorities and clients they are focused on, so be patient :)
Anyway, if those crashes are related to radix_mpath then there are solutions already; if no other way is found, they will recompile the kernel without this option enabled. If Netgate really wants to use it in some installations they can do a custom kernel, a snapshot, or some GUI selection that boots a RADIX_MPATH-enabled kernel. That is at least three solutions off the top of my head, and they can definitely add their own.
All of the backtraces in that are identical:
Tracing pid 26689 tid 100757 td 0xfffff80251dd5620
kdb_enter() at kdb_enter+0x3b/frame 0xfffffe046257aaa0
vpanic() at vpanic+0x19b/frame 0xfffffe046257ab00
panic() at panic+0x43/frame 0xfffffe046257ab60
trap_pfault() at trap_pfault/frame 0xfffffe046257abb0
trap_pfault() at trap_pfault+0x49/frame 0xfffffe046257ac10
trap() at trap+0x29d/frame 0xfffffe046257ad20
calltrap() at calltrap+0x8/frame 0xfffffe046257ad20
--- trap 0xc, rip = 0xffffffff80e9a6fa, rsp = 0xfffffe046257adf0, rbp = 0xfffffe046257ae00 ---
in_delayed_cksum() at in_delayed_cksum+0x5a/frame 0xfffffe046257ae00
pf_test() at pf_test+0x2493/frame 0xfffffe046257b010
pf_test() at pf_test+0x2088/frame 0xfffffe046257b220
pf_test() at pf_test+0x2088/frame 0xfffffe046257b430
pf_check_out() at pf_check_out+0x1d/frame 0xfffffe046257b450
pfil_run_hooks() at pfil_run_hooks+0x90/frame 0xfffffe046257b4e0
ip_output() at ip_output+0xa53/frame 0xfffffe046257b610
udp_send() at udp_send+0xa0c/frame 0xfffffe046257b6d0
sosend_dgram() at sosend_dgram+0x345/frame 0xfffffe046257b730
kern_sendit() at kern_sendit+0x1f9/frame 0xfffffe046257b7e0
sendit() at sendit+0x19e/frame 0xfffffe046257b830
sys_sendto() at sys_sendto+0x4d/frame 0xfffffe046257b880
amd64_syscall() at amd64_syscall+0xa86/frame 0xfffffe046257b9b0
fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe046257b9b0
--- syscall (133, FreeBSD ELF64, sys_sendto), rip = 0x801f929ea, rsp = 0x7fffdf5f84a8, rbp = 0x7fffdf5f84f0 ---
Fatal trap 12: page fault while in kernel mode
cpuid = 3; apic id = 03
fault virtual address = 0x18
fault code = supervisor read data, page not present
instruction pointer = 0x20:0xffffffff80e9a6fa
stack pointer = 0x28:0xfffffe0462267df0
frame pointer = 0x28:0xfffffe0462267e00
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 11651 (unbound)
trap number = 12
panic: page fault
cpuid = 3
KDB: enter: panic
I'm not seeing any similar backtraces for previous crashes when I search, but in_delayed_cksum at the top of that makes me suspect it may be an issue with checksum processing. It could also be a hardware issue in general.
Maybe try toggling the hardware checksum option under System > Advanced, Networking tab
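A small triage script for reading a panic like the one quoted above, as an added example (my code, not from this thread or from FreeBSD/pfSense). It pulls the trap fields and the post-trap call path out of the pasted text, checks that the trap marker and the trap fields agree, and flags the small fault virtual address (0x18) for what it is: a page fault below the first page, i.e. a read of a struct member through a NULL pointer. That does not say which pointer was NULL (that needs the crash dump and kernel debug symbols), but it is worth knowing before swapping hardware, because a NULL-plus-offset address is the signature of a code path that never set a pointer rather than of a failing NIC or DIMM. The sample text is constructed from the frames and trap fields shown in the post, with the duplicated pf_test frames trimmed.

```python
"""Triage helper for a FreeBSD/pfSense panic dump.

Pulls the trap fields and the faulting call path out of the text a user
pastes in a forum post, and flags the "small fault address" pattern that
means a NULL struct pointer was dereferenced.  Added example, not code
from the thread or from FreeBSD/pfSense.
"""
import re

# Constructed sample: the relevant lines of the panic quoted in the post
# above, trimmed (the repeated pf_test frames are not needed here).
SAMPLE_PANIC = """\
panic() at panic+0x43/frame 0xfffffe046257ab60
trap_pfault() at trap_pfault/frame 0xfffffe046257abb0
--- trap 0xc, rip = 0xffffffff80e9a6fa, rsp = 0xfffffe046257adf0, rbp = 0xfffffe046257ae00 ---
in_delayed_cksum() at in_delayed_cksum+0x5a/frame 0xfffffe046257ae00
pf_test() at pf_test+0x2493/frame 0xfffffe046257b010
pf_check_out() at pf_check_out+0x1d/frame 0xfffffe046257b450
pfil_run_hooks() at pfil_run_hooks+0x90/frame 0xfffffe046257b4e0
ip_output() at ip_output+0xa53/frame 0xfffffe046257b610
udp_send() at udp_send+0xa0c/frame 0xfffffe046257b6d0
sys_sendto() at sys_sendto+0x4d/frame 0xfffffe046257b880
--- syscall (133, FreeBSD ELF64, sys_sendto), rip = 0x801f929ea, rsp = 0x7fffdf5f84a8, rbp = 0x7fffdf5f84f0 ---
Fatal trap 12: page fault while in kernel mode
cpuid = 3; apic id = 03
fault virtual address = 0x18
fault code = supervisor read data, page not present
instruction pointer = 0x20:0xffffffff80e9a6fa
current process = 11651 (unbound)
trap number = 12
panic: page fault
"""

FIELD_RE = re.compile(
    r"^(fault virtual address|fault code|instruction pointer|current process|trap number)"
    r"\s*=\s*(.+?)\s*$", re.M)
FRAME_RE = re.compile(r"^(\w+)\(\) at \1(?:\+0x([0-9a-f]+))?/frame 0x[0-9a-f]+$", re.M)
TRAP_MARK_RE = re.compile(r"^--- trap 0x[0-9a-f]+, rip = (0x[0-9a-f]+)", re.M)
SYSCALL_RE = re.compile(r"^--- syscall \((\d+), [^,]+, (\w+)\)", re.M)
PROCESS_RE = re.compile(r"^(\d+) \((\S+)\)$")

PAGE_SIZE = 4096  # amd64 base page: nothing is mapped that low in the kernel
T_PAGEFLT = 12    # amd64 trap number for a page fault


def parse_panic(text):
    """Return the trap fields, the faulting call path and a verdict for one panic."""
    fields = dict(FIELD_RE.findall(text))
    mark = TRAP_MARK_RE.search(text)
    # Frames printed before the "--- trap" marker are the kdb/panic machinery;
    # the faulting code path starts right after it, innermost frame first.
    after = text[mark.end():] if mark else text
    frames = [(func, int(off or "0", 16)) for func, off in FRAME_RE.findall(after)]
    trap = int(fields["trap number"])
    fault_addr = int(fields["fault virtual address"], 16)
    pid, comm = PROCESS_RE.match(fields["current process"]).groups()
    # "instruction pointer = 0x20:0xffff..." carries a code-segment selector prefix.
    rip_field = fields["instruction pointer"].split(":")[-1]
    syscall = SYSCALL_RE.search(after)
    return {
        "trap": trap,
        "fault_code": fields["fault code"],
        "fault_addr": fault_addr,
        "faulting_function": frames[0][0] if frames else None,
        "faulting_offset": frames[0][1] if frames else None,
        "call_path": [func for func, _ in frames],
        "syscall": syscall.group(2) if syscall else None,
        "pid": int(pid),
        "process": comm,
        # The rip in the trap marker must equal the trap's instruction pointer;
        # if not, the pasted trace and trap fields come from different panics.
        "rip_consistent": mark is not None and mark.group(1) == rip_field,
        # A page fault below one page is a NULL pointer plus a struct member
        # offset: the code read a field through a pointer it never set.
        "null_deref": trap == T_PAGEFLT and fault_addr < PAGE_SIZE,
    }


def summarize(info):
    """One line a reviewer can paste back into the thread."""
    where = "%s+0x%x" % (info["faulting_function"], info["faulting_offset"])
    if info["null_deref"]:
        verdict = ("NULL pointer dereference: read of a field at offset 0x%x "
                   "through a NULL struct pointer" % info["fault_addr"])
    else:
        verdict = "page fault at 0x%x (%s)" % (info["fault_addr"], info["fault_code"])
    origin = " via %s" % info["syscall"] if info["syscall"] else ""
    return "trap %d in %s, pid %d (%s)%s: %s" % (
        info["trap"], where, info["pid"], info["process"], origin, verdict)


if __name__ == "__main__":
    print(summarize(parse_panic(SAMPLE_PANIC)))
```

Run it on a pasted panic and the one-line summary reads "trap 12 in in_delayed_cksum+0x5a, pid 11651 (unbound) via sys_sendto: NULL pointer dereference ...". The rip_consistent check is there because users frequently paste the trap fields from one crash and the backtrace from another; when it is False, ask for a single complete dump before spending time on the frames.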
Hyper-V, 2 CPU cores, with pfBlockerNG and Table Usage Count: 24691. Every 2 seconds unbound uses 1 CPU at 100%. When pfBlockerNG is disabled, all is OK. With the same lists on 2.4.4 there is no noticeable CPU usage at all. The problem is still there, but not as critical as it was.
And memory usage with pfBlockerNG is doubled compared to 2.4.4.
I split your posts off to a new topic since, although it was a crash, it was nowhere near the same crash.
Yours is crashing in the NIC driver while processing an interrupt from a vr(4) NIC. Those VIA Rhine NICs are very, very old (they're only 10/100!) and were never all that reliable. I would strongly suggest replacing that NIC with a quality Intel gigabit NIC. And replace those Realtek NICs while you are at it.
There are existing examples in the code for doing this as well. Start here:
Yeah, if you're running your ESXi in your own lab with your own VMs, I wouldn't use any of the mitigations for this family of exploits if there is any possible performance hit, which most of these mitigations have. Some can be a pretty stiff hit.
Do you recall when Meltdown first came out? Lots of hoopla about that, even though most use cases of pfSense would have zero need for concern with such an attack vector.
Lots of traffic about it here and elsewhere, etc. Netgate put out this blog back in Jan 2018.
The important take away
Most of our users should not be concerned as long as they follow our basic guidelines for limiting access to the WebGUI, shell as well as physical access to the pfSense appliance.
Same goes for all of these sorts of exploits..
You have to declare each level of the hash/array as you go. Like this:
$config['vlans'] = array();
$config['vlans']['vlan'] = array();
$config['vlans']['vlan'] = $newvlan;
There is a convenience function that can help:
$config['vlans']['vlan'] = $newvlan;
That function only initializes the arrays if they are unset/don't exist/are not arrays so it's safe to run unconditionally.
I'm running pfSense on an Intel(R) Core(TM) i5-5250U CPU. CPU load is low, RAM usage 23% out of 8GB. Google DNS is blocked. I use igb1. As I said, no problems without WG and full speed. WG natively running on a Linux Mint 19.3 PC throttles the speed. IMHO there is nothing wrong with mode "Inline IPS".
Your requested results are in Snort.zip
@jimp said in Upgrade to 2.4.5 > 2.4.4-p3 SG-3100 ipv6 bogon list issue:
It's reporting the size as it was when the page was loaded, apparently, and not what the calculated default for the system would be. That may be a bug, though it should probably report both.
Well, it technically does report both in that it appropriately shows the value that was set when the page was loaded in the field where you can change the value. The bug would be that the display for the "default value" stated under the field is actually showing the currently set value.
@virgiliomi OK, thank you, I'll check it out. I appreciate it.
Due to no work I can't afford anything, and people hoarding food and the damn toilet paper...
I appreciate it and I'll check it out (:
@johnpoz said in Cert Manager Export Password:
See the popup I showed where it says to look in profiles - did you miss that?
It is a very valid point. It is easy to miss. But I haven't. Going back to the two things I have tried.
If using the unencrypted p12 (which I know it is not meant to work): when I click on it, I see the pop up at the bottom saying that I have to go to my profiles to add it. If I go to general-->profiles I can see it there, I can click to install it, enter the pin code, and then I get stuck waiting for the password. But the p12 does get sent to profiles and an install can be attempted.
when using the encrypted version, nothing happens when I click on the p12 file. When I say "nothing", I mean as if I had not touched the screen at all. No error, no "open with" menu, nothing.
UPDATE: I have noticed that you used the Windows version of openssl. So just for the sake of it, I decided to install it and give it a shot. Surprisingly, it worked this time. Thinking that there can't be a difference between the two openssl, my head pointed towards the transfer between my raspbian and my Windows computer. Per default winscp transfers text file, and apparently doing this messed up the base64 and made it unusable for the encrypted version. After repeating the process with a binary transfer mode, I could import that encrypted p12 as well.
So in the end, I could solve the problem and I hope this can help someone else. Thanks a lot @johnpoz for pointing me in the right direction. Without your screenshot I wouldn't have thought about looking into that and find the root-cause.
I replied in my other thread: the alias problem is fixed by reinstalling the firewall on my SG-3100 back to stable and not restoring ANYthing previously. Entirely rebuilt from scratch.
I am now running the SG-3100 on 2.4.4-RELEASE-p3 (arm) but have the same issue as I originally posted in this thread.
On the stable release I have spent hours trying to figure this out. Reading redmine https://redmine.pfsense.org/issues/6028, if I am reading this correctly, this affects ALL versions of pfSense? I have been using pfSense for the past 3-4 years and never experienced this.
This leads me to two things. Does the image file for the SG-3100 contain issues my SG-4220 and SG-2220 did not have?
Because I have been using these same rules, and yesterday they were built from scratch, not restored from a previous firewall.
If this is the bug, I just need to know that so I understand it's being worked on.
Thank you, Sir.
So a good example would be something like this:
pfctl -sr currently prints out the rule set, and the userrules anchor (anchor "userrules/*" all) is empty. I have confirmed this with pfctl -a userrules -sr, which returns nothing. I then added the following:
echo "pass in quick on em0 inet proto tcp from 192.168.1.7 to any port = 32400 flags S/SA keep state" | pfctl -a userrules -f -
When I run pfctl -a userrules -sr after this I get:
pass in quick on em0 inet proto tcp from 192.168.1.7 to any port = 32400 flags S/SA keep state
The rule doesn't work though, and it doesn't display with pfctl -sr either. I can't see what I am specifying wrong. I have tried calling the anchor with and without the /* in quotes a few times, and it places the new rule under the userrules anchor as displayed with pfctl -a userrules -sr each time. I can clear it with pfctl -a userrules -Fr as well. Given this example, can you see where I have gone astray? Thank you for your help.
It looks good; what did you use to improve your traffic graph? I still have some problems with it, and even more when I try to upgrade my IP, man it is so horrible haha. I like your CSS style, well done bro!