Just going to follow up on this and bring some closure to this thread.  I continued to have crashes with the APU2 unit as well.  I tried a fresh install and reconfiguration by hand instead of restoring the config, which still resulted in many crashes per day.  We resorted to OPNsense and reconfigured by hand, things are stable since deploying it on the APU2 this past Sunday.  I did submit a few more crash reports in hopes that there would be some key info there to help the guys behind pfSense, if it is indeed some kind of bug.  Will revisit this issue when I can afford some more downtime, or when 2.4 is released.

Thanks for all of the input and help, sorry we couldn't get it figured out.  Some kind of bizarre quirk specific to my configuration/environment I'm sure.

Disabling the default setting "Enable DNSSEC Support" lets things work correctly again with Forwarding Mode enabled.  The OpenDNS public DNS servers do not use DNSSEC.  Should forwarding lookups fail when DNSSEC support is enabled but where forwarding DNS servers do not support DNSSEC? I would expect lookups to fail only when DNS servers support DNSSEC but where what is returned does not validate correctly.

Well…. turned out some user put a Tp-link managed switch in somewhere that was using 192.168.0.1, which by chance is the same as pfsense LAN. I dont know why, but this did not show up in the system log until hours later, and then it was in there every 20 seconds:

Jul 27 11:15:40 kernel arp: 84:16:f9:b9:9e:e9 is using my IP address 192.168.0.1 on igb1! Jul 27 11:15:35 kernel arp: 84:16:f9:b9:9e:e9 is using my IP address 192.168.0.1 on igb1! Jul 27 11:15:03 kernel arp: 84:16:f9:b9:9e:e9 is using my IP address 192.168.0.1 on igb1! Jul 27 11:14:46 kernel arp: 84:16:f9:b9:9e:e9 is using my IP address 192.168.0.1 on igb1!

We have noticed the change at several systems:

One Example:
8 vcpus Intel(R) Xeon(R) CPU E5-2697 v3 @ 2.60GHz 8 CPUs: 8 package(s) x 1 core(s)
Version used before:  2.3.3-RELEASE-p1
Throughput: 1 - 2 Gbit/s
States < 10k
Conns/s < 100

We have changed several parameters (virtual-infrastructure, hw-firmware, and pfsense-update)

We noticed that sync traffic is reaching 10% of WAN-Traffic which is a real huge increase.
I have attached two files (after_update is the sync-traffic, wan_traffic is the wan traffic).

At time our solution is to turn sync off. I have also noticed that high traffic
rates ( > 4 Gbit/s) are only achivable with sync turned off.

170727_after_update.PNG
170727_after_update.PNG_thumb
170727_wan_traffic_after_update.PNG
170727_wan_traffic_after_update.PNG_thumb

I tried again using an OpenVPN setup. I followed this tutorial:
https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server

I have the same problem. Either I can only access the internal resources, but no internet. Either I can access the internal resources but internet is from mobile provider. Can't get my phone to use the VPN internet connection. What am I doing wrong? Is this thing even possible?
I did check the "Force all client generated traffic through the tunnel." option. No internet on phone, only LAN resources.

Thank you !

Unfortunately I think that's true. It would need to be something from upstream anyway.

I have no idea where that device even is I was testing with anymore.  ;)

Steve

Thanks for the hint.
It does not seem that there is a switch to tune the queue length.
I do not suppose you mean values in system tunables.
I will try and set the adapters to vmxnet3 and see what happens.

@pfBasic:

I think Unbound reloads every time a new DHCP is registered? Hopefully someone else can confirm or deny that.

Also more to the point, if reloaded, is its cached data lost or service interrupted? That would be an important point for some networks. Samba for instance reloads config without stopping+starting.

Remove the FreeRADIUS 2.x package. Install FreeRADIUS 3.x.

Visit the EAP tab under Services > FreeRADIUS, make sure you have a proper CA/Server Cert selected there, or set them to 'auto'. Save.

Then make sure the rest of your settings are correct, especially the Interfaces tab, NAS/Clients tab, and Users.

Review your setup against this document: https://doc.pfsense.org/index.php/Using_Captive_Portal_with_FreeRADIUS

It mentions FreeRADIUS 2.x, but 3.x works the same.

I am on bt
I have a HG612 with a lan cable running from that to my pfsense box.
I have setup the wan interface as pppoe and supplied it with the login details of bthomehub@btbroadband.com and (password) if asked and it connected first time.
as for the AP I just plugged mine into a switch served by the pfsese lan interface and it works great.
if you get issues with that setup let me know.

You have some daemon on the firewall which is extremely busy, connections are coming in too fast for it to handle with the current queue size.

What services and packages do you have enabled?

That does appear to be a bug affecting the time zone display: https://redmine.pfsense.org/issues/7714

@pilotboy72:

Hope it's soon, but looking at redmine.pfsense.org there are still 79 open issues as of today.  Seems like it may be more than a month.

Most of those are not critical and will be pushed to 2.4.1 or later. We don't always keep that list up-to-date as things progress, since people can assign any target version they want when creating an issue there, that doesn't mean it'll stay. Also some older bugs that we thought we might have time to fix may get pushed again since there still isn't a viable solution or time to make one, etc.

Expect that list to shrink. Rapidly. Soon. :-)

Why not just add a tld, single label domains not really a good idea.. If you like local, I do ;) But I use local.lan for my domain - this tells me its the local lan ;) hehehe

The pool option was added in the 2.4 betas.

If your syncing with non pool, it is more likely that the pool you were syncing too just went offline and you have not picked a different one.  If you look to see what IP your checking you can just look that ip up on the pool site.  They list all servers that are members of the pool.

The could be blocking you - you would want to sniff the traffic and find the point when was working and then it stops working..  Just look to see if pfsense is actually sending the query - and you don't just get an answer?

You can check this site for getting a ntp server up and running on a pi
http://www.satsignal.eu/ntp/Raspberry-Pi-NTP.html

It will for sure get you started..  There is also other threads here about supply a pps signal to pfsense..

Did it work with SSL-Session-ID without SSL offloading? I'm still curious.