No real definitive cause in there that I'm familiar with. Is the crash the same every time? Or do the processes and backtrace change?

i also unable to reproduce the error but it happened consistently on a daily basis.  my environment was a vm running on the kvm hypervisor
the physical nics are  e1000: Intel(R) PRO/1000 Network Driver - version 7.3.21-k8-NAPI
the hypervisor os is  Ubuntu 11.10 (GNU/Linux 3.0.0-16-server x86_64)

Just an up date say I have finally got the logs to be mailed out direct from PFSense.

After going down the complete wrong track with setting up a syslog server, trying external syslog servers (splunk) and generally having a play with the system the solution I was looking for was a simple installation of a known package.

Once I found mailreport from packages and installed it it took 5 mins to configure and now the logs (and a couple of graphs) are automatically mailed for storage.

Thank you all for the information and suggestions. Responding to mikeisfly's question on the camera.

The camera contacts the remote dd-wrt router (camera at a fixed ip on the lan) when it senses movement in the camera field of view and initiates an ftp transfer of that jpeg image file to the home ip address. The camera operates at a specific port and uses the dd-wrt router to contact the home ip address over the internet. This allows manual remote access to the camera.

Set admin's password so it sets root's. Admin cannot be fully disabled since root can't be disabled.

Is your state count anywhere near the maximum when it happens?

Are you getting ARP replies still, and is the MAC in hosts' ARP cache correct?

I love PfSense and I'm telling everyone that I know about it. I'm using it in a lot of applications that prior to the project I would have used a Cisco Router. I will be making a donation today! Thanks PfSense for all the hard work that you do.

Another thing that you need to check is that all your Windows machines have their firewall setup as home or private. If you have the firewall set up as public then that could be a potential source of your problems. You might want to try to disable all firewalls to see if this will help you.

Also just for anyone referencing this post, you don't need a dynamic routing protocol when you want to route across two different networks/subnets when those networks are directly connected to the router that is doing the routing. As long as you have a rule allowing traffic out of those interfaces you are good. So if you have any rip going on disable it

192.168.1.1 /23 is in the middle of your IP scope and is not good form, you could potentially assign that IP out to a host and that would cause your internet issues a well. You should make your WiFi Lan interface 192.168.0.1 that is the first useable IP on the 192.168.0.0/23 supernet.

Tried those.  Don't recall the exact result but it did not work.

From some network captures it looks like pfSense always insists on "wrapper mode".  After the TCP connection is made pfSense immediately sends client hello and then ignores the initial STMP 220 response.

@stephenw10:

The fact that that traffic is reaching the pfSense box shows that some thing is setup incorrectly, probably the client machine. If it has its subnet mask set wrong it might send packets that should go directly to the switch instead to it's configured gateway, probably the pfSense LAN interface. Then pfSense has a problem because it can't route in and out of the same interface. I'm not sure which firewall you are seeing there, could be an internal rule to prevent this sort of thing happening.

Steve

i restarted the problematic pc and change the ip; now it is working

I use Skype almost everyday (since my sister moved to the US) and have no problems other than Skype's usual variability.  ;)
I had trouble narrowing down any recommended settings. I'm sure a large proportion of people here must use it but no one had any advise last time I asked.
Anyway, Skype is a peer to peer protocol it works best when both ends of the connection are publicly addressable. For that reason if you want to get good quality video calls you need Skype to be listening on your public IP. To do that you can either forward the incoming port to your internal machine manually or use UPNP to do it for you. I have used both methods successfully.
If you are using UPNP you need to enable NAT-PMP (ironic since Skype is owned by MS). Here is what my UPNP status looks like when Skype has signed on.

Port Protocol Internal IP Description 53753 keep state udp 192.168.2.22 NAT-PMP 53753 udp 53753 keep state tcp 192.168.2.22 NAT-PMP 53753 tcp

When you are in a call you can bring up the call technical info window and it should have listed: local:good remote:good.
If it does not then one side of the conversation is going via a skype node and not directly which is much slower.

If anyone else has any insight on this I'd love to hear it. Despite my best efforts I often see 'local:bad'  :-\

Steve

@stan-qaz:

Have you tried a different NTP server? I'm not seeing a noticeable delay with the Mar 13 snapshot on x64. I'm using my ISP's NTP server a couple hops away instead of a more distant one.

Thanks for that stan, Figured out, it was caused by the failed CMOS battery on the system! Changed it and the time in the bios, no more issues!

Thank you guys!

Thanks, I forgot to mention that I'm still running 2.0.1-RELEASE.  I'd like to upgrade to 2.1 and FreeBSD 8.3 but it was hard enough getting this installed on my headless Soekris box (a custom binary to boot with only a serial terminal).

Andrew

Thanks, that did the job.

@suicidegybe:

So what rules do you have to set to give vlans internet access, and how would you grant access from one vlan to another.

I don't mean to highjack this post but this is exactly what I'm trying to do too.

I have this right now: internet-pfsense-netgear gs724t-rest of network(data,voice,tv)

What I would like to do is separate data, voice, and tv out to their own vlans. I set three vlans on my pf sense box and generally understand how to configure the switch. But my issue is that I have two devices that need access to two separate vlans. My servers have the same need but only because the vm's need a different vlan so I will just tag the vm vlan and leave the host to be tagged by the switch, or is this not the way to do it? How would I access say the web gui for my PBX server if it is on a different vlan than say my work station? Is this configured through rules if so how? Same for all rdp type services. I would like to be able to manage all my devices from my work station but not be on all vlans?
Thanks

Determine what network addresses you want to use for each VLAN, create the necessary VLANs on your switch, apply them to the ports for devices you want on each VLAN, setup your trunk port on your switch, then create the VLAN interfaces in pfSense. Once you create the VLANs in pfSense you can go to the (assign) option under the Interfaces tab and create new interfaces for each VLAN. Then just assign an IP address on each new VLAN interface to your pfSense box, using an address from the network you want to use for that VLAN. At this point these new interfaces will be available under your Filters, so you can allow/deny traffic to/from each of your different VLANs from your LAN. It sounds like you want to allow your LAN to access your VLANs but not the other way around. In that case, just create block or reject rules on each new VLAN that prevent those networks from accessing your LAN.

To access the pfSense web interface from a device on that VLAN just open a browser or SSH session to the IP you assigned to pfSense on that VLAN. By default the filters will allow access to the web interface from each VLAN unless you disabled the anti-lockout option on the Advanced setup screen.

This page describes most of the setup quite nicely: http://doc.pfsense.org/index.php/Multi-WAN_using_VLANs_with_pfSense

Just note that site is for using Multi-WAN which isn't what you're after, so ignore the parts about assigning gateways for each VLAN as you're only creating LAN-type VLANs, not WAN-type (you only have a single WAN, so you only want a single gateway in pfSense). Good luck!

@Cry:

Before you launch the application the next time, run up Wireshark first (on the PC running the application) and start a packet capture. Then launch the application and once the error appears stop the packet capture. The packet capture may help you work out what's causing the error (it may be useful to compare it with a capture done when the application works).

Thank you, I will try that when i get the chance.  I will see what errors i get.

this issue is resolved now.  i installed 2.1 beta version which has newer release of FreeBSD and updated Intel nic drivers and i am having no more daily crashes.  
i assume the older version of FreeBSD that the 2.0.x pfSense uses had bad em(4) drivers :)  the 2.1 beta version is performing well for me.
thanks
Richard

Put any port specific allow rule above any blanket deny rules.

Are those VLANs truly the same VLAN, or just the same ID on different, isolated switches?