Backtrace:

db:1:pfs> bt Tracing pid 79686 tid 100334 td 0xfffffe010ce053a0 kdb_enter() at kdb_enter+0x32/frame 0xfffffe010bfa8900 vpanic() at vpanic+0x182/frame 0xfffffe010bfa8950 panic() at panic+0x43/frame 0xfffffe010bfa89b0 trap_fatal() at trap_fatal+0x409/frame 0xfffffe010bfa8a10 trap_pfault() at trap_pfault+0x4f/frame 0xfffffe010bfa8a70 calltrap() at calltrap+0x8/frame 0xfffffe010bfa8a70 --- trap 0xc, rip = 0xffffffff80f9352c, rsp = 0xfffffe010bfa8b40, rbp = 0xfffffe010bfa8b70 --- X_ip_mrouter_done() at X_ip_mrouter_done+0x31c/frame 0xfffffe010bfa8b70 rip_detach() at rip_detach+0x3f/frame 0xfffffe010bfa8ba0 sorele_locked() at sorele_locked+0x89/frame 0xfffffe010bfa8bc0 soclose() at soclose+0xeb/frame 0xfffffe010bfa8c20 _fdrop() at _fdrop+0x11/frame 0xfffffe010bfa8c40 closef() at closef+0x24b/frame 0xfffffe010bfa8cd0 fdescfree() at fdescfree+0x4b3/frame 0xfffffe010bfa8d90 exit1() at exit1+0x4c7/frame 0xfffffe010bfa8df0 sys_exit() at sys_exit+0xd/frame 0xfffffe010bfa8e00 amd64_syscall() at amd64_syscall+0x10c/frame 0xfffffe010bfa8f30 fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe010bfa8f30 --- syscall (1, FreeBSD ELF64, sys_exit), rip = 0x822b5786a, rsp = 0x820a03288, rbp = 0x820a032a0 ---

Panic:

Fatal trap 12: page fault while in kernel mode cpuid = 6; apic id = 06 fault virtual address = 0x0 fault code = supervisor read data, page not present instruction pointer = 0x20:0xffffffff80f9352c stack pointer = 0x28:0xfffffe010bfa8b40 frame pointer = 0x28:0xfffffe010bfa8b70 code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, long 1, def32 0, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = 79686 (pimd) rdi: fffffe00e204ad18 rsi: 4 rdx: 1 rcx: 0 r8: 0 r9: fffff80010067000 rax: 100 rbx: fffffe010ce053a0 rbp: fffffe010bfa8b70 r10: 0 r11: 800000044d83ed99 r12: fffffe010ce053a0 r13: 0 r14: fffff805734b4700 r15: 0 trap number = 12 panic: page fault cpuid = 6 time = 1680781157 KDB: enter: panic

Console also shows:

config_aqm Unable to configure flowset, flowset busy! config_aqm Unable to configure flowset, flowset busy!

It's probably this or related to it: https://redmine.pfsense.org/issues/12079
Except it's in pimd rather than igmpproxy hence the differences.

Steve

If you're able to replicate it then a bug would be helpful. We would need to know what the config was in 22.01 in order to prevent it failing it upgrade.

Steve

@nocling I can't thank you enough. This worked! I've read so much documentation, posted in numerous forums, etc. No one brought up the switch aspect. Thanks!!!

@soupdiver said in Unable to Register pfSense Plus:

I guess some kind of user error would be nice here

Hmm, I agree. Let me see what we can do there.

@riggi Yes, the first boot after you restore the config to the bare metal device, pfSense will prompt you to correct/assign interfaces.

You can also edit the config.xml file to change the interface names before restoring with a tool like NotePad++. Being careful to replace the names individually and not just do a lazy-man 'replace all'. Simple and effective.

@stephenw10
Well I have not tested on 23.01 but I used to get similar issues for many of my installations with 2.6.

Yes, Ofcourse, Rebooting firewall or restarting service makes the gateway come online.

Recently I found a work around, if it gives some kind of pointer. I have set the WAN as static IP instead of dhcp. This solves the pending issue. I guess it is more of an issue in uplink modem, unable to assign a dhcp address to WAN port of firewall.

So i guess there is no issue with pfsense.

@jknott The earliest computer I had was an At&t PC6300 it had a DB-9 for the keyboard, monochrome guy. I also remember my Tandy 102 my uncle got us one christmas had a DB25 on the back. My Dad had a Commodore 64 I never got to play with it. The thing was disconnected by the time I was able to. Again, the monitor was dead that went with it and it was outdated at that point but that guy had some connections on the back also. Today I have the C64 mini so I got to play with it in the end, Thank you Santa!!!

You could do this using an alias with all the client subnets in it and then use that as the source in the firewall rule at site A on the IPSec tab.
That wouldn't filter clients that are at site A that don't use tunnel so you'd still need a rule on the client VLAN there directly.
Or as you say you could put that rule as floating outbound on the resources VLAN at site A.

There are some ways to realize it;

Each LAN Port gets an own subnet like
192.168.1.0/24 and on the next one 192.168.2.0/24 You can also add a switch to each LAN port and enrich
that scenario for more users or devices. You may be able to work with VLANs for privat and home
VLAN10 = Home - 192.168.1.0/24
VLAN20 = Work - 192.168.2.0/24
VLAN30 = WiFi - 172.xxx

You may be able to set up behind the pfSense also a small
MikroTik router for each network if you want.

There are many ways you may be able to walk on.

You can use rewrites in Squidguard. It's limited though, it might do what you need.

Screenshot from 2023-04-14 18-45-20.png

Steve

Um....yes we will need a lot more information to offer any sort of solution here! 😉

@stephenw10 ah that makes sense. Thanks. The 8200 already has uc-18 so it was just a BIOS update.

Probably. I have no insight there. I imagine the intention was to have the widget display flash in some way to alert the user.

@stephenw10 said in Network wide compliance policy:

Right, I'm not sure that's in the open source server.

Ugh that is the paid server for 180 dollars a month "built on the open-source structure".
I think I am gonna stay away from that. Anyways seems like my quest has hit a rough end. I will try to harden my network in a different way.

Thanks for all of the replies. Great community!

@stephenw10 this worked. Thanks!

@rubensan112

I'm pretty sure that IP, 192.168.1.1, is very close to you.
Like 3 foot away, the cable between pfSense and your ISP router.

The idea is that you use another, public, IP, one that is further down "the road", a gateway IP of your ISP.
If that one is to hard to find, you could use some other "nearby" IP, like 8.8.8.8.

I'm using the IP of one of my servers somewhere nearby the main 'ISP gateway' :

ececd44b-0e5d-4945-99ec-7b2f9438d480-image.png

Now I see :

8f8df7d3-43ff-4671-90b1-f7a38245e45a-image.png

Which means :
192.168.10.1 is the IP of the LAN of my ISP router, just 30 away from me and pfSense.
188.165.5x.87 is my server IP, and that one is just to 'test' my uplink.
The whole ieda of all this is : If I (pfSense) can reach (receive answers to my pings) from 188.165.5x.87, I know (and pfSEse) that my connection is ok.

Pinging your upstream router on your site/home makes no sense. That says nothing about the 'quality' of your uplink.
Test this yourself : remove the cable (phone/adsl/coax/satellite disk/fiber/whatever you use) from your ISP router : you will see no alerts in the pfSense GUI dashboard, as your 1921.168.1.1 is still answering, so pfSense thinks the connection is ok.
Well, it's not.

@matrix2113

You could use a VLAN and managed switch to separate WAN & LAN interfaces.

@shaw222 I don’t have a link but forward the ports to your VPN server running on your LAN. I was just brainstorming.

@stephenw10 i got it, thank you so much!. if any doubts will let you know.

@johnpoz said in Cisco vs. pfSense:

Throw ddwrt or openwrt on that 20$ box and he would have cool stuff to play with for days and days.. Vs trying to get 15 year old hardware trying to do something actually productive.

I know both DD-WRT and OpenWRT very well and I also use them.
But even then, the differences lie in the hardware.
Just as I wouldn't buy a PC with water cooling if I only use it for writing programs and the Internet, I don't have to invest expensive hardware for an AP if I don't use it in a productive environment.
As @stephenw10 said so beautifully.....

@stephenw10 said in Cisco vs. pfSense:

It's all relative.