Yes, that seems more likely something in the base TCP stack since forwarding still passed pf but does not terminate TCP sessions.
A lot changed between 2.6 and 23.01 (or 2.7) because of the rebase to FreeBSD 14. I'll see if any of our developers are aware of anything that might have caused this.

Steve

Hi,

the problem was our fault, nothing wrong with PfSense.

The OpenVPN client stop working with 2.6.2 udpate. It starts working again with the one that PfSense have in bundle with the config.

@stephenw10 Looks like that did the trick. Thank you!

@fsc830 Yeah. I came across it after I had posted.

It seems like the new FreeBSD 14.0 kernel used by pfSense Plus 23.01 is based on a pre-release version. So basically, I'm SOL for now.

I don't want to mess with the system too much so I just went ahead and reverted all the changes I had made. No biggie but thanks for the heads up.

Well for some reason traffic from the firewall itself is failing. Maybe you have a rule blocking it? Something incorrectly NATing? Check the states while trying to download lists.

Those logs are expected if you open the webgui to random connection attempts. It's not an indication of any sort of compromise.

You can test it yourself, just try to access some page before you login and you will see those logs:

Apr 5 22:02:16 nginx 2023/04/05 22:02:16 [error] 47504#100318: *72304 open() "/usr/local/www/somenonexistentpage.htm" failed (2: No such file or directory), client: 172.21.16.8, server: , request: "GET /somenonexistentpage.htm HTTP/2.0", host: "4100.stevew.lan"

@johnpoz said in how to set up split-dns to access internal server via external ip and port from inside the network??:

@hsssslaa said in how to set up split-dns to access internal server via external ip and port from inside the network??:

it will get handed over to the dns configured under General Setup.

only if you setup forwarding.. By default unbound resolves, it doesn't forward - if you want your dns to come from say 1.1.1.1 you have to setup that up in general and then turn on forwarding in unbound.

Thanks for your explanation, it all makes sense. Yes, I do have the forwaring turned on so all is working as it should.

@stephenw10 You were correct, mistaken identity :)

Backtrace:

db:0:kdb.enter.default> bt Tracing pid 11 tid 100005 td 0xfffff80004325000 kdb_enter() at kdb_enter+0x37/frame 0xfffffe003f174490 vpanic() at vpanic+0x197/frame 0xfffffe003f1744e0 panic() at panic+0x43/frame 0xfffffe003f174540 trap_fatal() at trap_fatal+0x391/frame 0xfffffe003f1745a0 trap() at trap+0x67/frame 0xfffffe003f1746b0 calltrap() at calltrap+0x8/frame 0xfffffe003f1746b0 --- trap 0x9, rip = 0xffffffff80da98f4, rsp = 0xfffffe003f174780, rbp = 0xfffffe003f1747e0 --- callout_process() at callout_process+0x184/frame 0xfffffe003f1747e0 handleevents() at handleevents+0x188/frame 0xfffffe003f174820 timercb() at timercb+0x25f/frame 0xfffffe003f174870 lapic_handle_timer() at lapic_handle_timer+0x9b/frame 0xfffffe003f1748a0 Xtimerint() at Xtimerint+0xb1/frame 0xfffffe003f1748a0 --- interrupt, rip = 0xffffffff81531986, rsp = 0xfffffe003f174970, rbp = 0xfffffe003f174970 --- acpi_cpu_c1() at acpi_cpu_c1+0x6/frame 0xfffffe003f174970 acpi_cpu_idle() at acpi_cpu_idle+0x2e0/frame 0xfffffe003f1749b0 cpu_idle_acpi() at cpu_idle_acpi+0x3e/frame 0xfffffe003f1749d0 cpu_idle() at cpu_idle+0x9f/frame 0xfffffe003f1749f0 sched_idletd() at sched_idletd+0x326/frame 0xfffffe003f174ab0 fork_exit() at fork_exit+0x7e/frame 0xfffffe003f174af0 fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe003f174af0 --- trap 0, rip = 0, rsp = 0, rbp = 0 ---

Panic:

kernel trap 9 with interrupts disabled Fatal trap 9: general protection fault while in kernel mode cpuid = 2; apic id = 04 instruction pointer = 0x20:0xffffffff80da98f4 stack pointer = 0x28:0xfffffe003f174780 frame pointer = 0x28:0xfffffe003f1747e0 code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, long 1, def32 0, gran 1 processor eflags = resume, IOPL = 0 current process = 11 (idle: cpu2) trap number = 9 panic: general protection fault cpuid = 2 time = 1680623985 KDB: enter: panic

Nothing significant in the message buffer

It looks like something in the idle process so maybe some unsupported power saving function?

Has it always done this?

Steve

You need to use REGEX there so something like: Apr .4 1[2-5]

Though I'm sure anyone with REGEX skilz could do better. 😉

It could be either but I would set it up as 'split tunneling'. So OpenVPN on pfSense on your LAN will only route traffic to the OpenVPN tunnel subnet or other remote subnets. The server sends the subnets to route to the clients when it connects.
So, yes, you can keep a PIA client separately and route traffic across that without causing a conflict.

Better to add comments to the bug so all developers can see them.

@serbus Thanks John. That's probably a better idea than what I am doing.

I do have it working now, though. I had it testing successfully using port 465 SSL/TLS, but true notifications failed. I changed to 587 plain and notifications are being received.

Thanks for the replies.

When you use an actual proxy, like HAProxy, you don't need any sort of reflection. The proxy will listen on the public IP for incoming traffic from any source and will open it's own connections to the backend so no outbound NAT is needed there either.
So your LAN rules would need to allow connections from LAN to the WAN IP HAProxy is listening on without routing via the WAN gateway.

Steve

Oh, man. That's not good.

I thought for a second to initiate rsync job from the remote host but I remembered about this one time rsync on a target macOS was too old (no surprise there) and it failed one of the options—so… it's required on both ends.

Thanks again everyone. I'll go with scp, it has to be there. The good thing is that it's only a handful of files that have to be overwritten anyway triggered by a successful task, e.g; successful cert renewal. There is no need to compare files or anything like that.

I'd like to share it when I'm done (almost there, as soon as I simplify error checking) so I don't want to script an install because I think that would be too invasive.

@stephenw10 Thanks!

No packages are not covered by TAC Lite. But this seems like a bug anyway so opening a bug report is correct way to go.

@stephenw10
@SteveITS

It seemed a weird issue, I could navigate to the bbc.com, apple.com but netgate.com and this forum I could not resolve. I could ping those addresses.

I unticked the DNSSEC support, which gave me the above results.

So, just for laughs and giggles, I Factory Reset pFsense and manually inputted the barest setups and went and unticked the DNSSEC support button and ALL was GOOD. Could get everywhere.

Am assuming that since this has been an old setup that I have added and added (for over 10 years), that along the way there is something not quite right, an issue buried long ago that has now bitten me on the bum.

So, am going to take this opportunity to (almost) start again, I've been able to re-import restore areas, such as OpenVPN (although I need to add new user certificates ).

Oh well. Thanks all for your kind help!

Ian

@dobby_ said in Cut's in streamed music?!:

@furom said in Cut's in streamed music?!:

No disconnects, and well, atm I have pfBlocker installed, but this started a long time before I recently installed that.

Perhaps other packets installed?

Snort with some rules affecting that behaviour Squid and ClamAV and not checked don´t scan "streams" Squid set up to pass through streams from audio and/or video in pfBlocker-NG the servers for the streaming into a whitelist perhaps?

Thanks for good suggestion! This started before I even knew I could install any sort of packets on pfSense, so I must assume it is not the setup in itself...?

Hmm, I'm not sure how to show that per interface. Possibly some combination of netstat -i and netstat -Q