PPPoE is effectively single threaded so it's probably hitting a single core limit:
https://docs.netgate.com/pfsense/en/latest/hardware/tune.html#pppoe-with-multi-queue-nics

Though at 5% total that would have to be a lot of cores! What CPU is it? What NICs are you using?

Setting net.isr.dispatch to deferred as shown in that doc will help though.

Steve

Well if you can do a test to make sure it will actually solve the problem first that may be worth it then.

@stephenw10 Thanks Steve! Everything is ok now. I've built a new image and restored my backup. Yeah you were right guys, it took at least 40 min to reinstall and update packages in the background. I wish I can monitor all background processes, to be able to understand what is happening behind the scene.

@brianmaimo said in pfsense "vm_fault: pager read error:

vm_fault: pager read

That's a very generic error. Do you have a crash report?

Any other errors logged?

Steve

Yes, I would definitely recommend that. If only because that's how virtually all networks with VLANs are setup and if you do something unusual like that you will hit unusual problems!
Really the only reason to trunk tagged VLANs to a host is so that host can access multiple VLANs. So you might do that for a VM server or an access point with multiple SSIDs.

Steve

Hmm, yeah seems odd.
Maybe you can whitelist your IP (or dyndns name) to prevent it.

Steve

That can happen certainly if an assigned interface changes state. That can trigger a whole number of things depending on what is installed or configured. Generally though it shouldn't be a problem. The logs you see there are not a cause for concern by themselves.

Steve

Yeah just do that.
It is possible to disable the pkg reinstall process but not in any easy way. For example if you interrupt the boot and go into single user mode you can remove the 'needs_package_sync' file from /conf. If you're running ZFS that's a bit involved but possible.

https://docs.netgate.com/pfsense/en/latest/troubleshooting/single-user-mode.html#single-user-mode-zfs

You could probably also comment out the check in rc.bootup but that's likely more error prone.

Steve

@stephenw10 Thank You, i got it :)

@gertjan said in DNS Resolver doesn't work with my university domain.:

I would like to understand what the reason for the ISP is to block this port 123.

While I agree it low bandwidth, but it is also a common amplification tool via for one that old monlist command, but pretty sure that was disabled many versions ago to prevent that attack vector.

But maybe they are just playing it safe because not like users keep their stuff updated all the time.. Look at here where they are still running like 2.3 versions of pfsense..

They could do it a different way to allow for source 123 to be answered, with yeah a stateful firewall. so if one of there users asks some ntp server with source port 123 that is allowed, but nonstateful traffic inbound to 123 would be denied. While sure udp is not really a stateful protocol, most firewalls do keep track of the state.

But that would be more work for them so they most likely just go the easy route. And don't monitor state of the users traffic and just block all inbound to their network on 123..

Mmm, really you should be using some other type of authentication for that sort of connection.

Steve

@pwood999 that’s the point I was making. Terrorism, organized crime, espionage…but not basement dwelling hentai watchers. The level of paranoia some people have is nuts. It you want to truly be safe, don’t use anything electronic. Ever.

Hmm, the only thing this looks like is an issue we had before 2.5.2 was released where pfctl was bogging and exhausting the RAM triggering a panic in ZFS. But to trigger that we had to deliberately use very low memory systems and this has 32GB so.... that seems unlikely!

However check the memory usage history in Status > Monitoring.

@stephenw10 @andyrh Yes, you are right. I need to set things up so that I can get in when/if something like this happens again.

Thanks for you help.

@jarhead thanks - deleted it, but you can just click the little 3 dots in the bottom right corner and flag the post next time.

@stephenw10

thank you Steve, that was the problem!

Simply decode under Linux:

What CPU is that?

You are testing directly to iperf running on pfSense? That will always be worse than testing through it. You can see in that video he's testing through the firewall and a completely different NIC type.

Steve

2.4.5? Any reason you're not running 2.52 or 2.6?

What crash are you actually seeing?
supervisor read instruction, page not present could be any number of things.

Steve

Yeah, that's.... interesting. Good to find though!

Also I'd argue it's Chelsio that hates Wireguard. 😉
Though I'm not sure if that's more unexpected.

Steve

@stephenw10 Yep i figured out how the scheduling works. GUI isnt clear (at least to me) how to do a daily schedule or a monthly scedule. Months are presented so it feels like its implied that if you want to have a rule active only on the weekends, you need to select every weekend on every month but you actually dont. Documentation is not clear on this front either but nevertheless reviewing the xml stanza made everything make sense.
Thanks Steve !