Thanks! I have PFSense running under a VM on TrueNas Scale, and it works great. Not the ideal setup. It has plenty of horsepower, disk, & memory on the Scale Server (probably WAY overkill).
For the price of that little guy might as well try it out. If it doesn't work out, it goes back. I did find out the NIC's are Realtek, and I'll beat it up to see how it performs.

It looks like it's mentioned in two places. One where it's disabled for a list of MAC types:

if (sc->re_type == MACFG_68 || sc->re_type == MACFG_69 || sc->re_type == MACFG_70 || sc->re_type == MACFG_71 || sc->re_type == MACFG_72 || sc->re_type == MACFG_73 || sc->re_type == MACFG_74) { //Disable Giga Lite MP_WritePhyUshort(sc, 0x1F, 0x0A42); ClearEthPhyBit(sc, 0x14, BIT_9);

And the other where it's disabled unconditionally in the setup function for the 8125:

static int re_ifmedia_upd_8125(struct ifnet *ifp) { struct re_softc *sc = ifp->if_softc; struct ifmedia *ifm = &sc->media; int anar; int gbcr; int cr2500 = 0; if (IFM_TYPE(ifm->ifm_media) != IFM_ETHER) return(EINVAL); //Disable Giga Lite ClearEthPhyOcpBit(sc, 0xA428, BIT_9); ClearEthPhyOcpBit(sc, 0xA5EA, BIT_0); cr2500 = MP_RealReadPhyOcpRegWord(sc, 0xA5D4); cr2500 &= ~RTK_ADVERTISE_2500FULL;

Neither has any sort of external config dependency so it doesn't look like you can choose.
And it looks like it's always disabled in the 8125.

Steve

@stephenw10 Oh my God, you're right, I just couldn't see it, on Monday I'll change the port to 636, I'll update you, thanks so much for your help.
Greetings
Domenico

@johnpoz said in I don't think PLEX is connecting to plex.tv:

If its in AP mode why would your client be trying to ask it for dns?
You should be asking pfsense for dns 10.0.0.2

Well, when you put it that way, It's obvious what's wrong. HA! HA!
I feel like I should have caught that.

I changed the DNS server setting in ProxMox to the correct IP and everything works as it should. It was a setting that was left from the old router. I actually tried to have those two IPs the other way around when installing pfsense, but ran into issues.

I still don't know why this caused playback errors for transcoding, but it all works now.

Thanks so much for all the help.

PPPoE is effectively single threaded so it's probably hitting a single core limit:
https://docs.netgate.com/pfsense/en/latest/hardware/tune.html#pppoe-with-multi-queue-nics

Though at 5% total that would have to be a lot of cores! What CPU is it? What NICs are you using?

Setting net.isr.dispatch to deferred as shown in that doc will help though.

Steve

Well if you can do a test to make sure it will actually solve the problem first that may be worth it then.

@stephenw10 Thanks Steve! Everything is ok now. I've built a new image and restored my backup. Yeah you were right guys, it took at least 40 min to reinstall and update packages in the background. I wish I can monitor all background processes, to be able to understand what is happening behind the scene.

@brianmaimo said in pfsense "vm_fault: pager read error:

vm_fault: pager read

That's a very generic error. Do you have a crash report?

Any other errors logged?

Steve

Yes, I would definitely recommend that. If only because that's how virtually all networks with VLANs are setup and if you do something unusual like that you will hit unusual problems!
Really the only reason to trunk tagged VLANs to a host is so that host can access multiple VLANs. So you might do that for a VM server or an access point with multiple SSIDs.

Steve

Hmm, yeah seems odd.
Maybe you can whitelist your IP (or dyndns name) to prevent it.

Steve

That can happen certainly if an assigned interface changes state. That can trigger a whole number of things depending on what is installed or configured. Generally though it shouldn't be a problem. The logs you see there are not a cause for concern by themselves.

Steve

Yeah just do that.
It is possible to disable the pkg reinstall process but not in any easy way. For example if you interrupt the boot and go into single user mode you can remove the 'needs_package_sync' file from /conf. If you're running ZFS that's a bit involved but possible.

https://docs.netgate.com/pfsense/en/latest/troubleshooting/single-user-mode.html#single-user-mode-zfs

You could probably also comment out the check in rc.bootup but that's likely more error prone.

Steve

@stephenw10 Thank You, i got it :)

@gertjan said in DNS Resolver doesn't work with my university domain.:

I would like to understand what the reason for the ISP is to block this port 123.

While I agree it low bandwidth, but it is also a common amplification tool via for one that old monlist command, but pretty sure that was disabled many versions ago to prevent that attack vector.

But maybe they are just playing it safe because not like users keep their stuff updated all the time.. Look at here where they are still running like 2.3 versions of pfsense..

They could do it a different way to allow for source 123 to be answered, with yeah a stateful firewall. so if one of there users asks some ntp server with source port 123 that is allowed, but nonstateful traffic inbound to 123 would be denied. While sure udp is not really a stateful protocol, most firewalls do keep track of the state.

But that would be more work for them so they most likely just go the easy route. And don't monitor state of the users traffic and just block all inbound to their network on 123..

Mmm, really you should be using some other type of authentication for that sort of connection.

Steve

@pwood999 that’s the point I was making. Terrorism, organized crime, espionage…but not basement dwelling hentai watchers. The level of paranoia some people have is nuts. It you want to truly be safe, don’t use anything electronic. Ever.

Hmm, the only thing this looks like is an issue we had before 2.5.2 was released where pfctl was bogging and exhausting the RAM triggering a panic in ZFS. But to trigger that we had to deliberately use very low memory systems and this has 32GB so.... that seems unlikely!

However check the memory usage history in Status > Monitoring.

@stephenw10 @andyrh Yes, you are right. I need to set things up so that I can get in when/if something like this happens again.

Thanks for you help.

@jarhead thanks - deleted it, but you can just click the little 3 dots in the bottom right corner and flag the post next time.

@stephenw10

thank you Steve, that was the problem!

Simply decode under Linux:

cat certb64 | base64 -d > cert cat keyb64 | base64 -d > key