• Extremely frustrated with another failed update

    19
    0 Votes
    19 Posts
    2k Views
    stephenw10S

    Yeah, what you see there is expected at the gui command prompt. You can't enter anything there that is interactive. If you absolutely had to run the upgrade from there you would use: pfSense-upgrade -y
    But you should never do that because you get zero feedback while it's running. You'll have no idea what it's doing or if it completed!
    Run it from the real command line or use the upgrade screen in the gui.

    Steve

  • SSLCertificateFile path by a NFS or SMB on pfSense?

    2
    0 Votes
    2 Posts
    207 Views
    stephenw10S

    Not in any officially supported way, no.

    SMB, definitely not.

    Certs stored in pfSense in the certificate manager are stored in the config file and cannot just be swapped in and out externally.

    Steve

  • Internet slow, webpage content delay response loading pages

    20
    0 Votes
    20 Posts
    2k Views
    stephenw10S

    Nice. If you have LAN set to track WAN with a prefix value set you should also now see a valid public /64 applied to it.

  • pfsense 22.01 crashing and rebooting

    10
    0 Votes
    10 Posts
    1k Views
    T

    @stephenw10 Indeed. All settings are the same.

    @jimp said in pfsense 22.01 crashing and rebooting:

    What VM hardware version are you running on those VMs? Usually weird/unexplained instability and panics like that are from running a VM hardware version (or ESX version) not fully compatible with the version of FreeBSD used on the guest.

    I no longer use ESX here (moved everything to Proxmox VE) so I can't speak to how things work on recent versions of ESX or specific VM hardware versions, but generally speaking it's safest to upgrade them to the most recent available VM hardware version. Sometimes with a much newer base/ESX it might not be a bad idea to keep it on an older version but that situation is more rare.

    ESXi 7.0
    Issue has resolved by now. Messed with hw offloading and stuff. Not sure what brought the fix but the firewalls are now stable again.
    Installed latest updates as well.

  • How do you expand /var

    16
    0 Votes
    16 Posts
    2k Views
    R

    Here's the command we use in TAC to determine the largest folders in /var:

    Go to Diagnostics->Command Prompt and copy/pasta the following command:

    du -a /var | sort -n -r | head -n 10

  • Traffic flowing outbound although denied

    15
    0 Votes
    15 Posts
    1k Views
    M

    I really like the output of pfctl -sr from either the console or debug, run command from the web interface.
    It shows me all the rules, in the order they are added/evaluated, and all the different rules (floating, interface, interfacegroups, etc) are in one list. I find it easier to manually parse or walk but you need to be familiar with raw pf rules/configs.

    That's my preference, others with more experience in the GUI or the XML config may find a different way better.

  • Can't upgrade from console

    Moved
    3
    0 Votes
    3 Posts
    487 Views
    D

    @jimp
    I appreciate the feedback but I had already done those kinds of searches with 'du' etc.

    There were some logs but not a lot and on this particular machine, there are no extra packages installed. I have quite a few on my other 3100s (pfBlockerNG, Snort, OpenVPN Client Import) and had no problems with upgrading directly.

    The good news is that it seems to be much easier to install a new version from a flashdrive these days -- it used to be a really painful process. Now I can just create a USB stick with an image (balenaEtcher), boot the device and do 'run recovery' and then restore from a backup configuration file.

  • PHP crash report

    4
    0 Votes
    4 Posts
    545 Views
    stephenw10S

    Not directly, no.

    If you run ping there be sure to specify a count. Any commands run there must have a limited time or output set.

    Steve

  • PFSense VLan

    9
    0 Votes
    9 Posts
    788 Views
    johnpozJ

    @stephenw10 said in PFSense VLan:

    Some switches set that for you when you set a port untagged on a particular VLAN.

    While true - from the entry level smart switches I have played with from netgear, dlink and tplink this is not the case.. More fully managed switches do set the pvid for you.

    I would validate the pvid is set..

    Example - I plugged in netgear gs108eV3 I had on the shelf testing something for another thread.

    I put port 6 untagged into vlan 9 - it did not change the pvid.

    Now when I tried to remove vlan 1 I did get a warning..

    Which is good... But that it let me put port 6 untagged both in vlan 1 and vlan 6 in the first place is bad..

    So yeah validate the ports you put untagged in vlan X, that the pvid has also been set to X and that there is only 1 untagged vlan on the port..

  • Are the ports open?

    5
    0 Votes
    5 Posts
    682 Views
    emammadovE

    When you have a fresh installation of pfSense, there are no rules for WAN, but there are 2 rules (IPv4, IPv6) in the LAN interface that allow traffic.

  • Which OpenVPN client to reconfigure

    7
    0 Votes
    7 Posts
    638 Views
    V

    @kpucko
    No, there is only a single OpenVPN log for all.

    However, you can find out the client or server instance by checking the PID details.

  • Upgrading to 22.05 causes instability in OpenVpn and Wireguard

    Moved
    5
    0 Votes
    5 Posts
    659 Views
    D

    @stephenw10 Hey stephen, I was able to track down the issue to the Dynamic DNS service. I use NoIP to track my ISP changes, so it seems that the Dynamic DNS service was rotating the new IP address and the old IP address which is weird because it only started after I upgraded. Which explains why the connection to the server was intermittent. Thanks for your help.

  • Clicking on Boot Environments Crashed My GUI

    7
    0 Votes
    7 Posts
    996 Views
    kim.premudaK

    Definitely not a FireFox issue. The 502 Bad Gateway error message was a bit misleading and, initially, made me suspect our pfSense appliance.

    I did some further testing and discovered that my host computer would not communicate with the outside world using command-line utils such as:

    ping
    tracert
    nslookup

    From the ping command, I received the following error code:

    Ping Transmit Failed Error Code 1231

    I found the following Microsoft article on how to reset the TCP/IP stack due to this error code:

    https://answers.microsoft.com/en-us/windows/forum/all/ping-transmit-failed-error-code-1231-windows-vista/0b3216d3-481e-43ca-b222-e55faf56cac2

    So, I issued the commands from the article, then re-booted the computer. FireFox now successfully accesses the pfSense areas:

    Boot Environment
    User Management

    without getting the 502 Bad Gateway error. I have no idea how the TCP/IP stack on my host computer got corrupted and why the corruption only affected FireFox and not Chrome...???

    Thank you everyone, for your help!

  • What Virtual IP type address to use?

    2
    0 Votes
    2 Posts
    354 Views
    stephenw10S

    There is no good way to do that. The only VIP type that uses a different MAC is CARP and that uses a special MAC type the ISP may reject. It also must be configured as static, it cannot be DHCP.
    The only way I've seen this done is to create a single interface bridge on the WAN. You can then assign that and spoof the MAC and it will pull a new IP via DHCP.
    However that is a hack. pfSense is not intended to operate like that, you should not have more than one interface in the same subnet.

    Steve

  • Error when trying to kill a openvpn user

    2
    0 Votes
    2 Posts
    321 Views
    stephenw10S

    That is a known bug: https://redmine.pfsense.org/issues/12817

    It's fixed in 2.7 and the patch is in the recommended patches list in the System Patches package. Just install that and apply the patch.

    Steve

  • Loss issues since updating to 22.05

    3
    0 Votes
    3 Posts
    350 Views
  • UK Sky FTTP woes.

    2
    0 Votes
    2 Posts
    706 Views
    stephenw10S

    Check the DHCP logs, you may need to enable debug mode. Are you actually being passed a delegated prefix for LAN to use?

    The gateway Sky send you may not respond to ping. Try setting an external monitoring IP like 8.8.8.8 instead.

    Sky may require advanced send options as shown here: https://forum.netgate.com/post/1049718

    Steve

  • interface work al 80%

    20
    0 Votes
    20 Posts
    2k Views
    stephenw10S

    Yup, a route must exist both ways. 😉

  • UPS & NUT strategy

    15
    0 Votes
    15 Posts
    2k Views
    dennypageD

    @zkab said in UPS & NUT strategy:

    @dennypage OK ... I disabled SNMP in pfSense
    In APC UPS I don't have public community - have entered my own community string (read-only)
    Running SNMP v1

    Go back and make the ro community “public”. You can use a different community later, but for now stay with public.

    Edit: And please confirm functionality with snmpwalk before attempting anything else:

    snmpwalk -v 1 -c public 192.168.1.12

  • ping 127.0.0.1 error sendto: can't assign requested address

    5
    0 Votes
    5 Posts
    2k Views
    stephenw10S

    Hmm, what if you set a source IP like:

    [22.05-RELEASE][admin@3100.stevew.lan]/root: ping -S 192.168.18.1 localhost
    PING localhost (127.0.0.1) from 192.168.18.1: 56 data bytes
    64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.278 ms
    64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.089 ms
    64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.085 ms
    ^C
    --- localhost ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 0.085/0.150/0.278/0.090 ms

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.