• General questions

    15
    0 Votes
    15 Posts
    1k Views
    D

    @stephenw10 very true. Thank you anyway

  • Solved - This system is on a later version than official release ??

    4
    0 Votes
    4 Posts
    757 Views
    bingo600

    This was prob. a config error from my side ...

    First i removed (deleted) all the "old patches"

    The system still said it was on a newer version.

    Then @SteveITS suggested to go to the update , and there i saw it ... 🙄

    My "home box" is still 2.5.2 , and has this set

    That was also set on the new box that runs 2.6.0


    After i changed to 2.6.0 the system showed i was on the latest version

    Thanks Gents 👍

    Now i might try to "hand delete the patches" in the xml , and reupload.
    If you have a backup w. patches applied , and the main box dies , it's not easy to remove the patches , unless doing it in the xml.

    Edit:
    It was quite easy to remove all patches from the config.xml

    You just have to search for the below two XML Tags

    <patches> </patches>

    And delete everything between them.

    Edit2:
    As i fixed the DNS error too , in the new config.xml.
    And restored the config again wo patches.
    The packages were also installed ....
    All except Avahi , but i was notified about that , and just did an install of that one. Avahi installed wo any probs. 👍

    /Bingo

  • pfsense freeze

    9
    0 Votes
    9 Posts
    1k Views
    stephenw10

    @m0l50n said in pfsense freeze:

    with mSATA, am I better enable RAM Drive anyway?

    Not really. It reduces writes but also prevents using some packages and saving crash reports, and you will lose some log data in the event of a power outage.
    With an SSD the drive writes should not be an issue anyway.

    Steve

  • System Time changed after reboot

    2
    0 Votes
    2 Posts
    396 Views
    stephenw10

    Did you see anything similar on other VMs?

    Are you running pfSense 2.6?

    The system time is determined by whatever the hypervisor is sending for the system clock. If it was using a much earlier time, like 1970/1/1, pfSense will see that and set the clock at boot to the most recent known time source but not if it's ahead already.

    Steve

  • thinking about 2.5Gbps Switch upgrade, any issues with pfsense?

    10
    0 Votes
    10 Posts
    1k Views
    stephenw10

    @ghost-0 said in thinking about 2.5Gbps Switch upgrade, any issues with pfsense?:

    Is this instability due to loops or a poorly configured pfSense?

    Almost certainly not. If you get a flood created by a loop you will not be able to access anything.
    Since merely restarting OpenVPN corrects it, and it sounds like that is a WAB connection, my first guess here would be that the default gateway is still set as automatic and is switching to something invalid.
    But STP loop prevention should only be to prevent loops in the event something is mis-wired IMO. If your switches are connected correctly you should not have any loops.

    Should I upgrade to 2.6.0?

    It depends but probably. It will do nothing for STP though.

    Steve

  • pfSense is slowing down my internet

    Moved
    7
    0 Votes
    7 Posts
    835 Views
    D

    @dinu

    Issue resolved, I have moved all my VMs to Hyper-V and I am getting 100% bandwidth of 145Mbps download and upload.

    Thanks for the support guys...

    Dinu

  • How to block websites with pfsense without proxy?

    3
    0 Votes
    3 Posts
    572 Views
    noplan

    pfblocker with Dnsbl is your weapon of choice here

    Python mode and everything is fine and good to go... Block

    Br np

  • Reboot question

    5
    0 Votes
    5 Posts
    783 Views
    C

    @stephenw10 thank you again!

  • Help resolving MCE crash

    4
    0 Votes
    4 Posts
    673 Views
    stephenw10

    Ah, yes I've seen a few users hit that with different things. Nice catch!

  • pfsense 2.6.0 hang but I can ping LAN interface

    4
    0 Votes
    4 Posts
    670 Views
    M

    @stephenw10
    I think you were right, I change the pfsense for another old one identical but I changed the SD Card and no problem since 4-5 days ... a record since the beginning!

    Thanks again!

  • Unable to reach GUI after upgrade to 2.6.0, HAProxy Down

    Moved
    1
    0 Votes
    1 Posts
    242 Views
    No one has replied
  • Performance issue on vmware esxi 7

    7
    0 Votes
    7 Posts
    2k Views
    G

    @netnerdy said in Performance issue on vmware esxi 7:

    Btw, You have to disable hardware large receive offload from advanced settings. Depending on the model of your physical network adapter the vmx adapter may or may not be able to handle hardware checksum offload and tcp segmentation offload.

    I've been chasing random drops in upload speeds with pfsense 2.6 installed on an esxi VM and this fixed it. Thank you.

  • Latency spikes during Filter reload - CE 2.6.0

    36
    0 Votes
    36 Posts
    6k Views
    A

    @steveits

    Listing recommended Patches via the System Patches package is a great enhancement.
    Meanwhile I've rolled back to 2.5. The 2.6 enhancement, which I wanted to get from that Release (IP Fragmentation over IPsec) isn't working in my configuration. Probably I'll have to change the IPsec Filter Mode to "VTI only" to get this to work. This means also, I'll have to migrate a bunch of Rules (~900) from the IPsec section to each VTI Interface and spend some thoughts on how I design rules for encrypted traffic between sites when a firewall has to do a transit role.

    I've encountered another Issue with HAProxy on 2.6 - The process started to consume permanent 100% CPU Time (one core) randomly. After a restart of the service, all went back to normal, at least for a while. I didn't look further into this, maybe it has something to do with ocsp preload enabled on some front-ends.

    For now I'm back on 2.5.x., all in all it's running more stable in my configuration, even if 2.6 has some great updates in the IPSec code which make overall configuration more smooth and reduce boot time about 50%.

  • Converting LAN interface to a LAGG

    2
    0 Votes
    2 Posts
    457 Views
    johnpoz

    @mrsunfire

    https://docs.netgate.com/pfsense/en/latest/recipes/migrate-assigned-lan-to-lagg.html

    If you do not have a spare interface to use to shuffle, then you would have to leverage your wan interface. Or via a vlan on your wan interface, etc. And come in that way.

  • can not allocate memory error latest firmware

    2
    0 Votes
    2 Posts
    624 Views
    johnpoz

    @scorpoin said in can not allocate memory error latest firmware:

    arp: writing to routing socket: Cannot allocate memory

    could this be related

    https://forum.netgate.com/topic/152998/arp-writing-to-routing-socket-cannot-allocate-memory

    or here

    https://forum.netgate.com/post/976491

    You see that error though because it cannot allocate memory in the ARP table for an IP in a subnet the firewall doesn't have an interface in. Which is probably because the re NIC has gone AWOL.

  • Packet Capture

    7
    0 Votes
    7 Posts
    856 Views
    JKnott

    @deanfourie

    Here's a good reference for TCP/IP:

    TCP/IP Tutorial and Technical Overview

  • L2TP/IPsec VS OpenVPN on pfSense

    6
    0 Votes
    6 Posts
    953 Views
    ?

    @nollipfsense said in L2TP/IPsec VS OpenVPN on pfSense:

    My use case is both personal, and business (home office) so I'll emulate yours.

    Hello,

    A little bit late, but for the record it also depends on what hardware is in use and what you need it for.

    pfSense to pfSense I would prefer IPsec with QAT on
    (if available on both sides)

    pfSense to other I would prefer IPSec with AES-NI on

    Mobile device to pfSense IPSec is your hero

    OpenVPN became or is the hidden de facto industrial standard

    WireGuard the future hope

    IPSec war proofed and spread out widely

  • Command-line for changing the mac address and renewing IP

    17
    0 Votes
    17 Posts
    2k Views
    P

    So I am also interested in this as I have a HA firewall and can only do CARP on the LAN networks. My provider, AT&T, gives me the option of PASS-THROUGH providing "real" WAN IP via DHCP and I lock it down to a single MAC on the Router/Gateway (RG).

    So my primary firewall has a spoofed MAC on the WAN that matches the one the RG has configured to hand out leases. My standby HA firewall has the hardware MAC on the WAN interface. The primary gets the "real" WAN IP, publicly routable, and the secondary firewall gets a 192.168.5.X IP from the RG. If I spoofed the MAC on the secondary WAN and shutdown the primary then released/renewed on the secondary it would get the "real" IP on the secondary.

    Now I say it is "real" since AT&T does some type of bridge NAT but the NAT table on the RG is still in play.

    I am interested in what @chansiuming was looking to do based on my ISP quirks.

    I could write a simple script to check CARP status and when it becomes MASTER do the down of WAN, spoof MAC, bring up WAN and boom it should work.

  • Netgate Services and Support

    2
    0 Votes
    2 Posts
    298 Views
    stephenw10

    Do you have general connectivity?

    Have you tried hitting the refresh button there?

    That pulls the status from ews.netgate.com. That service is functioning normally right now.

    Steve

  • VMware Workstation VMs Web Traffic Being Blocked

    221
    0 Votes
    221 Posts
    62k Views
    D

    @stephenw10
    Oh I see. Yep PCAP was on the VM (172.16.0.202).

    Yep I don't get it. I see what you're saying and all just can't wrap my head around what is going on here.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.