I am seeing the exact same errors on every boot:

pf_busy
PF was wedged/busy and has been reset. @ 2017-10-13 10:58:59

Filter Reload
There were error(s) loading the rules: pfctl: DIOCXCOMMIT: Device busy - The line in question reads [0]: @ 2017-10-13 10:59:02

These are new following the upgrade to 2.4:

2.4.0-RELEASE (amd64)
built on Tue Oct 10 06:43:01 CDT 2017
FreeBSD 11.1-RELEASE-p1

Running as a Virtual Machine on Xenserver 7.2. A pair of them actually, both getting the same error.

Danny

https://forum.pfsense.org/index.php?topic=134795.0

:)

It's possible. It was disabled because it was broken and/or failed to build at one time. It may be OK now, but needs checked again. Open a request on https://redmine.pfsense.org and we can look into it.

Yes

1. Copy the config to the firewall (scp, for example, or mount a USB drive and copy)
2. Move/rename the new config to /cf/conf/config.xml
3. Remove the config cache: rm /tmp/config.cache
4. Reboot

For anyone that cares, disabling the 6RD tunnel fixed the issue.  So, this is somehow related to IPV6 setup.

By the way, copying to the backup can be done with ionice set to maximum niceness and nice set to maximum niceness too so it will hardly be noticeable. If that's not enough, a script can be made to pause the copying if traffic is detected.

@johnpoz:

What is the config on these switch ports?  What switch make and model are they?

What is the config you have on the lan vm interface on pfsense and what vswitch is configured you have it set to 4095?

Where is your vmkern setup on esxi host?  Is it just a portgroup connected to same physical interface that goes to port 6?  What is the vswitch settings on this port group?  If you have to default which is 0, it will strip all all tags on vlans.

Does your esxi host have more than 2 interfaces?  If so you could break your vmkern out to its own interface and vswitch/port group.

Hi guys
Thanks for the help. I found the error, the error was in ESXI settings, I missed adding VLAN in menager network.
Afterwards it was enough to change some settings in ESXI. I put a new fixed ip addres. and now it works. Now
I can access server from any VLAN, but I will limit the VLAN so that all VLAN will not access MENADGER networks.

Here's a picture that shows what I missed:
https://www.dropbox.com/s/asz02n8pj7pdmr1/fel.JPG?dl=0

I find PRIQ much simpler and effective for me with our voip phones, and I don't have to worry about carving out specific bandwidth for them.

BTW what you are trying to do is called Traffic Shaping.  You can find lots more about pfSense and shaping in the Traffic Shaping forum.

your command looks (mostly) ok – that error seems to be from your Windows machine, not the remote pfSense system. It looks like you have "putty.exe>" in front of the plink.exe on your commandline. Why? that is not correct...
https://the.earth.li/~sgtatham/putty/0.70/htmldoc/Chapter7.html#plink-usage-interactive

You've lost me now  ;D

I was just wondering last night what the significance of the suffix- 24, 32 etc…

Can you ping the secondary's sync address from the primary?

Firewall rules on the secondary allow webgui traffic?

When you make changes on the primary are you getting alerts that the sync to the secondary had problems?

Anything in the System log?

Hope I'm not reviving too old a thread, but this has all the ingredients.

Same errors in Gateway log:
dpinger WAN_DHCP 67.87.80.1: sendto error: 65

General log: (starting round this time)
check_reload status updating dyndns WAN_DHCP

In the firewall log I noticed:
Block 192.168.100.1 port 67 (my modem) to port 68 192.168.100.20 (I assume this is the ISP DHCP server)

I rebooted pfsense and created a new firewall rule for the WAN interface to pass:
Source 192.168.100.1 IPv4 UDP
Destination 192.168.100.20 port 68

I just wanted to confirm if this is the correct remediation.

Edit: I spoke too soon
DHCP timed-out again and I got this in the firewall log
Oct 11 15:33:07 WAN Block ULA networks from WAN block fc00::/7 (12000) 192.168.100.1:67 192.168.100.20:68 UDP

Well, my rule was wrong (from port 68 to 68)
Changed to Source any IPv4 UDP 67, destination 192.168.100.20 68
Edit 2:
The firewall log got me looking at my WAN interface connection. I have Block Private networks checked. Perhaps this is why the WAN interface is blocking the modem from sending traffic.

@Grimson:

How old is that device? Remember there will 32-bit support will be dropped with pfSense 2.4 release.

It is an Astaro ASG220 from 2008 as far as I can see.
I tried with 64bit version but it came up with something like "CPU does not support long command mode" or so. 32bit went fine.

Ok, got it. Guess I cannot use these devices with upcoming 2.4. Damn.
They are so cool with their 8 Ethernet interfaces… :( :( :(

Dude well yeah cuz you dicked up your outbound nat ;)

Change your nat to hybrid and just add a nat above the automatic for your vpn interface.

If your going to do manual - you have to have nat for your wan interface and your networks.. You don't have anything there other than firewall 127.0.0.1..

Its easier to just let pfsense do automatic nat for its networks and just in hybrid mode add an outbound nat to be able to use your vpn interface.

Dude this has ZERO to do with pfsense.. You stated your connection is PPPoE right.. Did you contact your ISP about this when you change the device doing the pppoe connection..

If your cpu was maxing out or something.. Then ok you might say pfsense can't handle the speed, etc.

When you connect these cheap routers, your setting them up for pppoe - or your just doing dhcp on them?