That is almost always caused by packages and then mostly by Squid or Squidguard but Sarg is also good at that. What packages are you running? Steve

Ok, after so much fiddling I figured out the issue. It was the MTU but not the MTU of the server, it was the MTU of the client.

Yeah. Uninstall obvious junk like squid before upgrading next time.

@Derelict: Damn packages.  Don't know why people install them.  No wonder pfSense "just works" for me and not for other people. Glad you found it. I don't really use them either, I might as well uninstall most (if not all) of them. Thanks for the continued back and forth dialogue though.  Much appreciated.

[co]Incidentally, I got connected to Virgin Media today and after initial hiccup, I'm now connected. Cable modems tends to allow connection from one MAC address. If you connected the Superhub2 to your laptop prior to connecting to pfSense box, most probably Virgin still got your previous MAC registered. First of all, you need to setup DHCP, as almabes said. Then, connect the Superhub to LAN port and switch-off the hub. Wait for a min or so and then switch on the the hub - that will refresh the MAC address. Best!

I do have the same problem….sigh.....Guest network@2.4GHz wifi will never go beyond 5Mbps while I also not able to have > 10Mbps for 5GHz signal, and my WAN speed is 1000Mbps.... At the beginning I was wondering if there is any issue with my WAN link.... But double NAT is not an option for me, since Airport Extreme is unable to achieve 1000Mbps NAT throughput.

How do the domain suffixes look on the local and remote sites? e.g. host1.localdomain.net / host-b.remote.com Could you use domain search suffixes & DNS forwarder / referers?

i have just installed it, and as far as i can see i only need to add squid to be 100% covered. DUN DUN DUUUUUUUNNN! That would just happen to be one of the packages that people are having problems with at the moment.

@charliem: @sporkme: That's the section under Services->NTP labelled "Access restrictions" with the odd note that says "these options control access to NTP from the WAN", which seems odd as they actually seem to have an effect on LAN clients and I can't imagine anyone adding the WAN interface to the list of IPs without firewalling that off.  For completeness, these are the parameters that if I uncheck them allow ntpdate and ntpd to work across all the LAN hosts: Any idea which one allows the older ntpdate to work?  Does the preferred method "ntpd -gq" work for you with the defaults? Not sure, I can test again at some point, but I've already annoyed people enough with my nagios alerts on ntp skew. :) @charliem: The crashing issue persists, so I'm trying your suggestion of commenting out the ntpd restarts in rc.newwanip and rc.newwanipv6.  I think all the clock skew that causes is also triggering issues with rekeying on one of my ipsec tunnels, so maybe that will get fixed as well. Interested in results you see. So far so good.  No ntpd crashes, and it might be too soon to tell, but no IPSEC VPN drops either, which I assume is just a side-effect of more accurate timekeeping.

Anybody have any ideas? Multicast http://en.wikipedia.org/wiki/Multicast_address http://www.firewall.cx/networking-topics/general-networking/107-network-multicast.html

maybe checking that there is a default route out WAN for the pfSense box?  If you can ssh to the pfSense box output of "netstat -rn" should show the routing table

So apparently they don't have the code in pfsense to do this just yet. You have to create a dummy account with the same user account name that is in AD and then add that dummy account to the group. Hope they get the code soon so you don't have to have dummy accounts.

If you post the IP address from which the report was submitted and an approximate time, then someone can look at it specifically. Even if it's just the first three portions of the address, along with the time, it should be close enough. I didn't see anything from the IP address you posted from (72.193.x.x) but that doesn't mean much as it could be somewhere different from where the crash was submitted.

Thanks for the confirmation, Jim.  That's what my research was telling me as well.

@doktornotor: Not easily doable ATM. You can try the vfs.forcesync=1 mitigation. In my testing, that was no better. It's worth trying, but I wouldn't expect miracles from it. I haven't yet found any workaround that helped.

Sounds about right. While the connection numbers don't match up, HAProxy did free up swap once you closed it and swap is handled by the OS. To me that means the OS ran low on physical memory at some point in time, paged out data to swap, but then never paged the data back in. The only reason it would not page back in is because the data has not been referenced since. Anyway, still sounds like there was a lack of memory at some point, even if it only lasted for a brief moment.

Disable serial port in your BIOS.