• ISC DShield & pfSense

    4
    0 Votes
    4 Posts
    727 Views
    johnpoz

    Thanks!  I used to run this, but had yet to get it moved over to the sg-4860 once I switched to that from my vm setup.

    The summary emails from dshield were nice to get.  I will have set this back up soon.

  • Link state change with a cable modem

    3
    0 Votes
    3 Posts
    332 Views
    A

    @kpa:

    If there is a switch in between pfSense and modem then the only link state changes pfSense is going to see are the ones with the switch.

    Thanks. Just talked to the ISP, it seems it's actually the gateway router. They are going to replace it.

  • PfSense box hangs after some time

    1
    0 Votes
    1 Posts
    305 Views
    No one has replied
  • AutoConfigBackup Service Started… (System stops)

    1
    0 Votes
    1 Posts
    239 Views
    No one has replied
  • APIC Warning L1 data cache less than

    11
    0 Votes
    11 Posts
    3k Views
    V

    So was going to swap the firewall out today so I could bench it and test and figure out what was going on and as soon as I fired up the temp firewall, exact same model and case but version 1.1a BIOS, it did the same thing. So I suspected it was likely being caused by something plugged in and since the only thing plugged in was the Tripplite battery backup, I unplugged it, restarted it a few times and it never hung with the error until I plugged the UPS back in.
    So, in short the kernel is hanging on the UPS during boot.

    Should I report this as a bug? It has to be a FreeBSD kernel bug.
    I plan to work around it by changing the UPS from USB to serial.

    The only other issue I was running into was "AutoConfigBackup service started" would seemingly hang forever. Not always, but periodically.

  • Connection (ESTABLISHED) Limit per rule set

    1
    0 Votes
    1 Posts
    214 Views
    No one has replied
  • Managed switch: Unifi Controller & pfSense GUI & Switch GUI only interface?

    10
    0 Votes
    10 Posts
    2k Views
    V

    I am totally open to feedback from the community if this is set up correctly but here is what I did:

    I did manage to get my setup to work….my DLink switch configuration is as follows:

    Ethernet 1 -> Trunk to pfSense/LAN Later Edit:  (eth 1 & 5 untagged and eth 2 & 3 tagged)

    Ethernet 2 -> Unifi AP
    VLAN10  (eth 1 & 2 tagged) - Nothing untagged
    VLAN20  (eth 1 & 2 tagged) - Nothing untagged
    VLAN30  (eth 1 & 2 tagged) - Nothing untagged

    Ethernet 3 -
    VLAN40/AppleTV(not Vlan capable) (eth1 tagged and eth 3 untagged)

    Ethernet 5 -> Management Computer
    VLAN 4093 (eth 2 untagged and 5 tagged Later edit: eth 1, 2, 4 &5 untagged, 3 not a member ) - I thought this would connect to a VLAN 4093 on my pfSense box I created but it doesn't, it gets an IP for the LAN interface on my pfSense box.

    I think this is OK as it allows me to be on the same L2 as my Unifi AP. I was able to have the Unifi AP adopt my computer with this setup.

    Does this look right?

    (Modesty…I'll comment on your post and do what I can to help!)

  • Fatal trap 12: page fault while in kernel mode

    4
    0 Votes
    4 Posts
    1k Views
    K

    I've come across this on my box as well (same hardware).
    It has happened about seven times in 2 months now, I've submitted the crash-reports, the times I've been able to, a couple of times it has just rebooted without any report, it just says a crash has happened when I login after the reboot.

  • Upstream unreachable but no ISP connection loss?

    5
    0 Votes
    5 Posts
    476 Views
    A

    @Harvy66:

    Just making sure I'm reading this correctly. You said

    However, looking at the pfSense monitoring (Status > Monitoring), there are no Quality issues reported.

    then immediately after have a quality graph showing what looks like 100% packetloss around the time of the error log.

    How is 100% loss not a quality issue?

    Argh, the monitor shows local time at the bottom, but the times on the graph are UTC! I was confused on the times there. Here's the correct graph, and yes it seems the local link to the ISP went down. Narrowing the possibilities…

  • Pfsense as a router. Please help!

    Locked
    26
    0 Votes
    26 Posts
    2k Views
    Derelict

    Locking. OP if you have a question about pfSense software, please start a new thread.

  • Inter Site Communication Between two VPN Clients Site

    3
    0 Votes
    3 Posts
    458 Views
    A

    Thank you  @viragomann

    " In the client config on A enter the head office and the site B LAN subnets  at "IPv4 Remote network(s)" "

    This is what made it work. I was trying to do so since morning.

    Regards,
    Ashima

  • Packet loss at certain time every night

    7
    0 Votes
    7 Posts
    820 Views
    Gertjan

    Humm. Interesting.

    Stop the ntpd daemon in the GUI, goto shell access, and launch :

    date

    Note the time. Is it ok ?
    Change the time with date. An hour or so.
    The question is : the issue happens again, at what time ?
    If the source of the issue comes from pfSense, the time will change. If the source is from somewhere else, like your PC that starts a packet hail storm at 01h08, then it will still happen at the real 01h08.

    Install the Cron package if you didn't do so already.

    What does

    ps ax

    show ?

    And another shell access in parallel :

    top -t -ocpu
  • Track CARP peer and execute script on up/down status

    1
    0 Votes
    1 Posts
    351 Views
    No one has replied
  • A filtering DNS forwarder – proof of concept

    7
    0 Votes
    7 Posts
    10k Views
    M

    Yesterday I performed the setup and I have to say nxfilter is running pretty well on my PFSense box. The instructions above are outdated. This is how the installation is performed (on latest PFSense version)

    General > Advanced

    Disable HSTS Disable WebConfig redirect TCP port Disable DNS Resolver Change PFSense Port

    #FreeBSD 11 repos is found on

    http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/

    #install packages
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/wget-1.19.2.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/alsa-lib-1.1.2.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/freetype2-2.8_1.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/fontconfig-2.12.1,1.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/xproto-7.0.31.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libfontenc-1.1.3_1.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/mkfontscale-1.1.2.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/mkfontdir-1.0.7.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/dejavu-2.37.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/giflib-5.1.4.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/java-zoneinfo-2017.c.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/javavmwrapper-2.6.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libX11-1.6.5,1.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/kbproto-1.0.7.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libXau-1.0.8_3.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libXdmcp-1.1.2.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libxcb-1.12_2.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libpthread-stubs-0.4.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/xextproto-7.3.0.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libXext-1.3.3_1,1.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/fixesproto-5.0.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libXfixes-5.0.3.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/inputproto-2.3.2.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libXi-1.7.9,1.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/renderproto-0.11.1.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libXrender-0.9.10.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libICE-1.0.9_1,1.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libSM-1.2.2_3,1.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libXt-1.1.5,1.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/recordproto-1.14.2.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/libXtst-1.2.3.txz
    pkg add http://pkg.freebsd.org/freebsd:11:x86:64/latest/All/openjdk8-8.152.16_3.txz

    #get nxfilter

    /usr/local/bin/wget http://www.mediafire.com/file/waa0sgqzabur2pb/nxfilter-4.2.1-p1.zip

    #unzip

    tar xzvf nxfilter-4.2.1-p1.zip

    #change permissions

    cd /bin
    chmod +x *.sh

    configuration -

    /nxfilter/conf/cfg.default

    listen_ip = xxx.xxx.xxx.xxx
    http_port = 80
    https_port = 4443
    start_tomcat = 1
    cluster_mode = 0
    master_ip =
    slave_ip =
    blacklist_type = 5

    Then you can fire up your config with startup.sh -d or use the script in this post.

  • Alerted of crash upon logging in, drop down menus don't work

    4
    0 Votes
    4 Posts
    311 Views
    BBcan177

    @new-to-netgate:

    Hi,
    I'm running 2.4.2p1 on my own hardware.  It's been running fine for a year or so.  A few days ago I found an error message at login alerting me that there was a crash, and giving me a choice to report it to developers (did that).

    The problem is now drop down menus don't work.  Here's what's in the crash :

    amd64
    11.1-RELEASE-p6
    FreeBSD 11.1-RELEASE-p6 #8 r313908+a5b33c9d1c4(RELENG_2_4): Tue Dec 12 13:51:24 CST 2017    root@buildbot2.netgate.com:/builder/ce-242/tmp/obj/builder/ce-242/tmp/FreeBSD-src/sys/pfSense

    Crash report details:

    PHP Errors:
    [22-Jan-2018 21:29:46 America/Vancouver] PHP Parse error:  syntax error, unexpected 'if' (T_IF) in /usr/local/pkg/pfblockerng/pfblockerng.inc on line 1771

    No FreeBSD crash data found.

    Suggestions welcome :)

    That line in the code on Line #1771 is for the download of Feeds. I don't see any issues with the code and can only assume that you had a hard drive failure or a file corruption issue… I would just suggest a reinstall of the package.

  • Change Source port range

    2
    0 Votes
    2 Posts
    467 Views
    Grimson

    For NAT: Create your own outbound NAT rules and switch to manual mode.

  • What is pfsense limitation for handling clients ?

    5
    0 Votes
    5 Posts
    2k Views
    johnpoz

    Your limitations are going to be how big your internet pipe is, how you configure the lan side, etc.  I personally would not put 1000 devices on the same segment - because that ends up being a lot of broadcast noise..

    There will be a limitation of your state table, etc. If you only have 1 public IP to nat to that could end up being a limiting factor even if you had a 10ge pipe to handle traffic, etc.

    But you could have 1000's of clients behind sure..

  • Problem Authentication Determinate User Active Directory with PfSense

    1
    0 Votes
    1 Posts
    279 Views
    No one has replied
  • Ransomware Detection Capability

    13
    0 Votes
    13 Posts
    8k Views
    M

    @johnpoz:

    How does your blocking their C&C prevent that?

    It doesn't always but it depends on the variant - for example CryptoLocker will stay dormant (and does not encrypt files) if it cannot reach the designated C&C server.

    Has that kept it out?  No.  But you now have a hit on your DNSBL which you can use to isolate an infected machine.

  • Renew Let's Encrypt pfsense

    4
    0 Votes
    4 Posts
    953 Views
    Gertjan

    @alex1962:

    [Mon Jan 22 15:41:06 CET 2018] 'www.cybercrimine.com' is not a issued domain, skip.

    Can't use https://crt.sh right now - better check with that site when it comes up again.

    @alex1962:

    if I analyze the start of pfsense I see a lot of failed pullup errors.
    can it be connected?

    Don't know what you mean.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.