• Internet UP - clients unable to ping host

    3
    0 Votes
    3 Posts
    248 Views
    R

    That was exactly the problem! Silly me.

    Thank you  :D

  • PfSense goes "down"

    8
    0 Votes
    8 Posts
    1k Views
    JKnottJ

    Just wanted to say after some troubleshooting on my own, I figured out the problem. It was various collisions on my USB NIC which was half duplex. Replaced it with a full duplex USB NIC and all is well now.

    Even half duplex alone shouldn't cause those problems, though it will reduce available bandwidth.  Unless configured otherwise, Ethernet gear should auto-negotiate duplex and bandwidth.  There were likely other issues with that USB NIC.  Are there even USB NICs that are half duplex only?  Full duplex NICs have been made for over 20 years now.

  • PFBlockerNG xmlrpc error

    3
    0 Votes
    3 Posts
    963 Views
    BBcan177B

    Are both boxes running 2.4? One can't be using 2.3.x as that is incompatible.

  • Increasing Subnet Size

    15
    0 Votes
    15 Posts
    2k Views
    JKnottJ

    ^^^^
    The problem with broadcasts is CPU load, not time on the wire.  With gigabit commonplace, how much broadcast or unsolicited multicast traffic is there, compared to desired traffic?  Incidentally, this is also the reason jumbo frames are often used in data centres, to reduce CPU load, for the amount of traffic carried.  As for enterprise, if all the clients support IPv6, as pretty much all do now, why even provide IPv4 on a server?  As for IPv6 only, that's already happening, as I mentioned with my cell phone.  There are also some ISPs that convert IPv4 traffic, from the Internet, to IPv6 to their customers.  In that situation, an IPv6 only local network is entirely possible.  Don't configure IPv4 addresses and no more ARP or DHCP broadcasts.

    IPv4 will be around for a while yet, but it's declining.  Hopefully, one day we can get rid of it entirely.  At the moment, the only IPv4 traffic on my network is for those IPv4 only devices and accessing IPv4 sites on the Internet.  Declining IPv4 means declining ARP and other broadcasts.

    You might want to sniff what actually happens when the files start moving ;)

    Actually, I have.  Home group uses IPv6 link local addresses exclusively.  It does not work over IPv4 at all.  Anyone who tries to disable IPv6 on Windows, while using home groups will soon discover that.

    Incidentally, there's a trend in data centres that reduces even the time on wire effect.  Spanning tree has long been used in data centres, but that forces all traffic into the best path to the root switch, leaving much of the network blocked.  Spanning tree is now being replaced by Shortest Path Bridging, where there's no such thing as a blocked connection.  Any link between switches can be used, if it's the shortest path.  SPB works by essentially creating VLANs between switches, by adding on another MAC header for transit between switches.

    BTW, stating fact does not create FUD.  FUD is caused by misinformation, such as NAT is a "security feature" that IPv6 doesn't provide.  In fact, the security of NAT comes from the stateful connections it needs to work.  Well, stateful firewalls do exactly the same thing.  Yet despite that, people still claim that NAT provides security.  Now that's FUD.

  • 2.4.1 fails after full shutdown and reboot.

    3
    0 Votes
    3 Posts
    523 Views
    D

    yes to 2.4.1 it had been running for about 10 days without any issues.

    A fresh install and restore of a backup is the likely next course of action.

    Thanks, yes have seen the instructions on installing on Hyper-V thanks.

    I've had a quick look at the Azure link, doesn't appear that I can download it, to deploy on to Hyper-V.

    Yer likely a driver issue of some description, although I have seen a few posts about 2.4.1 having issues with VLAN's for various reasons.

    Thanks for the info and thoughts though.

  • API for automation

    4
    0 Votes
    4 Posts
    2k Views
    H

    Unfortunately there is currently no API to automate stuff.

  • Crash report

    5
    0 Votes
    5 Posts
    648 Views
    P

    Haven't heard of that happening.. might be gateway is detecting some up/down event on the gateway and resetting states? But I would expect that to happen only for gateway/route related changes being applied..

    Is it checked?: System/Advanced/Miscellaneous "State Killing on Gateway Failure"

  • PfSense Crash Report on login, XMLRPC request failed

    5
    0 Votes
    5 Posts
    745 Views
    F

    Any workaround for this?  I realize this thread is a couple months old, but I am experiencing the EXACT same issues, and I REALLY don't want to upgrade firmware.

    On 2.2.6 here…

    Only noticed it because I have the need to install a package, and it won't retrieve the list.  My pfsense box has been up over a year otherwise...

    Thanks,

    -Alan

  • How can I prioritize users between internet connections?

    6
    0 Votes
    6 Posts
    514 Views
    JKnottJ

    I expect an alias would work, but I haven't tried using one.

  • Firewall and ip telephony

    2
    0 Votes
    2 Posts
    426 Views
    S

    @Fons:

    Hi,

    every time clients behind the pfsense-firewall are having a conversation using the ip-telephone on their desk the conversation is broken after 15 minutes.

    the firewall is on the latest version. we have our own voip-central which handles all calls. the voip-central connects to a sip-trunk thru the firewall.

    neither me, our supplier or the manufacturer can find any setting on the telephones, the voip-central or on the providers end that could cause the sip-connection to break after 15 minutes (or any amount of time)

    so I have two questions regarding the firewall:

    could it be that some rule or setting could cause this connection break? and how to find this? is it possible that states are broken after a certain amount of time and not being built up again in time? and how to set this?

    (well actually four questions)

    I hope someone can help us out on this.

    regards, Fons

    SIP has a reinvite interval of 15 minutes.  It's likely that the reinvite is being NATted and the port is being changed.  Do a capture on the LAN side of the router, wait the 15 minutes until the call drops, and view it in Wireshark.  When you inspect the call you'll see the ports next to the RTP in the chart.  See if they change after the 15 minute mark.  Then do the same thing on the WAN side and look for the same thing.  If the ports change on the LAN side but not the WAN then the router is doing something.  I've never seen a router do it, though, of any make.

  • NTP server help please

    4
    0 Votes
    4 Posts
    605 Views
    O

    Hegar and Johnpoz, thanks for your replies. I will try that today. I get why you ask why there is PFSense over PFSense but this is just a section of the network I am working on so it probably makes no sense to see an additional PFSense for no reason. I'll post what I find tomorrow.

  • MOVED: Help - List hosts that are pinging + SSH via PuTTY

    Locked
    1
    0 Votes
    1 Posts
    182 Views
    No one has replied
  • Logo Question & Caps

    1
    0 Votes
    1 Posts
    344 Views
    No one has replied
  • Strange traffic graph output

    3
    0 Votes
    3 Posts
    463 Views
    KOMK

    Heh, I was hoping to get a hint without having to break out Wireshark.  But having done it, that traffic seems to be DHCP-related.  There is a ton of discovery, requests, offers and NAKs that never end.


  • Pkg source switches from legacy to current

    5
    0 Votes
    5 Posts
    541 Views
    JeGrJ

    If you set a 2.3.x box to see the 2.4.x repos then it won't see packages because the package repos it's aimed at are for 2.4

    Understandable. :)

    The list doesn't show local packages because of a different bug (fixed on 2.4.2).

    Ah! Thank you!

    As said above, I'm curious as to why one system of a CARP cluster "automagically" has pfSense-2.3.5 (Meta package) installed while the other still has 2.3.4 (which is correct). Both are still on 2.3.4-p1 as we have to schedule downtimes first with customers. So I don't know where the Meta package change comes from (1) and why the systems (not only these two but 3 others, too) have started changing their update path back to current after 2.3.5 has been released. That's a bit of a mystery ATM as a simple pkg-static update shouldn't change a thing with the selected pkg repo.

    Strange…

    Thanks a lot for clarifying those other points!

    Jens

  • WebUI, PHP & xDebug

    6
    0 Votes
    6 Posts
    895 Views
    jimpJ

    Actually I've just upgraded a couple test systems here and the xdebug package is removed automatically, so there isn't anything to do manually, just upgrade when it's available.

  • Testing the security of my pfSense setup

    4
    0 Votes
    4 Posts
    731 Views
    johnpozJ

    "However I am unsure as to the level of security it is providing"

    In what aspect?  Are you trying to control your users' outbound access?  Are you wanting to look for bad traffic either inbound (that you have opened with a port forward) or your clients talking outbound to something or on your own network between vlans?  Like an infected client?

    Out of the box all unsolicited inbound traffic would be blocked.  To be honest if you feel that deployment of pfsense was an uphill battle.. Advanced security features IPS/IDS is more than likely just going to cause you grief other than any added security.. There is a large learning curve on such systems.

  • Need some basic networking help

    5
    0 Votes
    5 Posts
    557 Views
    johnpozJ

    "intnet as the internal network for those vms"

    This is gibberish…  intnet?  Not a term...

    "but no other machines on the lan"

    Pfsense would have ZERO to do with lan devices talking to each other.. Pfsense is a router/firewall - not a switch... Devices all on the same network 192.168.1/24 traffic would not go through pfsense unless it was setup as a bridge..

    "but then I fired up another machine on the intnet"

    Again not sure where you are getting this term "intnet" it is not a networking term.. Do you mean internal network?  internet?  What does intnet mean in your context?

    Pfsense can for sure just route.. But why would you not firewall as well.. If you want to firewall/route between 2 networks and not NAT (network address translation)… Those would be how pfsense would do it between 2 lan networks.. It would really really help if you drew up your network as you want it to be so we could understand what you're trying to accomplish vs using some nonsense term.. Been in the biz 30 some years and I am not sure what you mean by intnet.. I would guess either internal network or internet.. But can not be sure from your context, etc.

  • Reason for requiring CSRF on login page?

    3
    0 Votes
    3 Posts
    314 Views
    K

    Oh interesting. In my understanding if there was only one user this attack would not be possible and possibly if the user logging in already has the maximum escalated privileges this attack becomes much less useful. I understand that these are likely small enough use cases they would not warrant mitigation for the login page token expiry.

    Thanks for the explanation!

  • EMMC device issues

    9
    0 Votes
    9 Posts
    2k Views
    randomaustralianR

    I don't know if FreeBSD supports my controller card yet but I put a 30gb msata in and I have pfSense running now

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.