  • Fatal trap 12: page fault while in kernel mode after upgrade to 23.01

    Moved
    0 Votes
    6 Posts
    884 Views

    @eddie-raydian said in Fatal trap 12: page fault while in kernel mode after upgrade to 23.01:

    @fsc830 first of all, this is not helpful and disrespectful to all users on the forum. If you cannot provide help or good feedback, I think we can all agree that you should not post.

    Second of all, asking if a backup (or in case of VMware a snapshot) is available is a legitimate question to think about further steps.

    Can't see why this should be disrespectful.
    But as you desired: I will not post to any of your questions again. 😎

  • Webserver SSL is not private (How to set)

    0 Votes
    31 Posts
    3k Views

    Everything is now LIVE.
    When I was out, I decided to try the site(s) and see what I got while totally away from the office, and I got the site but with a non-working SSL. OK, Good.
    So, when I got back to the office just a few minutes ago, I grabbed the SSL cert I had installed the other day before creating the SSL through PFSense, and everything is working.
    All sites are LIVE in front and behind PFSense.

    Thank you, everyone, for all the help.
    Have to say this community absolutely ROCKS!!!!

    All the information to get the site(s) live was from this thread here, with the link(s) provided and the link(s) I provided.
    So, if anyone has this same issue, all you have to do is follow everything from start to here, and you should be good to go.

    I've tried to notate everything I had to do, so I can write an article for our Knowledge Base site.
    Love sharing and exchanging knowledge.

  • Added New Interface: No Internet [SOLVED]

    0 Votes
    3 Posts
    480 Views
    areckethennu

    @saqqara I don't have two LAN interfaces with the same IP address. The original is 192.168.1.0/24 and the new one is 192.168.2.0/24. But, with the spacing in my OP, it's a bit hard to see. I'll edit that to make it clearer.

    BackupLAN is simply a backup interface. I recently lost access to my whole network (not just the internet) and one line in my logs implied there was a problem with the LAN interface that wasn't cleared by a reboot of the device. This is just something I can try if it happens again (to see if it's actually a problem on the LAN interface or something else).

  • To 23.01 or not ? that is the question :)

    0 Votes
    43 Posts
    23k Views

    @mer Well sadly, I am going back to 22.05. I am having too many DNS issues with Unbound (I've been posting in the pfSense and pfBlockerNG forums about this).

    Any DNS queries for entries not (or no longer) in the cache are really slow. It causes my browsers to lag, app updates to fail, and worst of all: overnight backups are failing.

    I'm just glad I ensure I have the previous good release + config file on a USB stick. I'll be repaving (and perhaps upgrading to ZFS in the process) in a few days. Can't take the network down without some notice...

  • Periodic packet Loss and internet connection drop on wan connection

    0 Votes
    5 Posts
    832 Views

    @michmoor
    I have two spare HP T730 boxes: one with the same Broadcom 5719 NIC and the other with Intel Pro 1000. I tried using both but I am getting the same issue.

    Furthermore, I have also tried disabling hardware offload with absolutely no effect.

    The weird thing is that I am using a similar setup at my home with the same ISP with a Broadcom NIC and that works fine.

    I have noticed that it usually happens when the ARP entry for WAN gateway refreshes, i.e. around 1200 seconds.

  • Multiple BSD ipfw / ip6fw ECE Bit Filtering Evasion vulnerability?

    0 Votes
    7 Posts
    1k Views

    Hi @stephenw10, yes, they had external access only and were scanning the IPs. As you say, it's likely their scanner came back with "FreeBSD firewall" but no specifics. If I can get more details of what the scan actually found I'll post it, but I'll continue to work on the upgrade and ask for a re-scan when complete.

  • netgate 1100 wifi setup through isp router/modem

    0 Votes
    3 Posts
    356 Views

    @vusq2023 said in netgate 1100 wifi setup through isp router/modem:

    wifi connection through my isp router/modem

    Sure. Note that will put the Wi-Fi clients outside your pfSense.

    @vusq2023 said in netgate 1100 wifi setup through isp router/modem:

    use the opt port for now to run another ethernet connection

    Do you mean on the same network as LAN? Yes, Netgate has instructions for removing the VLAN setup to do that. Otherwise, sure, you can plug something in and that will be a separate interface.

  • pfSense 2.6.0 Fails to Recover after WAN Issues

    0 Votes
    28 Posts
    5k Views
    stephenw10

    Yeah, having servers and clients makes things confusing. A server running on TCP port 443 is going to see those packet size errors because of HTTPS connection attempts if it's open to any external IP.

    We probably need to see the OpenVPN logs from the client then. Ideally at the point it tries to connect but fails to pass traffic.

  • synology agent

    Moved
    0 Votes
    4 Posts
    715 Views
    johnpoz

    @troubleshooting74 said in synology agent:

    pfsense where I can't install agent

    They have an agent for FreeBSD? I would find that surprising to be sure..

    https://www.synology.com/en-ca/support/download/DS918+?version=7.1#utilities

    I don't see a FreeBSD agent, only Windows, Linux and Mac.

    pfSense is not Linux, it is based off FreeBSD - there is a difference between that and Linux.. To have any hope of running the agent on pfSense you would at min need an agent meant to run on FreeBSD.

  • 0 Votes
    4 Posts
    652 Views

    I think I have fixed it.
    Since I've added to pfsense to see my ISP's router interface, I had to change the default gateway from auto to the proper gateway.
    So far it seems to be working as it should!

  • If Internet Down, Can't Get to pfSense Box?

    0 Votes
    10 Posts
    1k Views
    Gertjan

    @stephenw10 said in If Internet Down, Can't Get to pfSense Box?:

    Perhaps when the WAN fails the modem creates an IP in the LAN subnet.

    His cable modem uses 192.168.100.1, and the pfSense LAN is the default 192.168.1.1, so that can't (shouldn't) be the issue.
    If pfSense obtained a 192.168.100.x from the cable modem as a pfSense WAN IP, this would break 'internet' access. But this shouldn't stop indefinitely the access to the pfSense GUI. There will be a delay, though.

    Also, when WAN connects, "all hell breaks loose".
    I mean: when you use the console access, option 8 (command line) and we tail every log file on the system, like:

    tail -f /var/log/system.log /var/log/resolver.log /var/log/dhcpd.log etc etc etc etc

    me, you, everybody will know what I mean. Thousands of log lines will show up and this is 'normal'.

    Even the GUI web server is restarted, as it wants to listen to WAN.
    If there is a stupid modem upfront that takes its time, or the upstream ISP DHCP server is somewhat slow, the creation of a working WAN connection can be slow.
    During all this time, pfSense also tries to update some data that it wants to get from sources on the Internet, like the package info and the current time (etc), so a delay is easily explained.

    But again, eventually, it should show up.

    That's why I proposed to go directly (enter it in the URL line of your browser) to the - not dashboard page - but another page like
    http://192.168.1.1/system_usermanager.php as that page only needs local resources to get built.

  • PPPoE Link Down (After Network Maintenance)

    0 Votes
    1 Posts
    177 Views
    No one has replied
  • Certificate Authority: Local CA Expiring soon

    0 Votes
    7 Posts
    778 Views

    @stephenw10 Yep, it's 10 years old.

  • [NETGATE1100] Console port broken

    0 Votes
    2 Posts
    583 Views
    stephenw10

    Not easily. If anything is still present on the eMMC it will try to boot that unless you interrupt the process at the console.

    If you hit the upgrade bug here and it's failing to boot from the eMMC because it cannot read in the loader file, it will eventually try to net boot. It might be possible to set up an environment it would netboot from where the booted image has ssh enabled so you can reflash the eMMC from there. But doing that would be complex. Especially with no console to check what's happening.

    Otherwise it's probably possible to flash the eMMC using JTAG directly if you have the equipment to do that. I have never tried either of those though.

    Steve

  • Software or Hardware issue?

    0 Votes
    16 Posts
    755 Views
    stephenw10

    Something else in the route changed probably and the PMTU discovery is failing.

    Set the re0 NIC back to MTU 1500. Test that, it should be identical to the other interfaces at that point.
    If that still fails, set the MSS on that NIC to something lower, like 1452.

    Steve

  • Wireguard Status

    0 Votes
    10 Posts
    2k Views
    keyser

    @stephenw10 & @cmcdonald - Yes, a very big thank you for the dedicated work on the wireguard package.

    I too am contemplating moving my VPN needs to Wireguard, but I'm missing some "guiding numbers" on expected Wireguard performance from the different Netgate appliances.

    It would be nice to have iPerf and IMIX numbers from Netgate just like we have on IPsec.

    PS: Do you expect Wireguard to be integrated, or will it continue being an add-on package?

  • Monitoring Gateway

    0 Votes
    55 Posts
    10k Views
    hendi

    @stephenw10 said in Monitoring Gateway:

    Hmm, you might try disabling ntop-ng as a test. It can use resources and cause problems. Though I don't see any direct evidence of that here.

    I tried this from the beginning but without result.

  • SSH connection lag/drop

    0 Votes
    2 Posts
    389 Views

    @ki3den

    I figured it out :) well, with some help from r/Networking, a mod there explained a bit about asymmetrical routing that I had forgot about - the switch is aware that the client device is directly connected, so it sends packets direct to the other device (?) I suppose. So that's why I was getting login/feedback from the switch in my session. But, this caused the state in the firewall to drop/timeout.

    The underlying issue was... that I forgot the dang default gateway on the switches lmao 😲

    edit: and, I still had both IPs on the switches.

  • 0 Votes
    10 Posts
    879 Views

    @mattpdx86 You mentioned the server is in VMWare Fusion, is it NAT? or is it on the same network as the host (bridge mode)? Where is the Windows 10 device, is it also in VMWare? Maybe you mentioned it but I missed it if you did...
    It's been a long time since I had to setup Fusion (people at work largely switched to Parallels) and I am not a MAC person... but I think the default is to NAT the VM. Bridged mode would give the VM an IP in the same network as the host is in, but NAT has a software firewall that may be an issue here if the server is natted. Same for if it's the Windows 10 machine if it is the natted one.

    If they are on the same network, then PFSense has nothing to do with it at least in terms of firewall. It is best to have the Server 2012 box handle DHCP and DNS, and give out via DHCP, ONLY the IP of the 2012 box for DNS. Have the 2012 server then forward DNS to the LAN IP of PFSense, and let PFSense take it from there for any address that is NOT in your internal network. Otherwise, you need a host override for the IP of the server AND a host override for the domain name, pointing it to the server IP. If you have more than one server, point the domain override at the master roles holder (or the PDC Emulator role holder if the roles are split amongst several DCs). When joining a domain, the desktop is looking for the DOMAIN, not the server.

  • Request for Dashboard Tweak

    0 Votes
    11 Posts
    1k Views

    @stephenw10 Agree, but do you know how pfsense determines the WAN link is UP?

    When I reboot with wrong credentials my WAN static IP is shown on the Dashboard which I can ping o.k, the UP timer is running but I can't do anything else and that puzzles me? My Pfsense box is behind an OpenReach fibre modem. Can that issue an IP address from the ISP which does nothing until the link is authenticated by the firewall?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.