• Ipsec Mobile clients with Mutual PSK + xauth

    Locked
    0 Votes
    13 Posts
    14k Views

    The only difference in my config between the 2 is Username=

    [main]
    Description=ipsec
    Host=10.0.10.1
    AuthType=1
    GroupName=test
    GroupPwd=
    EnableISPConnect=0
    ISPConnectType=0
    ISPConnect=
    ISPCommand=
    Username=vpn
    SaveUserPassword=0
    EnableBackup=0
    BackupServer=
    EnableNat=1
    CertStore=0
    CertName=
    CertPath=
    CertSubjectName=
    CertSerialHash=
    DHGroup=2
    ForceKeepAlives=0
    enc_GroupPwd=
    UserPassword=
    enc_UserPassword=
    NTDomain=
    EnableMSLogon=0
    MSLogonType=0
    TunnelingMode=0
    TcpTunnelingPort=10000
    PeerTimeout=0
    EnableLocalLAN=1
    SendCertChain=0
    VerifyCertDN=
    EnableSplitDNS=1
    SingleDES=0
    SPPhonebook=
    X-NM-Use-NAT-T=1
    X-NM-Routes=10.0.70.0/24

  • Hostap mode and rum driver

    Locked
    0 Votes
    5 Posts
    2k Views

    This particular patch was added and reverted. It may improve things for rum but it's obviously wrong: it panics with all Atheros cards. We don't have any hardware (or time) to replicate or work further on it with the upstream developers; someone with the hardware and the ability to get it running on a stock FreeBSD 8.1 can try to work further on it on the FreeBSD list thread or PR.

  • Status: Services displays openvpn as "stopped"

    Locked
    0 Votes
    2 Posts
    1k Views

    Now fixed.

    If you want to have the fix now, apply the changes shown here: https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/22d323b338ef35be05dbd97eb33d8f07517c38fb

  • The hostname cannot end with a hyphen

    Locked
    0 Votes
    4 Posts
    1k Views

    Thank You, I made the changes and it resolved the issue.

  • I386 nanobsd embedded 3/9/10 - upgrade fails

    Locked
    0 Votes
    3 Posts
    1k Views

    Yes, 3rd Sept 2010. I'll do it as that format from now on but probably won't try for another week or so now. Thank you.

  • SSL issues with the web interface?

    Locked
    0 Votes
    3 Posts
    2k Views

    Sorry to resurrect an old thread, but I've been having this issue, on my test firewall, for at least 3 months, now.  It's quite annoying, as it pops up fairly often, but not always.  I've tried various clients, mostly Firefox 3.6.x, on Linux, Mac, and Windows.  I've also tried Safari, on Mac, for client diversity.

    The machine is a VIA Eden 1200MHz, using VIA Padlock hardware crypto.  It's running x86 code, of course, currently on 2.0-BETA4, Tue Aug 10 02:57:56 EDT 2010 release.  I've had this problem, on this machine, at least back to 2.0-BETA2.  I don't, unfortunately, have any sort of trace, though.  I'd certainly be willing to collect info, though, if anyone has a suggestion on where to look.

    I do have the following from /var/log/lighttp.error.log: (there are many repetitions of these)

    cat lighttpd.error.log

    2010-08-20 18:09:57: (connections.c.1698) SSL (error): 5 -1 22 Unknown error: 0
    2010-08-31 19:53:28: (connections.c.1698) SSL (error): 5 -1 32 Broken pipe

    These are not very specific, I know.

    Thanks!

  • OPENVPN Client Export

    Locked
    0 Votes
    6 Posts
    2k Views

  • CARP + OpenVPN

    Locked
    0 Votes
    3 Posts
    5k Views

    jimp, THANKS  ;D

    Didn't want to run 2 VPN instances because then can't sync settings between boxes.

    For reference, Outbound NAT on LAN method works flawlessly.
    Master firewall is syncing NAT rules with backup (+ everything else)

    Rules:

    NATed source:ANY, destination:backup firewall LAN, NAT address: LAN CARP
    NATed source:ANY, destination:master firewall LAN, NAT address: LAN CARP

    This results in 1 bogus NAT rule per box, but I don't see a major problem with it. 
    CARP IP on backup firewall is inactive and can't be routed to(even internally) it seems while in the 'backup' state.

    It IS much cleaner than starting/stopping services or working with port forwards(as far as I can tell).

  • 2.0-BETA3 and squid transparent proxy

    Locked
    0 Votes
    7 Posts
    5k Views

    I ran into this issue recently with 2.0-Beta4

    First the way the web interface wants subnets is x.x.x.x/y but the squid config file is expecting x.x.x.x/m.m.m.m
    and while the acl is added the "http_access allow  allowed_subnets" line is not added to the squid.conf file.
    So anybody connecting to the proxy is rejected.

    I tried adding an outbound NAT rule via the web interface but could not seem to get one that worked.
    I looked at squid.inc and found the rdr rule that it wants to add.
    $rules .= "rdr on $iface proto tcp from any to !($iface) port 80 -> 127.0.0.1 port 80\n";

    I added this rule to /tmp/rules.debug and reloaded pf just to see if that would do it, and indeed that
    redirect does work. The access.log for squid showed activity coming from the various machines on my network.

    I'm not much of a php person so I'm a bit lost when it comes to debugging things and trying to figure
    out why it is not working as expected.

  • Hanging on "Launching the init system"

    Locked
    0 Votes
    3 Posts
    2k Views

    BTW bugsfix, what additional NIC do you use? I am going to build a box based on NM10 (with D510 CPU) and am wondering what network card to add to the on-board adapter…

  • Group/User Issues after Upgrade Render Firewall Unusable

    Locked
    0 Votes
    5 Posts
    5k Views

    Both issues are resolved after upgrade to the 2.0-BETA4 (i386) build snapshot from Sun Sep 5 17:43:03 EDT 2010.

  • Mlppp hack for pfsense 2.0

    Locked
    0 Votes
    48 Posts
    33k Views

    ok it's not pfsense, same behavior with straight freebsd8. good job in adding mlppp though!

  • Changing bandwidth of root queue kills traffic (states?)

    Locked
    0 Votes
    3 Posts
    2k Views

    No, I said "traffic will drop to 0, then eventually climb back up. You would see the same pattern if you reset firewall states". If you have a web page loading at the same moment it will also freeze.

    I don't assert that the states are dropped, but from a user's point of view that's exactly what it looks like.

  • Chrome (webkit) corrupts fw rules with drag & drop

    Locked
    0 Votes
    3 Posts
    2k Views

    I too can replicate this problem very easily.
    Browser details are Google Chrome v5.0.375.127 for the Mac.

    Don't see a redmine ticket logged though so I'll log it in case the original poster doesn't get around to it.

  • FTP helper kernel mode question :-)

    Locked
    0 Votes
    5 Posts
    2k Views

    That's the answer I wanted !!
    ;D Thanks Ermal

  • TL-WN951N stuck beacon problem

    Locked
    0 Votes
    3 Posts
    2k Views

    Thanks, I switched channel and no more stuck beacon.

  • Dual WAn / load balance not working.

    Locked
    0 Votes
    5 Posts
    7k Views

    Thanks!

    That was just the little piece I missed all the time to finally get the loadbalancer working  :D

    Best regards,

    Chris

  • Interface static IP change with virtual IPs

    Locked
    0 Votes
    3 Posts
    1k Views

    Confirm the problem is fixed.

    Thanks  ;D

  • Update doesn't work

    Locked
    0 Votes
    3 Posts
    2k Views

    console update worked well :-)

    thx !

  • 0 Votes
    3 Posts
    1k Views

    This vnstat2 reinstall on upgrade has been an issue for a long time. I had posted in redmine but not much work has been done on it; it seems to be an issue with the package manager.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.