Hello,

@dotdash:

I'm doing some more testing, but this seems to only happen when restoring a 1.2 config (with mis-matched interfaces) to 2.0AA.

Oh, yes, I noticed that several times. Restoring 1.2 config to 2.0-AA triggers automatic config translation/upgrade(?) while booting but it sometimes forget something and I had to start again from the scratch, moving 2.0-AA around is okay though. Never mind, it's still -AA.

cheers,

Hello ermal,

you quick! confirmed fix Tue Dec 9 03:19:14 EST 2008. thanks!  :)

cheers,

Hi,

I have seen "Division by zero" several times but dunno what's the trigger is/was, and that is seen too intermittently so I really don't care but I'd rather say it's a software issue, indeed. How about to load up some new snaps and keep eyes on it for a bit?

cheers,

on a upgrade the certificate is not upgraded, the webui is accessible on the same port as before but only http. That confused me for a bit too.

Try the latest build it actually should be solved with later snapshots.

ok

$ sysctl -a | grep enc
kern.timecounter.tc.i8254.frequency: 1193182
kern.timecounter.tc.ACPI-fast.frequency: 3579545
kern.timecounter.tc.TSC.frequency: 997508645
net.inet.ip.sendsourcequench: 0
net.enc.out.ipsec_bpf_mask: 0000000000
net.enc.out.ipsec_filter_mask: 0x00000002
net.enc.in.ipsec_bpf_mask: 0000000000
net.enc.in.ipsec_filter_mask: 0x00000001
debug.dopersistence: 0
dev.p4tcc.0.%desc: CPU Frequency Thermal Control

$ sysctl -a | grep ipsec
net.inet.ipsec.def_policy: 1
net.inet.ipsec.esp_trans_deflev: 1
net.inet.ipsec.esp_net_deflev: 1
net.inet.ipsec.ah_trans_deflev: 1
net.inet.ipsec.ah_net_deflev: 1
net.inet.ipsec.ah_cleartos: 1
net.inet.ipsec.ah_offsetmask: 0
net.inet.ipsec.dfbit: 0
net.inet.ipsec.ecn: 0
net.inet.ipsec.debug: 0
net.inet.ipsec.esp_randpad: -1
net.inet.ipsec.crypto_support: 50331648
net.inet6.ipsec6.def_policy: 1
net.inet6.ipsec6.esp_trans_deflev: 1
net.inet6.ipsec6.esp_net_deflev: 1
net.inet6.ipsec6.ah_trans_deflev: 1
net.inet6.ipsec6.ah_net_deflev: 1
net.inet6.ipsec6.ecn: 0
net.inet6.ipsec6.debug: 0
net.inet6.ipsec6.esp_randpad: -1
net.enc.out.ipsec_bpf_mask: 0000000000
net.enc.out.ipsec_filter_mask: 0x00000002
net.enc.in.ipsec_bpf_mask: 0000000000
net.enc.in.ipsec_filter_mask: 0x00000001

success, spaces are apparently evil

Dear ermal

I upgrade pfsense version to Mon Dec 1 04:58:27 EST 2008.
    It's okay to use ftp

Thanks ermal

Hi,

It seems to be fixed in my environment with Sun Nov 30 21:11:20 EST 2008 build.

@ArkAngel:

Going to the console and refreshing the display shows the IP of the LAN is gone, while the one for PPPoE is still there. Setting the IP again allow me to enter back the Web Interface.

That was ouch  ;D

cheers,

Thanks for the info, I'll try this out.
Better elaborations are welcome.

Thanks

Fixed, thanks.

@ermal:

You can by assigning the same interface twice in pfSense.
To allow this you have to modify interfaces_assign.php to show the plus sign even after all interfaces have been assigned.

I try to modify
interfaces_assign.php
line 393

and assign interface twice
but there were other errors

Use the "Floating Rules" tab and just create a rule to block udp packets on port 67 incoming from not your lan ~~network to any.
Do not specify the interface on the rule.

That should get you up and running.~~

I just updated to the latest SNAP:

2.0-ALPHA-ALPHA
built on Tue Nov 25 14:59:09 EST 2008
FreeBSD 7.1-PRERELEASE

and the issue still exists.  As before tests one and two pass fine but then I get stopped dead at test three (SSH) and four (VNC test).

Here's the logging output …..

Nov 27 10:11:56     LAN     192.168.22.22:5900     192.168.1.20:18340     TCP

The rule that triggered this action is:

@3 block drop in log all label "Default deny rule"
@30 anchor "spoofing" all
@31 anchor "loopback" all
@32 pass in on lo0 all flags S/SA keep state label "pass loopback"
@33 pass out on lo0 all flags S/SA keep state label "pass loopback"
@34 anchor "firewallout" all
@35 pass out all flags S/SA keep state label "let out anything from firewall host itself"
@36 anchor "anti-lockout" all
@37 pass in quick on le0 from any to (le0:2) flags S/SA keep state label "anti-lockout rule"
@38 anchor "packagelate" all
@39 block drop in log quick proto tcp from sshlockout:0to any port = rsh-spx label "sshlockout"</sshlockout:0>

matt have you gotten your pfsense working properly now? and also can u use a broadband connection from a pc to connect to your internet?

I downloaded 1.2.1 RC2 tonight,,, I'll play with this until tomorrow, then I'll install the RC2 and give the same thing a try. The reason I went to 2 alpha was to get bsd 7 and support of my wireless card, but I understand RC2 is also 7, so I should be good to go.

If anyone has any thoughts about where I can find logs relating to CP in 2 alpha before tomorrow morning please let me know and I'll post the log.

Cheers,

-tim

I have same setup, on my wireless interface I set the type to static, then gave it a subnet different from the LAN (i.e. if LAN was 192.198.2.1/24, I set wireless to 10.10.10.1/24).

Then I went to DHCP, setup scope to hand out in .50 to .100 (or whatever).

Then I went to rules, created an everything rule identical to the one for LAN to WAN, and it just worked.

Cheers,

-tim

@sullrich:

Did you change the password in the user manager for the admin account?

Yep, I can't use the auto upgrade facility as my CF card is to small. So I image the card, boot and then restore the config. Just to be sure I also opened the admin user in the user manager and re-entered the password for admin and saved it. The saved password works on the WebGUI just not SSH

what sort of wan is this.

The 127.0.0.2 dictates a down dynamic interface.

The exiting 15 is from when I kill it when it reconfigures. This is normal.

The touch filter_dirty is one I am still actively pursuing. It has to do with /tmp losing permissions.