If you were on 2.1, and you ended up with PHP 5.2.x, then somehow you downgraded yourself to 2.0.x.

Once you go up to 2.1, you can't back down to 2.0.x or you will have all kinds of problems, including what you saw (where it's trying to load PHP extensions from PHP 5.3, which don't work on PHP 5.2)

@databeestje:

For those that had graphs previously, I'm pretty sure I broke this. Let me know.

Yup, they broken :)  Scaling seems screwed.  My rrds show max values of ca. 300 mb/sec or so.  Now, give it a few years 5/6g we will be there …...

Problem seems to be the odd massive spike in values - see attached.

Also, under cellular RRD, the alphebetical default and disfunctional graph is PPP when one wants the working WAN.

PS.  Those spikes might be something related to my recent testing of PPP as I just did a large download and it seems to have graphed normally (difficult to see as spikes suppress everything (need log scale :)) .  Whatever the cause, the values are wildly wrong ...

Selection_004.png_thumb
Selection_004.png

Confirmed - thanks.

The NanoBSD thing is because some package installs don't do the right thing for the ro/rw switch so the counts get off and it sticks on rw, and some things can flake out.

That can't ever happen on a full install.

I'll have to wrap my head around the xauth thing they are talking about, right now I'm not groking it…
...aside from the fact that of course, if I know all configuration details I can spoof a server; but why would I give untrusted users access to trusted resources in the first place? I wouldn't have people VPN into the net that I want to protect if I can't trust them with the keys to do so. Also, there's the concept of encrypted configuration files that are being pushed e.g. to phones and other roadwarrior-type clients, which the users can't inspect, which would seem to me to also mitigate that issue.

Still, what I really think should be done, is to have the wildcard thing to be a configuration option. It's off by default, but you can turn it on at our own peril. I mean, we have other things along these lines on the System: Advanced:* pages, where one can, to suit particular requirements, enable/disable potentially problematic behaviors.

@jimp:

It's not a table there, but a bunch of div tags, sometimes they need some minor adjustments of a pixel or two to line up. Though they lined up for me when I looked it over.

Maybe funky stuff happens when the description text doesn't naturally fit into the provided space? The destination host name is somewhat long in my case, as is the description text.

Maybe that will sound a bit strange, but im not used to such high load situations -ok, since im using vm player for ages now, im used to just setup multiple vms. (lets dont hang on that demo, even 3 bars wt values are no problem).  Just had the code in my fingers and it was an idea i wanted to share. hm - but i like the idea of playing with the traffic graphs. will see :)

They don't have any usb ports (though they probably have headers) and they are all the spec mentioned above. Though you can swap out the 1.2GHz Celeron for a 1.4GHz P3 if you can find one.
It runs 2.1 no problems other than the ongoing slow remount issue with NanoBSD. The box has all Realtek 10/100 NICs which can sometimes give trouble. I'm not sure if anyone has reported if this has improved with 8.3 drivers?

It's not even close to a PE 860 in performance terms, maybe though you don't need it to be.

Steve

Edit: By all I mean the X500, X700, X1000 and X2500.

if no gateway is given, the choice is "none" which is valid.

if you have just a single gateway, this value is nill

Uhm, sure. I knew about the first part. I just didn't pay close attention to the URL, and thought it was already active, but it still seems to be DNSmasq rather than Unbound…
...still, if you need the functionality now.

I hope the fact that the menu entries are generic (DNS Forwarder) means that a switch-over can be fairly transparent, but that may also be one of the problems: since one can upgrade from 2.0.x to 2.1.x somehow the settings need to be converted so no bad things happen during the upgrade.

@jimp:

As for lists of ports, that's what port aliases are for.

Thanks for rubbing my nose in what should have been obvious. For some reason, in my mind, aliases were only for hosts and networks, totally missed the ports part. That will indeed make things a lot simpler already!
Major "Homer moment": Dough!

Glad to hear it's working for others! I wonder why last night's build killed my PPTP server? I could not get it working and rolling back to a build from Wednesday it was up just fine. I guess since traffic shaping isn't fixed for me anyways, I'll wait for the VLAN bug to be solved, and try again.

And make sure I'm on-site. Last night was adventurous. This install is about 30 miles from me. I did the firmware upgrade at 1:30am and boom - lost connectivity. Hoping there were Internet issues up there or something I waited until 2:30 to take off (again, I didn't KNOW I just killed PPTP, for all I knew, their whole network was down). Got there at 3:00am, had PPTP back up after giving up and rolling back by 3:40. Finished setup tweaks like fixing FreeRADIUS a bit after 4, and was in bed for the night about 5am…

@jimp:

There are many better ways to tunnel than that, but yes equipment may limit what you can do…

GIF and GRE are best for tunneling traffic in the clear. Failing that, OpenVPN+null cipher works.

That's the plan, as soon as I can deploy the nano-bsd based box to my collocation service, but I want to wait with that until 2.1 is stable and released, because if something goes bad with the upgrade process, etc. I'd have to get a plane ticket to Michigan to go there and fix things ;)

@jimp:

Feel free to open up a ticket in redmine for the AH bits, but that's something that will probably need someone with motivation+knowledge or funding to fully resolve.

If it is what I think it is, it's at this point primarily a GUI issue, i.e. the GUI creates a bogus configuration, because it doesn't allow deselection of all encryption methods and delivers the encryption algorithms from the ESP settings to the AH setup.
If there are problems with AH itself, that's another issue, but I don't even get that far, beause AH is configured improperly by the GUI from what I can tell.
I'll file a redmine ticket…

@rcfa:

It is, however, not one of these dog-slow CF cards, but probably about comparable in speed to a slow 2.5" drive.

Unfortunately in NanoBSD CF cards are booted with DMA disabled so it will be running at PIO4, quite a lot slower than a 2.5" HD, even if it's a super rapid UDMA card. I believe this is due to a bug in the way FreeBSDF handles IDE mounted CF cards? It's while since I looked into it. You could try try removing:

from /boot/loader.conf and see what happens. It may well fail to boot though so have a backup solution in place.

Steve

Dev feedback here :

https://redmine.pfsense.org/issues/2454

@databeestje:

The recommened method of submitting files is signing up at github, fork the pfsense repo.

Make changes, commit to your repo and then submit a pull request.

For a theme? What's the recommended method of swatting flies? An RPG?  :P  ;D

Seriously: Anyone with considerably more skill in this sort of thing than I, please upload to your github, package it up in a repo, or whatever.

"I'm a quick and dirty hacker, not a developer!"

@jimp:

It said your account was never activated.

Try it again now, I flipped the bit that should let it work.

Strange, because I thought I submitted things before, but it works now.

Thanks!

…update finished the course -  seems to was worth the 9$  :)  - im currently coding some gui extension.
see http://forum.pfsense.org/index.php/topic,49635.15.html