I have to agree with johnpoz. You have something going on with your DNS configuration. Have you checked your DNS settings to make sure you have a DNS server configured? Can you successfully look up A records for sites like www.pfsense.org and files00.netgate.com? If you can't do A record lookups you certainly aren't going to be able to do SRV record lookups.
There is an option under 'System -> General Setup -> DNS Server Settings' that allows your ISP DHCP settings to override the local DNS server settings. If you are using DHCP from your ISP and using their DNS servers, make sure this is checked. This should not be unchecked unless you have your own DNS servers, you want to use different DNS servers (like Google), or your ISP doesn't provide DNS via DHCP. If the box is unchecked you have to manually configure DNS servers.
If your box has Internet access to Google's DNS servers you can test by using 18.104.22.168 as a DNS Server, uncheck 'DNS Server Override' and check the 'Disable DNS Forwarder'. This will skip using the pfSense box for DNS and go directly to Google's DNS server. If this works then either your ISP isn't providing a DNS server via DHCP and you need to configure a DNS server manually or your own DNS server is filtering what you are allowed to resolve.
Hope this helps.
If your gateway monitoring isn't working post-2.3 upgrade, it's likely one of two things.
Verify advanced options are sane
Browse to System>Routing and edit the gateway that's down. Then click Save. That will trigger the input validation that makes sure the configuration is valid, especially the advanced options. You may have had options set for apinger that are not valid for dpinger. If you get any errors upon saving, fix them, save, and apply changes.
Set ping payload size
Some modems have a bug that makes them drop pings with 0 byte payloads. dpinger uses a 0 byte payload by default because there isn't a need to include one and unnecessarily chew up bandwidth. If you have such a buggy upstream device, you'll need to set the payload to something greater than 0. System>Routing, edit the gateway, go to Advanced, and set payload to 1. Save and apply changes.
Yes, it works again ;D
For all following - this has been resolved and I have now successfully installed 2.3.5 and cleanly upgraded to latest 2.4.1 via web console.
Root of boot / install failures was using a Prolific 2303 driver with Win 10.
Finally dug up a serial header to attach to desktop and bang! Booted right into installer and deployed to mSata drive on first attempt. For anyone that might run into similar issues, be very certain the serial connection being used is either direct or running under something other than Win10 on that particular serial-to-usb controller.
Sure you can do that. I've done exactly that myself.
There would be a few things to consider when importing the config. The interface names will be different, em* in VB and igb* on the 2440. When you import the config in the GUI it should ask you to re-assign the interfaces at that point but you should be sure to have console access to the 2440 in case there is still an interface mismatch and it asks you there.
The VB install will almost certainly not have a serial console by default. That should be overridden when you import it to the 2440 but you might want to enable dual consoles in System > Advanced > Admin Access tab.
You should always enable PowerD on an SG-2440 config to get the full CPU speed in System > Advanced > Miscellaneous tab. That obviously doesn't do much in VB.
However restoring a config is pretty easy using the ECL:
If you manage to break the config sufficiently on the 2440 you can always restore a backup by simply rebooting with a USB stick containing it attached.
If I was hitting that I would install 2.3.5 onto a new CF card and then restore the config from the old install.
That is by far the safest thing to do there. You will still have the old card to boot into if required.
When the update system reports Theres already an update running it means there's a pkg update running not an upgrade necessarily. So you probably had the dashboard open for example.
You should consider swapping out the ALIX (I'm guessing) for something newer though. End of all support for that is coming soon.
@stephenw10 you were right... when I used the boot selection menu, and booted the installer with UEFI, the installation boots afterwards. I was letting it auto-select the 1st bootable option, which might have been trying to boot the installer with legacy BIOS.
@mats said in Problem with upgrade from 2.3.5 to 2.4.3:
Thanks, It almost fixed my problem too.
I had to do a reboot after these steps and run an update from the console followed by a final reboot, but now it works.
Tried this but it did not work for me. Ended up reinstalling from scratch to fix the botched upgrade.
@xero9 said in Upgraded from 2.4.3 -> 2.4.3_1. IPv6 problems:
Will report back if I have any more issues!
Maybe this one :
The latest upgrade ( 2.4.3-RELEASE-p1 ) came out about 2 months ago.
Better check out why you discovered this only yesterday.
Can you connect to the console?
Does the LAN show as UP there?
It sounds like some configuration issue in OVH to be honest. If the local client in the same subnet cannot connect to it something is blocking that traffic or it's trying to connect to the wrong interface etc.
@jahonix See my post with the steps we took. We did essentially what you did, but we also removed any references to the wan interface before we did the find-and-replace. Perhaps the cycling of OPT* interfaces was unnecessary, but it helped us with consistent organization (since we have almost 2 dozen interfaces, organization is essential).
Edit: the problem is a console problem on bhyve. In fact pfSense boots correctly, but the console from vm-bhyve hangs. I had to dig through my network in order to find that the LAN interface had the default setup, which was (surprising!) 192.168.1.1. Just set my laptop's interface to that network and voilà, I was able to configure the router with the correct IPs. More questions to come in another section of the forum.
@trumee said in ZFS feature set 2.4.4 vs 2.4.3:
The pool can
still be used, but some features are unavailable
# zpool get all zroot | grep feature@
and then check for which ones are "disabled"
As well as firewall rule(s), you'll need NAT for your VLAN 50
Incidentally, running a DHCP server on the Unifi box for VLAN 50 doesn't work very well - make sure you're running DHCP server for the VLAN on the pfSense box
@rbrtpfsense No, you should not be concerned. This only indicates that you have not turned it on (Active). If you use the AES-NI crypto engine in your ipsec, then switch it on if needed. It's an informative status of cryptoengine usage.
@johnpoz said in Ssh changes in 2.3.2 ?:
Not sure exactly what you're looking for - but here is a blog post by the person that brought chacha20 to openssh and has some reasons why he did so, etc.
Thanks @johnpoz good article. I hadn't heard of these before.
There was a post that listed which algos were best/safe for OpenSSH - can't remember what else. Something with general best practices would be helpful.
Does that happen for any log file, or only the system log file?
Have you changed any log settings such as the log file size or the number of lines displayed in the firewall GUI? Go straight to the log settings page, /status_logs_settings.php, and check.
You're adding normally non-existing issues: a system that runs virtual appliances shouldn't be made accessible by ordinary users, except for the services they offer remotely.
Only an 'admin' should access such a system directly.
I jumped 2 or 3 versions (don't remember), because I'm not on site, and I don't like to make updates remotely. This time I did and it confirmed the reason why I don't do them... I was locked out of my remote site... I will try to analyze this and report back...
Hi, this caused me mass headaches too. I've reverted back to 2.4.3 no p1. Didn't fancy patching things. I'd have pulled the release and re-issued as I noticed that even with the issue the firewall was still passing traffic but was just completely open in some instances. :/
Solved it myself, turned out that there was some false metadata saying this was part of an array (it has never been, so I have no idea how). I used
graid remove Promise ada0 and it destroyed it. Now it's installing.
Well, if you're the owner of this box, i.e. take a "modem/router/gateway", if this provides dhcp to your current network and you want to put pfsense and your network behind this "box" then you can just let pfsense use dhcp on its wan (which is the default) or you could set it to be static depending on the network currently behind your "box".
That would be up to you.
Normally pfsense would replace this "box" and get dhcp from your ISP via a modem or a gateway in "bridge mode" so that pfsense gets a public IP on its wan from your ISP. But it does not have to be on the public internet it can be behind your box doing nat.
Then in general you would place the rest of your network behind pfsense. Where you could use the default network on pfsense lan of 192.168.1/24 or set this to be whatever you want. The only thing to make sure of is that network on the lan does not overlap the network on the wan of pfsense.