Thanks w0w, I'll read up on this thread and see where that takes me

Update:

I think in my situation my issue was caused by pf blocker.  I ran the 2.4 update via the shell not the GUI.  Update appeared to go thru fine.  Once the firewall rebooted, No internet.  All DNS errors.  Tried fixing the resolver.  No luck.  I tried to remove my installed packages.  The package manager show none installed.  Prior to the update I had pf blocker, Squid, Squidguard and LightSquid installed.

I pulled out my old firewall running 2.3.3 plugged it in and was up running fine,  the next morning, No Internet.  I rebooted the firewall, still not working.  DNS issues.  The pf blocker package was installed.  I removed it and everything immediately started working.

Not saying pf blocker is a problem, but in my case.  I should have removed it and reinstalled it after upgrading.  Now off to rebuilding the original firewall.

Hope this helps someone.

Randy

the problem has turned out to bee i cant install to the built in emmc drive.. but i had since bought a msata and it installed to that.

So After some digging, I think i found the answer… It is a routing issue.

When on 10.8.x.x (Strong VPN's internal IP), When trying to access my internal LAN, It has 100% packet loss.

I think i found the answer.

Thanks
Tyler

Edit:
I reconfigured the Outbound Manual NAT and got the routing issue fixed. It still looks like their is a port forwarding issue with OpenVPN on pfsnse 2.4.1

https://forum.pfsense.org/index.php?board=39.0

Look at the article on StrongsWAN at the top of this forum..  Plus more than a few examples in the included threads.

;)

Hi,
same problem of post #18 here on J3455M-E mobo; I was doing a fresh install because upgrading from 2.4.0 to 2.4.1 through the web console brought to an increase of load average always over 1.
Up to now the only solution was to install 2.3.4 version and wait for a solution on something that seems related to the last kernel.

Pleas euse the ADI image to reinstall and play back then the backup file.
That´s it, ready in ~15 minutes!

Like you mentioned, I think it may be a firewall rule issue. I am slowly getting better at understanding the logic to them but still struggle from time to time.

VL10 Rules
Before posting this reply, I created a rule at the top of VL10:

Source: VL10 net Port: * Destination: VL10 address Port: 53(DNS)

I have previously been successful using this rule which was created from the tutorial I linked above:

Source: VL10 net Port: * Destination: LOCAL_SUBNETS (an alias with all VLAN Subnets) Port: Allowed_OUT_LAN (an alias with DNS in it)

General DNS Resolver Options

Network Interfaces: VL10 is highlighted

Ping

$ ping -c 5 192.168.10.1 PING 192.168.10.1 (192.168.10.1) 56(84) bytes of data. 64 bytes from 192.168.10.1: icmp_seq=1 ttl=64 time=0.243 ms 64 bytes from 192.168.10.1: icmp_seq=2 ttl=64 time=0.206 ms 64 bytes from 192.168.10.1: icmp_seq=3 ttl=64 time=0.222 ms 64 bytes from 192.168.10.1: icmp_seq=4 ttl=64 time=0.189 ms 64 bytes from 192.168.10.1: icmp_seq=5 ttl=64 time=0.211 ms --- 192.168.10.1 ping statistics --- 5 packets transmitted, 5 received, 0% packet loss, time 4049ms rtt min/avg/max/mdev = 0.189/0.214/0.243/0.020 ms

netstat -an

Proto Recv-Q Send-Q Local Address          Foreign Address        (state) tcp4      0      0 192.168.10.1.53        *.*                    LISTEN

DNS Resolver logs
I changed the verbosity level to 5, restarted the service and checked the logs setting so it would show 600 logs. I didn't see anything about binding to the IP. I searched for 192.168.10.1 as well.

I ordered 2 SuperMicro SATA SSDs and will be re-installing in a few days but would like to understand where I am going wrong.

Also, thanks for the help. I'm learning a good amount from this thread. Networking is one of my weaknesses

EDIT I found the issue with mine. I had set a NAT rule to forward 5353 to 53 when the DNSResolver "broke" so I could use the DNSForwarder. While troubleshooting, I deleted the firewall rule in the VL10 rules page but forgot to delete the VL10 NAT rule. Deleted the VL10 NAT rule and all is well now.

I feel accomplished and like a dumbass at the same time!

I need/want to do a fresh install on my /SG-4860 after a buggy snapshot screwed up my system. Reading the manual it talks about downloading

Yes and this is owed to the circumstance that the SG-xxxx units from pfSense or Netgate should be sorted with that
ADI image nothing more and nothing less. It came pre configured and is matching well to the SG-xxxx units.

pfSense-netgate-memstick-ADI-2.4.1-RELEASE-amd64.img.gz

from the portal ONLY if I have a subscription. So just want to be 100% clear, the subscription is the "Gold Subscription $99.00 for one year" and not a support subscription?

You will be able to download it here too, and not only over the subscription based Netgate account!
Please go here and chose the following: official pfSense download page

Version as example 2.4.1 ADI image download server

Please see the attached image to chose the ADI image

While I want to do a clean install, I don't really want to manually redo all my DHCP Static Mappings. Is there any way to export/import just those?

Do a config backup and export the config xml file first


pfSense 2.4.0-RELEASE Now Available!
You will need 5 minutes to read all, but it is worth the time, you will be sorted with any information you really need!

Replying to my own problem, for future readers who may have the same issue.

This RAID card does not make JOBD drives bootable. It seems like a weird arbitrary decision, but that's the way it is and I haven't found a way around it. Morphing the JODB drives into simple volumes seems to create the equivalent of individual RAID0 drives.  Which does not expose the hardware to FreeBSD/pfSense. So yes, I am seeing 4 logical drives, but to get the full ZFS-experience and reliability I understand the OS must see the hardware, not just logical volumes.

There seems to be no solution to this, besides getting a card with a proper pass-through mode. Which is what I am doing now.

I'm assuming you are wanting to setup also https filtering. If you are planning on doing ssl bumping, i recommend squid and diladele (QLPROXY)

Depending on how many devices you use, they are fairly cheap, but can get expensive.

https://docs.diladele.com/tutorials/filtering_https_traffic_squid_pfsense/index.html

This is a setup on how to get it configured.

@genccluber:

pls help me

FIrst check this tutorial . https://doc.pfsense.org/index.php/Boot_Troubleshooting and https://doc.pfsense.org/index.php/Installation_Troubleshooting

It helped me to install from a bootable USB Stick to a USB Stick - pfsense MemStick version.

BR,
Adrian

Edit the rule, make sure it has no schedule selected, then save. It should clear the old entry out of the rule.

@etian90:

Hi guys, I´m having the same problems with my snort, I can´t update my rules. do you know how I can do it manual? thanks

What error message is being printed in the log file viewable on the UPDATES tab in Snort?  There are basically only three things that go wrong here and those are:

1.  You are running pfBlockerNG and one of its IP address lists included the IP address pool of the Amazon Web Services network used by the Snort VRT to host their rule downloads.  That is probably the most common cause of this problem.  If you are using pfBlockerNG, disable it while attempting Snort rules updates.

2.  You have the OpenAppID rules download enabled but you are located in a country which is being blocked by GeoIP rules from accesing the university web site in Brazil that hosts the free OpenAppID rules download package.  If this is the case, you simply can't use those rules unless you can use a VPN so that you can appear to be coming from a different non-Geo Blocked country.

3.  Rarely, the Snort VRT folks have a problem with their automated system that posts the rules package files.  Sometimes the MD5 does not get updated or is missing entirely.  If this is the problem, it will fix itself soon.

Reading the error message you will find in the Rules Update Log will help you figure out which of the above three common problems you are experiencing.  If the message in your logs is something else, then post the entire message back here and we will see how to proceed.

You can't update the rules manually with the Snort package on pfSense.  Too much stuff has to happen in a concerted fashion to make that practical.

Bill