• 0 Votes
    14 Posts
    6k Views

    I must confess that I didn't try rebooting the box(es) after the upgrade - I just assumed (wrongly?) that the generation of both keys was triggered by the upgrade, and not something that would happen again if they weren't there during the startup process.

    Anyway, as mentioned before all my twenty or so pfSense installs are now on 2.2, and everything is working smoothly - my sincerest thanks to the developers, I wish every other piece of software in use on my customers was as reliable as this. Kudos!

    Marcello
    São Paulo - SP - Brazil

  • 0 Votes
    5 Posts
    1k Views

    yep :)
    10x cmb
    how I succeeded:
    * moving the firewall WAN rule to the top/down (which makes no sense to me) - not working
    * delete/recreate rule in NAT - same result
    * change admin access port from 80 to 8080, create rule in NAT (without moving anything)… working  8)

    just for the record:
    I don't know how, but if I change the admin access port again from 8080 to 80, the web server continues to be accessible from 'outside'

    anyway, thanks for the help, I appreciate it.
    - in 2.2 I lost the startup/shutdown/login beep

  • 0 Votes
    27 Posts
    11k Views

    @stig.voss:

    This is not a request for help or an attempt to revive the thread for a new question. But I would like to inform potential users of this device a bit about my experience with it.

    Since around Christmas I attempted to implement this device as the firewall appliance in my home network. At first it did show some symptoms of being unstable under heavy load and upon that cause some "re0: watchdog timeout" errors. I left home for some weeks and let it run as my gateway and firewall. During the weeks with low activity on the network, it showed no signs of this problem. Now, as I got home and have started using my network again, the device is doing the same tricks again. From time to time after pushing a couple of megabytes per second on my connection or on VPN, it will crash the connection. When streaming it will crash the connection. A basic synchronization with Google Drive seems to be able to do it. I have yet not found a specific pattern in the issue. There might be a solution out there, but I have not experimented further.

    To visualize my experience, I will provide a chart of ping logging.

    Performance wise, ignoring the timeouts, it easily handles my 150/150 Mbps connection and it pushes some 90-110 Mbps on OpenVPN.

    Does this issue only occur while connected through the VPN?

  • 0 Votes
    8 Posts
    5k Views

    Ok I've now replicated this. The issue is a BIOS setting. The critical setting is that ACPI must be enabled in the Power Management Setup menu. It isn't if you've loaded the default values. If you've upgraded from an earlier BIOS without clearing the CMOS then it might be, hence the confusion. Nothing else seems to prevent it booting, though you probably also want to enable DMA/UDMA in the Integrated Peripherals, On-board IDE menu.
    Edit: The actual cause of this appears to be a regression in the gpioapu driver. https://redmine.pfsense.org/issues/4363. By enabling ACPI you are providing a value of some sort for smbios.system.product (even if that value is 0) and working around it.

    So you must set this:

                        Phoenix - AwardBIOS CMOS Setup Utility
                                Power Management Setup
    +=====================================================+========================+
    |    ACPI Function             [Enabled]              |       Item Help        |
    |    Power Management          [Disabled]             |------------------------|
    |    Video Off Method          [Blank Screen]         | Menu Level  *          |
    |    Video Off In Suspend      [No]                   |                        |
    |    Suspend Type              [Stop Grant]           |                        |
    |    MODEM Use IRQ             [3]                    |                        |
    |    Suspend Mode              Disabled               |                        |
    |    HDD Power Down            Disabled               |                        |
    |    Soft-Off by PWR-BTTN      [Instant-Off]          |                        |
    |    CPU THRM-Throttling       [75.0%]                |                        |
    |    Wake-Up by PCI card       [Disabled]             |                        |
    |                                                     |                        |
    |    ** Reload Global Timer Events **                 |                        |
    |    Primary IDE 0             [Disabled]             |                        |
    |    Primary IDE 1             [Disabled]             |                        |
    |    Secondary IDE 0           [Disabled]             |                        |
    |    Secondary IDE 1           [Disabled]             |                        |
    |    FDD,COM,LPT Port          [Disabled]             |                        |
    |    PCI PIRQ[A-D]#            [Disabled]             |                        |
    +=====================================================+========================+
      ^V><:Move  Enter:Select  +/-/PU/PD:Value  F10:Save  ESC:Exit  F1:General Help
        F5: Previous Values    F6: Fail-Safe Defaults    F7: Optimized Defaults

    You probably want this:
    Edit: Although some basic testing showed almost no improvement in drive speed.  :-\

                        Phoenix - AwardBIOS CMOS Setup Utility
                                  OnChip IDE Device
    +=====================================================+========================+
    |    IDE HDD Block Mode        [Enabled]              |       Item Help        |
    |    IDE DMA transfer access   [Enabled]              |------------------------|
    |    On-Chip Primary  PCI IDE  [Enabled]              | Menu Level  **         |
    |    IDE Primary Master PIO    [Auto]                 |                        |
    |    IDE Primary Slave  PIO    [Auto]                 |                        |
    |    IDE Primary Master UDMA   [Auto]                 |                        |
    |    IDE Primary Slave  UDMA   [Auto]                 |                        |
    |                                                     |                        |
    |    *** On-Chip Serial ATA Setting ***               |                        |
    |    On-Chip Serial ATA        [Disabled]             |                        |
    |  x PATA IDE Mode             Secondary              |                        |
    |    SATA Port                 P0,P2 is Primary       |                        |
    |                                                     |                        |
    |                                                     |                        |
    |                                                     |                        |
    |                                                     |                        |
    |                                                     |                        |
    |                                                     |                        |
    |                                                     |                        |
    +=====================================================+========================+
      ^V><:Move  Enter:Select  +/-/PU/PD:Value  F10:Save  ESC:Exit  F1:General Help
        F5: Previous Values    F6: Fail-Safe Defaults    F7: Optimized Defaults

    Steve

  • 0 Votes
    1 Posts
    525 Views
    No one has replied
  • New install on a pfsense appliance

    Jan 31, 2015, 8:15 PM
    0 Votes
    4 Posts
    1k Views

    Yep so use the memstick-serial image and write it to a USB flash drive. Boot from that and use the serial console to reinstall to the SSD.

    Steve

  • Update to 2.2.1

    Jan 31, 2015, 7:31 PM
    0 Votes
    8 Posts
    1k Views

    You can gitsync RELENG_2_2 to get what's currently 2.2.1-DEVELOPMENT. Snapshots will be coming back soon.

  • 0 Votes
    7 Posts
    4k Views

    @johnkeates:

    Anyway, for now, disabling tx/rx offloading on pfSense's VIF/TAP is pretty much 'the fix'.

    In my setup disabling TX offloading alone was sufficient and also consistent with my reasoning: Only the sending of packets from/via dom0 to pfSense (i.e. the TX-side) needs to have a correct checksum. RX offloading - whatever that does - is only relevant for the dom0/domU receiving packets from pfSense and that has never been an issue as for any packet received on the vif interface the checksum is anyways ignored in any case.

    @johnkeates:

    Further investigations regarding pf or any other part after the interface on the pfSense domU might be useful to determine the source of the dropped packets and if it's configurable to stop dropping them.

    Unfortunately I have no idea what's going on inside pf or pfSense, so that's for somebody else to comment …

    Regards Atom2

  • 0 Votes
    17 Posts
    4k Views

    Steps 4-8 should be enough with pfSense 2.2.

  • 0 Votes
    11 Posts
    2k Views

    Seems to be layer 8 issue ;)  Having a lot of those of late.

  • 0 Votes
    2 Posts
    456 Views

    Silly question  ;D  Have you "assigned" the interfaces ?

    https://doc.pfsense.org/index.php/Installing_pfSense#Assign_Interfaces_on_the_Console

  • 0 Votes
    21 Posts
    3k Views

    @stephenw10:

    Nice.  :)

    Definitely yes! I was about to go insane :D I think I tried to install it like 20 times

  • 0 Votes
    7 Posts
    2k Views

    I ended up with a new install of 2.2 and importing config. Worked fine and was done in a few minutes.

  • 0 Votes
    5 Posts
    1k Views

    I ended up with a new install of 2.2 and importing config. Worked fine and was done in a few minutes.

  • Given up on 2.2

    Jan 29, 2015, 1:25 PM
    0 Votes
    36 Posts
    7k Views

    @exograpix:

    I do agree with some of your points, but in today's world nobody apart from big corporates will put in a box for every other function. pfSense as a firewall is good, but basic functions like web filtering http/https are part of the UTM device, which the pfSense project claims to have.

    Can you share a link where ESF has claimed pfSense is a UTM? I don't recall them saying that, but the community has.

  • 0 Votes
    3 Posts
    2k Views

    Run the minimum amount of TCP traffic necessary to replicate issues and packet capture it. Should see on one LAN or the other repeated retransmissions of large packets if it's an issue along those lines. With mssfix down to 1200 not having made a difference, I suspect that isn't the problem. Capture likely has clues as to what it is.

    Try various ping sizes with DF set and see at what size traffic starts getting dropped.

  • 0 Votes
    22 Posts
    5k Views

    I realize that it does work, but many people don't know (nor should they have to in my opinion) how to install packages that aren't in the package repository - that is kind of what it is for… So end users know it has been tested, works, and is authentic.

    I'm not personally against unofficial packages though, and agree that is better than using pfBlocker (non-NG) in 2.2.

  • 0 Votes
    6 Posts
    2k Views

    The BIOS for such an old board (remember it's a core 2 duo system) is as up to date as it's going to get.

    I had seen the unknown power management option, and now all are set the same, to adaptive.

    It seems to run at about the same temperature, or maybe even slightly cooler.  So maybe the displayed current CPU speed is calculated differently, between FreeBSD 8 & 10.  I assume there is lots of scope for such a minor change to have been made.

  • 0 Votes
    26 Posts
    4k Views

    Yes I did, thanks for the correction.

  • Bce0 error on update?

    Jan 27, 2015, 9:28 PM
    0 Votes
    4 Posts
    896 Views

    Apparently the yacc parsing got more strict in pf. It used to accept those (but we denied them). It was also the source of the problem with some of the traffic shaping problems with DSCP and tag matching/setting. The latter of which have been fixed for 2.2.1.

    Numeric aliases and interface names are definitely not allowed though, it's lucky they ever worked.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.