@stig.voss:

This is not a request for help or an attempt to revive the thread for a new question. But I would like to inform potential users of this device a bit about my experience it.

Since around Christmas I attempted to implement this device as the firewall appliance in my home network. At first it did show some symptoms of being unstable under heavy load and upon that cause some "re0: watchdog timeout" errors. I left home for some weeks and let it run as my gateway and firewall. During the weeks with low activity on the network, it showed no signs of this problem. Now, as I got home and have started using my network again, the device is doing the same tricks again. From time to time after pushing a couple of megabytes per second on my connection or on VPN, it will crash the connection. When streaming it will crash the connection. A basic synchronization with Google Drive seems to be able to do it. I have yet not found a specific pattern in the issue. There might be a solution out there, but I have not experimented further.

To visualize my experience, I will provide a chart of ping logging.

Performance wise, ignoring the timeouts, it easily handles my 150/150 Mbps connection and it pushes some 90-110 Mbps on OpenVPN.

Does this issue only occurs while connected through the VPN?

Ok I've now replicated this. The issue is a BIOS setting. The critical setting is that ACPI must be enabled in the Power Management Setup menu. It isn't if you've loaded the default values. If you've upgraded from an earlier bios without clearing the CMOS then it might be, hence the confusion. Nothing else seems to prevent it booting though you probably also want to enable DMA/UDMA in the Integrated Peripherals, On-board IDE menu.
Edit: The actual cause of this appears to be a regression in the gpioapu driver. https://redmine.pfsense.org/issues/4363. By enabling ACPI you are providing a value of some sort for smbios.system.product (even if that value is 0) and working around it.

So you must set this:

                    Phoenix - AwardBIOS CMOS Setup Utility                             Power Management Setup +=====================================================+========================+ |    ACPI Function            [Enabled]              |        Item Help      | |    Power Management          [Disabled]            |------------------------| |    Video Off Method          [Blank Screen]        | Menu Level  *        | |    Video Off In Suspend      [No]                  |                        | |    Suspend Type              [Stop Grant]          |                        | |    MODEM Use IRQ            [3]                    |                        | |    Suspend Mode              Disabled              |                        | |    HDD Power Down            Disabled              |                        | |    Soft-Off by PWR-BTTN      [Instant-Off]          |                        | |    CPU THRM-Throttling      [75.0%]                |                        | |    Wake-Up by PCI card      [Disabled]            |                        | |                                                    |                        | |    ** Reload Global Timer Events **                |                        | |    Primary IDE 0            [Disabled]            |                        | |    Primary IDE 1            [Disabled]            |                        | |    Secondary IDE 0          [Disabled]            |                        | |    Secondary IDE 1          [Disabled]            |                        | |    FDD,COM,LPT Port          [Disabled]            |                        | |    PCI PIRQ[A-D]#            [Disabled]            |                        | +=====================================================+========================+   ^V><:Move  Enter:Select  +/-/PU/PD:Value  F10:Save  ESC:Exit  F1:General Help     F5: Previous Values    F6: Fail-Safe Defaults    F7: Optimized Defaults

You probably want this:
Edit: Although some basic testing showed almost no improvement in drive speed.  :-\

                    Phoenix - AwardBIOS CMOS Setup Utility                               OnChip IDE Device +=====================================================+========================+ |    IDE HDD Block Mode        [Enabled]              |        Item Help      | |    IDE DMA transfer access  [Enabled]              |------------------------| |    On-Chip Primary  PCI IDE [Enabled]              | Menu Level  **        | |    IDE Primary Master PIO    [Auto]                |                        | |    IDE Primary Slave  PIO    [Auto]                |                        | |    IDE Primary Master UDMA  [Auto]                |                        | |    IDE Primary Slave  UDMA  [Auto]                |                        | |                                                    |                        | |    *** On-Chip Serial ATA Setting ***              |                        | |    On-Chip Serial ATA        [Disabled]            |                        | |  x PATA IDE Mode              Secondary            |                        | |    SATA Port                  P0,P2 is Primary      |                        | |                                                    |                        | |                                                    |                        | |                                                    |                        | |                                                    |                        | |                                                    |                        | |                                                    |                        | |                                                    |                        | +=====================================================+========================+   ^V><:Move  Enter:Select  +/-/PU/PD:Value  F10:Save  ESC:Exit  F1:General Help     F5: Previous Values    F6: Fail-Safe Defaults    F7: Optimized Defaults

Steve

Yep so use the memstick-serial image and write it to a USB flash drive. Boot from that and use the serial console to reinstall to the SSD.

Steve

you can gitsync RELENG_2_2 to get what's currently 2.2.1-DEVELOPMENT. Snapshots will be coming back soon.

@johnkeates:

Anyway, for now, disabling tx/rx offloading on pfSense's VIF/TAP is pretty much 'the fix'.

In my setup disabling TX offloading alone was sufficient and also consistent with my reasoning: Only the sending of packets from/via dom0 to pfSense (i.e. the TX-side) needs to have a correct checksum. RX offloading - whatever that does - is only relevant for the dom0/domU receiving packets from pfSense and that has never been an issue as for any packet received on the vif interface the checksum is anyways ignored in any case.

@johnkeates:

Furter investigations regarding pf or any other part after the interface on the pfSense domU might be useful to determine the source of the dropped packets and if it's configurable to stop dropping them.

Unfortunately I have no idea what's going on inside pf or pfSense, so that's for somebody else to comment …

Regards Atom2

Steps 4-8 should be enough with pfSense 2.2.

Seems to be layer 8 issue ;)  Having a lot of those of late.

Silly question  ;D  Have you "assigned" the interfaces ?

https://doc.pfsense.org/index.php/Installing_pfSense#Assign_Interfaces_on_the_Console

@stephenw10:

Nice.  :)

defently yes! i was about to get insane :D i think i tried to install it like 20 times

I ended up with a new install of 2.2 and importing config. Worked fine and was done in a few minutes.

I ended up with a new install of 2.2 and importing config. Worked fine and was done in a few minutes.

@exograpix:

I do agree some of your points, but in today's world nobody apart from big corporate will put a box for every other function. Pfsense as a firewall is good, but basic function like web filtering http/https is part of the utm device, which pfsense project claim to have.

Can you share a link where ESF has claim pfSense is a UTM? I dont recall them saying that, but the community has.

Run the minimum amount of TCP traffic necessary to replicate issues and packet capture it. Should see on one LAN or the other repeated retransmissions of large packets if it's an issue along those lines. With mssfix down to 1200 not having made a difference, I suspect that isn't the problem. Capture likely has clues as to what it is.

Try various ping sizes with DF set and see at what size traffic starts getting dropped.

I realize that it does work, but many people don't know (nor should they have to in my opinion) how to install packages that aren't in the package repository - that is kind of what it is for… So end users know it has been tested, works, and is authentic.

I'm not personally against unofficial packages though, and agree that is better than using pfBlocker (non-NG) in 2.2.

The BIOS for such an old board (remember it's a core 2 duo system) is as up to date as it's going to get.

I had seen the unknown power management option, and now all are set the same, to adaptive.

It seems to run at about the same temperature, or maybe even slightly cooler.  So maybe the displayed current CPU speed is calculated differently, between FreeBSD 8 & 10.  I assume there is lots of scope for such a minor change to have been made.

yes I did thanks for the correction.

Apparently the yacc parsing got more strict in pf. It used to accept those  (but we denied them). It was also the source of problem with some of the traffic shaping problems with DSCP and tag matching/setting. The latter of which have been fixed for 2.2.1.

Numeric aliases and interface names are definitely not allowed though, it's lucky they ever worked.

@stephenw10:

Ah, I missed you Doktor. Forum wasn't the same without you.  ;D

Ditto, ol' Doktornotor cracks me up.  ;D

@cmb:

@bradenmcg:

I would love to see something analogous to Cisco's "VTI" and Juniper's "ST" interfaces for VPN; most major firewall vendors have something similar to this, even "weird" stuff like Palo Alto support this (and PA doesn't do IPsec+GRE so I have no other way to replicate it against pfSense).

I would like to see that. It'd require a good deal of work, as there are missing pieces in underlying bits. Not on the near future road map at least.

That's what I've been reading, apparently neither BSD or Linux have the correct tunnel interface existing on the OS, making this more complicated.  That said, Ubiquiti has VTI in their gear, so it can't be too bad to do… I believe they are some form of *nix underneath, wonder if the source for this is open?

I may have to grab an EdgeRouter and stick it behind my pfSense box just for VPN purposes.  (I'm not likely to ever ditch pfSense at the edge, unless someone else starts supporting UPnP/NAT-PMP, since I have game systems.)