• Help getting pfSense running on ESXI VM

    0 Votes
    5 Posts
    522 Views

    I have replaced the switch that died and now I'm working on tweaking and getting the network set up just the way I want it. Here's what I have so far...

    IP - 500/500 Mbps fiber to the house with PPPoE configuration to the WAN of my pfSense router.

    Cabling - All of the backbone wiring is brand new CAT8 cabling

    Router - pfSense running in a VM on my server using 2 of the 4 ports of a quad gigabit network card.

    Switching - 1 Unifi 8-port POE managed switch and 2 Flex-Mini POE managed switches.

    Access Point - 1 Unifi AC-PRO access point.

    I'm trying to set up a guest wifi network that gives me a sequestered network with a simple password for guests and that I can limit the bandwidth fairly easily.

    I'm a little confused about what to set up in pfSense and what to set up in the Unifi Controller as it seems that there is quite a bit of overlap between what each can do. I have seen some tutorials about setting up a network like I want to but they all seem to be using an older version of the Unifi Controller than the current one and the options are definitely different.

    Any guidance about this would be most welcome!

  • kdb_enter+0x3b: movq

    0 Votes
    21 Posts
    5k Views
    bmeeks

    @wouwie said in kdb_enter+0x3b: movq:

    @jimp pfSense-CE-memstick-2.5.0-DEVELOPMENT-amd64-latest supports the NIC again.
    FreeBSD error?

    pfSense-2.5 is based on FreeBSD-12 while pfSense-2.4.5 is based on FreeBSD-11. FreeBSD-12 has a rather big change with the way hardware vendors develop their NIC drivers. FreeBSD-12 uses the iflib API to wrap up a lot of NIC functionality with regards to communicating with the kernel. The iflib framework now takes care of a lot of things that formerly the individual hardware vendor software developers had to handle. My guess is the issue you were having with your hardware on FreeBSD-11 (11.3/STABLE in the case of pfSense-2.4.5) got fixed in FreeBSD-12.

  • Pfsense NOT booting

    0 Votes
    23 Posts
    2k Views

    It's in the Protectli knowledge base articles on installing pfSense 2.4 & FreeBSD 11.2. I've seen the issue reported with various devices using Braswell SoCs, not just those manufactured by Yanling (Protectli).

    As an alternative to changing the BIOS settings as you have done, there is also a work around by entering a command during installation.

  • Upgrade from 2.4.5 to 2.4.5_1 fails

    0 Votes
    5 Posts
    692 Views

    @kiokoman Thanks for the link. The upgrade log /conf/upgrade_log.latest.txt looks OK with a lot of expected stuff and no errors/warnings or anything else suspicious. Web UI also reports the expected version 2.4.5-RELEASE-p1 (amd64).

    I hope to find some time to investigate why rebooting fails but it'll have to wait for a quiet time...

  • No link on second NIC after reboot

    0 Votes
    5 Posts
    688 Views

    @kiokoman
    anyway, the messages disappeared after the Realtek-Update. The network is always available, at least for the other devices in the network.

  • Create a bootable USB flash disk on MacOs?..

    0 Votes
    2 Posts
    425 Views

    Balena Etcher works great.

    https://www.balena.io/etcher/

  • ODROID-XU4........Go or no Go

    0 Votes
    5 Posts
    996 Views

    @stephenw10 Thanks for the links, that's some deep stuff. A bit too granular on that topic for me; however, I was able to take away the basics, which is very interesting. I have my hands in so many jars this kind of info can bog me down for the simple fact of wanting to learn all about it and then realizing I don't really have a need or use for the level of understanding I achieved.

  • Installation pfsense 2.4.5-p1 failed on HP Elite 8200

    0 Votes
    3 Posts
    432 Views

    @stephenw10 thanks, it's ok

  • firmware upgrade seems to have bricked the unit - how do we fix this?

    0 Votes
    5 Posts
    740 Views

    my issue seems to be that for some reason something still wants the old php stuff which has been zapped.
    I'd load a new one but don't know how to get it.
    lots of messages like:
    Warning: PHP Startup: Unable to load dynamic library 'zlib.so' (tried: /usr/local/lib/php/20131226/zlib.so (/usr/local/lib/php/20131226/zlib.so: invalid file format), /usr/local/lib/php/20131226/zlib.so.so (/usr/local/lib/php/20131226/zlib.so.so: invalid file format)) in Unknown on line 0

    note old version....

    and in the old version directory all the files are now 0 bytes long.
    I suspect it ran out of space at one stage of the upgrade.
    I'd load new (old) copies but don't know where to find that old version of php pkg.

  • Failed upgrade on SG-2440 2.4.4

    0 Votes
    3 Posts
    424 Views

    might have run out of space?
    look in /usr/local/lib/php/20170718/
    and see if stuff missing.

    I see:
    [2.4.5-RELEASE][admin@]/conf: ls -la /usr/local/lib/php/20170718/
    total 4232
    drwxr-xr-x 2 root wheel 1024 Oct 9 11:02 .
    drwxr-xr-x 5 root wheel 512 Oct 1 05:30 ..
    -rw-r--r-- 1 root wheel 41696 Mar 23 2020 bcmath.so
    -rw-r--r-- 1 root wheel 22136 Mar 23 2020 bz2.so
    -rw-r--r-- 1 root wheel 16112 Mar 23 2020 ctype.so
    -rw-r--r-- 1 root wheel 88256 Mar 23 2020 curl.so
    -rw-r--r-- 1 root wheel 191912 Mar 23 2020 dom.so
    -rw-r--r-- 1 root wheel 42832 Mar 23 2020 filter.so
    -rw-r--r-- 1 root wheel 14040 Mar 23 2020 gettext.so
    -rw-r--r-- 1 root wheel 259664 Mar 23 2020 hash.so
    -rw-r--r-- 1 root wheel 461776 Mar 23 2020 intl.so
    -rw-r--r-- 1 root wheel 43048 Mar 23 2020 json.so
    -rw-r--r-- 1 root wheel 71680 Mar 23 2020 ldap.so
    -rw-r--r-- 1 root wheel 1074168 Mar 23 2020 mbstring.so
    -rw-r--r-- 1 root wheel 40768 Mar 23 2020 mcrypt.so
    -rw-r--r-- 1 root wheel 471088 Mar 23 2020 opcache.so
    -rw-r--r-- 1 root wheel 185504 Mar 23 2020 openssl.so
    -rw-r--r-- 1 root wheel 34272 Mar 23 2020 pcntl.so
    -rw-r--r-- 1 root wheel 108048 Mar 23 2020 pdo.so
    -rw-r--r-- 1 root wheel 28656 Mar 23 2020 pdo_sqlite.so
    -rw-r--r-- 1 root wheel 120272 Oct 2 01:39 pfSense.so
    -rw-r--r-- 1 root wheel 34880 Mar 23 2020 posix.so
    -rw-r--r-- 1 root wheel 49840 Mar 23 2020 radius.so
    -rw-r--r-- 1 root wheel 30080 Mar 23 2020 readline.so
    -rw-r--r-- 1 root wheel 34248 May 5 04:05 rrd.so
    -rw-r--r-- 1 root wheel 95232 Mar 23 2020 session.so
    -rw-r--r-- 1 root wheel 11912 Mar 23 2020 shmop.so
    -rw-r--r-- 1 root wheel 59448 Mar 23 2020 simplexml.so
    -rw-r--r-- 1 root wheel 91904 Mar 23 2020 sockets.so
    -rw-r--r-- 1 root wheel 48416 Mar 23 2020 sqlite3.so
    -rw-r--r-- 1 root wheel 16392 Mar 23 2020 sysvmsg.so
    -rw-r--r-- 1 root wheel 9464 Mar 23 2020 sysvsem.so
    -rw-r--r-- 1 root wheel 12648 Mar 23 2020 sysvshm.so
    -rw-r--r-- 1 root wheel 21416 Mar 23 2020 tokenizer.so
    -rw-r--r-- 1 root wheel 53120 Mar 23 2020 xml.so
    -rw-r--r-- 1 root wheel 34416 Mar 23 2020 xmlreader.so
    -rw-r--r-- 1 root wheel 48032 Mar 23 2020 xmlwriter.so
    -rw-r--r-- 1 root wheel 48376 Mar 23 2020 zlib.so
    -rw-r--r-- 1 root wheel 85680 Mar 23 2020 zmq.so
    [2.4.5-RELEASE][admin@]/conf: cd /etc

  • sg-3100 install on M.2 Drive

    0 Votes
    3 Posts
    261 Views

    @akuma1x gotcha thank you

  • pfSense 2.4.5 does not support Intel I219V or Dragon RTL8125BG

    0 Votes
    6 Posts
    1k Views
    Rico

    That is up to FreeBSD.

    -Rico

  • NBASE-T Issues on 2.4.5-P1 and 2.5.0

    0 Votes
    9 Posts
    2k Views

    Final update: Seems like Intel’s fixes in FreeBSD from Sept 4 have been absorbed into the latest pfSense 2.5 builds and even the driver issue with the 2.5 Gbps and 5 Gbps Eth modes with firmware 7.3 and newer seem fixed.

  • No pfSense upgrade and packages available

    Moved
    0 Votes
    6 Posts
    850 Views
    Gertjan

    @jimp said in No pfSense upgrade and packages available:

    if you power off (not reboot, actually unplug) and power back

    I could read that as "rip out the power and put it back".
    Hummmm.

    Let's copy your detailed steps here :

    1. Navigate to Diagnostics > Halt System
    2. Click Halt
    3. Wait for the device to shut down. Monitor the console to ensure that the shutdown completes.
    4. Only now unplug the power adapter
    5. And plug the power adapter back in

  • Unable to upgrade pfsense and install packages SG-1100

    0 Votes
    4 Posts
    659 Views
    jimp

    https://docs.netgate.com/pfsense/en/latest/troubleshooting/upgrades.html

  • can i update my certificates in pfsense?

    0 Votes
    2 Posts
    282 Views

    You may remove the cert from the revoked list again,

    @juniormaxx said in can i update my certificates in pfsense?:

    I've tried adding the new ones and keep getting errors.

    Did you select the correct CA and cert type?
    Which cert is the problem, user, server?

    What error do you get?

  • Transparent bridge (as firewall) are not working

    0 Votes
    2 Posts
    422 Views

    Okay, I found the problem. Actually, it was because the vswitch has some rejected policies by default. On a Standard/Distributed vSwitch's port groups (which you would like to bridge) set up "MAC address changes" and "Forged transmits" to Accept in the security settings. Then the bridge interface will work.
    This should be a reminder for anyone who has the same problem in the VMware environment.

  • Hardware recommendations

    0 Votes
    26 Posts
    2k Views
    DaddyGo

    @pmadem said in Hardware recommendations:

    Do you have any recommendations ? 😉

    I'm correcting myself now: there is an Intel NUC with dual NICs, but it’s just yet to come:

    https://liliputing.com/2020/09/intel-tiger-canyon-details-leaked-intel-nuc-with-tiger-lake-chips.html

    Plus, with the new Intel PHY (2,5 GbE), we’re looking forward to it...
    https://ark.intel.com/content/www/us/en/ark/products/184676/intel-ethernet-controller-i225-v.html

  • SG-1100 and Unifi Dream Machine

    0 Votes
    3 Posts
    746 Views

    sorry - been away for work.

    I am trying to get the SG1100 to work as a transparent firewall... but for whatever reason as soon as I configure it as per the instructions on the Netgate forums - it stops working.

    So - I guess the real question is - can the SG1100 ACTUALLY be used as a transparent WAN-LAN firewall without NAT - i.e.

    Cable Router - Wan SG1100 - firewall bits n pieces (No NAT) - Lan out - internal router (NAT)

    WITHOUT NAT - as I would prefer my internal router to do NAT - I don't have any issues with it working now - so I'd prefer not to change as I have everything working fine... I literally just wanna throw the SG1100 in front so I can use PFBLOCKER, etc. to try and get rid of some of the everyday crap bombarding our devices, and so I have a VPN endpoint for work.

    As my cable router is ISP Dynamic IP - how is the SG1100 able to get the upstream router when it's dynamic in that circumstance. I think this is where the problem is - because we don't get assigned static upstream IPs... the SG1100 has no idea where to send it - because there is no way for me to get the upstream router details.

    Any help would be great.

  • Obtained ip from dhcp lan is blocked by firewall

    0 Votes
    3 Posts
    334 Views
    johnpoz

    Other than using that distro that will not be named here..

    You're blocking on SA, ie syn,ack - this screams out of state traffic and asymmetrical traffic flow.

    First question I would ask is what IPs are you using internal on your network? 81.x and 136.x are not rfc1918 space.. You shouldn't be using public space you do not own, even if internally..

    But blocking of SA means that the firewall did not see the SYN (S) to create the state. This is normally because of some asymmetrical routing problem.

    How did 81 talk to 136 on port 9999? If not through your stateful firewall so it could create a state, then yes the return traffic sent to your firewall - ie the SA, would be blocked because it doesn't match a state.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.