That's normal behavior for every stateful firewall, after rebooting (if you don't have HA in place) you'll block traffic from connection states that were killed by the reboot but are still active and attempted to be used elsewhere. Devices will figure that out quickly and re-establish, it's safe to ignore.

Pushed a fix, thanks!

pmed you a link to my 2.1.5 the other is what i an running and when i went to mondays snaphot it has a hang issue with each upgrade

I get this when resolving IPv6 in firewall logs

dns_reverse.PNG
dns_reverse.PNG_thumb

Thanks again, jimp.

Ok, deleted the config, error msgs gone.

Did set up a new mobile ipsec config, works with WAN or GW Group addresses. As soon as i change the Interface to the Carp VIrtual IP it stops working (same way i did with openvpn).

btw. dhcp leases for the lan segment sync to both fws, but the status puzzles me:

dhcp_lan (LAN) recover 2014/09/29 18:37:09 unknown-state 2014/09/29 18:37:09
dhcp_opt3 (GUESTS) recover 2014/09/29 18:37:09 unknown-state 2014/09/29 18:37:09

except the timestamp same on both machines

Upd: Setting to all interfaces works on all interfaces, so just selective binding seems to be a problem

Grmbl. Nevermind this post.
Just found out that choosing a update location under Updater Settings holds the Stable release 2.1.x URL.
Changed it with the Beta update URL and now it works.

Here is more error information I found:

[2.2-BETA][root@apu22.localdomain]/tmp(9): cat PHP_errors.log [28-Sep-2014 10:38:41 Asia/Kathmandu] PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/local/lib/php/20121212/zmq.so' - Shared object "libzmq.so.1" not found, required by "zmq.so" in Unknown on line 0

Tried it again a couple of times, ran into the same problem.

I decided to dd if=/dev/zero of=/dev/sdb bs=16k
and then re-dd the same image.

Worked this time.

Recommend people move along and don't spend time on this.

I am having the same issue. We use Port forwarding on a DSL WAN connection (MTU of 1492) and we cannot pass traffic.

Hi,

FYI, with a clean install everything was working. Then I went to BandwidthD from the service menu, clicked Save to enable it (as it wasn't running, even though it was enabled) … so Save with no settings changes. Immediately the Web GUI was broken again ... :(.

Thoughts?

Thanks!

any update to this?

looks like i found the answer why

https://forum.pfsense.org/index.php?topic=81892.msg449020#msg449020

# This file is automatically generated. Do not edit config setup         uniqueids = yes         charondebug="" conn con1         aggressive = yes         fragmentation = yes         keyexchange = ikev1         reauth = no         rekey = no         reqid = 1         installpolicy = yes         type = tunnel         dpdaction = clear         dpddelay = 10s         dpdtimeout = 60s         auto = add         left = #.#.#.#         right = %any         leftid = #.#.#.#         ikelifetime = 86400s         lifetime = 28800s         rightsourceip = 172.22.24.0/24         rightsubnet = 172.22.24.0/24         leftsubnet = 172.22.22.0/24         ike = 3des-sha1-modp1024!         esp = aes256-sha1,aes192-sha1,aes128-sha1!         leftauth = psk         rightauth = psk

I noticed that the peer ID info is in the config, but there isn't anywhere to set it in the GUI.

        <ipsec><preferoldsa><client><enable><user_source>Local Database</user_source>                         <group_source>none</group_source>                         <pool_address>172.22.24.0</pool_address>                         <pool_netbits>24</pool_netbits>                         <net_list><dns_server1>pfsenselanip</dns_server1>                         <dns_server2>8.8.8.8</dns_server2></net_list></enable></client>                 <enable><mobilekey><ident>any</ident>                         <pre-shared-key>presharedkey</pre-shared-key></mobilekey>                 <mobilekey><ident>allusers</ident>                         <pre-shared-key>presharedkey</pre-shared-key></mobilekey>                 <mobilekey><ident>my@mailaddress.com</ident>                         <pre-shared-key>presharedkey</pre-shared-key></mobilekey>                 <phase1><ikeid>1</ikeid>                         <iketype>ikev1</iketype>                         <interface>wan</interface>                         <mobile><mode>aggressive</mode>                         <protocol>inet</protocol>                         <myid_type>myaddress</myid_type>                         <myid_data><peerid_type>fqdn</peerid_type>                         <peerid_data><encryption-algorithm><name>3des</name></encryption-algorithm>                         <hash-algorithm>sha1</hash-algorithm>                         <dhgroup>2</dhgroup>                         <lifetime>86400</lifetime>                         <pre-shared-key><private-key><certref><caref><authentication_method>pre_shared_key</authentication_method>                         <nat_traversal>on</nat_traversal>                         <reauth_enable><rekey_enable><dpd_delay>10</dpd_delay>                         <dpd_maxfail>5</dpd_maxfail></rekey_enable></reauth_enable></caref></certref></private-key></pre-shared-key></peerid_data></myid_data></mobile></phase1>                 <phase2><ikeid>1</ikeid>                         <uniqid>54224312bae13</uniqid>                         <mode>tunnel</mode>                         <localid><type>lan</type></localid>                         <remoteid><type>mobile</type></remoteid>                         <protocol>esp</protocol>                         <encryption-algorithm-option><name>aes</name>                                 <keylen>auto</keylen></encryption-algorithm-option>                         <hash-algorithm-option>hmac_sha1</hash-algorithm-option>                         <pfsgroup>0</pfsgroup>                         <lifetime>28800</lifetime></phase2></enable></preferoldsa></ipsec>

@rcfa:

@BBcan177:

I think rcfa is asking if he can see the data stream like in wireshark to see what data link types are in his network?

Kind of both. Since I'm not familiar with low-level IP/network programming, I wasn't even aware of these Data Link Types. So when it first was said that it can't handle DLT_NULL I assumed that some interfaces just don't set a type (hence NULL), and that the software isn't able to handle that case.

From the code snippet however, it seems that there might be an (arbitrary?) number of DLTs, and that the software handles certain specific types, which seem to be DLT_RAW, DLT_EN10MB, 9, 11, 13, 113

Knowing that, the question is, given the various links I have (IPSec, OpenVPN, GRE tunnels, LAGG, etc.) how can I know (without trying to dissect source code), what link types these have, and thus, if the software will or won't work with them…

Start a tcpdump capture on each interface and then quickly stop it.  The data link type will be printed in the header information tcpdump prints when it starts.

Bill