So you're saying you tried to import just the <ipsec>section of a config from 2.1.5 to 2.2?

That has never and will likely never be supported.

If you import a config between versions it must be the entire config, not a section. Otherwise the upgrade code cannot make the proper changes it needs to make.</ipsec>

Ok, let's do a simple math.

According to my firewall rules posted above, all transmission traffic out should go through PT interface, right?  And the upload speed was limited to 120kB/s, and the real speed is above 110kB/s, let's say 100kB/s, then please note that my pfsense is up about 14 hours for now, total uploaded data should be 146060*100kB/1024/1024=4.8GB. Please check the attached image, and see the out packets statistics, it's only 537.67MB. Obviously not right.

Besides, there is no cloud service or something else that will upload data.

PT_traffic.PNG
PT_traffic.PNG_thumb
uptime.PNG
uptime.PNG_thumb

@doejohn:

An install from scratch - old config happily survived

Factory-reset - Old interface assignments (and maybe other settings? I don't know) still survived

Called the menu to re-assign the interfaces - How can I be sure everything else is at factory reset? Since the interface settings survived the factory reset, maybe some other settings survived too?

The NICs in the default config are assigned as em0 and em1, so on that hardware, a reset to factory defaults would leave you having to re-assign interfaces. The installation process wipes out the entire storage medium, so there's no way that config survived on there. You have an SD card in it that has the config on it that's getting loaded maybe? Your USB flash drive would be completely clean upon rewriting the nano image to it.

I have no idea where the config managed to survive.

I did not use a CF card at all

I used the dd program on linux to write the image onto the raw USB thumb drive. That should have wiped everything what was stored before on that drive, IMHO

My UNIX knowledge comes mostly from linux, so I have no clue about the partitioning scheme on BSD. AFAIK, the partitions are somehow further divided into slices or something. Maybe one of those slices on the SSD happened to survive somehow?

Maybe the config is stored on the USB thumb at some point (e.g. when booting life and before choosing the "install" menu)? That might be an explanation: when doing a second install without re-writing the image onto the USB drive with dd, the interface assignment (which happens before the "install" menu can be chosen) might have survived on the USB drive. Although I am sure, I did the "dd" operation multiple times, I can not swaer that I did the "dd" before every installation attempt.

That's probably true but you'd like to think it shouldn't be possible to do that.

Steve

after setting a source ip mask on the limiter i noticed a lot of entries in systenlog as below, i guess the verbosity needs to be reduced a little

Jan 10 13:30:02 kernel: Bump sched buckets to 256 (was 0) Jan 10 13:30:02 kernel: Bump sched buckets to 256 (was 0) Jan 10 13:45:01 kernel: Bump sched buckets to 256 (was 0) Jan 10 13:45:01 kernel: Bump sched buckets to 256 (was 0)

actually i have a match rule with the limiter set and scheduled for a specific time but outside of the time also the limiter seems to still restrict bandwidth

Yeah load balancing, I figured something regarding load balancing was breaking it but wasn't really sure how to fix it till I realised I could just create a firewall rule to pass out a single wan interface

Sorry, I didn't express myself clear.

I just got the latest snapshot(Fri Jan 09 09:55:04 CST 2015), and all interfaces are up, but the tap interface still not work until I go to the "Interfaces" menu, save and apply OpenVPN tap interface without any changes, because I can get ping replies from the other side after that.

Everything is back to normal with:

2.2-RC (amd64)
built on Fri Jan 09 09:55:04 CST 2015
FreeBSD 10.1-RELEASE-p3

Thanks for all your hard work.

@doktornotor:

Pretty sure your issues will go away as soon as you've uninstalled Snort, no matter if it's 2.1.5 or 2.2-RC

Snort should have no bearing at all on the OP's reported issue.  Snort does not fiddle with firewall rules in any way.

Bill

Custom (ipv4) only.

Yeah but AES-GCM has more requirments than plain AES-CBC/XTS speedup.

See the 2.2 section here:
https://doc.pfsense.org/index.php/Installing_FreeBSD_Packages

pkg install curl

On NanoBSD you will need to switch the disk to RW first.
https://doc.pfsense.org/index.php/Remount_embedded_filesystem_as_read-write

@va176thunderbolt:

I believe something in last nights build broke it. I cannot get a tunnel that was working back up unless I disable it.

The logs on both side are showing this:
ipsec_starter[52396]: /var/etc/ipsec/ipsec.conf:22: syntax error, unexpected STRING [\tcompress]

The original commit had a typo that would do that, which was fixed not long after. Upgrade to the latest and that should work.

Cannot see any error anywhere in what you posted. Are you talking about this?

https://forum.pfsense.org/index.php?topic=86448.msg474183#msg474183
https://forum.pfsense.org/index.php?topic=86489.0

@phil.davis:

My apologies to all concerned. I thought all those warning messages had quite simple generic code changes, and did a bit of testing of functions, but did not notice closely enough the difference in the returned array from read_dummynet_config(), for example. Obviously I was wrong about the changes being invisible to the callers!

It happens, I overlooked it as well.

Yes, I read that in redmine. Probably better just to hide the messages for now, as they don't do any harm anyway.

Hardware RAID is good if it is true full-hardware RAID and the controller is fully supported, but it all has to be managed by hand. Though it is more robust. A disk failure on hardware RAID may not cause problems with the system the same way that a hardware disk problem could cause them if they were directly attached, but that's all a crap shoot.

Software RAID is "good enough" for most deployments, it's supported in the installer, and in 2.2 there's a management GUI for adding/replacing drives even.

What sucks is crappy fake RAID that's really software/drivers with a little stub of hardware support to arrange the disks. That's not worth anyone's time.

They don't have static mappings though from what you mentioned previously. If you use static mappings and want name resolution, they must contain hostnames.