• 0 Votes
    1 Posts
    417 Views
    No one has replied
  • Status > Monitoring is not working

    8
    0 Votes
    8 Posts
    2k Views
    J

    From miniUSB port - shell (option 8), I entered both commands - reinstall (pkg install -f libiconv) and upgrade (pkg upgrade -f libiconv) and rebooted after each command. Now the Monitoring page is working!!

    Thanks for the help jimp. Much appreciated !!!

  • First Setup Wizard default IP

    5
    0 Votes
    5 Posts
    1k Views
    N

    | Did you wait a minute and press enter on the console to refresh the menu? |

    No, I didn't wait a minute. Maybe that was the problem.

    | You also need to change your client IP in LAN into the new LAN subnet (or release/renew the client DHCP so it gets a new IP address in the new subnet), so that it will learn the new gateway IP and be able to find/connect to the webGUI at the new LAN IP address.
    |

    Yes, I have done that.

  • Certificates: private key does not match the submitted certificate data

    3
    0 Votes
    3 Posts
    3k Views
    P

    @PiBa tested the patch and it works beautifully. Thanks so much :)

  • Install bug

    19
    0 Votes
    19 Posts
    3k Views
    Y

    OK. I am using a new server install on SSD.

    But it shows wrong IPv6 information. What does it mean?


  • Capture a log on a lockup?

    9
    0 Votes
    9 Posts
    1k Views
    GentleJoeG

    I swapped the SATA data and power cable.
    It hasn't had this error since, but I'm keeping it logging to the external syslog. If it shows up again, I'll swap out the drive. Thanks.

  • Can no longer view queues using pftop

    3
    0 Votes
    3 Posts
    921 Views
    T

    Thanks for the quick fix jimp. Much appreciated  :)

  • OpenVPN 2.4.1 & OpenVPN GUI v11.5.0.0 Released

    9
    0 Votes
    9 Posts
    4k Views
    jimpJ

    This should be fixed now, Renato spotted the problem and I pushed a quick fix for it. Updating the package should be safe in any order now.

  • Log SPAM - PHPSESSION 1 open sessions left at shutdown script…

    5
    0 Votes
    5 Posts
    2k Views
    P

    So likely the login session expired but the timer for refreshing the queue status was still trying to access the stats that were now telling the CSRF token was not valid anymore.

    This scenario should be fixed when this gets pulled: https://github.com/pfsense/pfsense/pull/3690

  • OpenVPN 2.4 AES-NI speed

    27
    0 Votes
    27 Posts
    25k Views
    V

    @virgiliomi:

    OpenVPN 2.4 adds support for the AES-GCM algorithm, which takes full advantage of the AES-NI hardware acceleration without also requiring the CPU to compute the hash for authentication. Up until OpenVPN 2.4, the only way to use that algorithm with pfSense was IPSEC, I believe. That lets you use your CPU for other functions rather than supporting the VPN connection. (yeah, technically it's all built into the processor, so it's really doing everything anyway, but AES-NI with AES-GCM doesn't affect CPU cycles available for other tasks).

    This is mostly not true/confused. AES-GCM is a new cryptographic mode that combines encryption and authentication instead of using a separate algorithm for authentication. (As was historically the case with AES+SHA1 or AES+SHA256 or AES+UMAC, etc.) GCM is dramatically faster than AES-CBC+HMAC on amd/intel architecture CPUs, especially those with the carry-less multiplication operators (PCLMULQDQ, etc.), because it pipelines well. It is not the case that AES-GCM "uses the AES-NI more", it's that the algorithm is simply more efficient on current CPUs. (The catch is that it's either slower or impossible to implement on other kinds of cryptographic accelerators, so it's generally less efficient on older mobile devices or things like intel's quick assist.) AES-GCM doesn't affect CPU cycles for other tasks any differently than AES-CBC except insofar as it may require fewer cycles. (You may be confusing AES-NI with older architectures which used a distinct processor for crypto: in those, you could do other things with the main CPU while the coprocessor was doing crypto.) You generally won't see a dramatic speedup moving OpenVPN to AES-GCM because its architecture prevents the CPU from being able to really crunch on large blocks of data. It'll be a somewhat more efficient (and more secure) option, but it won't work miracles.

    FWIW, the latest intel/amd CPUs include SHA acceleration, so there's hardware acceleration for both encryption and authentication with AES-CBC-SHA1 just as there is with AES-GCM (using AES-NI+PCLMULQDQ). AES-GCM is still faster. The fact that there is a faster cipher mode doesn't make a different cipher mode less accelerated–AES-CBC with AES-NI is still tremendously faster than AES-CBC without AES-NI.

  • Possible Bug with Suricata displaying snort2c Table?

    1
    0 Votes
    1 Posts
    545 Views
    No one has replied
  • [SOLVED] Problem setting static IP address

    6
    0 Votes
    6 Posts
    4k Views
    C

    The suggestion by chpalmer did work - and nice to know that it was an actual issue that has been fixed.

    Thanks a bunch!

    Marcello

  • Ntop probing alerts

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Will pfSense implement multiple IPsec Mobile Phase 1

    6
    0 Votes
    6 Posts
    2k Views
    D

    I'm curious, was looking at the IKE peer identifier tried as a way to distinguish between policies.  I used this method on Cisco's IKEv2 implementation as a means of distinguishing between Microsoft's IKE ID of remote ip address using 0.0.0.0 (i.e. any ip address), Strongswan presents the EAP username as the remote fqdn, and Cisco Anyconnect using key id which can be entered manually.

    This allowed me to 3 separate policies.  Also, it allowed me to reference a single algorithm policy with several configured so that the client can use the strongest one.

  • Support for Wildcard Domains in RFC 2136 DDNS

    1
    0 Votes
    1 Posts
    497 Views
    No one has replied
  • IFace sorting

    4
    0 Votes
    4 Posts
    1k Views
  • [Solved] pfsense 2.4.0-BETA 20170328 broken for ix 10GigE controller?

    10
    0 Votes
    10 Posts
    3k Views
    S

    @jimp:

    Apparently the driver is unstable with the options enabled that allow ALTQ to work. So they had to be disabled again. New build will be ready shortly with the drivers back to how they were originally (stable, but no ALTQ)

    Yep, the new build did the trick.

  • Physical Security Improvements

    6
    0 Votes
    6 Posts
    1k Views
    H

    @MattMeyer:

    Time cannot fix that last problem.

    I merely meant that over time we will find a way to solve it, not in the literal sense.  :)

    Cannot be solved, it's a fundamental issue. Like I said, we may find some in-betweens that are convenient, but the actual issues will never be solved because it's impossible to solve.

    You're asking, "Can we let the host know a secret without it knowing the secret?". The answer is no. What you can do is tell the host how to obtain a one-time use secret that you control.

    This is why I used DRM as an analogy. "How can we let the end user access something without accessing it". Obscurification is the best you can get.

    If the host has all of the information needed to run your VM, then there's nothing you can do to stop them. You can obscurify some of that data, but the data is there. Only a matter of time.

  • Sorting Interface Names

    4
    0 Votes
    4 Posts
    890 Views
  • HELP! Seemingly bizarre dhclient behavior on WAN

    29
    0 Votes
    29 Posts
    7k Views
    luckman212L

    Sorry for the long delay for such a simple PR, but I got a little busy last few days :P
    PR submitted: https://github.com/pfsense/pfsense/pull/3683

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.