Just upgraded from 2.3.3 to 2.4.0, bug is fixed, Problem solved! :D

No, if you are restoring from older version to new or upgrading, then this section is just moved, but it would be good if pfsense cleans unmodified/unused values and leaves or merges only user modified entries.

Too quick, my bad…
First dashboard viewing after the update, showed outbound traffic graphs but after a refresh, it stopped working.
So still an issue for me.

https://redmine.pfsense.org/issues/7102#note-9

yeah I know, but its still shrewd to have it not listening as one should never rely on just one security layer.

yeah anytime you change the file structure your going to have to reinstall stuff.

Here's a procedure that may be better for testing this without the VM/hard reset induced gap.  Basically run the backups manually from command prompt.  Then after applying the patch, halt to stop cleanly.  Using halt should be more UFS friendly than doing a dirty/hostile hard reset.  Whereas ZFS doesn't seem to mind the hard reset.

Enable RAM Disk

Percolate some monitoring data for a few minutes.

Run the backups manually from console command prompt.
/etc/rc.backup_aliastables.sh
/etc/rc.backup_dhcpleases.sh
/etc/rc.backup_rrd.sh

Apply the patch.
playback gitsync –minimal --diff --show-files git://github.com/NOYB/pfsense.git RAM_Disk_Management

Stop and restart so the system upgrades.
halt

Check upgrade result.
a) Verify monitoring graphs and RAM disk backup files.
b) Reboot
c) Verify monitoring graphs and RAM disk backup files.

Ok thanks Chrys.  I have tried a new ssd but it still crashed after that.  I will test the ram if I get any more , latest snapshot so far so good…

is there lag between commit and code on updates?

I updated this morning but no DUID box in WAN settings.

Apologies I just read marjohn's post and it is there, I was looking in wrong place.

OK, so I apparently misread things in one place or another and was wrong here. OpenVPN docs can be quite detailed but they lacked some detail here that could have made things much more clear.

The OpenVPN 2.4 client installs a service, OpenVPNServiceInteractive ("OpenVPN Interactive Service") and sets it to run.
As long as that service is running, the OpenVPN 2.4 GUI will talk to the service and it does not require Admin privileges.

So the manager is no longer needed, it seems. More testing would be appreciated.

While I am updating it for OpenVPN 2.4, I'm going to remove the manager from the OpenVPN client export package as it is no longer necessary.

Just wanted to update for closures sakes

After a few weeks of trying to fix it i think i finally have my zotac box stable, no "watchdog timeout" and loss of WAN IP under heavy load in about 8 days. Longest run ever.

Need to test for a longer period of time for stability , but what i did was compile the latest realtek freeBSD driver (1.92) and load it on start up using kldload. Seems ok for now.

Before all this NOTHING was working stable. Always crashed on the WAN ip (watchdog timeout) no matter what interface it was assigned to (re0 - re1)

Nothing needs selected for OpenVPN to utilize AES-NI. The OpenSSL engine has its own code for handling AES-NI that works well without using the BSD Cryptodev Engine.

Source: https://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported#OpenVPN

Not sure where "OpenVPN should be set for AES-128-CBC and have cryptodev enabled for hardware acceleration" comes from, I think it might be valid for ALIX boards with "Geode LX Security Block" selected.

Thanks  for sorting. Seems all good now.

@PiBa:

Yes that is the general idea behind it, get the headers just before they are 'required', and quite a bit 'cleaner' than my previous solution :D. its even including some cleanup and a bugfix for another provider. If you could verify that it works properly for you as i don't use CloudFlare which seems to be the most curl involved option in that location.. Ill send a pullrequest to get it integrated.

Sorry I didn't test this sooner but this worked!  I'll have to make a new thread requesting to add a checkbox or something to only use the domain part of the update. I did fix it myself by adding a condition that if there is only an underscore in the hostname, then only use the domain part.

Yeah confirmed…
Disabled Ipsec, rebooted only one box and all works as expected...

great thanks :)

@amiskell:

Simple solution is to create a dataset for those types of applications (ntop/squid/etc) and put a quota on them so they can't exceed a certain capacity with their outputted data.

you beat me to it, if there is concern on here about zfs filling up then it may be a good idea to have the installer set a quota for the data filsets to 95% or so of capacity making the deadlock situation impossible.

I have a lo of experience with both zfs and ufs on FreeBSD tho and I am very confident in saying zfs is by far the safer filesystem.

My pfsense box has a 60gig ssd of which 3.3gig is used, I think I will be ok. :)