@shimano:

Anybody has any news regarding this issue ?

Hi Shimano,

Thank you for providing the additional details.  I see from your replies that you are experiencing much the same issues as me, including the variations of behaviour across multiple platforms. I see no need to further badger you with interrogatory questions about why you're using a caching proxy, just to have you answer with the overtly obvious purpose of what a caching proxy does, so I'll move on to focus on the technical aspects of TCP/IP that would exhibit this type of performance behaviour differences between a router and a proxy, based on some years of experience working in multi-platform / multi-os environments and seeing this problem crop up when mixing various network connectivity topologies.

The basic jist is that although TCP/IP is the communication protocol that is common to all devices involved, how each OS & device implements it's version of TCP/IP tends to be unique; with Windows being a common culprit to suffer the most issues when something doesn't work right.

What I'm eluding to is a quite common problem in a mixed platform environment when using a proxy vs. a pure switch / router.  To be more specific about the TCP/IP protocols involved in this type of problem are things like MTU/MSS size, Path MTU discovery (PMTUD) (aka Black Hole Detection), traffic congestion controls, etc.

First, to understand the difference in behaviour between using squid and pfSense as a pure router; I'll clarify that Squid Proxy is not a router, so trying to compare pfSense acting as a pure router vs. a caching proxy is going to lead to chasing red herrings.

To explain a bit more detail; When only routing, TCP/IP protocol negotiation takes place between the client and the server, transiting the router.  So things like PMTUD and congestion controls are negotiated end to end (client <-> server).

But a proxy is an intercessor in the communication links between the client and server, such that the communication links are split up into two portions; the client to the proxy, and the proxy (acting as an external client on behalf of the internal client) to the server (client <-> proxy <-> server).

So, when the client negotiates it's TCP session, when transiting through a router, there is a single TCP session between client and server, but when using a proxy you have two separate TCP session, one from the client to the proxy, the other from the proxy to the server.  Both of these sessions must independently negotiate their TCP session parameters.

Thus it is in the nature of the differences of various OS TCP/IP implementations is where all the fun begins.

Squid is known for not playing well with PMTUD, especially if there is an upstream link, such as a VPN, involved that may be reducing the expected packet sizes, or interfering with PMTUD.  As well, Windows is somewhat notorious for signification performance issues if PMTU / Black Hole Detection, et all, can not be negotiated correctly.  Which is why Windows seems to be more impacted than 'nix clients.  And on occasion, you may even need to disable PMTUD / Black Hole Detection when using a proxy, to work around packet sizing issues that may not be otherwise resolvable.

And that's the short answer.

Much more involved answer includes digging into the protocol handshake to verify if PMTU discovery, among other things, is taking place or not when squid is used.  This involves doing some diagnostic testing to verify that TCP/IP packets are not being fragmented upstream, as well as packet traces of the communications from squid to the target server to see if proper packet sizing negotiations are taking place or being interfered with in some way.

Since these are pretty common problem, there's already quit a bit of info on the internet about dealing with PMTU / Black Hole Detection problems that you can search for.  To get you started, here's a good article describing these type of issues with squid & windows.

https://squidproxy.wordpress.com/2007/06/05/thinsg-to-look-at-if-websites-are-hanging/

Anyway these types of problems tend to be site / link specific, so you'll have to do some digging on your end to verify if this is the problem that is occurring for you.

And if you still need help diagnosing your issue, I would suggest that you provide more detail about your use case configuration, and how you are using your VPN link, in order for others to understand where your in/out packet flows are between your internal, external & VPN networks, and better understand where protocol negotiation issues may be occurring.

Hmmmm….

http://devpit.org/wiki/ZFS_Quick

DO NOT set recordsize > 128 KB on the filesystem containing /boot. (At least on FreeBSD 11.0 or before.) It will seem to work at first, until some day after you run freebsd-upgrade and new boot files are written with big blocks. Then gptzfsboot will fail with the error "blocks larger than 128k are not supported". To fix: boot from installation media, import the zpool, use "zfs set recordsize=128K tank/." to stop the effects on new files, and then rewrite the startup files with: "cp -PRp /boot/ /boot-new/ && mv -i /boot /boot-broken && mv -i /boot-new /boot && rm -rf /boot-broken". It may be surprising that rewriting these files actually gets the boot loader working reliably again even if there are larger blocks remaining outside of /boot, but it worked experimentally at least a few times.

Both 2.4.3r and 2.4.4a have the correct upgrade code to give valid xml for the new switch setting.

If you were using the 2.4.x development repo and simply upgraded from a 2.4.3a snap you will now get 2.4.4a. You need to select the Current Release Candidate repo in System > Updates to get 2.4.3r.

Both should work fine on the SG-3100 right now but more testing of the RC is appreciated.  :)

Steve

Thanks for your help Steve_B, I tried to delete that schedule and it just wouldn't. I eventually decided to manually edit the config.xml (not the safest things I know) and remove the schedules from there. This seems to have worked and I no longer get any errors or crashed.

Once again, thanks for pointing me in the right direction.

This forum has a lot of good things that I have not known.
Thanks for all the good forum.

While 2.4 isn't alpha anymore, the following posts might help people upgrading from 2.3.X to 2.4.X:

https://forum.pfsense.org/index.php?topic=140169.0

Thank you once again!

I can now confirm that this fix works.  I am running in a KVM/QEMU VM on AMD A8 based host under CentOS7, and using Opteron_G5 as the CPU type for the guest OS.


It works now thanks!

I have now upgraded to 2.4.3.a.20180306.1433, and IPSec is working again with strongswan-5.6.2_1.

Thank you for the help!

I had this same problem the other day with the same revision. My box most likely encountered this same error. And it seemed to have dropped the config file.

This simplest fix I found for this was manually assigning the LAN and WAN interfaces from the shell. At that point I was able to regain local access to my gateway. And then I just simply updated to the patched development build in the repository and reloaded my working config file.

Seemed a bit faster then manually going in with nano and applying the patch.

Let me know if this works for anyone else, although I suspect only a few of us applied the revision causing this issue.

Both loader.conf anf loader.conf.local are in place and in my case are not changed at all.

Since I don't use this setup anymore I can not comment problems you are facing now. I just know that shaper working on pf side and limiter is working on ipfw side, since it's two different firewalls there may be conflicts in their work.

I suggest you to create new topic in https://forum.pfsense.org/index.php?board=26.0

There were some changes to VLANs but the configuration upgrade process will handle those. Nothing would remove firewall rules, either.

Sounds like something made the upgrade fail to run all the way through properly. The rules may appear to be missing since the interfaces changed.

Did/do you see any errors in the logs or on the console?

Try restoring a config.xml backup of that system from 2.3 and see if it works properly that way.

As KPA corretly suggested, Github is the only place to find that. Specifically https://github.com/pfsense/pfsense/commits/master

Doh, looked right past what was staring me in the face.  :o

But it seems that this over-site is what flushed out the configuration saving problem.

Now that I've liberally sprinkled semicolons everywhere, I have been able to confirm that there is still some intermittent strangeness occurring when saving OpenVPN client configurations; specifically, the active running configuration gets updated, but the configuration database is not updated with the changes and is not isolated to the custom options section as it occurred with a couple of other gui checkbox settings as well.

So far here's what I been able to confirm:

Make a change to an OpenVPN client configuration and save that configuration.
Wait for client link and any restarted services to recover and link to stabalize.
Re-open client configuration edit pane.

At this point the client configuration will show the old configuration prior to being edited and saved.

Then to verify what state the current running OpenVPN configuration is at, go to ssh and login into firewall and open the active OpenVPN configuration file for the specific client (ie /var/etc/openvpn/client1.conf).

The configuration file will have the new saved changes active and running.

In order to eliminate any gui and browser cache issue at this workstation, go to a complete different computer, open a fresh browser window, login to pfSense and open the configuration editor for the specific OpenVPN client.

On this other computer the gui also shows the previous un-edited version of the configuration.

Go back and re-list the active OpenVPN configuration file to be sure nothing has changed and it still shows that new configuration settings.

Re-edit and re-save the configuration again, and repeat above, and now the new configuration settings are saved and appear in both the edit gui and the active configuration.

So, behavior also explains why configurations are breaking after a reboot; In the case where missing semicolons resulted in a broken configuration, editing to fix that results in the active config file being updated, and the link now working, but after reboot and the config file get's regenerated again from the old broken configuration because the change did not get updated to the configuration database.

I have not notice a cause as to when things don't get saved correctly other than using the procedure as describe above to note when it doesn't get saved in the gui, but isolated that the configuration change is being acted on, thus confirming that configuration changes are being generated to the active running configuration, but not being saved to the stored configuration database.

DO you see something in unbound logs?    Status/System Logs/System/DNS Resolver?

EDIT:
I've found something similar — https://redmine.pfsense.org/projects/pfsense/repository/revisions/4aa33c9557c95f2d909d00b62a4e660210be9971
but I don't see anybody reported exactly the same issue, you should create one.

I installed the driver, and that seems to be okay.

However I can’t get gwled or blinkled to start… is it just me?