@kiokoman

Redmine issue created:
https://redmine.pfsense.org/issues/11878

For this particular issue it would be the same on both

@daplumber and now an official Comcast Advanced Gateway, and an Arris S33. I don't think it's the CM.

Props to @Beerman

I was having the same issue at a site where fortunately the VPN is not mission critical. Your post pointed me in the right direction and it's now resolved.

New CA, server cert, user cert applied to the existing OpenVPN setup, new client config exported and it all works like it should.

It can be fun if you are into such things. In my younger days I did this with embedded systems things. Many of those used Intel or Texas Instruments embedded microprocessors with the code in EPROM. Dump the EPROM using a reader, start at the power-on reset vector in the EPROM code for the CPU and start disassembling the binary. I often wrote my own disassemblers using the datasheets from the CPU manufacturers to get the binary opcodes and their assembler mnemonics so I could properly code the disassembler.

I did it to satisfy my curiosity and not for nefarious purposes. Mostly just to see if I could do it. My wife did question my sanity at times when she found me poring over a stack of paper from a dot-matrix printer composed of pages of assembly code. I would be writing in comments as I figured out what a section of code was likely doing.

Luckily I recovered ... 😀, and no longer suffer from that yearning.

@virgiliomi

I think multiple factors may cause the crash, I think it involves FRR and wireguard.

i have report to wireguard admin.

@kinch

Yes that is exactly what I observed. It was a mix of new defaults in line with best practices that come with FRR 7.5 vs the 7.3 you would have been running on pfSense 2.4.5 as well as some bugs that are now in redmine.

If you see your BGP session as "Established" but your prefixes are not being announced checklist here:

In your environment, are the prefixes to be announced in your local RIB or are they not ? If not, you need to set a flag no bgp network import-check

This is sort of exposed in the GUI but currently broken because if you uncheck it in the GUI the new FRR 7.5 default means it is inherently enabled anyway. Thus you need to work with RAW CONFIG for now.

Do you have any sort of filtering for your announcements ? A route map or prefix list ? Or do you just go Services -> FRR BGP and drop the prefixes in there. If so, you will need to enable a policy to satisfy the new default of bgp ebgp-requires-policy

You could, but probably should not disabled this check with

no bgp ebgp-requires-policy

This is exposed in the GUI and seems to work but it is not regarded best practice. Better you create a prefix list with the stuff you want to announce and then attach it to your neighbor(s).

Edit: Since this effects 2.5.0-release and we are no longer using a dev snapshot: There is more detail in this thread I have in the FRR sub-forum

sysctl dev.cpu dev.cpu.3.temperature: 59.1C dev.cpu.3.cx_method: C1/hlt dev.cpu.3.cx_usage_counters: 32910065 dev.cpu.3.cx_usage: 100.00% last 214us dev.cpu.3.cx_lowest: C1 dev.cpu.3.cx_supported: C1/1/0 dev.cpu.3.%parent: acpi0 dev.cpu.3.%pnpinfo: _HID=none _UID=0 dev.cpu.3.%location: handle=\_PR_.P003 dev.cpu.3.%driver: cpu dev.cpu.3.%desc: ACPI CPU dev.cpu.2.temperature: 59.1C dev.cpu.2.cx_method: C1/hlt dev.cpu.2.cx_usage_counters: 37679235 dev.cpu.2.cx_usage: 100.00% last 236us dev.cpu.2.cx_lowest: C1 dev.cpu.2.cx_supported: C1/1/0 dev.cpu.2.%parent: acpi0 dev.cpu.2.%pnpinfo: _HID=none _UID=0 dev.cpu.2.%location: handle=\_PR_.P002 dev.cpu.2.%driver: cpu dev.cpu.2.%desc: ACPI CPU dev.cpu.1.temperature: 59.1C dev.cpu.1.cx_method: C1/hlt dev.cpu.1.cx_usage_counters: 32443366 dev.cpu.1.cx_usage: 100.00% last 337us dev.cpu.1.cx_lowest: C1 dev.cpu.1.cx_supported: C1/1/0 dev.cpu.1.%parent: acpi0 dev.cpu.1.%pnpinfo: _HID=none _UID=0 dev.cpu.1.%location: handle=\_PR_.P001 dev.cpu.1.%driver: cpu dev.cpu.1.%desc: ACPI CPU dev.cpu.0.temperature: 59.1C dev.cpu.0.cx_method: C1/hlt dev.cpu.0.cx_usage_counters: 35826705 dev.cpu.0.cx_usage: 100.00% last 195us dev.cpu.0.cx_lowest: C1 dev.cpu.0.cx_supported: C1/1/0 dev.cpu.0.freq_levels: 3600/19240 3200/14577 2800/10578 2400/6951 1900/4162 1400/2887 dev.cpu.0.freq: 3600 dev.cpu.0.%parent: acpi0 dev.cpu.0.%pnpinfo: _HID=none _UID=0 dev.cpu.0.%location: handle=\_PR_.P000 dev.cpu.0.%driver: cpu dev.cpu.0.%desc: ACPI CPU dev.cpu.%parent:

@bcruze no worries. The images for official Netgate appliances are never available on the website. Those are CE images for use with amd64 devices. I could use one on my SG-5100 for example. However, for the official images you will always have to request them from Netgate via a support ticket. They are super quick to respond when you do. I tend to do a clean install every time a new version is released so I back up my configuration, send the request to Netgate, and then get down to business once they give me a link to the image.

@behemyth

"When it is ready" (tm)

@griffo said in Updated and not sure what state it's in:

I've always logged in as root.

I just tried 'root' : works also. had the menu etc.
That is : it works for 2.4.5-p1 - I just noticed that your using a newer version....

@mfld

i have reply it. I have been reporting this problem for several years, and Jim doesn't believe it. This problem has always existed in this 2.5 system.But it runs much better in the 2.4.x system.I’m not a programmer, so I don’t know what has changed in the system, only Jim knows what has changed in the system.

@netnerdy Looks like this isn't completely true. Authentication seems to go away if I kill and restart wpa_supplicant. Instead I tried reruning the whole script (pfatt.sh) after the boot sequence. When I do that, I get a hard crash and the firewall reboots.

@jimp I am seeing that my sg-3100 on reboot is stuck at the blue lights (circle) flashing in a fast mode. None of the other lights flash either. This is a working device that has caused issue on reboot. Any ideas?

Thanks in advance

@jimp I'm fine with the update freeze, but I wanted to try wireguard on my 7100, and it isn't showing up on the 27 Nov build of 2.5.

Is that a bug in my upgrade or a difference between CE and Netgate builds?

Can confirm this is fixed. Just ran the 5th Feb 2021 ISO and it works.
Thanks for the quick fix!

@viktor_g

i done it. https://redmine.pfsense.org/issues/11369

https://redmine.pfsense.org/issues/11365

Thanks for the quick response. Will create a thread as suggested. Thanks.

@quarkz
thanks, i didn't find that on a previous search

@qsystems said in From 2.4.5_1 to 2.5.0.a.20210115.2350 - ipsec mobile client vpn certificate based no longer working:

Deleted all mobile configs and put back in the active config, unchecked group authentication under mobile client - extended configuration. It now works.

Could be related to group authentication, see https://redmine.pfsense.org/issues/10748

@viktor_g

Oh many thanks, removing all the P521 CAs, now Squid sees another type!
Thanks a lot for your help!

Best,

alt text

alt text
alt text
alt text
alt text
alt text
alt text
alt text
alt text
alt text
alt text
alt text
alt text

If you're just testing now (in the current snapshot) it should be in there already.

You can check /etc/inc/util.inc on line 2363. Should include ^wg.

Steve

@jegr

Seems already be fixed.

https://redmine.pfsense.org/issues/11249

@kiokoman said in Remove VMware MSI-X from the PCI blacklist.:

@Cool_Corona
it work ok with hw.pci.honor_msi_blacklist=0 the problem is that there should be no more need for it

Just to chime in here: setting it to 0 did help a lot in my ESXi deployment by bringing down IRQ CPU utilisation by ca factor 10 (with passed through Intel NICs).

It should be made the default or at least added to the tuning section in the docs not only for vmxnet NICs (already in there since some weeks ago) but also intel NICs passed through to a virtual pfsense.

@impatient
2.5.0.a.20201231.0250 is fine.

@techlw Seems so, tested it shortly four months ago and it seemed fine then.