No longer starts up after the restart

BBcan177

Are these Full installs of pfSense or are they Nano/Ramdisk type installs?

At bootup, what does it show on the terminal window? Also look at the system log for any errors.

iccws

The installation is on ESXi 5.5. After disable the pfblockerNG all is working. I have new installed pfsense and the same issue after "force update" pfblockerng

kejianshi

Was pfblockerNG a recent addition or recent update?

BBcan177

The only boot issues with pfBNG was with Nano/Ramdisk installs. On reboot the /var folder is wiped and this caused a 60 second delay per defined alias. This was fixed in the latest release where the aliases are archived and restored at reboot. This was only an issue for Nano/ramdisk installs with the older versions.

From what limited info is given, he doesn't seem to be running a Nano version.

Take a look at the pfblockerng.log for any errors. Also do you see any "-" in the widget packet counts? Maybe post a screenshot of the widget.

To start fresh, disable "keep settings" and disable pfBNG. Click "save" then re-enable these two settings. Then run a "Force Update". Follow the log output as it is presented in realtime and any errors will be indicated there.

kejianshi

I'm sure it can be fixed - But installing or updating that package would count as screwing with both boxes.

These things don't normally just become flakey without having been touched.

BBcan177

@iccws:

Hello together
i have or had running two pfSense 2.2.
Today I have both rebooted but without success. No machines is booting.

I would assume that he is referring to the same VM but different snapshots? Even if they were in carp, only the settings are sync'd, so I can't see how he can be having the same pfctl error (assuming this with limited feedback) on two different boxes.

iccws

Hello together
Thanks for your answers.
A short update:
One of the two boxes did never start up. I have it reinstalled. It was stopping on "configuring firewall".
After the new installation I have installed reverse proxy and postfix. All is working well.
The second box is also working well but when I enable pfblockerng, incoming and outgoing traffic is blocked without logging. I can see nothing.
The pfSense are installed on several ESX.

Very very short output from "System Log"
check_reload_status: Reloading filter
Mar 9 21:13:58 php: pfblockerng.php: [pfBlockerNG] Starting sync process.
Mar 9 21:13:58 check_reload_status: Syncing firewall
Mar 9 21:13:58 check_reload_status: Syncing firewall
Mar 9 21:13:50 check_reload_status: Syncing firewall
Mar 9 21:13:50 php-fpm[70844]: /pkg_edit.php: [pfBlockerNG] Starting sync process.

All time the same in the log.

Output from pfblockeng:
UPDATE PROCESS START [ 03/09/15 21:32:47 ]

[ pfB_Africa_v4 ] exists, Reloading File

[ pfB_Asia_v4 ] exists, Reloading File

[ pfB_Europe_v4 ] exists, Reloading File

[ pfB_NAmerica_v4 ] exists, Reloading File

[ pfB_Oceania_v4 ] exists, Reloading File

[ pfB_SAmerica_v4 ] exists, Reloading File

[ pfB_Top_v4 ] exists, Reloading File

[ pfB_PS_v4 ] exists, Reloading File

===[  Aliastables / Rules  ]================================

No Changes to Firewall Rules, Skipping Filter Reload

No Changes to Aliases, Skipping pfctl Update

UPDATE PROCESS ENDED

BBcan177

I would suggest that you read this thread :

https://forum.pfsense.org/index.php?topic=86212.msg486644#msg486644

Do you see any "-" in the widget packet count column?

You can enable "global" logging in the General tab or you can enable logging selectively in each alias.

iccws

Thanks for your answer BBcan177
But I think the problem is, the list have not all Countrys IP's. I can't find the IP of the country what I will permit. All is blocking without two countrys what I have unselected  but the IP is not in the list also it's also blocked

I will now read your link.

iccws

What for strange world…......
I have read your url and now all is working.
I have changed the settings. First I did block the world without two countries, bad idea! Now I have selected only two countries what is allowed and now it's working.

Thanks for your help!

BBcan177

Yes, it's not a good idea to block with almost all of the countries selected. In regards to your boot issue, you should have previously received "pfctl" memory failure notifications??

Also, unless you have open wan ports, you should use "permit outbound" rules as pfSense is a state full firewall by design.

pfBlockerNG, is more than a country blocker, you should read the thread I linked above for other threat source lists which can help protect your network from known malicious ips.