pfSense Plus and SG-3100
-
So after I went back to the factory settings and set it up again I had no problems with pfBlocker installed. Recently I set up an OpenVPN client and I am seeing the php cor edumps again. So maybe it is related to openvpn?
-
The problem is within PHP itself on 32-bit ARM platforms. It will manifest itself in different packages at somewhat randomly differing places. Almost every installed package in pfSense makes use of PHP GUI code at some point. Depending on exactly what parts and pieces of PHP are in operation at any given moment, the bug may surface- or it may not.
In the case of the Snort and Suricata packages, the bug is triggered by successive calls to the preg_match() regex function of PHP.
So trying to find a particular package to blame is pointless, unless you pin it where the actual problem lives -- in PHP itself. Adding or removing particular packages, or reinstalling them, or reconfiguring them may appear to give temporary relief, but it's not a real fix. The only fix is within PHP itself.
If you remove all packages and run a plain-vanilla pfSense setup on your SG-3100, it will probably run fine. That's because the base pfSense code, for the most part, appears to not be using the PHP functions that cause the problem on 32-bit ARM platforms. But a number of the add-on packages will call those troublesome PHP functions and thus trigger the bug.
-
Looks like pfSense Plus 21.05 just came out, and this issue is still not fixed. And no word from anyone at Netgate either in this forum or the redmine issue.
-
Try the patch to disable PHP PCRE JIT on #11466 Note 32.
You can install the System Patches package and then create an entry for the patch URL
https://redmine.pfsense.org/attachments/download/3707/patch-disable-pcrejit-arm.diffto apply the fix.Then run console menu options 16 and 11 to restart PHP and the GUI, or reboot.
-
Applied the patch, thanks Jimp.
Can you confirm if the D28821 fix was ported to 21.05 version?
I got a few php dumps before installing packets, while reloading filters. -
@mcury said in pfSense Plus and SG-3100:
Applied the patch, thanks Jimp.
Can you confirm if the D28821 fix was ported to 21.05 version?
I got a few php dumps before installing packets, while reloading filters.Yes, the patch from https://reviews.freebsd.org/D28821 is present in the FreeBSD source for 21.05.
-
@jimp has this patch been confirmed as a workaround for the php issue?
-
@jimp Do I need to run the patch for the new release, or is it already part of it?
-
@cornel The patch for the PHP crashing issue is in note 32 here and is not in 21.05. Apply via the System Patches package.
-
I was getting php errors in 21.05, so I applied this patch.. No more problems noticed.. It seems pretty stable now..
pfblockerng is running perfectly with this patch, along with openvpn and ipsec.
Didn't test snort/suricata..
-
@mcury Thanks!
I bit the bullet and pressed update...
Update was a total failure. Fortunately the pfSense support team is very responsive. A link for the download image was sent in the same minute as I created the ticket. Installed image, restored from backup, applied the patch and up and running again!
Errors I got in console after I pressed update were many lines of:
UFS /dev/diskid/DISK-E937110023s2a (/) cylinder checksum failed: cg 124, cgp: 0x0 != bp: 0xe911d0ad
UFS /dev/diskid/DISK-E937110023s2a (/) cylinder checksum failed: cg 125, cgp: 0x0 != bp: 0x381abb22
UFS /dev/diskid/DISK-E937110023s2a (/) cylinder checksum failed: cg 126, cgp: 0x0 != bp: 0x4eeb7142 -
I updated to 21.05 too, had no problems updating. Also applied the patch. Thanks for the help!
