• My virtualized pfSense is no longer stable after updating packages.
    I see this in the console:

    vmx0 TX0: fail 'head > kring->rtail && head < kring->rhead' h 378 c 378 t 350 rh 379 rc 379 rt 350 hc 379 ht 350
    617.404235 [1766] netmap_ring_reinit called for vmx0 TX0

    Crash report begins. Anonymous machine information:

    amd64
    11.3-STABLE
    FreeBSD 11.3-STABLE #243 abf8cba50ce(RELENG_2_4_5): Tue Jun 2 17:53:37 EDT 2020 root@buildbot1-nyi.netgate.com:/build/ce-crossbuild-245/obj/amd64/YNx4Qq3j/build/ce-crossbuild-245/sources/FreeBSD-src/sys/pfSense

    Crash report details:

    No PHP errors found.

    Filename: /var/crash/info.0 textdump.tar.0
    Dump header from device: /dev/gptid/3612226b-10fe-11e8-9ca2-000c29b82252
    Architecture: amd64
    Architecture Version: 1
    Dump Length: 96256
    Blocksize: 512
    Dumptime: Tue Aug 25 02:01:25 2020
    Hostname: XXXX
    Magic: FreeBSD Text Dump
    Version String: FreeBSD 11.3-STABLE #243 abf8cba50ce(RELENG_2_4_5): Tue Jun 2 17:53:37 EDT 2020
    root@buildbot1-nyi.netgate.com:/build/ce-crossbuild-245/obj/amd64/YNx4Qq3j/build/ce-crossbuild-245/source
    Panic String: general protection fault
    Dump Parity: 4031454225
    Bounds: 0
    Dump Status: good

    Filename: /var/crash/info.1.0 textdump.tar.1.0
    Dump header from device: /dev/gptid/3612226b-10fe-11e8-9ca2-000c29b82252
    Architecture: amd64
    Architecture Version: 1
    Dump Length: 123904
    Blocksize: 512
    Dumptime: Tue Aug 25 03:34:54 2020
    Hostname: XXX
    Magic: FreeBSD Text Dump
    Version String: FreeBSD 11.3-STABLE #243 abf8cba50ce(RELENG_2_4_5): Tue Jun 2 17:53:37 EDT 2020
    root@buildbot1-nyi.netgate.com:/build/ce-crossbuild-245/obj/amd64/YNx4Qq3j/build/ce-crossbuild-245/source
    Panic String: general protection fault
    Dump Parity: 2615745553
    Bounds: 1
    Dump Status: good

    Any thoughts before trying to restore the snapshot?



  • I have been using Suricata with inline mode blocking since June ... so far so good, so why is it crashing now? I think the crash comes from it. Is inline mode not compatible with ESXi and the vmx driver?

    The line I see in the log seems to be Suricata-related: when I stop the service ... no line anymore ...

    I used Snort until now ... but you removed the Barnyard functionality ... so I switched to Suricata AND HAVE STOPPED UPDATING IT (I have the last version with Barnyard) ...

    It's really not easy to switch to another log monitoring solution (Barnyard and Snorby are sooo easy to deploy with Docker and need very few resources) ....

    A Docker setup with at least Elasticsearch nodes and some sort of Grafana needs soooo much RAM ... and seems less easy to understand and deploy ...

    So for now I have switched to Suricata LEGACY block mode and will see if the crashes stop ...

    LONG LIVE BARNYARD !!!!! (and if you have an easy solution to replace it, TELL ME HOW !!! ;)))

    Have a nice day, people!


  • Barnyard2 is dead, so you really need to start looking for an alternative. It will no longer be in any of the IDS/IPS packages available for pfSense. In fact, Suricata upstream has totally removed Unified2 file support needed by Barnyard effective with version 6 which will be out in about a month or so.

    If you are trying to use the old version of the Suricata package with the latest pfSense update (2.4.5_p1), then you are going to have some issues. Switching to Legacy Mode Blocking will help with the netmap device incompatibility, but you may run into other stability problems due to the older shared libraries pulled in with the older Suricata package.

    The older Suricata binary also contained a netmap code bug that was fixed by Suricata upstream. By using the older Suricata binary in the older pfSense package, you very well may be encountering that Netmap bug and subsequent crash.
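
Added example, not part of the thread and not code from pfSense, Suricata or netmap: a small Python triage helper for the symptoms discussed above. It parses the netmap ring-check failure and `netmap_ring_reinit` console lines and the textdump `info` headers, then flags when ring resets and panics occur together. The sample input is constructed from lines quoted in the first post; the function names and the mapping of the printed `h`/`rt`/`rh` labels to `head`, `kring->rtail` and `kring->rhead` are assumptions.

```python
import re
from collections import Counter

# Constructed sample input: console lines and a few info-file header fields
# copied from the first post (other header fields omitted).
CONSOLE = """\
vmx0 TX0: fail 'head > kring->rtail && head < kring->rhead' h 378 c 378 t 350 rh 379 rc 379 rt 350 hc 379 ht 350
617.404235 [1766] netmap_ring_reinit called for vmx0 TX0
"""
INFO_FILES = {
    "info.0": "Dumptime: Tue Aug 25 02:01:25 2020\nPanic String: general protection fault\nDump Status: good\n",
    "info.1.0": "Dumptime: Tue Aug 25 03:34:54 2020\nPanic String: general protection fault\nDump Status: good\n",
}

FAIL_RE = re.compile(r"^(\w+) ((?:TX|RX)\d+): fail '([^']+)' (.+)$")
REINIT_RE = re.compile(r"netmap_ring_reinit called for (\w+) ((?:TX|RX)\d+)")

def ring_failures(log):
    """Return one dict per netmap sanity-check failure line."""
    out = []
    for line in log.splitlines():
        m = FAIL_RE.match(line.strip())
        if m:
            idx = {k: int(v) for k, v in re.findall(r"([a-z]+) (\d+)", m.group(4))}
            out.append({"iface": m.group(1), "ring": m.group(2),
                        "check": m.group(3), "idx": idx})
    return out

def head_regressed(f):
    """Re-evaluate the printed check (assumed mapping: h=head, rt=kring->rtail, rh=kring->rhead)."""
    i = f["idx"]
    return f["check"].startswith("head > kring->rtail") and i["rt"] < i["h"] < i["rh"]

def reinit_counts(log):
    """Count netmap_ring_reinit messages per (interface, ring)."""
    return Counter(REINIT_RE.findall(log))

def parse_info(text):
    """Parse the 'Key: value' header of a textdump info file."""
    return dict(line.split(": ", 1) for line in text.splitlines() if ": " in line)

def triage(log, info_files):
    """Summarise ring resets and panics; co-occurrence is a hint, not proof of cause."""
    parsed = ((name, parse_info(text)) for name, text in sorted(info_files.items()))
    panics = [(n, f.get("Dumptime"), f.get("Panic String")) for n, f in parsed]
    resets = reinit_counts(log)
    return {"resets": dict(resets), "panics": panics,
            "netmap_suspect": bool(resets) and bool(panics)}

if __name__ == "__main__":
    print(ring_failures(CONSOLE))
    print(triage(CONSOLE, INFO_FILES))
```

If the reset count drops to zero after switching to Legacy Mode Blocking while the same interface stays in use, that supports the netmap explanation given in the reply above.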


  • Thanks for your answer bmeeks ;) Switching to legacy mode seems to have fixed the crashes.

    Please tell me what the alternatives are to have "the same thing", to point me in the right direction ...

    The only way I see is to use packet traffic / graphdb or Elasticsearch and a third content displayer like Grafana??? IT'S SUPER HEAVY TO DEPLOY and needs a third grade in IT management !!

    And worse, it needs a lot of RAM (maybe ... 3 GB???) ... a Docker with Snorby and a database is 300 MB of RAM (for home use) ....

    rhhaaaa ... sun is shining, it's summer! ... I don't want to spend 15 hours deploying that ... please tell me there is another easy solution to do the same thing ;)

    Have a nice day!


  • @maba said in Pfsense crash after package update ...:

    Thanks for your answer bmeeks ;) Switching to legacy mode seems to have fixed the crashes.

    Please tell me what the alternatives are to have "the same thing", to point me in the right direction ...

    The only way I see is to use packet traffic / graphdb or Elasticsearch and a third content displayer like Grafana??? IT'S SUPER HEAVY TO DEPLOY and needs a third grade in IT management !!

    And worse, it needs a lot of RAM (maybe ... 3 GB???) ... a Docker with Snorby and a database is 300 MB of RAM (for home use) ....

    rhhaaaa ... sun is shining, it's summer! ... I don't want to spend 15 hours deploying that ... please tell me there is another easy solution to do the same thing ;)

    Have a nice day!

    Is Snorby still being actively maintained? I took a quick look at the GitHub site and all the changes seemed to be several years old. I once ran Snorby as well, but Barnyard2 and MySQL frequently misbehaved and pegged my firewall at 100% CPU. I also nearly always had issues trying to update Snorby through the very frustrating Ruby on Rails architecture. Not now, and never have been, a fan of Ruby ... 😞.

    The most common tools I've seen and heard about from users are Grafana and ELK (in various forms). The two most popular methods for exporting logs from pfSense to the database and monitoring platform are Logstash and Filebeat.

    pfSense user @kiokoman posted details about his Grafana setup in this thread.


  • Snorby is old and abandoned ... it's nearly impossible to install on the latest Debian with the Ruby crap (dependency problems) ...

    But Docker saves the day! It can install old crappy libraries on the latest version of a server ;)) With Docker, Snorby is easy to install AND you can remove the old Ruby crap in one click if it's not needed anymore ;)

    OK, I will go with the ELK thing ... I will learn something at least ...

    Thanks for your link ;) I will look ;) Have a nice day ;))