    Since 3 days: Unable to check for updates

    2.0-RC Snapshot Feedback and Problems - RETIRED
    • G
      ggzengel last edited by

      on both systems.

      2.0-BETA4 (i386) built on Sat Dec 11 05:06:09 EST 2010
      2.0-BETA4 (amd64) built on Mon Dec 13 02:50:04 UTC 2010

      1 Reply Last reply Reply Quote 0
      • W
        wallabybob last edited by

        I haven't updated in a while. When this thing happened to me it was because the pfSense boxes were missing default routes. What is the output of the shell command:  netstat -rn

        Did you update firmware or was it a fresh install?

        1 Reply Last reply Reply Quote 0
        • G
          ggzengel last edited by

          Route is working.
          But "telnet snapshots.pfsense.org 80" is not responding.
          From LAN I can open http://snapshots.pfsense.org.

          [2.0-BETA4][admin@pfsense.hq2.local]/root(11): traceroute -n -w 1 snapshots.pfsense.org
          traceroute to snapshots.pfsense.org (69.64.6.6), 64 hops max, 52 byte packets
          1  10.125.0.1  6.266 ms  7.577 ms  5.947 ms
          2  80.69.102.241  8.566 ms  5.506 ms  8.476 ms
          3  80.69.107.105  6.075 ms  11.500 ms  6.988 ms
          4  80.69.107.101  13.969 ms  7.700 ms  8.192 ms
          5  80.69.107.201  52.649 ms  8.945 ms  7.664 ms
          6  213.203.213.13  9.002 ms  19.210 ms  8.583 ms
          7  212.162.49.33  8.676 ms  9.255 ms  10.199 ms
          8  4.69.139.1  12.052 ms  9.804 ms  8.545 ms
          9  4.69.143.166  13.255 ms
              4.69.143.174  11.585 ms *
          10  4.69.137.50  102.425 ms
              4.69.137.54  100.727 ms
              4.69.137.62  100.581 ms
          11  4.69.143.222  104.349 ms  102.443 ms  102.442 ms
          12  4.69.143.213  102.473 ms  104.601 ms  101.215 ms
          13  4.69.148.105  119.646 ms  123.892 ms  126.509 ms
          14  4.69.138.3  117.937 ms
              4.69.138.19  114.033 ms
              4.69.138.3  120.528 ms
          15  4.69.140.229  123.030 ms  122.178 ms  123.839 ms
          16  4.69.140.225  121.026 ms  118.301 ms  121.373 ms
          17  4.69.140.221  126.844 ms  127.826 ms  126.471 ms
          18  4.69.140.217  126.489 ms  124.715 ms  123.524 ms
          19  4.59.184.6  130.320 ms  130.337 ms  132.088 ms

          #System aliases
          
          loopback = "{ lo0 }"
          FRITZNET = "{ em0 }"
          LAN = "{ re0 }"
          CABLE = "{ em1 }"
          TDSL = "{ pppoe0 }"
          pptp = "{ pptp }"
          IPsec = "{ enc0 }"
          OpenVPN = "{ openvpn }"
          Internet = "{ Internet }"
          
          #SSH Lockout Table
          table <sshlockout> persist
          table <webconfiguratorlockout> persist
          #Snort2C table
          table <snort2c>
          table <virusprot>
          # User Aliases
          table <localnet> {   10.19.8.0/22 }
          LocalNet = "<localnet>"
          table <privatenetworks> {   192.168.0.0/16  172.16.0.0/12  10.0.0.0/8 }
          PrivateNetworks = "<privatenetworks>"
          table <remotenet> {   10.19.0.0/22 }
          RemoteNet = "<remotenet>"
          
          # Gateways
          GWL3_Switch = " route-to ( re0 10.19.9.1 ) "
          GWCABLE = " route-to ( em1 178.202.184.1 ) "
          GWFritzbox = " route-to ( em0 192.168.178.1 ) "
          GWTDSL = " route-to ( pppoe0 217.0.118.161 ) "
          GWInternet_GW = "  route-to { ( em1 178.202.184.1 )  }  "
          
          set loginterface em0
          set loginterface re0
          set loginterface em1
          set loginterface pppoe0
          set optimization normal
          set limit states 96000
          set limit src-nodes 96000
          
          set skip on pfsync0
          
          scrub in on $FRITZNET all  random-id  fragment reassemble
          scrub in on $LAN all  random-id  fragment reassemble
          scrub in on $CABLE all  random-id  fragment reassemble
          scrub in on $TDSL all  random-id  fragment reassemble
          
          nat-anchor "natearly/*"
          nat-anchor "natrules/*"
          
          # Outbound NAT rules
          nat on $CABLE  from any to any -> 178.202.184.244/32 port 1024:65535
          nat on $TDSL  from any to any -> 79.212.38.103/32 port 1024:65535
          nat on $CABLE  proto udp from any to any port 500 -> 178.202.184.244/32 static-port
          nat on $TDSL  proto udp from any to any port 500 -> 79.212.38.103/32 static-port
          
          # Load balancing anchor
          rdr-anchor "relayd/*"
          # TFTP proxy
          rdr-anchor "tftp-proxy/*"
          table <vpns> { 10.19.0.0/22 }
          table <direct_networks> { 192.168.178.0/24 10.19.9.0/24 178.202.184.0/23 79.212.38.103/32 10.10.10.10/32 }
          # UPnPd rdr anchor
          rdr-anchor "miniupnpd"
          
          anchor "relayd/*"
          #---------------------------------------------------------------------------
          # default deny rules
          #---------------------------------------------------------------------------
          block in log all label "Default deny rule"
          block out log all label "Default deny rule"
          
          # We use the mighty pf, we cannot be fooled.
          block quick proto { tcp, udp } from any port = 0 to any
          block quick proto { tcp, udp } from any to any port = 0
          
          # Block all IPv6
          block in quick inet6 all
          block out quick inet6 all
          
          # snort2c
          block quick from <snort2c> to any label "Block snort2c hosts"
          block quick from any to <snort2c> label "Block snort2c hosts"
          
          # SSH lockout
          block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
          
          # webConfigurator lockout
          block in log quick proto tcp from <webconfiguratorlockout> to any port 443 label "webConfiguratorlockout"
          block in quick from <virusprot> to any label "virusprot overload table"
          table <bogons> persist file "/etc/bogons"
          # block bogon networks
          # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
          block in log quick on $FRITZNET from <bogons> to any label "block bogon networks from FRITZNET"
          antispoof for em0
          antispoof for re0
          # block bogon networks
          # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
          block in log quick on $CABLE from <bogons> to any label "block bogon networks from CABLE"
          antispoof for em1
          # allow our DHCP client out to the CABLE
          pass in on $CABLE proto udp from any port = 67 to any port = 68 label "allow dhcp client out CABLE"
          pass out on $CABLE proto udp from any port = 68 to any port = 67 label "allow dhcp client out CABLE"
          # Not installing DHCP server firewall rules for CABLE which is configured for DHCP.
          # block bogon networks
          # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
          block in log quick on $TDSL from <bogons> to any label "block bogon networks from TDSL"
          antispoof for pppoe0
          # block anything from private networks on interfaces with the option set
          antispoof for $TDSL
          block in log quick on $TDSL from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
          block in log quick on $TDSL from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
          block in log quick on $TDSL from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
          block in log quick on $TDSL from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
          
          # loopback
          pass in on $loopback all label "pass loopback"
          pass out on $loopback all label "pass loopback"
          
          # let out anything from the firewall host itself and decrypted IPsec traffic
          pass out all keep state allow-opts label "let out anything from firewall host itself"
          pass out route-to ( em0 192.168.178.1 ) from 192.168.178.99 to !192.168.178.0/24 keep state allow-opts label "let out anything from firewall host itself"
          pass out route-to ( em1 178.202.184.1 ) from 178.202.184.244 to !178.202.184.0/23 keep state allow-opts label "let out anything from firewall host itself"
          pass out route-to ( pppoe0 217.0.118.161 ) from 79.212.38.103 to !79.212.38.103/32 keep state allow-opts label "let out anything from firewall host itself"
          pass out on $IPsec all keep state label "IPsec internal host to host"
          # make sure the user cannot lock himself out of the webConfigurator or SSH
          pass in quick on re0 proto tcp from any to (re0) port { 80 443  22 } keep state label "anti-lockout rule"
          # PPTPd rules
          pass in on $FRITZNET proto tcp from any to 192.168.178.99 port = 1723 modulate state label "allow pptpd 192.168.178.99"
          
          # User-defined rules follow
          pass  in  quick  on $LAN  from   $LocalNet to   $PrivateNetworks keep state  label "USER_RULE: Allow traffic to private networks"
          pass  in  quick  on $LAN  $GWInternet_GW  from   $LocalNet to  ! $PrivateNetworks keep state  label "USER_RULE: Allow LAN to internet rule"
          pass  in  quick  on $Internet  proto esp  from any to any keep state  label "USER_RULE: IPSEC ESP"
          pass  in  quick  on $Internet  proto udp  from any to any port 500  keep state  label "USER_RULE: IPSEC UDP 500"
          pass  in  quick  on $Internet  proto tcp  from any to any port 443  flags S/SA keep state  label "USER_RULE: HTTPS"
          pass  in  quick  on $Internet  proto gre  from any to any keep state  label "USER_RULE: PPTP GRE"
          pass  in  quick  on $Internet  proto tcp  from any to any port 1723  flags S/SA keep state  label "USER_RULE: PPTP TCP"
          pass  in  quick  on $Internet  inet proto icmp  from any to any icmp-type echoreq keep state  label "USER_RULE: PING"
          pass  in  quick  on $Internet  proto tcp  from any to any port 22  flags S/SA keep state  label "USER_RULE: SSH"
          pass  in  quick  on $IPsec  from any to   10.19.8.0/22 keep state  label "USER_RULE"
          pass  in  quick  on $pptp  from any to   10.19.8.0/22 keep state  label "USER_RULE"
          
          # VPN Rules
          pass out on $CABLE  route-to ( em1 178.202.184.1 )  proto udp from any to 178.26.171.103 port = 500 keep state label \"IPsec: KWH - outbound isakmp\"
          pass in on $CABLE  reply-to ( em1 178.202.184.1 )  proto udp from 178.26.171.103 to any port = 500 keep state label \"IPsec: KWH - inbound isakmp\"
          pass out on $CABLE  route-to ( em1 178.202.184.1 )  proto esp from any to 178.26.171.103 keep state label \"IPsec: KWH - outbound esp proto\"
          pass in on $CABLE  reply-to ( em1 178.202.184.1 )  proto esp from 178.26.171.103 to any keep state label \"IPsec: KWH - inbound esp proto\"
          anchor "tftp-proxy/*"
          
          # uPnPd
          anchor "miniupnpd"
          
          1 Reply Last reply Reply Quote 0
          • G
            ggzengel last edited by

            Some more info from packet capture.

            [2.0-BETA4][admin@pfsense.hq1.local]/root(8): telnet snapshots.pfsense.org 80
            Trying 69.64.6.6…
            telnet: connect to address 69.64.6.6: Operation timed out
            telnet: Unable to connect to remote host

            17:52:43.442120 00:0f:c9:04:db:6f > 00:01:5c:31:0d:80, ethertype IPv4 (0x0800), length 74: (tos 0x10, ttl 64, id 3836, offset 0, flags [DF], proto TCP (6), length 60)
                178.26.171.103.27769 > 69.64.6.6.80: Flags [S], cksum 0xd7ef (incorrect -> 0x6bbc), seq 2475046977, win 65228, options [mss 1460,nop,wscale 3,sackOK,TS val 150860580 ecr 0], length 0
            17:52:46.441518 00:0f:c9:04:db:6f > 00:01:5c:31:0d:80, ethertype IPv4 (0x0800), length 74: (tos 0x10, ttl 64, id 35871, offset 0, flags [DF], proto TCP (6), length 60)
                178.26.171.103.27769 > 69.64.6.6.80: Flags [S], cksum 0xd7ef (incorrect -> 0x6004), seq 2475046977, win 65228, options [mss 1460,nop,wscale 3,sackOK,TS val 150863580 ecr 0], length 0
            17:52:49.641525 00:0f:c9:04:db:6f > 00:01:5c:31:0d:80, ethertype IPv4 (0x0800), length 74: (tos 0x10, ttl 64, id 51717, offset 0, flags [DF], proto TCP (6), length 60)
                178.26.171.103.27769 > 69.64.6.6.80: Flags [S], cksum 0xd7ef (incorrect -> 0x5384), seq 2475046977, win 65228, options [mss 1460,nop,wscale 3,sackOK,TS val 150866780 ecr 0], length 0
            17:52:52.841553 00:0f:c9:04:db:6f > 00:01:5c:31:0d:80, ethertype IPv4 (0x0800), length 62: (tos 0x10, ttl 64, id 36006, offset 0, flags [DF], proto TCP (6), length 48)
                178.26.171.103.27769 > 69.64.6.6.80: Flags [S], cksum 0xd7e3 (incorrect -> 0xa3fa), seq 2475046977, win 65228, options [mss 1460,sackOK,eol], length 0
            17:52:56.041532 00:0f:c9:04:db:6f > 00:01:5c:31:0d:80, ethertype IPv4 (0x0800), length 62: (tos 0x10, ttl 64, id 65414, offset 0, flags [DF], proto TCP (6), length 48)
                178.26.171.103.27769 > 69.64.6.6.80: Flags [S], cksum 0xd7e3 (incorrect -> 0xa3fa), seq 2475046977, win 65228, options [mss 1460,sackOK,eol], length 0
            17:52:59.241529 00:0f:c9:04:db:6f > 00:01:5c:31:0d:80, ethertype IPv4 (0x0800), length 62: (tos 0x10, ttl 64, id 51073, offset 0, flags [DF], proto TCP (6), length 48)
                178.26.171.103.27769 > 69.64.6.6.80: Flags [S], cksum 0xd7e3 (incorrect -> 0xa3fa), seq 2475046977, win 65228, options [mss 1460,sackOK,eol], length 0
            17:53:05.441530 00:0f:c9:04:db:6f > 00:01:5c:31:0d:80, ethertype IPv4 (0x0800), length 62: (tos 0x10, ttl 64, id 9832, offset 0, flags [DF], proto TCP (6), length 48)
                178.26.171.103.27769 > 69.64.6.6.80: Flags [S], cksum 0xd7e3 (incorrect -> 0xa3fa), seq 2475046977, win 65228, options [mss 1460,sackOK,eol], length 0
            17:53:17.641545 00:0f:c9:04:db:6f > 00:01:5c:31:0d:80, ethertype IPv4 (0x0800), length 62: (tos 0x10, ttl 64, id 41951, offset 0, flags [DF], proto TCP (6), length 48)
                178.26.171.103.27769 > 69.64.6.6.80: Flags [S], cksum 0xd7e3 (incorrect -> 0xa3fa), seq 2475046977, win 65228, options [mss 1460,sackOK,eol], length 0
            17:53:41.841542 00:0f:c9:04:db:6f > 00:01:5c:31:0d:80, ethertype IPv4 (0x0800), length 62: (tos 0x10, ttl 64, id 36724, offset 0, flags [DF], proto TCP (6), length 48)
                178.26.171.103.27769 > 69.64.6.6.80: Flags [S], cksum 0xd7e3 (incorrect -> 0xa3fa), seq 2475046977, win 65228, options [mss 1460,sackOK,eol], length 0
            
            1 Reply Last reply Reply Quote 0
            • jimp
              jimp Rebel Alliance Developer Netgate last edited by

              Look at ifconfig -a, arp -a, and netstat -rn

              What has the MAC of  00:01:5c:31:0d:80 ?

              Does a capture of a LAN host going to the snapshots site also look the same?

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

              1 Reply Last reply Reply Quote 0
              • G
                ggzengel last edited by

                00:01:5c:31:0d:80 is the cable provider gateway

                ifconfig -a

                em0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
                        options=219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC>
                        ether 00:0f:c9:04:db:6a
                        media: Ethernet autoselect
                        status: no carrier
                em1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
                        options=219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC>
                        ether 00:0f:c9:04:db:6b
                        media: Ethernet autoselect
                        status: no carrier
                em2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
                        options=219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC>
                        ether 00:0f:c9:04:db:6c
                        media: Ethernet autoselect
                        status: no carrier
                em3: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
                        options=219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC>
                        ether 00:0f:c9:04:db:6d
                        media: Ethernet autoselect
                        status: no carrier
                em4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                        options=2098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
                        ether 00:0f:c9:04:db:6e
                        inet 10.19.0.10 netmask 0xffffff00 broadcast 10.19.0.255
                        inet6 fe80::20f:c9ff:fe04:db6e%em4 prefixlen 64 scopeid 0x5
                        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
                        media: Ethernet autoselect (1000baseT <full-duplex>)
                        status: active
                em5: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                        options=2098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
                        ether 00:0f:c9:04:db:6f
                        inet6 fe80::20f:c9ff:fe04:db6f%em5 prefixlen 64 scopeid 0x6
                        inet 178.26.171.103 netmask 0xfffffc00 broadcast 178.26.171.255
                        inet 192.168.100.199 netmask 0xffffff00 broadcast 192.168.100.255
                        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
                        media: Ethernet autoselect (100baseTX <full-duplex>)
                        status: active
                pflog0: flags=100<PROMISC> metric 0 mtu 33128
                enc0: flags=0<> metric 0 mtu 1536
                lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
                        options=3<RXCSUM,TXCSUM>
                        inet 127.0.0.1 netmask 0xff000000
                        inet6 ::1 prefixlen 128
                        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x9
                        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
                pfsync0: flags=0<> metric 0 mtu 1460
                        syncpeer: 224.0.0.240 maxupd: 128
                

                arp -a

                178-26-171-103-dynip.superkabel.de (178.26.171.103) at 00:0f:c9:04:db:6f on em5 permanent [ethernet]
                ? (192.168.100.199) at 00:0f:c9:04:db:6f on em5 permanent [ethernet]
                178-26-171-254-dynip.superkabel.de (178.26.171.254) at 00:01:5c:31:0d:80 on em5 expires in 1184 seconds [ethernet]
                pfsense.hq1.local (10.19.0.10) at 00:0f:c9:04:db:6e on em4 permanent [ethernet]
                switch1.hq1.local (10.19.0.1) at 00:24:a8:d1:b1:c0 on em4 expires in 866 seconds [ethernet]
                
                

                netstat -rn

                [2.0-BETA4][admin@pfsense.hq1.local]/root(6): netstat -rn
                Routing tables
                
                Internet:
                Destination        Gateway            Flags    Refs      Use  Netif Expire
                default            178.26.171.254     UGS         0    13160    em5
                8.8.8.8            178.26.171.254     UGHS        0      140    em5
                10.0.0.0/8         10.19.0.1          UGS         0    54465    em4
                10.19.0.0/24       link#5             U           0      439    em4
                10.19.0.10         link#5             UHS         0        0    lo0
                83.169.185.33      00:0f:c9:04:db:6f  UHS         0        0    em5
                83.169.185.97      00:0f:c9:04:db:6f  UHS         0        0    em5
                127.0.0.1          link#9             UH          0      281    lo0
                172.16.0.0/12      10.19.0.1          UGS         0     1917    em4
                178.26.168.0/22    link#6             U           0      431    em5
                178.26.171.103     link#6             UHS         0        0    lo0
                192.168.0.0/16     10.19.0.1          UGS         0    12346    em4
                192.168.100.0/24   link#6             U           0       22    em5
                192.168.100.199    link#6             UHS         0        0    lo0
                
                Internet6:
                Destination                       Gateway                       Flags      Netif Expire
                ::1                               ::1                           UH          lo0
                fe80::%em4/64                     link#5                        U           em4
                fe80::20f:c9ff:fe04:db6e%em4      link#5                        UHS         lo0
                fe80::%em5/64                     link#6                        U           em5
                fe80::20f:c9ff:fe04:db6f%em5      link#6                        UHS         lo0
                fe80::%lo0/64                     link#9                        U           lo0
                fe80::1%lo0                       link#9                        UHS         lo0
                ff01:5::/32                       fe80::20f:c9ff:fe04:db6e%em4  U           em4
                ff01:6::/32                       fe80::20f:c9ff:fe04:db6f%em5  U           em5
                ff01:9::/32                       ::1                           U           lo0
                ff02::%em4/32                     fe80::20f:c9ff:fe04:db6e%em4  U           em4
                ff02::%em5/32                     fe80::20f:c9ff:fe04:db6f%em5  U           em5
                ff02::%lo0/32                     ::1                           U           lo0
                
                

                from lan:

                18:19:31.088984 00:0f:c9:04:db:6f > 00:01:5c:31:0d:80, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 126, id 29945, offset 0, flags [DF], proto TCP (6), length 48)
                    178.26.171.103.61899 > 69.64.6.6.80: Flags [S], cksum 0xf5e8 (correct), seq 465221272, win 8192, options [mss 1460,nop,nop,sackOK], length 0
                18:19:31.214411 00:01:5c:31:0d:80 > 00:0f:c9:04:db:6f, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 44, id 36224, offset 0, flags [DF], proto TCP (6), length 48)
                    69.64.6.6.80 > 178.26.171.103.61899: Flags [S.], cksum 0xe973 (correct), seq 3346687466, ack 465221273, win 65535, options [mss 1460,sackOK,eol], length 0
                18:19:31.214864 00:0f:c9:04:db:6f > 00:01:5c:31:0d:80, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 126, id 9312, offset 0, flags [DF], proto TCP (6), length 40)
                    178.26.171.103.61899 > 69.64.6.6.80: Flags [.], cksum 0x1a46 (correct), seq 1, ack 1, win 64240, length 0
                18:19:34.538216 00:0f:c9:04:db:6f > 00:01:5c:31:0d:80, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 126, id 29286, offset 0, flags [DF], proto TCP (6), length 40)
                    178.26.171.103.61899 > 69.64.6.6.80: Flags [F.], cksum 0x1a45 (correct), seq 1, ack 1, win 64240, length 0
                18:19:34.663185 00:01:5c:31:0d:80 > 00:0f:c9:04:db:6f, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 44, id 26650, offset 0, flags [DF], proto TCP (6), length 40)
                    69.64.6.6.80 > 178.26.171.103.61899: Flags [.], cksum 0x1536 (correct), seq 1, ack 2, win 65535, length 0
                18:19:34.663281 00:01:5c:31:0d:80 > 00:0f:c9:04:db:6f, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 44, id 3364, offset 0, flags [DF], proto TCP (6), length 40)
                    69.64.6.6.80 > 178.26.171.103.61899: Flags [F.], cksum 0x1535 (correct), seq 1, ack 2, win 65535, length 0
                18:19:34.663614 00:0f:c9:04:db:6f > 00:01:5c:31:0d:80, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 126, id 43592, offset 0, flags [DF], proto TCP (6), length 40)
                    178.26.171.103.61899 > 69.64.6.6.80: Flags [.], cksum 0x1a44 (correct), seq 2, ack 2, win 64240, length 0
                
                1 Reply Last reply Reply Quote 0
                • F
                  FisherKing last edited by

                  This appears to be the same problem I'm seeing.  TCP / UDP traffic is blocked if it originates from the pfSense box, but traffic passes fine from all other interfaces.  Routing looks correct.  I can post details as well if that will help.

                  My WAN IP is assigned via PPPoE.

                  1 Reply Last reply Reply Quote 0
                  • jimp
                    jimp Rebel Alliance Developer Netgate last edited by

                    Under System > Advanced on the Network tab, ensure that the boxes are checked to disable hardware checksums, tso, and lro.

                    If they're already disabled, try enabling them, though from the ifconfig output, Checksums and TSO appear enabled.

                    1 Reply Last reply Reply Quote 0
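The comparison asked for earlier in the thread (a capture of traffic originating on the firewall versus a capture of a LAN host reaching the same site), as an added Python example that is not part of the original posts. The function names `summarise` and `diagnose` are hypothetical, and the sample input is abridged from the two captures posted above. Note that tcpdump run on the sending host reports `cksum ... (incorrect)` whenever the checksum is left for the NIC to fill in, so that flag alone does not prove the packet was bad on the wire.

```python
import re

# Sample input: abridged from the two tcpdump captures posted in this thread
# (TCP options trimmed, later retransmissions dropped).
FIREWALL_CAPTURE = """\
17:52:43.442120 00:0f:c9:04:db:6f > 00:01:5c:31:0d:80, ethertype IPv4 (0x0800), length 74: (tos 0x10, ttl 64, id 3836, offset 0, flags [DF], proto TCP (6), length 60)
    178.26.171.103.27769 > 69.64.6.6.80: Flags [S], cksum 0xd7ef (incorrect -> 0x6bbc), seq 2475046977, win 65228, length 0
    178.26.171.103.27769 > 69.64.6.6.80: Flags [S], cksum 0xd7ef (incorrect -> 0x6004), seq 2475046977, win 65228, length 0
    178.26.171.103.27769 > 69.64.6.6.80: Flags [S], cksum 0xd7ef (incorrect -> 0x5384), seq 2475046977, win 65228, length 0
"""

LAN_CAPTURE = """\
    178.26.171.103.61899 > 69.64.6.6.80: Flags [S], cksum 0xf5e8 (correct), seq 465221272, win 8192, length 0
    69.64.6.6.80 > 178.26.171.103.61899: Flags [S.], cksum 0xe973 (correct), seq 3346687466, ack 465221273, win 65535, length 0
    178.26.171.103.61899 > 69.64.6.6.80: Flags [.], cksum 0x1a46 (correct), seq 1, ack 1, win 64240, length 0
"""

# Matches the TCP summary line of `tcpdump -e -v` style output; the
# link-layer/IP header line above each packet does not match and is skipped.
PKT = re.compile(
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\], cksum 0x[0-9a-f]+ "
    r"\((?P<ck>correct|incorrect)[^)]*\), seq (?P<seq>\d+)"
)


def summarise(capture_text):
    """Group packets into flows keyed by (client, server) taken from the first SYN."""
    flows = {}
    for line in capture_text.splitlines():
        m = PKT.search(line)
        if m is None:
            continue
        # Normalise case: pasted captures sometimes lowercase the flag letters.
        flags = m["flags"].upper()
        src = (m["src"], int(m["sport"]))
        dst = (m["dst"], int(m["dport"]))
        if "S" in flags and "." not in flags:
            # Bare SYN: opens the flow, or is a retry of it.
            flow = flows.setdefault(
                (src, dst),
                {"syn": 0, "syn_seqs": set(), "synack": False, "bad_cksum_out": 0},
            )
            flow["syn"] += 1
            flow["syn_seqs"].add(int(m["seq"]))
            outbound = True
        elif (src, dst) in flows:
            flow, outbound = flows[(src, dst)], True
        elif (dst, src) in flows:
            flow, outbound = flows[(dst, src)], False
            if "S" in flags:
                flow["synack"] = True  # SYN+ACK coming back from the server
        else:
            continue  # packet of a flow whose SYN is not in the capture
        if outbound and m["ck"] == "incorrect":
            flow["bad_cksum_out"] += 1
    return flows


def diagnose(flow):
    """One-line verdict for a flow summary produced by summarise()."""
    if flow["synack"]:
        return "handshake completed"
    if flow["syn"] > 1 and len(flow["syn_seqs"]) == 1:
        kind = "transmissions of the same SYN"
    else:
        kind = "SYN attempt(s)"
    verdict = "no SYN-ACK seen: %d %s" % (flow["syn"], kind)
    if flow["bad_cksum_out"]:
        verdict += "; %d outbound packet(s) with cksum reported incorrect" % (
            flow["bad_cksum_out"]
        )
    return verdict


if __name__ == "__main__":
    for name, text in (("firewall", FIREWALL_CAPTURE), ("lan host", LAN_CAPTURE)):
        for (client, server), flow in summarise(text).items():
            print("%-8s %s:%d -> %s:%d  %s" % ((name,) + client + server + (diagnose(flow),)))
```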
                    • G
                      ggzengel last edited by

                      I tried on and off and rebooted.

                      1 Reply Last reply Reply Quote 0
                      • G
                        ggzengel last edited by

                        System 1 [i386]:

                        em0: <Intel(R) PRO/1000 Network Connection 7.1.8> port 0x9f00-0x9f1f mem 0xfd9c0000-0xfd9dffff,0xfd9fc000-0xfd9fffff irq 16 at device 0.0 on pci1
                        em0: Using MSIX interrupts with 3 vectors
                        em1: <Intel(R) PRO/1000 Network Connection 7.1.8> port 0xdf00-0xdf1f mem 0xfd5c0000-0xfd5dffff,0xfd5fc000-0xfd5fffff irq 17 at device 0.0 on pci2
                        em1: Using MSIX interrupts with 3 vectors
                        em2: <Intel(R) PRO/1000 Network Connection 7.1.8> port 0xcf00-0xcf1f mem 0xfddc0000-0xfdddffff,0xfddfc000-0xfddfffff irq 18 at device 0.0 on pci3
                        em2: Using MSIX interrupts with 3 vectors
                        em3: <Intel(R) PRO/1000 Network Connection 7.1.8> port 0xbf00-0xbf1f mem 0xfdbe0000-0xfdbfffff,0xfdbc0000-0xfdbdffff irq 19 at device 0.0 on pci4
                        em3: Using an MSI interrupt
                        em4: <Intel(R) PRO/1000 Legacy Network Connection 1.0.3> port 0xaf00-0xaf3f mem 0xfd8e0000-0xfd8fffff irq 19 at device 10.0 on pci5
                        em4: [FILTER]
                        em5: <Intel(R) PRO/1000 Legacy Network Connection 1.0.3> port 0xae00-0xae3f mem 0xfd8c0000-0xfd8dffff irq 18 at device 11.0 on pci5
                        em5: [FILTER]
                        

                        System 2: [amd64]

                        rlphy0: <RealTek internal media interface> PHY 0 on miibus0
                        rlphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
                        em0: <Intel(R) PRO/1000 Network Connection 7.1.8> port 0xc200-0xc21f mem 0xf30c0000-0xf30dffff,0xf3000000-0xf307ffff,0xf3100000-0xf3103fff irq 36 at device 5.0 on pci0
                        em0: Using MSIX interrupts with 3 vectors
                        em1: <Intel(R) PRO/1000 Network Connection 7.1.8> port 0xc220-0xc23f mem 0xf30e0000-0xf30fffff,0xf3104000-0xf3107fff irq 40 at device 6.0 on pci0
                        em1: Using MSIX interrupts with 3 vectors
                        
                        1 Reply Last reply Reply Quote 0
                        • G
                          ggzengel last edited by

                          sysctl -a | grep tso
                          The values don't change if I change it in the GUI.

                          
                          net.inet.tcp.tso: 1
                          hw.bce.tso_enable: 1
                          dev.em.0.mac_stats.tso_txd: 0
                          dev.em.0.mac_stats.tso_ctx_fail: 0
                          dev.em.1.mac_stats.tso_txd: 0
                          dev.em.1.mac_stats.tso_ctx_fail: 0
                          dev.em.2.mac_stats.tso_txd: 0
                          dev.em.2.mac_stats.tso_ctx_fail: 0
                          dev.em.3.mac_stats.tso_txd: 0
                          dev.em.3.mac_stats.tso_ctx_fail: 0
                          dev.em.4.mac_stats.tso_txd: 0
                          dev.em.4.mac_stats.tso_ctx_fail: 0
                          dev.em.5.mac_stats.tso_txd: 0
                          dev.em.5.mac_stats.tso_ctx_fail: 0
                          
                          
                          1 Reply Last reply Reply Quote 0
                          • jimp
                            jimp Rebel Alliance Developer Netgate last edited by

                            I have an amd64 firmware I built without a certain patch that was added last week. It has fixed a few issues for me and I'm curious if it would fix them for you as well.

                            Try to load this firmware on the amd64 system (be sure to grab a config backup just in case) and see if the behavior changes. I'm running this firmware on an amd64 VM of mine so it should be OK.

                            http://pingle.org/files/pfSense-Full-Update-2.0-BETA4-20101212-2328.tgz

                            Either try that with a console update by URL, or if that doesn't work, download it to a client machine and then upload it using the GUI.

                            1 Reply Last reply Reply Quote 0
                            • G
                              ggzengel last edited by

                              The amd64 system is off-site.
                              And I couldn't be there the next 3 days.
                              You don't have the i386 version?

                              • jimp
                                jimp Rebel Alliance Developer Netgate last edited by

                                No, I don't have an i386 builder setup on my workstation right now. I might be able to set one up but it probably wouldn't be today.

                                • jimp
                                  jimp Rebel Alliance Developer Netgate last edited by

                                  OK, I got one for i386 done now.

                                  The URLs for both are:

                                  amd64 - http://pingle.org/files/pfSense-Full-Update-2.0-BETA4-20101212-2328.tgz

                                  i386 - http://pingle.org/files/pfSense-Full-Update-2.0-BETA4-20101214-1319.tgz

                                  Give it a try, see if it helps.

                                  • S
                                    Supermule Banned last edited by

                                    Do these snaps come online so one can update?

                                    I just can't get the 2.0 running…..everything seems fine, but it ain't routing....

                                    Don't have any logs, because I got so pissed that I deleted the VM :D

                                    • jimp
                                      jimp Rebel Alliance Developer Netgate last edited by

                                      @Supermule:

                                      Do these snaps come online so one can update?

                                      I just can't get the 2.0 running…..everything seems fine, but it ain't routing....

                                      Don't have any logs, because I got so pissed that I deleted the VM :D

                                      The links I posted are not full installs, just firmware updates, and they were only intended to be used to assist the person who started this thread. If your problem isn't exactly the same, start a new thread.

                                      • S
                                        Supermule Banned last edited by

                                        Thx buddy!

                                        I did…

                                        http://forum.pfsense.org/index.php/topic,31066.0.html

                                        :)

                                        @jimp:

                                        @Supermule:

                                        Do these snaps come online so one can update?

                                        I just can't get the 2.0 running…..everything seems fine, but it ain't routing....

                                        Don't have any logs, because I got so pissed that I deleted the VM :D

                                        The links I posted are not full installs, just firmware updates, and they were only intended to be used to assist the person who started this thread. If your problem isn't exactly the same, start a new thread.

                                        • F
                                          FisherKing last edited by

                                          I've installed the i386 update and that has solved the problem for me.  Thanks JimP!

                                          • G
                                            ggzengel last edited by

                                            Thank you.
                                            It's working.
                                            What's the trick?

                                            • jimp
                                              jimp Rebel Alliance Developer Netgate last edited by

                                              There is a patch meant to fix pf's behavior with TSO and checksums, but it seems to be causing a few other problems.

                                              EDIT: I disabled the patch in the repo and have a new snapshot building now. The next new snapshot dated after this update should be OK.
