Critical issues with 2.3CE nanobsd amd64 4g on SD card



  • Hello,

    since my previous configuration on 2.2.6 suddenly stopped DNS resolving at all (even after restoring a working config), I decided to restore to factory defaults.

    So today the first thing was the message for a new upgrade, did that.

    Now it is 2.3 (absolutely don't like the new theme, takes longer to load also) and the version check never ends. Why's that so?

    As this new pfsense is for a branch office, I am preconfiguring it currently behind our main pfsense, so WAN is static and it's still fresh, so nothing else configured than WAN and LAN gateways.

    Regards,

    Mel



  • Sounds like you're staging it in a way that it can't yet get to the Internet? That'll make it stick there (which will slow down the GUI in general some).



  • But it can get to the internet (after all it upgraded itself this way), ping works (for IP and DNS), client (I'm typing from it) has internet, too.

    I also don't see anything being blocked in the (for now used as WAN gateway on this pfsense) main pfsense.

    Where else can I check this?

    Edit: Just to see, I ticked "Disable hardware checksum offload" and rebooted, no difference. Ofc I can't get packages with this issue, too.



  • Maybe it's related, maybe not but I did not have this issue on 2.2.6

    When trying to change a monitoring IP for a gateway I get the error message
    "Unable to open /cf/conf/config.xml for writing in write_config()"

    What can I do now?



  • So now I get these crash errors every few minutes after I did a reboot (and the pfsense is after the 3rd reboot able to check for packages and update status)

    Crash report begins.  Anonymous machine information:

    amd64
    10.3-RELEASE
    FreeBSD 10.3-RELEASE #6 05adf0a(RELENG_2_3_0): Mon Apr 11 18:52:07 CDT 2016    root@ce23-amd64-builder:/builder/pfsense-230/tmp/obj/builder/pfsense-230/tmp/FreeBSD-src/sys/pfSense

    Crash report details:

    PHP Errors:
    [13-Apr-2016 11:28:01 Europe/Berlin] PHP Stack trace:
    [13-Apr-2016 11:28:01 Europe/Berlin] PHP  1. {main}() /usr/local/www/system_gateways_edit.php:0
    [13-Apr-2016 11:28:01 Europe/Berlin] PHP  2. write_config() /usr/local/www/system_gateways_edit.php:544
    [13-Apr-2016 11:28:01 Europe/Berlin] PHP  3. backup_config() /etc/inc/config.lib.inc:553
    [13-Apr-2016 11:28:01 Europe/Berlin] PHP  4. copy() /etc/inc/config.lib.inc:920
    [13-Apr-2016 11:28:01 Europe/Berlin] PHP Stack trace:
    [13-Apr-2016 11:28:01 Europe/Berlin] PHP  1. {main}() /usr/local/www/system_gateways_edit.php:0
    [13-Apr-2016 11:28:01 Europe/Berlin] PHP  2. write_config() /usr/local/www/system_gateways_edit.php:544
    [13-Apr-2016 11:28:01 Europe/Berlin] PHP  3. backup_config() /etc/inc/config.lib.inc:553
    [13-Apr-2016 11:28:01 Europe/Berlin] PHP  4. filesize() /etc/inc/config.lib.inc:927
    [13-Apr-2016 11:28:01 Europe/Berlin] PHP Stack trace:
    [13-Apr-2016 11:28:01 Europe/Berlin] PHP  1. {main}() /usr/local/www/system_gateways_edit.php:0
    [13-Apr-2016 11:28:01 Europe/Berlin] PHP  2. write_config() /usr/local/www/system_gateways_edit.php:544
    [13-Apr-2016 11:28:01 Europe/Berlin] PHP  3. backup_config() /etc/inc/config.lib.inc:553
    [13-Apr-2016 11:28:01 Europe/Berlin] PHP  4. fopen() /etc/inc/config.lib.inc:928
    [13-Apr-2016 11:28:01 Europe/Berlin] PHP Stack trace:
    [13-Apr-2016 11:28:01 Europe/Berlin] PHP  1. {main}() /usr/local/www/system_gateways_edit.php:0
    [13-Apr-2016 11:28:01 Europe/Berlin] PHP  2. write_config() /usr/local/www/system_gateways_edit.php:544
    [13-Apr-2016 11:28:01 Europe/Berlin] PHP  3. backup_config() /etc/inc/config.lib.inc:553
    [13-Apr-2016 11:28:01 Europe/Berlin] PHP  4. fwrite() /etc/inc/config.lib.inc:929
    [13-Apr-2016 11:28:01 Europe/Berlin] PHP Stack trace:
    [13-Apr-2016 11:28:01 Europe/Berlin] PHP  1. {main}() /usr/local/www/system_gateways_edit.php:0
    [13-Apr-2016 11:28:01 Europe/Berlin] PHP  2. write_config() /usr/local/www/system_gateways_edit.php:544
    [13-Apr-2016 11:28:01 Europe/Berlin] PHP  3. backup_config() /etc/inc/config.lib.inc:553
    [13-Apr-2016 11:28:01 Europe/Berlin] PHP  4. fclose() /etc/inc/config.lib.inc:930
    [13-Apr-2016 11:28:01 Europe/Berlin] PHP Stack trace:
    [13-Apr-2016 11:28:01 Europe/Berlin] PHP  1. {main}() /usr/local/www/system_gateways_edit.php:0
    [13-Apr-2016 11:28:01 Europe/Berlin] PHP  2. write_config() /usr/local/www/system_gateways_edit.php:544
    [13-Apr-2016 11:28:01 Europe/Berlin] PHP  3. safe_write_file() /etc/inc/config.lib.inc:565
    [13-Apr-2016 11:28:01 Europe/Berlin] PHP  4. fopen() /etc/inc/config.lib.inc:495

    The hardware is completely new (at least from a customer view), so the CF should work w/o problems. (2.2.6 was pre-installed, bought so I would not have the work to do all this)

    So I tried to set nanobsd to read/write always but get this message

    Warning: copy(/cf/conf/backup/config-1460536801.xml): failed to open stream: Read-only file system in /etc/inc/config.lib.inc on line 920
    Call Stack:
    0.0002 231792 1. {main}() /usr/local/www/diag_nanobsd.php:0
    0.2315 1227704 2. write_config() /usr/local/www/diag_nanobsd.php:134
    0.2318 1228104 3. backup_config() /etc/inc/config.lib.inc:553
    0.2324 1228368 4. copy() /etc/inc/config.lib.inc:920

    Warning: filesize(): stat failed for /cf/conf/backup/config-1460536801.xml in /etc/inc/config.lib.inc on line 927
    Call Stack:
    0.0002 231792 1. {main}() /usr/local/www/diag_nanobsd.php:0
    0.2315 1227704 2. write_config() /usr/local/www/diag_nanobsd.php:134
    0.2318 1228104 3. backup_config() /etc/inc/config.lib.inc:553
    0.2341 1234064 4. filesize() /etc/inc/config.lib.inc:927

    Warning: fopen(/cf/conf/backup/backup.cache): failed to open stream: Read-only file system in /etc/inc/config.lib.inc on line 928
    Call Stack:
    0.0002 231792 1. {main}() /usr/local/www/diag_nanobsd.php:0
    0.2315 1227704 2. write_config() /usr/local/www/diag_nanobsd.php:134
    0.2318 1228104 3. backup_config() /etc/inc/config.lib.inc:553
    0.2351 1234456 4. fopen() /etc/inc/config.lib.inc:928

    Warning: fwrite() expects parameter 1 to be resource, boolean given in /etc/inc/config.lib.inc on line 929
    Call Stack:
    0.0002 231792 1. {main}() /usr/local/www/diag_nanobsd.php:0
    0.2315 1227704 2. write_config() /usr/local/www/diag_nanobsd.php:134
    0.2318 1228104 3. backup_config() /etc/inc/config.lib.inc:553
    0.2361 1235512 4. fwrite() /etc/inc/config.lib.inc:929

    Warning: fclose() expects parameter 1 to be resource, boolean given in /etc/inc/config.lib.inc on line 930
    Call Stack:
    0.0002 231792 1. {main}() /usr/local/www/diag_nanobsd.php:0
    0.2315 1227704 2. write_config() /usr/local/www/diag_nanobsd.php:134
    0.2318 1228104 3. backup_config() /etc/inc/config.lib.inc:553
    0.2370 1234440 4. fclose() /etc/inc/config.lib.inc:930

    Warning: fopen(/cf/conf/config.xml.49850): failed to open stream: Read-only file system in /etc/inc/config.lib.inc on line 495
    Call Stack:
    0.0002 231792 1. {main}() /usr/local/www/diag_nanobsd.php:0
    0.2315 1227704 2. write_config() /usr/local/www/diag_nanobsd.php:134
    0.2730 1259504 3. safe_write_file() /etc/inc/config.lib.inc:565
    0.2730 1259696 4. fopen() /etc/inc/config.lib.inc:495



  • OK I am rolling back now, thanks for the trouble.

    I now took a brand new SDHC CF card, wrote the nanobsd amd 64 4g on it, set it all up and the moment I change the gateway's monitoring IP I get this crash report again.

    Crash report begins.  Anonymous machine information:

    amd64
    10.3-RELEASE
    FreeBSD 10.3-RELEASE #6 05adf0a(RELENG_2_3_0): Mon Apr 11 18:52:07 CDT 2016    root@ce23-amd64-builder:/builder/pfsense-230/tmp/obj/builder/pfsense-230/tmp/FreeBSD-src/sys/pfSense

    Crash report details:

    PHP Errors:
    [13-Apr-2016 12:15:16 Europe/Berlin] PHP Stack trace:
    [13-Apr-2016 12:15:16 Europe/Berlin] PHP  1. {main}() /usr/local/www/system_gateways_edit.php:0
    [13-Apr-2016 12:15:16 Europe/Berlin] PHP  2. write_config() /usr/local/www/system_gateways_edit.php:544
    [13-Apr-2016 12:15:16 Europe/Berlin] PHP  3. backup_config() /etc/inc/config.lib.inc:553
    [13-Apr-2016 12:15:16 Europe/Berlin] PHP  4. copy() /etc/inc/config.lib.inc:920
    [13-Apr-2016 12:15:16 Europe/Berlin] PHP Stack trace:
    [13-Apr-2016 12:15:16 Europe/Berlin] PHP  1. {main}() /usr/local/www/system_gateways_edit.php:0
    [13-Apr-2016 12:15:16 Europe/Berlin] PHP  2. write_config() /usr/local/www/system_gateways_edit.php:544
    [13-Apr-2016 12:15:16 Europe/Berlin] PHP  3. backup_config() /etc/inc/config.lib.inc:553
    [13-Apr-2016 12:15:16 Europe/Berlin] PHP  4. filesize() /etc/inc/config.lib.inc:927
    [13-Apr-2016 12:15:16 Europe/Berlin] PHP Stack trace:
    [13-Apr-2016 12:15:16 Europe/Berlin] PHP  1. {main}() /usr/local/www/system_gateways_edit.php:0
    [13-Apr-2016 12:15:16 Europe/Berlin] PHP  2. write_config() /usr/local/www/system_gateways_edit.php:544
    [13-Apr-2016 12:15:16 Europe/Berlin] PHP  3. backup_config() /etc/inc/config.lib.inc:553
    [13-Apr-2016 12:15:16 Europe/Berlin] PHP  4. fopen() /etc/inc/config.lib.inc:928
    [13-Apr-2016 12:15:16 Europe/Berlin] PHP Stack trace:
    [13-Apr-2016 12:15:16 Europe/Berlin] PHP  1. {main}() /usr/local/www/system_gateways_edit.php:0
    [13-Apr-2016 12:15:16 Europe/Berlin] PHP  2. write_config() /usr/local/www/system_gateways_edit.php:544
    [13-Apr-2016 12:15:16 Europe/Berlin] PHP  3. backup_config() /etc/inc/config.lib.inc:553
    [13-Apr-2016 12:15:16 Europe/Berlin] PHP  4. fwrite() /etc/inc/config.lib.inc:929
    [13-Apr-2016 12:15:16 Europe/Berlin] PHP Stack trace:
    [13-Apr-2016 12:15:16 Europe/Berlin] PHP  1. {main}() /usr/local/www/system_gateways_edit.php:0
    [13-Apr-2016 12:15:16 Europe/Berlin] PHP  2. write_config() /usr/local/www/system_gateways_edit.php:544
    [13-Apr-2016 12:15:16 Europe/Berlin] PHP  3. backup_config() /etc/inc/config.lib.inc:553
    [13-Apr-2016 12:15:16 Europe/Berlin] PHP  4. fclose() /etc/inc/config.lib.inc:930

    And on this new install pfsense was also not able to check its version.

    Anyway, then I enabled OPT1 again, changed the name, set it up as static, too, put the IP in and save + apply.
    After that (so when it was all applied and the new name was working) I wanted to add the gateway (still at this menu) and bam

    Unable to open /cf/conf/config.xml for writing in write_config()

    I doubt two new CF cards, from different companies, are at fault.

    So I have to roll back.

    Oh, the funny thing: The issue I had when I created that topic is then gone when I enable ALL interfaces. When OPT1 was enabled, pfsense was able to check for updates (though there is no active link on OPT1, only WAN and LAN have active links and cables connected). Before that: endless mode.

    EHM, where do I get an old 2.2.6 version? I don't have one for nanobsd and on http://files.pfsense.org/mirror/downloads/old/ I only see 2.2.5.

    EDIT: So on 2.2.5 everything works, but you cannot upgrade to 2.2.6 only to 2.3



  • Check out here for 2.2.6:
    http://files.pfsense.org/mirror/downloads/
    (seems they forgot to move the files to the /old/ subdirectory)


  • Rebel Alliance Developer Netgate

    Sounds like the disk was stuck read only. If that happens again, go to Diag > NanoBSD and see if you can nudge it RW. And while you're there, just set the box to keep it RW permanently.



  • @jimp:

    Sounds like the disk was stuck read only. If that happens again, go to Diag > NanoBSD and see if you can nudge it RW. And while you're there, just set the box to keep it RW permanently.

    I did write that I tried that and was not able to do so, see my 2nd last comment, bottom part.
    And as it was with both CF cards it's a pfsense version issue to me (which I was not able to resolve, thus not able to change any config, thus am running 2.2.6 now again where everything works fine.)

    I don't tend to mess with 2.3 more for now, I don't have a spare pfsense with CF to play around with. My focus is to have a working firewall for our branch office.



  • What CF cards are those specifically (make and model), and what hardware are you using?



  • @cmb:

    What CF cards are those specifically (make and model), and what hardware are you using?

    Was a prebuilt pfsense from a German official reseller (on your list)

    AMD APU1D4 [3x 1Gbit Realtek; 1GHz Dualcore; 4GB DDR3]
    came with 8GB Transcend SDHC Class 10 (TS8GSDHC10)

    The other CF I tried was a PNY 32GB SDHC Class 10 (SD32GBHC6-EF)



  • Ah, APU so SD rather than CF. Thanks for the info.

    All our release testing on APUs is with Sandisk SD cards, which do fine with the mount speed. I have some other cards that are slow to re-mount though, will give one of those a shot.



    I usually call them CF, somehow I'm used to it, but yeah, I should correct it to SD I think.
    Sorry for misleading.

    Do you test with a specific type of SanDisk? I might consider getting one of those to have better compatibility with your upcoming releases then. (And I'd need another backup card anyway in case an update went terribly wrong so the guy at the branch office could switch cards in a worst case scenario)


  • Rebel Alliance Developer Netgate

    For those who are seeing "Device busy" or similar and unable to force the disk read-write, try the following (preferably from the console):

    umount -f /cf; fsck -t ufs -y /cf; mount -f -o rw /cf

    Not something we'd normally recommend but somehow it seems that just the /cf slice is getting wedged for some people at the OS level.

    Once that is done, set the permanent RW flag on Diagnostics > NanoBSD.

    If you're running on an APU+SD card, I'd seriously consider reinstalling from a memstick-serial image as a full install. Activating the option to keep /tmp and /var in RAM will keep writes low, and the sizes can be tweaked so you have decent space there. Your overall experience is likely to be much better that way on APU than with NanoBSD. Short of using an mSATA anyhow.
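
A way to confirm the symptom before and after the remount described in the post above, as an added example that is not part of the original thread or of pfSense: it classifies a mount point as rw/ro from FreeBSD-style `mount` output and lists the paths that failed with "Read-only file system" in PHP warnings. The function names and the `/dev/ufs/...` device labels in the sample are assumptions; the warning text is taken from the posts above.

```shell
#!/bin/sh
# Added example. All sample data below is constructed for illustration.

# cf_mount_state [mountpoint]: reads `mount` output on stdin and prints
# rw, ro, or missing for the given mount point (default /cf).
cf_mount_state() {
    awk -v mp="${1:-/cf}" '
        $2 == "on" && $3 == mp {
            found = 1
            # Options are the parenthesised, comma-separated list
            opts = $0
            sub(/^[^(]*\(/, "", opts); sub(/\).*$/, "", opts)
            n = split(opts, o, /, */)
            state = "rw"
            for (i = 1; i <= n; i++) if (o[i] == "read-only") state = "ro"
        }
        END { print (found ? state : "missing") }'
}

# erofs_paths: reads PHP warnings on stdin (several may share one line, as
# in the pasted output) and prints each distinct path that could not be
# opened because the file system was read-only.
erofs_paths() {
    grep -o '[a-z_]*([^)]*): failed to open stream: Read-only file system' |
        sed 's/^[a-z_]*(\([^)]*\)).*/\1/' | sort -u
}

# Constructed mount listing (device labels are assumptions)
sample_mount() {
    cat <<'EOF'
/dev/ufs/pfsense0 on / (ufs, local, noatime, read-only, synchronous)
devfs on /dev (devfs, local)
/dev/ufs/cf on /cf (ufs, local, noatime, read-only, synchronous)
/dev/md0 on /tmp (ufs, local)
EOF
}

# Warnings abridged from the thread, two of them run together on one line
sample_warnings() {
    cat <<'EOF'
Warning: copy(/cf/conf/backup/config-1460536801.xml): failed to open stream: Read-only file system in /etc/inc/config.lib.inc on line 920 Warning: fopen(/cf/conf/backup/backup.cache): failed to open stream: Read-only file system in /etc/inc/config.lib.inc on line 928
Warning: fwrite() expects parameter 1 to be resource, boolean given in /etc/inc/config.lib.inc on line 929
Warning: fopen(/cf/conf/config.xml.49850): failed to open stream: Read-only file system in /etc/inc/config.lib.inc on line 495
EOF
}

# On a real box: mount | cf_mount_state /cf
echo "/cf state: $(sample_mount | cf_mount_state /cf)"
sample_warnings | erofs_paths
```

If `/cf` still reports `ro` after the remount, config writes will keep failing with the same `write_config()` error, so check the state before changing anything in the GUI.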



  • @jimp:

    If you're running on an APU+SD card, I'd seriously consider reinstalling from a memstick-serial image as a full install.

    Any recommendations for a good memstick, maybe a type you test with?

    Oh, and - that would only increase the performance for the one who administrates it, right? Not the firewall performance itself.


  • Rebel Alliance Developer Netgate

    @Melphiz:

    @jimp:

    If you're running on an APU+SD card, I'd seriously consider reinstalling from a memstick-serial image as a full install.

    Any recommendations for a good memstick, maybe a type you test with?

    The specific memstick doesn't matter much for what I meant – that's only used for the installer. I test using a wide variety of USB thumb drives for installing pfSense, but at the moment my favorites are this PNY 16GB drive and these Sandisk Cruzer 16GB drives.

    @Melphiz:

    Oh, and - that would only increase the performance for the one who administrates it, right? Not the firewall performance itself.

    It depends on the specific features used. It wouldn't affect packet processing, though it might affect daemons on the firewall that might touch the disk for one reason or another. If you're primarily using basic firewall/routing/NAT functions it wouldn't likely be any difference in speed.



  • I'm using it for firewalling (dual wan), snort (one wan gateway only) and openvpn client.
    Would it still be ok to keep running the SD (tbh I had no idea when I purchased this model, I just didn't want to spend too much money for a 1-2PC branch office being connected to our main office ^^)



  • You just use the memstick image to boot the appliance into the installer, just as you would do with a CD-ROM, if you had a drive in it. You do a full install on the SD card.



  • Oh, I see, then I misread it at first. Will try this when I get the SDHC-Card 16GB, SanDisk Extreme Pro 95MB/s, maybe 2.3 will run on it like it should (the firewall goes live next week, so there's still time to mess with it ^^)



  • Note that when installing "Full" on flash-based media (CF or SD or DOM, etc), my advice would be to avoid creating a Swap partition.
    If there's a swap partition present pfSense will mount it - and using flash media as swap space can be really hard on flash wear. Of course, if swap space is really used - but to be on the safe side, I'd suggest not to use swap at all - on NanoBSD it didn't exist anyway - on embedded platform swap was not present…

    I guess there should be an extra option during setup - Automatic install on flash-based media, to avoid automatic creation of swap space.



  • @jimp:

    For those who are seeing "Device busy" or similar and unable to force the disk read-write, try the following (preferably from the console):

    umount -f /cf; fsck -t ufs -y /cf; mount -f -o rw /cf

    Not something we'd normally recommend but somehow it seems that just the /cf slice is getting wedged for some people at the OS level.

    Once that is done, set the permanent RW flag on Diagnostics > NanoBSD.

    Jimp, is this safe to do over SSH from a LAN computer that I am RDP'd into? (I am not onsite)


  • Rebel Alliance Developer Netgate

    @Technigogo:

    @jimp:

    umount -f /cf; fsck -t ufs -y /cf; mount -f -o rw /cf

    Jimp, is this safe to do over SSH from a LAN computer that I am RDP'd into? (I am not onsite)

    We have done that exact thing remotely several times with no ill effects, but there is always a chance it could go sideways so I can't say it's completely safe.

