pfSense computer build

You have to be careful when you upgrade as anything can be broken.

This is not an issue for a home setup, especially when it's your setup and you know how it works and what it does. If something goes wrong, re-installing the whole operating system and restoring from a saved configuration file takes like 10 minutes on fast hardware. A configuration file placed on the installation USB is used automatically. There is a useful Auto Config Backup feature; it saves like the last 100 configurations on every change or at selected intervals. In a corporate environment hitting Update on something critical on the network, no matter what it is... it's a completely different process. I remember doing a week-long preparation before someone hits Update at 2am Sunday.
 
Just upgraded to 2.4.5

This thing is just superb! Absolutely love this beast. Just added another Asus 86U too as AiMesh to extend WiFi to the garden. Now got full 5GHz signal at the far end of the garden. Sitting out with the Sonos by my side enjoying all this technology.
 
I would go back to 2.4.4 (I’m on 2.4.5). The reason is there is some sort of issue on 2.4.5 that becomes more pronounced, especially with things like pfBlockerNG and some other packages enabled, that can cause latency spikes.

2.4.4 and 2.5 Development version aren’t affected by this bug from what I’ve seen. It took a few weeks for the issue to become noticeable for me, not so much in regular use but when I played games I got ping spikes hitting 3K at times.

https://forum.netgate.com/topic/151...-cpu-spikes-causing-latency-outage-with-2-4-5
 
I've got a backup from 2.4.4 if needed but I'll stick with 2.4.5 as I don't game and I'm not noticing any problems so far.

I've spent most of the last two weeks reading those forums as I'm learning as much as I can. There seem to be two camps regarding 2.4.5 -
 
Looks like the Devs were able to replicate the issue and are working on a fix; some seem to have connection breaks as well. Hopefully another update soon.
 
@avtella does this issue crop up frequently for pfSense? A recurring bug of some sort?
 
No, only in 2.4.5 from what I've seen, it's not in the previous version (2.4.4 - FreeBSD 11.2) or even the next version in development (2.5 - FreeBSD 12.1) which I also occasionally have tried.

I think (I only quickly glanced through some of the issue threads on the Netgate Forums, so hopefully I'm accurate lol) it may have to do with a change in a process called pfctl in FreeBSD 11.3, which pfSense 2.4.5 is based on, causing CPU usage to hit max and resulting in latency spikes, packet loss and network slowdowns.

The issue doesn't show up so much for me if I disable the pfblockerng DNSBL/TLD blocking functions, which seemed to further exacerbate the issue. That initially seemed to have led some pfblockerng users to think it was causing the issue while it was only exposing an underlying problem. I'm back to getting A+ on buffer bloat scores at the moment so that's good, but I'm too lazy to downgrade so I'll wait till the next update to turn on pfblocker blocklists.

A Netgate employee seems to have confirmed that they can replicate the issue as of yesterday and are working on a fix, as mentioned previously.
 

I am also on 2.4.5 and haven't noticed anything significant in performance. What I have noticed is that sometimes I get gateway alarms in the log for both WAN_DHCP and WAN_DHCP6 with high RTTs (500ms-600ms) but I don't really notice any performance drops. Is this the issue you are referring to?
 
Yeah, at times it got bad enough that eventually on occasion page load times or streaming were affected; it also depends on whether you have additions like pfblockerng active, which can aggravate it to noticeable levels. I'm running without any additional packages so it's fine now since removing pfblockerng. I mean if it's not really hampering you and family members aren't complaining, then stay on 2.4.5, that's fine, and don't really bother about it, but I mentioned it just in case anyone had it as bad as I did earlier.
 
This is one of the reasons I went away from pfSense a while back. In the old days you could wait to upgrade but nowadays with all the security issues you can't wait. pfSense needs to do a better job of not breaking the software they distribute. I felt it was not my job to completely test the software every time a new version came out. It seemed like work and I am retired now.
 
Seems to be a recurring theme? I'm glad it reared its ugly head at me during my time of testing last year. This seems to be like wrt firmware options that are on unpredictable good/bad cycles since the beginning of time (not to say anything of the ease of bricking a router back then too). :(
 
Not recurring, at least in my experience so far over the past 2-3 iterations in occasional testing, granted I really only moved to pfSense with 2.4.4. More of a FreeBSD regression than something they broke themselves. It definitely works fine out of the box on 2.4.5; as mentioned, it was fine after removing pfBlocker.

I’ve seen issues at times on DD-WRT and OpenWRT as well, where in OWRT's case they once ended up breaking things by adding certain changes to the ATH10K firmware that were optimized for IPQ40XX chipsets, which ended up borking the WiFi on QCA99XX based devices like my old R7800. It was of course fixed eventually.

Whatever the case it’s still night and day better compared to NG stock firmware lol which is my base line and a pretty low bar.
 