Messages

Sorry you guys had to waste the effort and money on it. I feel your pain, but will have to leave it at that (for now, at a minimum).

Being so strongly associated with pfSense, I just wanted to leave a note that I'm no longer involved there, and had no involvement in any of this.

I heard pfsense/FreeBSD-src repo is no longer being updated the past few months (e.g. they're not building from the github repos and not making the OS source available). I don't follow things there, fully consumed with work at Ubiquiti, but there are a number of little birdies that get in touch from time to time. :) That leaves OPNsense the only truly open source BSD firewall distro under active development.

Ah c'mon, you know it's available.  ;)

Here are the kernel bits, public, for FreeBSD 10.1.
https://files.pfsense.org/cmb/10_1-HEAD-wireless-ath.diff
https://files.pfsense.org/cmb/10_1-HEAD-wireless-ath.tgz

FreeBSD 10 to 11 has a network code split and it's almost impossible to backport driver fixes.

Far from almost impossible, we've done it multiple times with net80211 and ath(4) and it wasn't even all that difficult.
https://doc.pfsense.org/index.php?title=2.2.1_New_Features_and_Changes#Misc_Binary.2FOS_Changes
https://doc.pfsense.org/index.php?title=2.2.2_New_Features_and_Changes#Wireless

The non-cosmetic stuck beacon issues are gone since the initial back port in 2.2.1.

FreeBSD 10.1 to 10.2 itself hasn't updated Atheros drivers

Might I recommend:
https://github.com/pfsense/FreeBSD-src
10-STABLE with -CURRENT's net80211 and ath(4).

Same will hopefully hit stock 10-STABLE soon.

There are some GUI input validation changes and back end config changes that go along with that to prevent getting into circumstances that are known to be problematic still. You'll find the details here, interfaces.inc and interfaces.php.
https://github.com/pfsense/pfsense

The GUI + driver changes (in combination only) will fix this bug.
https://github.com/opnsense/core/issues/217
and a variety of similar issues, plus OP's stuck beacon issues, and more.

Congrats on the thousands of spam bots. Or maybe you have thousands of lurking users with 0 posts who are big fans of SEO, weight loss, pornography, and all the other things typical to back link spam.

Couple tips. Bad Behavior is a good plugin to cut way down on the abuse with minimal false positives. And you can clean up much of the mess with:

Code Select Expand

delete from smf_members where posts=0 and website_url <> ''

s/delete/select/ first to verify what you're deleting.

been using pfsense for the past 3-4 years for our various offices and i loved the fact i could always build it myself unless that is you all know what happened  :-X

Nothing happened to prevent you from doing that. But you were building from pfsense-tools as recently as a couple months ago, so you're obviously aware of that.

More recently, -tools doesn't even exist anymore, you can build 2.3 strictly from what's publicly available on github.

Though you're wasting your time building yourself IMO, whether pfSense or OPNsense.

JimT is testing and reviewing his fix as time permits. A bit more work on that and we'll put it into our power cycle test harness and get it upstream once confirmed, hopefully MFCed into FreeBSD 10.2. We'll have no issue getting it in upstream once we're confident it's correct, multiple FreeBSD committers already involved.

My problem's well documented, Franco. Compete on something other than FUD and lies.

The "licensing issues" garbage is very simple, very black and white. Either all of OPNsense's code has "licensing issues", or you can continue to pull in code changes. There is no in between. Hint: it's the latter.

Here are two changes you should pull in, see my previous post.
https://github.com/pfsense/bsdinstaller/commit/a9cb05bfd831f76b0b87b7c3808759f238f80405
https://github.com/pfsense/pfsense/commit/ed97bf788e77adace331d32112cb5665195d9b23

The license you claim is such a problem is OpenSSL's license, with s/OpenSSL/pfSense/. No one's starting OPNOpenSSL screaming from the rooftops because it's "not open."

I hate politics, and we all have much better things to do with our time. But if I'm forced to defend my company and project, I'll do so. I've never heard a peep from anyone claiming we were going closed source until you guys started putting out garbage, and now it's something I have to defend against routinely.

The root cause is an issue with pw not issuing fsync where it should, leaving the files in an inconsistent state, where if you have an unclean shut down within some time after touching the passwd or group file, you'll end up with them being blank, or if not using SU, with random bits of other files in /etc/.

Same happens on stock FreeBSD if it occurs shortly after running pw. One of our (pfSense) developers will get a fix for pw into FreeBSD, but for the time being, setting sync is confirmed to 100% resolve the problem. That's a reasonable solution for firewall use cases.

It's easily replicable on OPNsense and pfSense because we write the passwd and group files on every boot, which is much more than what a stock FreeBSD install would generally do. Nature of the beast for what we're doing, though we'll make it idempotent in the future in pfSense.

Since setting sync, we have systems that have been through several thousand power cycles (snmpset to IP PDU scripted in a loop for days and days) immediately after writing the passwd and group files (which is what triggers the problem), and have had 0 problems.

There is a much worse problem of some sort with OPNsense that I hit the very first time I pulled the power plug on it. Clean install, boot to the console menu, yank the power plug. Completely trashed filesystem. Couldn't touch it without kernel panic (attached). The only relevant diff I saw between OPNsense, stock FreeBSD, and pfSense in that regard is you're running SU without J. FreeBSD 10.1 is SU+J by default, pfSense 2.2.3 and newer is SU+J by default (and pre-2.2.3 was no SU, no J). I went through several hundred of power cycles without sync in tracking the root cause, only a handful of those on OPNsense as another point of comparison, but it's the only thing that ever ended up with anything worse than blank or corrupted passwd and group files. Guessing you probably want SU+J so you're out of what's probably a much less tested code path, at least if my suspicion of it being SU without J is down the right path.

We decided not to support the import due to licensing issues

Are you ever going to stop lying about "licensing issues", Franco? All our code is under the same license today as the code you forked. If there were "licensing issues" to pulling it in (which there aren't), then your entire code base would have same "issues."