pfSense - Did I just have very bad luck or is the package system not really that great?

I’ve been running pfSense as my firewall and router for some 6-9 months without any issues.
I was also running a nginx reverse-proxy, but because I have server with old hardware I need to access a web gui with a deprecated SSL version and nginx wasnt too happy about that, I figured I’d give HA proxy a chance, as I’ve seen many recommend it.

After installing it, I didn’t get it to work, but no immediate errors. After investigating some more I noticed that when installing the package, it gives an error for missing libraries. Some googling tells me this is a fairly common issue and I followed several guides to try to remediate the issue, but no luck. Finally I figured I’d reboot the machine for good measures, but luckily, just to be safe, I downloaded a copy of all my settings, and thank God for that… After reboot I was no longer able to boot. Ended u having to reinstall pfSense and reload the settings, as luck may also have it, it was at night and the rest of the family was asleep and did not notice downtime.

That said, after a fresh install of pfSense I was able to get the HA proxy to work.

Then I tried to install wireguard… Also having issues and here I actually don’t remember the entire process, but the end was that my semi-installed wireguard killed the network and I needed to remove wireguard from pfSense before I got back online. I also got spammed with error messages due to some macro-script trying to mount a interface with a network, but the network/interface was not configured according to the macro-script. This is also an issue I’ve found other people having…

Im thinking maybe I’ve been very unlucky with these packages, but my thinking, maybe it is better to keep pfSense as a firewall and router, and let VMs do the rest of what needs to be done.

I like the idea of having a all-in-one unit, but given these experiences, maybe this just leads to a single point of failure and it is better to keep services separated with containers/VMs to avoid such catastrophic failures… Also, I feel that the gui’s for the packages in pfSense have limited configuration and if one is to play with .conf-files it may not make sense to have it as a package in pfSense.

Anyone with similar, or opposite experiences?

I use pfblockerng and haproxy. I have had some weird issues haproxy, but it only seems to be haproxy I had had troubles with. I have tested suricata and snort before without issues. I can’t say I have ran into the issues you have had though. It almost sounds like you are having a hard drive issue. Some things aren’t committing to disk possibly.

I don’t really think it is a hardware issue, as I’ve had no problem with pfSense before, nor have I had any problems with any other VMs on the same machine.

I think that the HA proxy issue is due to some changes in libraries or dependencies after changing pfSense from 2.7.0 to 2.7.1.

This may or may not be responsible for the problems on the WG side as well.
I’m not the one to tell, but appears to me to be much easier to separate these things away from the firewall to make sure that if something of this breaks, the firewall will still work as it should and there is no down-time.

It may very well be that I was just very unlucky with the timing, but it did give me a bit of a scare…

Make sure you are on the latest version of pfsense before installing any packages. But we set up hundreds of pfsense every year and rarely ever have any issues.

Are you running it on bare metal?

Sounds like you have bad hardware or making other changes outside of the PFSense ecosystem.

So, when thinking back it all started with no packages being available in the package manager. Quick google-search helped me to find the solution and the challenges grew from there…

I had a fully upgraded 2.7.2 version, so shouldn’t be that.
I believe the original install was 2.7.1. and upgraded it at some point when 2.7.2 was released.

It is running on ESXi 8, so not on bare metal.

After a little digging, the error I got when installing HA Proxy was " Error “libssl.so.30” not found" when installing package "
A search for this yields a lot of options to try out, and maybe I was not critical enough to the advice offered so I just went ahead testing stuff… Ending up breaking the system anyhow…

The Wireguard-problem I only found one other forum-post somewhere having the same issue, but I wasn’t able to find it again with some searches now.

For what it is worth, I did not tinker with the underlying system before I had these issues, I wouldn’t want to do that with my firewall. This is also why I’m thinking that it may be better to keep some things separate. E.g. reverse proxy so you can tinker and make special adjustments if needed outside of the supported GUI-features…

I guess I should’ve tested these settings in a lab-copy of the live system, but I didn’t… Lesson learned (again )

Actually, also I’ve had issues with the OpenVPN client exporter as well, so it makes me question the setup totally.

Finally, before anybody comments, I know that the commonality with all these errors are the system admin (e.g. me), but I don’t think I’ve been able to ruin everything here I am not a complete noob to computers or networks… I built my first network and linux server in the 90s and currently have a network of 5 switches with vlans and whatnot fully functional … Not to mention pfSense works great out of the box, only issue I have are the packages…

So, maybe I should try a clean install in a lab environment to see if I can replicate the errors, and if not, then maybe I can try to do this again with my live pfsense.

If anything, next time I do something to the firewall I will have a fresh snapshot to revert to before it all goes dark

Puuh… I tend to write too long posts, thank you for reading all the way

Edit, I might have started with 2.7.0 actually, that may explain the HA Proxy issue if nothing else…

When I first started using pfSense, I tried running it as a VM. I got nothing but problems when I did that. I would highly recommend running pf on bare metal. It may not be your problem but just sharing my experience with running pf as a VM.

PFSense did a major upgrade with openssl going from ver 1 to ver 3, PHP plus other items. I believe from 2.7 to 2.7.1. You may have had 2.7 originally and and a poblem with the upgrade. You should have noticed that the packages did not install and gave an error for libssl.so.30. Always go to the Netgage forum and you have options to try. With a large upgrade like that, somtimes a fresh reinstall and importing the configuration file is a really quick exercise.

I doubt this is an issue because of running on a VM, although baremetal is preferred but not always feasible. I run mine in a VM and have no issues. A VM does introduce other variables though to consider.

Yeah, I think that is exactly what happened…
The update and a good sprinkle of unfortunate circumstances…

I do have couple of packages that works flawlessly, so that’s what was leading me to think that I just had a load of bad luck on this setup.

I will try to move the pfSense to a different server, and probably give the high availability option a try, even though I only have one IP and it is not static… Welcome headache!

I don’t have the most complicated setup, so I guess I will try to start over with a blank system, shouldn’t take more than an hour or two to replicate vlans and some firewall rules… Maybe even a good idea to revise the rules once a year, just like a fresh OS install

It is a very stable firewall. I believe HA will create more problems then it is worth on a firewall unless you really know what you are doing.

I’d like to think I know what I am doing at least…
And if I don’t, then there is learning ahead

My main idea is to have a failback if something happens and I am not home or I break something because I had a great idea to make new vlans or whatever…

It’s easier to get acceptance for spending too much time playing with computers if the home network doesn’t loose internet connectivity…

I think that you are overthinking this. As long as I have electricity and working hardware, PFSense will work just fine and I have zero concerns as to reliability.

You are 100% right.
And I know I am making this more complicated than what it needs to be, and thats kind of what makes it fun and interesting
There will always be a single source of failure as long as I have only one fiber modem, but basically for the sport of it, I enjoy making it highly complicated…

And to be fair, I’ve had my pfSense work perfectly fine for a long time as well until the above scenario broke it, but that’s when I was thinking maybe HA makes sense.

Did even try to set it up, but it appears that the CARP shared LAN IP ended up with some kind of loadbalancing and my speeds were horrible, so I disabled the backup-server and let the (new) main one run alone. Then it was back to normal and full speeds were achieved.
Will probably keep it like that for a while,but also on occasion boot up the backup just to sync settings and have it as a cold spare in case I need to take down the main one again. Or shift it to another host or similar…

I have had almost zero issues with PF since the day I installed it for the first time. There was a lic key issue be associated with my dev id once but nothing they couldnt fix in a jiffy at Netgate. My hardware is not that new either a server I had laying around the house installed in my rack and fired it up I have full SSL via LE on the management port. I use HA Proxy, OpenVPN, Wireguard, pfBlocker, Snort and ACME all of which installed perfectly right out the gate. I will say my learning curve having never touched it before really did create some headaches in the beginning (likely will again in the future)

image637×1070 58.9 KB

I run pfSense on an old bare metal box, HP T620plus 4/16GB, and have never had such problems with Haproxy, Wireguard, pfBlokerNG, etc…