@johnpoz:
While the ability for any software and your hardware/system to run for such a long time is nice.
That you would run your firewall on software that is no longer updated or maintained is BAD security.. 2.1.5 should of been updated when it went EOL.. Its still running esxi 3.5 that went end of extended support back in 2013 and end of even technical guidance back in 2015 is not good practice from any point of view especially security.
Agree with everything! This box, however, was only handling internal routing between some private networks. Didn't have access to the internet either - updating wasn't easily possible. Was also a low-priority segment - it's now being killed forever and nothing comes in place.
Hi,
I do not know what the pfsense UniFi interface IP is as I just use 192.168.0.10 (which is reachable from UniFi 192.168.1.*)
Could this be an issue? as devices are looking for it on 192.168.1?
There is nothing setup on the DHCP page I uploaded previously, everything is blank apart from what you have already seen..
Interestingly enough, after about 15 mins at 100% utilization, the process is no longer running and CPU utilization now back to normal
I still find it a bit strange the the update process would fully utilize the CPU for such a long time
Anyone else had similar experience?
So, I have been watching my disk space again and it is creeping up again. It is up to 45% since I posted that I had gotten it down to 10%, 25 days ago. I have not made any changes.
Blocking Youtube ADs is like playing whack-a-mole.... They host the ADs on the same domain as the video so it will work sometimes and not others. There are some youtube based AD feeds, but YMMV on their use.
If you see an AD on a web page, you can right-click on it from the browser and click "inspect". This will show the HTML of that element. If it contains a domain name, then it can be added to a DNSBL customlist to be blocked.
The Dell is neither I would expect that work. But it may have some Dell quirk.
115200 is the correct baud rate. If you're the serial console though you will need to boot from the USB image:
https://nyifiles.pfsense.org/mirror/downloads/pfSense-CE-memstick-serial-2.4.3-RELEASE-amd64.img.gz
Or set the console at boot:
https://www.netgate.com/docs/pfsense/hardware/boot-troubleshooting.html#booting-with-an-alternate-console
Steve
You may not need interfaces for each subnet unless you're routing between them in pfSense.
You will need whatever the upstream router is configured as a gateway in pfSense to add the static routes to.
Steve
A random reboot is usually physical or hardware. Things like power issues, overheating, faulty hardware and so on. That isn't 100%, but more often than not it's something along those lines.
The first thing to do is connect something to its serial console and have it log the output over time. Then, when it fails, see what showed up on the console. The logs won't tell you everything, but the console output will have more detail. For example, if there is an issue with the disk, it wouldn't be able to write the logs to keep the output, but after a hardware reset the disk may have recovered.
You would have to edit php file used when creating cert..
https://github.com/pfsense/pfsense/blob/master/src/usr/local/www/system_certmanager.php
if ($act == "new") {
$pconfig['method'] = $_POST['method'];
$pconfig['keylen'] = "2048";
$pconfig['digest_alg'] = "sha256";
$pconfig['csr_keylen'] = "2048";
$pconfig['csr_digest_alg'] = "sha256";
$pconfig['csrsign_digest_alg'] = "sha256";
$pconfig['type'] = "user";
$pconfig['lifetime'] = "3650";
}
Keep in mind that would be reverted every time you updated pfsense and that file gets redone, etc.
@stephenw10 said in Strange Problem With Traffic Graphs After Fresh Install:
It's unclear what causes that presently. We are actively looking into it. It doesn't appear to be hardware related directly. Rather the update PID file is being removed prematurely for some reason.
You can add anything you think might be relevant here: https://redmine.pfsense.org/issues/8519
Changes will be in 2.4.4 though so testing can only be on snapshots.
Steve
Thank you for the reply on this. I'm glad to know that it isn't looking like a hardware issue.
Unfortunately I do not think I can add any relevant information as I didn't try digging in to see what happened.
You could only do policy based routing on traffic that entered the firewall via some other interface. So port forwards on WAN maybe or traffic from LAN3 for example. Traffic from the firewall itself cannot use it as it must hit a firewall rule with the failover gateway group defined going into the firewall.
https://www.netgate.com/docs/pfsense/book/multiwan/load-balancing-and-failover.html
Steve
So, due to the peculiarities of my install I needed console access before an install was completed.
As it happens, I was able to make a change and get the console output before pfSense loaded and over-wrote my configuration, which was just enough to get what I needed done.
I will try other options to make this persistent as was mentioned in a previous post, but for a single-use I was able to make the change and use it the way I needed to.
Hope this helps someone in future.
You can change the state timeouts in System > Advanved > Firewall & NAT.
You can choose a set of timeouts from the Firewall Optimization Options filed, choose 'conservative' there.
Or you can set individual timeout values at the bottom of that page.
That should only timeout if no traffic is using it though. If there really is nothing using it it would be better to change the keep-alive settings on the server to hold the state open.
Steve
You can load that automatically at boot by including in /boot/loader.conf.local:
if_urndis_load='yes'
You will still hit the old issues of failing to boot if that interface is assigned and the phone gets disconnected though.
Steve
Mmm, interesting suggestion. I would vote for that.
You should open a feature request for it at https://redmine.pfsense.org if you have not already.
Steve
I'm using lacp with 4 interfaces and vlans on the bond, running pfsense 2.4.3. I started radvd in debug mode but nothing that indicates what might cause the problem. It results in pings getting lost or go up all the way to 750ms whenever that spike happens. I also have some messages in dmesg about a "listen queue overflow". I am using snort, but not on the interfaces that I am having problems with, so I don't think it is related (just wanted to mention it as its an installed package).
Seems like adding TINC to the core and making it work with multi-wan would be a step forward in that market for pfSense .
Would love to have someone from Netgate chime into this.
There isn't a specific log entry for a configuration change or adding a new tunnel.
The IPsec log (Status > System Logs, IPsec tab) will have events related to IPsec but it doesn't necessarily indicate a new tunnel or a config change itself.
@rootvallum said in syslog-ng cpu 100%:
Storing last 6 months syslog-ng logs in compressed form , once i navigate to services and click on syslog-ng , it tries to sort log files and consumes all RAM and only option is to kill "sort" process using shell or reboot in most of the cases if server stops responding. there should be settings page on first click of syslog-ng service or disable log view through GUI option given to user. please suggest
Even after removing all Compressed files, same issue.
default.log is approx 12 Gb on daily basis .
@jimp can you guide please.
