@ninthwave said in pfSense cannot get WAN IP after reboot:

@gertjan Thanks. I know how to use pastebin. My problem is I cant download the log with WinSCP.

5b83df89-0dcb-4369-877d-f9a37f3c6195-image.png

Can you guys starts another new thread? This is a year old already.

@rtkluttz

For reference I have esxi 7 running on a passively cooled i5 7200 u and I can get symmetric gigabit using vmx adapters.

Have you tried turning on/off the various options I listed in my previous post? Before concluding there is performance issue you have to make sure you have the right configuration for your hardware. FYI, You will have to restart pfsense after every change.

@johnpoz No doubt. I did at one point simply because I was lazy and didn't trust comcast to do the right thing if I swapped out a wrt54g. In my case, it actually saved me because my sg2440 fell victim to the red led of death, so moved one cable, rebooted wifes stuff and minimal downtime.
(that sg2440 was fixed under RMA and has been working fine, but I've got a 5100 on order just in case).

I always liked seeing the rules as applied (pf user before pfSense), that command helps me figure out exactly what is going on, you can mentally walk a packet flow.

@gertjan
I should've mentioned that I have the BIOS set to a graceful shutdown once the power button is pressed. I would never just push and hold the power button for a hard power down unless something was really wrong. pfSense has been pretty rock solid in staying up all the time.

Thank you for providing the link to the script. I'll be the first to say that I'm not a coder/programmer, but looking at the code in the script, I'm wondering if the ALLDEST is necessary? I guess by pinging whatever is chosen for ALLDEST you could tell whether or not any data was able to get in or out. I like the idea of checking the WAN to see if any data is able to pass, and if not, restart.

Interesting. So the xbox just doesn't allow connections from outside it's subnet? And there's no way to set it to do so?

Steve

@bcnx Glad you got it sorted.. Here all the time if you have questions - happy to help!

Hello,

I've solved the problem by increasing the max table entries allowed.

KR,
P' Bear

Guys, thank you, ended up with the console access and rebuilding the LAN configuration through it, all is working now...

@mrturner19 sure.. You could do it for 200 ips if had that many..

@gertjan I am aware that I am dealing with topics far far beyond my knowledge.

Thanks a lots
Ilario

@stephenw10, the User to Authenticate is mine. And i can Logon, also if the User was Expired the "Select Container" function woulden work. But it dose and i selectet a Container for Authentication.

@gertjan I guess that is the "nuclear" option to the original issue, remove the underlying functionality that caused the log entries to begin with...

@swemattias nic pass though to pfsense is simpler imo. Hardware off loading can also then still be used

You can re-install clean to wipe the drive. Open a ticket with us to get the recovery image if you need it: https://go.netgate.com/

But it will happen again if you have something configured to use space with no limit. Probably syslog-ng.

Steve

Ok, you probably need to use NetFlow data then.

@steve_b

I am looking into moving the users and the certificates of the pfSense machines to a dedicated solution.

Thanks for the help with this issue!

@slu said in Export CA | Do I have to pay attention to anything?:

You mean the CN name or something like this?

Yes. Or someones email address etc. Something you may not want public.

Steve

So you just need to redirect traffic to them in pfSense? You can just use port forwards for that. That's what Squid does if you set it to transparent mode.

Steve

Yikes that is ugly.

If it's that badly configured, have you tried logging into that random device with default credentials and turning off DHCP? :-)

@stephenw10

Hi Steve

I submitted a post earlier, here

https://forum.netgate.com/topic/166622/i-need-to-restart-the-ovpn-tunnels-after-a-pfsense-reboot/2

Read thru most however I have a protectli PFSENSE ( 2.5..2 ) box behind my ISP fiber modem.

In the setup i just put in my PPPOE username and password and it set it up and just works.

My ISP here in Dubai requires my wan to be connected on a certain port on the modem ( ONT4)

Otherr than that it just works and I am not a real technical guy.

Solved this issue. It appears that the most recent macOS update disabled the UART bridge used for serial comms. Re-installed the driver from Silicon Labs and everything is working.

@steveits lol you're amazing :D that's exactly it! Thanks a lot!! Cheers

@mgcsec said in pfsense packet process order:

@stephenw10
thank you!
and then where are local services/plugins involved?
for example Nginx in that chain?
NAT=>FW=>Nginx=>NAT=>FW=>Upstream?

For some services, yes, this is the processing order. But for others such as the IDS/IPS packages, this is the processing order:

IDS/IPS => NAT => FW (for inbound traffic on WAN)
IDS/IPS => FW => NAT (for inbound traffic on LAN)

Do that have the same capabilities? Try: ifconfig -vvvma

Are those vmxnet NICs the pfSense VM has assigned currently?

If not try assigning one to something and see if that responds to large packets.

This seems likely to be an issue with the bxe driver or the NIC itself but we need to confirm that by, for example, showing vmx is not affected.

Steve

Hi Steve - Brilliant suggestion.

Evidently my password manager was pre-empting my updates. Now email works!

Thanks,

Neil

Aside from pcscd, you should also disable log compression when rotating on there.

Given the output from top, it was the log compression that was having trouble keeping up with the rate of logs being written at the time.

Status > System Logs, Settings tab, set Log Compression to None.

@johnpoz root cause analysis was suggested in a different forum.

Wire shark did capture vlan traffic on port going to ESX host. But pktcap-uw did not capture any on vmnic. Promiscuous mode was enabled too.

Switch configuration is correct.

Only data point which I still could not figure out is wireshark trace contains icmpv6 but not icmp dhcp discovery.

Neither ipv6 is enable on pfsense or unifi.

@rbarden
I use NTOP-NG.
But nothing is "free" in terms of cpu cycles or promiscious mode on the netcards.

/Bingo

thank you

That doesn't seem like a huge number for 5 mins. I would expect far more if you were actually being used as part of an attack. That seems like it could just be a bad DNS server configured.

Steve

Can you ping6 to other internal hosts?

Is pfSense handing out those IPs via dhcpv6? That would imply it's receiving a prefix from the ISP.

Steve

@ev4nsp479 Do you have a spare switch you can put between them?
Comcast hardware sometimes will care if the MAC of your router changes unexpectedly, but powering off their router should start fresh.

Hmm, so if you just lose upstream connectivity there's not much pfSense can do. You probably need to find out exactly how it's failing. If the gateway is still responding try a traceroute when it's working and when it fails. Where is it failing?

@jimp
Thank you!! That got it.

I copied the files from the netgate fw up to my PC. I don't know why, but the netgate sg3100 did NOT have
UCD-DISKIO-MIB.txt
UCD-SNMP-MIB-OLD.txt
so I copied them from the net-snmp 5.9.1 source tarball.

I'm still missing the MIB for begemot.203
$ snmpwalk netgate-fw begemot.203 2>/dev/null
BEGEMOT-MIB::begemot.203.0.0 = INTEGER: 0
BEGEMOT-MIB::begemot.203.100.0 = STRING: "/usr/local/etc/rrdbot"
BEGEMOT-MIB::begemot.203.101.0 = STRING: "/var/run/snmp-regex.sock"

and this is wrong:
$ snmpwalk netgate-fw begemotIfMaxspeed 2>/dev/null
BEGEMOT-MIB2-MIB::begemotIfMaxspeed.1.0 = Counter64: 2500000000 bps
BEGEMOT-MIB2-MIB::begemotIfMaxspeed.2.0 = Wrong Type (should be Counter64): Timeticks: (100) 0:00:01.00
BEGEMOT-MIB2-MIB::begemotIfMaxspeed.3.0 = Wrong Type (should be Counter64): Timeticks: (0) 0:00:00.00
BEGEMOT-MIB2-MIB::begemotIfMaxspeed.4.0 = Wrong Type (should be Counter64): Timeticks: (100) 0:00:01.00

but I can live with that.

I can't tell if I'm missing some more MIB file[s] or the BEGEMOT-LM75-MIB is broken, but
$ snmpwalk netgate-fw sysLocation
Unlinked OID in BEGEMOT-LM75-MIB: lm75SensorTemperature ::= { lm75SensorEntry 7 }
Undefined identifier: lm75SensorEntry near line 153 of /usr/local/share/snmp/mibs/netgate/BEGEMOT-LM75-MIB.txt
Unlinked OID in BEGEMOT-LM75-MIB: lm75SensorParent ::= { lm75SensorEntry 6 }
Undefined identifier: lm75SensorEntry near line 145 of /usr/local/share/snmp/mibs/netgate/BEGEMOT-LM75-MIB.txt
Unlinked OID in BEGEMOT-LM75-MIB: lm75SensorPnpInfo ::= { lm75SensorEntry 5 }
Undefined identifier: lm75SensorEntry near line 137 of /usr/local/share/snmp/mibs/netgate/BEGEMOT-LM75-MIB.txt
Unlinked OID in BEGEMOT-LM75-MIB: lm75SensorLocation ::= { lm75SensorEntry 4 }
Undefined identifier: lm75SensorEntry near line 129 of /usr/local/share/snmp/mibs/netgate/BEGEMOT-LM75-MIB.txt
Unlinked OID in BEGEMOT-LM75-MIB: lm75SensorDesc ::= { lm75SensorEntry 3 }
Undefined identifier: lm75SensorEntry near line 121 of /usr/local/share/snmp/mibs/netgate/BEGEMOT-LM75-MIB.txt
Unlinked OID in BEGEMOT-LM75-MIB: lm75SensorSysctlIndex ::= { lm75SensorEntry 2 }
Undefined identifier: lm75SensorEntry near line 113 of /usr/local/share/snmp/mibs/netgate/BEGEMOT-LM75-MIB.txt
Unlinked OID in BEGEMOT-LM75-MIB: lm75SensorIndex ::= { lm75SensorEntry 1 }
Undefined identifier: lm75SensorEntry near line 105 of /usr/local/share/snmp/mibs/netgate/BEGEMOT-LM75-MIB.txt
Unlinked OID in BEGEMOT-LM75-MIB: lm75Sensor ::= { begemotlm75Objects 1 }
Undefined identifier: begemotlm75Objects near line 64 of /usr/local/share/snmp/mibs/netgate/BEGEMOT-LM75-MIB.txt
Unlinked OID in BEGEMOT-LM75-MIB: begemotLm75Objects ::= { begemotLm75 1 }
Undefined identifier: begemotLm75 near line 58 of /usr/local/share/snmp/mibs/netgate/BEGEMOT-LM75-MIB.txt
Cannot adopt OID in BEGEMOT-LM75-MIB: lm75SensorIndex ::= { lm75SensorEntry 1 }
Cannot adopt OID in BEGEMOT-LM75-MIB: lm75SensorSysctlIndex ::= { lm75SensorEntry 2 }
Cannot adopt OID in BEGEMOT-LM75-MIB: lm75SensorDesc ::= { lm75SensorEntry 3 }
Cannot adopt OID in BEGEMOT-LM75-MIB: lm75SensorLocation ::= { lm75SensorEntry 4 }
Cannot adopt OID in BEGEMOT-LM75-MIB: lm75SensorPnpInfo ::= { lm75SensorEntry 5 }
Cannot adopt OID in BEGEMOT-LM75-MIB: lm75SensorParent ::= { lm75SensorEntry 6 }
Cannot adopt OID in BEGEMOT-LM75-MIB: lm75SensorTemperature ::= { lm75SensorEntry 7 }
Cannot adopt OID in BEGEMOT-LM75-MIB: lm75Sensor ::= { begemotlm75Objects 1 }
Cannot adopt OID in BEGEMOT-LM75-MIB: lm75SensorTable ::= { begemotLm75Objects 2 }
Cannot adopt OID in BEGEMOT-LM75-MIB: begemotLm75Objects ::= { begemotLm75 1 }
Cannot adopt OID in BEGEMOT-LM75-MIB: lm75Sensors ::= { lm75Sensors 1 }
Cannot adopt OID in BEGEMOT-LM75-MIB: loosTempSensorEntry ::= { lm75SensorTable 1 }
Cannot adopt OID in BEGEMOT-LM75-MIB: lm75SensorTemperature ::= { lm75SensorEntry 7 }
Cannot adopt OID in BEGEMOT-LM75-MIB: lm75SensorParent ::= { lm75SensorEntry 6 }
Cannot adopt OID in BEGEMOT-LM75-MIB: lm75SensorPnpInfo ::= { lm75SensorEntry 5 }
Cannot adopt OID in BEGEMOT-LM75-MIB: lm75SensorLocation ::= { lm75SensorEntry 4 }
Cannot adopt OID in BEGEMOT-LM75-MIB: lm75SensorDesc ::= { lm75SensorEntry 3 }
Cannot adopt OID in BEGEMOT-LM75-MIB: lm75SensorSysctlIndex ::= { lm75SensorEntry 2 }
Cannot adopt OID in BEGEMOT-LM75-MIB: lm75SensorIndex ::= { lm75SensorEntry 1 }
Cannot adopt OID in BEGEMOT-LM75-MIB: lm75SensorTable ::= { begemotLm75Objects 2 }
Cannot adopt OID in BEGEMOT-LM75-MIB: lm75Sensor ::= { begemotlm75Objects 1 }
Cannot adopt OID in BEGEMOT-LM75-MIB: begemotLm75Objects ::= { begemotLm75 1 }
Cannot adopt OID in BEGEMOT-LM75-MIB: lm75Sensors ::= { lm75Sensors 1 }
Cannot adopt OID in BEGEMOT-LM75-MIB: loosTempSensorEntry ::= { lm75SensorTable 1 }
SNMPv2-MIB::sysLocation.0 = STRING:

so I deleted BEGEMOT-LM75-MIB.txt and all the errors went away :)
$ snmpwalk netgate-fw sysLocation
SNMPv2-MIB::sysLocation.0 = STRING:

Thanks again!!

Thank you both (@SteveITS and @stephenw10). I sincerely appreciate your help. I'm grateful for the insight.

Matt

@stephenw10 Thanks Steve your reply is really appriciated I'll go down the update route hopefully reslove the issue
All the best, John