pfSense on VPN2S intermittently goes unresponsive
-
@schung said in pfSense on VPN2S intermittently goes unresponsive:
I have a VPN2S
This? https://www.zyxelguard.com/VPN2S.asp
How is pfSense connected to that? Where are you trying to connect to it from?
Steve
-
@stephenw10 - I got my model numbers mixed up with another device. I actually have a netgate sg-3100 pfSense router.
-
Ah OK.
So there is nothing logged at all when it stops responding? In the main system log? Firewall log? OpenVPN log?
Check the uptime on the dashboard, is it rebooting? That would log a lot of stuff of course.
Are you able to connect to the serial console when that happens?
https://docs.netgate.com/pfsense/en/latest/solutions/sg-3100/connect-to-console.html
Steve
-
@stephenw10 there is nothing relevant logged, I checked all the logs available via the UI. I've confirmed that the serial console stays up when the router becomes unresponsive, and the router has WAN connectivity (ping to WAN from the console continues to be successful). So the issue must be with the LAN link going down every once in a while for no apparent reason. Any hints as to where I could look for the problem?
-
Did you try to ping out from the LAN to something? And that also failed?
Do you have devices connected directly to the 3100 LAN ports or is it going through another switch?
Is it possible there's a network loop being created and broken by STP?
Steve
-
@stephenw10 when pinging a LAN device (printer) from the console, I noticed the ping response time goes from 0.6ms to 30ms+ whenever the outage happens.
Does that provide any clues?
My network topology is as follows:
Modem - pfSense - wifi/switches - computers/devices
-
Hmm, well it tells us the LAN does not get disconnected entirely.
Do ping times to WAN side targets also increase? That could imply the 3100 is having to work very hard at something. You could try running
top -aSH
at the console when it happens to see what's using CPU cycles.
Steve
-
@stephenw10 Ran top, 99% idle. Nothing sticks out, WAN ping times don't increase. I did a factory reset of the 3100, still no improvement which means it's not a configuration issue. The network setup is a star configuration, there are no LAN loops (router to switches to PCs/Wifi). I think maybe it's a HW problem on the 3100 LAN port, my USB Ethernet dongles go bad after a while too and I'm thinking maybe it's similar with the 3100, looks like a HW problem. Any suggestions on how to deal with that?
-
You could test that by reassigning the LAN and OPT interfaces. You would only have one physical LAN port but for a test that's probably OK.
Or just use a different LAN port without re-assigning.
However if the port was going down you should see that in the system logs.
This 'feels' more like something on the LAN side using the pfSense IP or some ARP poisoning or similar.
Steve
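One way to check the duplicate-IP / ARP-poisoning theory raised in the post above, as an added example that is not part of the original thread: a Python script that scans an exported system log for ARP anomaly messages. The line shapes are assumed to match the FreeBSD kernel's ARP messages as they appear in the pfSense system log; the hostname, addresses, MACs and the `mvneta1` interface in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: hostname, addresses, MACs and the mvneta1 interface are
# made up; the line shapes follow FreeBSD kernel ARP messages (assumption).
SAMPLE_LOG = """\
Aug  3 10:15:02 pfSense kernel: arp: 02:00:5e:00:53:66 is using my IP address 192.168.1.1 on mvneta1!
Aug  3 10:15:09 pfSense kernel: arp: 192.168.1.50 moved from 02:00:5e:00:53:01 to 02:00:5e:00:53:66 on mvneta1
Aug  3 10:15:40 pfSense kernel: arp: 192.168.1.50 moved from 02:00:5e:00:53:66 to 02:00:5e:00:53:01 on mvneta1
Aug  3 10:16:11 pfSense kernel: arp: 192.168.1.60 moved from 02:00:5e:00:53:02 to 02:00:5e:00:53:66 on mvneta1
Aug  3 10:20:00 pfSense kernel: mvneta1: link state changed to UP
"""

DUP_RE = re.compile(r"arp: ([0-9a-f:]{17}) is using my IP address (\S+) on (\w+)!", re.I)
MOVE_RE = re.compile(r"arp: (\S+) moved from ([0-9a-f:]{17}) to ([0-9a-f:]{17}) on (\w+)", re.I)


def analyze(log_text, flap_threshold=2):
    """Summarise ARP anomalies recorded in a system log export."""
    duplicate_ip = []            # (mac, ip, iface): a host answering for the firewall's own IP
    moves = defaultdict(int)     # ip -> number of MAC changes seen
    claimed = defaultdict(set)   # mac -> IPs that moved *to* this MAC
    for line in log_text.splitlines():
        m = DUP_RE.search(line)
        if m:
            duplicate_ip.append(m.groups())
            continue
        m = MOVE_RE.search(line)
        if m:
            ip, _old, new, _iface = m.groups()
            moves[ip] += 1
            claimed[new.lower()].add(ip)
    return {
        "duplicate_ip": duplicate_ip,
        # One move can be a DHCP reassignment or Wi-Fi roam; repeated moves are suspicious.
        "flapping": {ip: n for ip, n in moves.items() if n >= flap_threshold},
        # A single MAC taking over several IPs points at a spoofing host or a bridge.
        "multi_ip_macs": {mac: sorted(ips) for mac, ips in claimed.items() if len(ips) > 1},
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

An empty result for all three keys over the outage window argues against the ARP theory and points back at the hardware or the link.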
-
@stephenw10 so it seems it may have been the WAN interface.
I took a 2-month trip for the summer and just got back, and the WAN port is now dead. No lights when I plug in an Ethernet cable (whereas all the other ports light up when I plug in that same Ethernet cable). So I suspect now the intermittent problems were the WAN interface starting to go bad, and now it seems it's finally dead.
I looked around but couldn't find a way to reassign physical ports on my 3100, is there a way to configure the OPT1 port as the WAN port?
Thanks.
-
Sure just go to Interfaces > Assignments and set the WAN to mvneta0. By default it's configured as mvneta2.
https://docs.netgate.com/pfsense/en/latest/solutions/sg-3100/io-ports.html#routed-ethernet
You will have to unassign OPT1 or use mvneta2 for that instead.
Steve