Hotplug event causes rc.start_packages: Restarting/Starting all packages
-
@gertjan could you point me where this is mentioned in the documentation?
If an organization is using Wireguard then the tunnel will go down because of a hotplug event regardless of whether that Wireguard tunnel is being used on that port or not. In my opinion it should be reworked.
-
First things first : I get your point.
I made it a habit not to connect or disconnect anything to my main router, pfSense, a long time ago.
NO exceptions (only during major network redesign, and that didn't happen for the last decade).
My main LANs go to main switches, and then all lines go off to all the wall sockets everywhere.
This always makes me smile :
pfSense Plus package system has detected an IP change or dynamic WAN reconnection - 192.168.58.1 -> 192.168.58.1 - (so we will) Restarting packages
So, nothing changed - 'we know it' so we 'Restarting packages' => Wtf ?
But, it could be a WAN NIC that went down, so it lost its IP, and when it came back, it got (static or DHCP ?) the old IP back.
I tend to say : so do nothing ...... but I'm not an IP expert, I can understand that this leaves the door open to a boatload of issues.
Wireguard gets kicked as firewall / routes / ACLs got changed ?
If WAN or LAN goes down/up, I can imagine that unbound, dhcpd, nginx (the GUI) have to be informed about this.
There could even be routes defined that become invalid - or became valid.
Instead of keeping in memory a matrix of who use what resources and when and what to what when things arrive, pfSense does its own housekeeping, and then, for every package installed, fires a Restart event.
Some packages don't have to handle this kind of event.
Others do.
IMHO, the Wireguard package is a bit too verbose right now - but I'm not using it, neither do I know what interface groups are ;)
My opinion, as 'yet another pfSense user' : it's not a big deal as a physical link can go down, and comes up again.
TCP is resilient to this.
UDP : we don't care ;)
@32g3liqxu8 said in Hotplug event causes rc.start_packages: Restarting/Starting all packages:
I use a separate port on my router for my work laptop
this is after all not a good idea ??!
I'm not saying it isn't - but : looking at the logs : I won't do that.
@32g3liqxu8 said in Hotplug event causes rc.start_packages: Restarting/Starting all packages:
When I boot up my laptop it causes pfSense to restart all packages which causes Wireguard and other services to go offline.
That is, they will go off-line for a couple of seconds ? More ?
I get it, phone calls or video chat will / might get interrupted.
-
It's firing off the newwanip script so it restarts packages that might be using WAN. But this appears to be an internal interface. Do you have a gateway on that interface? Static routes?
An alternative workaround here, to avoid using a switch, might be to create a single interface bridge on em5 and assign that as interface instead. Though I agree a workaround shouldn't be required there from what I can see.
Steve
-
OPT4 is an internal interface and I set a static ip address. Did I do this incorrectly?
I use policy based routing so all non OPT4 net traffic goes out WAN_DHCP. To give you a better idea of my setup, I followed this guide - WireGuard VPN Client Configuration Example to set up WireGuard as my Default Gateway. So, that is why I'm defining WAN_DHCP as my gateway in my firewall rule. I kept the rules simple since this is a work laptop and I connect using a work provided vpn.
Let me know if you think there is anything I should change based on what I described.
Thank you!
-
I agree, not a huge issue for me, as I'm just a home user, who just enjoys the software and networking but I figured I would report it for anyone who might use it more for running a business, etc. Thanks again for looking over what I provided. I provided some details above of my setup. Appreciate your help!
-
Ok, so the OPT4 interface doesn't have a gateway defined in its config but you could still have a gateway that is in the OPT4 subnet. You would only do that though if you need static routes via that to some other subnet connected there. Is that possible?
-
I only have the one work laptop in that subnet. I just wanted it separate from my main LAN (Personal). It does not need to access another subnet.
Would you consider what I reported a bug in the software or is that how it is supposed to behave?
-
It seems unexpected but I'd probably call it a missing feature. Most installs don't see an interface go up/down except in a significant network event and it's safer for those to restart packages than to leave them potentially running with the wrong IP.
However running rc.newwanip on something that isn't a WAN seems unnecessary and I don't see that here. For example connecting to LAN on a 4100 in 22.05:
Sep 16 00:32:08 check_reload_status 495 Linkup starting igc0
Sep 16 00:32:08 kernel igc0: link state changed to UP
Sep 16 00:32:09 php-fpm 38757 /rc.linkup: DEVD Ethernet attached event for lan
Sep 16 00:32:09 php-fpm 38757 /rc.linkup: HOTPLUG: Configuring interface lan
Sep 16 00:32:10 php-fpm 38757 /rc.linkup: Gateway, NONE AVAILABLE
Sep 16 00:32:10 check_reload_status 495 Restarting IPsec tunnels
Sep 16 00:32:14 check_reload_status 495 updating dyndns lan
Sep 16 00:32:14 check_reload_status 495 Reloading filter
Something is different about my config there though since it doesn't list the static IP even though it is configured with one. It really looks like your config has caused pfSense to think opt4 is a WAN.
Are you able to upload that for review? Or replicate it in a very basic config that you can share?
Steve
-
Is there a way I can direct message you a link to download my config from my cloud provider?
Also, would it break the config if I pulled out my workstation information and it would also have my wireguard config in plain text. I guess, which backup areas would you need to take a look at?
-
You can upload something to me here:
https://nc.netgate.com/nextcloud/s/yPwaeQLsdK5rK9r
You can remove any details you need to.
If you're able to upload the status_output diagnostic file that already has passwords and cert keys etc redacted:
https://docs.netgate.com/pfsense/en/latest/recipes/diagnostic-data.html#copying-the-diagnostic-data-archive
Steve
-
Files have been uploaded. Let me know if you need anything else. Thank you for your help!
-
Hmm, there's really nothing significantly different in your config there. At least not currently.
Are you able to reproduce the issue and then upload a new status file? I don't see any connections to em5 in the logs in the last few days.
Steve
-
Yes, however, it’s my work laptop so I won’t be able to do it at the moment. I will test it out after work and upload a new file for your review.
Currently, I have em5 attached to a switch so it doesn’t restart packages so that’s why you’re not seeing any information - I think.
-
Ah, yes, that would do it. Ok, let me know when you're able to test it again.
Steve
-
I uploaded a new status_output.tgz file for your review.
Off Topic
On something completely unrelated, was something recently updated and pushed out? The following occurred today:
Sep 16 18:53:37 pkg-static 86631 pfSense-repo upgraded: 22.05_2 -> 22.05_5
Sep 16 18:53:37 pkg-static 86631 pfSense-upgrade upgraded: 1.0_26 -> 1.0_27
Now, I am unable to check for any packages and it thinks I do not have any packages installed when I do.
pkg-static -d update
DBG(1)[69590]> pkg initialized
pkg-static: invalid url: /pfSense_plus-v22_05_amd64-core
pkg-static: Cannot parse configuration file!
-
@32g3liqxu8 I saw that error/issue also this afternoon.
-
Yup just hit it and found the cause. Working on it now...
-
Thank you!
-
The repo issue is still being worked on.
The package restart issue is odd. Seems like there's a logic error there. I managed to replicate it on a different interface and the only difference is that it doesn't have 'track-interface' set for IPv6.
You don't appear to have any v6 connectivity there so to test it you would need to enable dhcpv6 on something in order to set opt4 to track it. If you can test that and confirm that prevents rc.newwanip running then we'll need to dig into that deeper.
Steve
-
I turned on v6 connectivity on my WAN interface. I set OPT4 to track the interface gateway of WAN_DHCP6. I powered on my laptop, and I am not seeing the rc.newwanip for em5, but it does occur for WAN_DHCP6, and that's likely because the WAN_DHCP6 is offline. I'm not sure I set that part up correctly. I'm not very familiar with IPv6. Let me know if this is not a good enough test.
Sep 17 12:35:36 pfSense check_reload_status[401]: Linkup starting em5
Sep 17 12:35:36 pfSense kernel: em5: link state changed to DOWN
Sep 17 12:35:37 pfSense php-fpm[42065]: /rc.linkup: DEVD Ethernet detached event for opt4
Sep 17 12:35:37 pfSense check_reload_status[401]: Reloading filter
Sep 17 12:35:38 pfSense check_reload_status[401]: Linkup starting em5
Sep 17 12:35:38 pfSense kernel: em5: link state changed to UP
Sep 17 12:35:38 pfSense php-fpm[42065]: /rc.filter_configure_sync: GW States: One or more gateways is down, flushing all states: WAN_DHCP6
Sep 17 12:35:39 pfSense php-fpm[371]: /rc.linkup: DEVD Ethernet attached event for opt4
Sep 17 12:35:39 pfSense php-fpm[371]: /rc.linkup: HOTPLUG: Configuring interface opt4
Sep 17 12:35:39 pfSense php-fpm[371]: /rc.linkup: Gateway, none 'available' for inet6, use the first one configured. 'WAN_DHCP6'
Sep 17 12:35:39 pfSense check_reload_status[401]: Restarting IPsec tunnels
Sep 17 12:35:40 pfSense php-fpm[69043]: /rc.newwanipv6: rc.newwanipv6: Info: starting on em0.
Sep 17 12:35:40 pfSense php-fpm[69043]: /rc.newwanipv6: rc.newwanipv6: on (IP address: 2603:900a:ff00:1b:596b:b440:d2fb:e381) (interface: wan) (real interface: em0).
Sep 17 12:35:41 pfSense nginx: 2022/09/17 12:35:41 [crit] 71665#100551: *7384 SSL_write() failed (13: Permission denied) while processing HTTP/2 connection, client: 192.168.1.51, server: 0.0.0.0:443
Sep 17 12:35:42 pfSense php-fpm[371]: /rc.linkup: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1663432542] unbound[69211:0] error: bind: address already in use [1663432542] unbound[69211:0] fatal error: could not open ports'
Sep 17 12:35:44 pfSense rc.gateway_alarm[18167]: >>> Gateway alarm: WAN_DHCP6 (Addr:fe80::2bc:60ff:fe93:419%em0 Alarm:1 RTT:0.000ms RTTsd:0.000ms Loss:100%)
Sep 17 12:35:44 pfSense check_reload_status[401]: updating dyndns WAN_DHCP6
Sep 17 12:35:44 pfSense check_reload_status[401]: Restarting IPsec tunnels
Sep 17 12:35:44 pfSense check_reload_status[401]: Restarting OpenVPN tunnels/interfaces
Sep 17 12:35:44 pfSense check_reload_status[401]: Reloading filter
Sep 17 12:35:44 pfSense php-fpm[69043]: /rc.newwanipv6: Gateway, none 'available' for inet6, use the first one configured. 'WAN_DHCP6'
Sep 17 12:35:44 pfSense check_reload_status[401]: Reloading filter
Sep 17 12:35:45 pfSense check_reload_status[401]: updating dyndns opt4
Sep 17 12:35:46 pfSense php-fpm[69043]: /rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. 'WAN_DHCP6'
Sep 17 12:35:46 pfSense php-fpm[42065]: /rc.filter_configure_sync: GW States: One or more gateways is down, flushing all states: WAN_DHCP6
Sep 17 12:35:47 pfSense php-fpm[39466]: /rc.filter_configure_sync: GW States: One or more gateways is down, flushing all states: WAN_DHCP6
Sep 17 12:36:00 pfSense sshguard[43717]: Exiting on signal.
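
Added example, not part of any post in this thread and not pfSense code: a small log check that lists which restart actions follow each rc.linkup HOTPLUG event, so an exported system log can show whether plugging in a device on an internal port took tunnels or packages down. The sample lines are constructed from the message formats quoted above; the function name, the 30-second correlation window and the year are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the two syslog layouts seen in this thread.
SAMPLE = """\
Sep 16 00:32:09 php-fpm 38757 /rc.linkup: HOTPLUG: Configuring interface lan
Sep 16 00:32:10 check_reload_status 495 Restarting IPsec tunnels
Sep 16 00:32:14 check_reload_status 495 Reloading filter
Sep 17 12:35:39 pfSense php-fpm[371]: /rc.linkup: HOTPLUG: Configuring interface opt4
Sep 17 12:35:40 pfSense php-fpm[69043]: /rc.newwanipv6: rc.newwanipv6: Info: starting on em0.
Sep 17 12:35:44 pfSense check_reload_status[401]: Restarting OpenVPN tunnels/interfaces
Sep 17 12:35:50 pfSense php-fpm[371]: /rc.start_packages: Restarting/Starting all packages.
"""

TS = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(.*)$")
HOTPLUG = re.compile(r"/rc\.linkup: HOTPLUG: Configuring interface (\S+)")
# Follow-on actions worth flagging after a link-up, keyed by a short label.
SIDE_EFFECTS = {
    "newwanip": re.compile(r"/rc\.newwanip(v6)?:"),
    "packages": re.compile(r"rc\.start_packages: Restarting/Starting all packages"),
    "ipsec": re.compile(r"Restarting IPsec tunnels"),
    "openvpn": re.compile(r"Restarting OpenVPN tunnels"),
}

def hotplug_side_effects(log_text, window_s=30, year=2022):
    """Return one record per HOTPLUG event with the actions logged soon after.

    Correlation is by time window only (an assumption): syslog does not say
    which event triggered an action, and the timestamps carry no year.
    """
    events = []
    for line in log_text.splitlines():
        m = TS.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2)))
    report = []
    for i, (ts, msg) in enumerate(events):
        hp = HOTPLUG.search(msg)
        if not hp:
            continue
        seen = set()
        for later_ts, later_msg in events[i + 1:]:
            # Stop at the end of the window or when the next hotplug begins.
            if later_ts - ts > timedelta(seconds=window_s) or HOTPLUG.search(later_msg):
                break
            seen.update(k for k, rx in SIDE_EFFECTS.items() if rx.search(later_msg))
        report.append({"time": ts, "interface": hp.group(1), "effects": sorted(seen)})
    return report

if __name__ == "__main__":
    for rec in hotplug_side_effects(SAMPLE):
        print(rec["time"], rec["interface"], rec["effects"])
```

A record whose effects include newwanip or packages for an interface that is not a WAN matches the behaviour reported in this thread; because the match is time-based, confirm against the full log before treating it as cause and effect.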