Checking the logs when PFSense crashed.
-
For the past few days, when I wake up in the morning, I find that I am unable to connect to the internet. I have been resolving this issue by rebooting the power, but since there is no console port, I would like to check the PFSense logs that are likely recorded during that time.
I have only one connected PC, and it is in sleep mode while I am asleep, so I don't think there would be a large accumulation of logs on the PFSense side. Which log file should I look for?
-
Start here : Status > System Logs > System > General
The reason for a 'crash' isn't always present in the logs.
Example : what if pfSense couldn't access (write) to the disk anymore ? How could it log ? A situation like that will crash the device without leaving any trace.
Most hardware issues will also 'freeze' the machine.
@Yet_learningPFSense said in Checking the logs when PFSense crashed.:
but since there is no console port
So you have a vga/hdmi monitor + keyboard.
What hardware, pfSense version?
@Yet_learningPFSense said in Checking the logs when PFSense crashed.:
I have only one connected PC, and it is in sleep mode while I am asleep
When your PC goes into sleep mode, it will take down the network interface.
This will also take down the pfSense LAN interface.
Test this : add a small 5 $ switch between your PC and pfSense.
-
@Gertjan I checked the location of the logs you mentioned and examined the logs for the specified time. Suricata recorded a block log for 224.0.0.22. It's possible that blocking the IGMP packets caused the PC to be unable to join the LAN group, resulting in no internet connection.
Next, I would like to configure the permit settings for the mentioned IP address on PFSense and recheck under the same conditions.
@Gertjan said in Checking the logs when PFSense crashed.:
Most hardware issues will also 'freeze' the machine.
Regarding the word 'console,' I, as a Japanese speaker, didn't have a good understanding of English vocabulary and misunderstood it as 'logging into the console via freeze.' I apologize for the confusion. I now understand that 'console' refers to devices such as keyboards and displays.
I wrote that PFSense may have been frozen, but since the network icon in the bottom right corner of Windows 11 showed an online status mark, I also considered the possibility that it might be frozen, but the link itself could still be connected.
@Gertjan said in Checking the logs when PFSense crashed.:
What hardware, pfSense version?
My hardware is MiniPC made by XCY corporation.
Intel(R) Celeron(R) 3205U @ 1.50GHz
2 CPUs: 1 package(s) x 2 core(s)
AES-NI CPU Crypto: No
QAT Crypto: No
PFSense's version is...
2.6.0-RELEASE (amd64)
built on Mon Jan 31 19:57:53 UTC 2022
FreeBSD 12.3-STABLE
I also confirmed from the General tab logs that when the PC enters sleep mode, the LAN also goes into a down state. In the previous version of PFSense, I could still use the internet after waking the PC from sleep, so I found it strange. However, the sequence seems to be as follows:
The PC enters sleep mode, causing the LAN to go into a down state and temporarily disconnecting the PC from the LAN group.
The PC wakes up from sleep mode and sends IGMP packets, but they get blocked by Suricata.
The PC does not register in the LAN group, resulting in no internet connection (also unable to connect to 192.168.1.1).
I was concerned about why IGMP packets were being blocked, as I hadn't experienced this issue before with PFSense and Suricata. I'm relieved that we might have found a solution. Thank you for providing the location of the logs.
-
When pfSense crashes or freezes, the first thing you should do is deactivate / remove packages like Suricata.
It's also known that Suricata can produce huge log files, so the file system (disk) fills up totally. And a full disk == the system goes down (and unable to log, as it is full).
@Yet_learningPFSense said in Checking the logs when PFSense crashed.:
The PC wakes up from sleep mode
You should see in the DHCP server log the entries showing that your PC re-requested a LAN IP.
On the PC side, run: ipconfig /all
and you should see that it obtained an IP, DNS, gateway etc.
-
@Gertjan Thank you for your continued support. I haven't removed the block rule for Suricata's IGMP packets yet, so I will try running "ipconfig /all" again tomorrow under the same conditions. I understand that Suricata sometimes mistakenly blocks various IP addresses, but I don't want to compromise security, so I'll leave it as it is. Since I've changed the target from WAN to LAN, the need to register the IP addresses of legitimate sites has decreased.
-
I would not expect any block on igmp to prevent you accessing the LAN from a client in that subnet.
-
@stephenw10 Thank you for your response. Even after restarting my PC, I was able to reproduce the same situation. So, while looking at the block log, I tried allowing not only 224.0.0.22 but also 192.168.1.255. Then, when I woke up today and resumed from sleep mode, the internet connection was automatically established, and I could browse websites as usual! It seems that allowing only 224.0.0.22 was not enough, as you pointed out. I feel relieved.
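
A check for the situation described in this thread, where a blocker running on the LAN side blocks multicast and broadcast addresses that the clients rely on. This is an added example, not part of any post and not pfSense or Suricata code; the /24 mask, the function names and the sample log lines are assumptions.

```python
import ipaddress
import re

# Assumption: the LAN is 192.168.1.0/24 with pfSense at 192.168.1.1
# (the thread shows 192.168.1.1 and 192.168.1.255 but never states the mask).
LAN = ipaddress.ip_network("192.168.1.0/24")
FIREWALL = ipaddress.ip_address("192.168.1.1")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def classify(addr):
    """Return why blocking addr would disrupt LAN clients, or None."""
    if addr == FIREWALL:
        return "firewall LAN address"
    if addr in (LAN.broadcast_address, LIMITED_BROADCAST):
        return "broadcast"
    if addr.is_multicast:
        return "multicast"
    if addr in LAN:
        return "LAN host"
    return None

def risky_blocks(lines):
    """Map each blocked LAN-critical address to its reason, first-seen order."""
    found = {}
    for line in lines:
        for text in IPV4.findall(line):
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:
                continue  # looks like an IPv4 address but is not valid
            reason = classify(addr)
            if reason and str(addr) not in found:
                found[str(addr)] = reason
    return found

# Constructed sample lines; this is not Suricata's real block log format.
SAMPLE = [
    "06:58:01 blocked 224.0.0.22 proto=IGMP",
    "06:58:02 blocked 192.168.1.255 proto=UDP",
    "06:58:09 blocked 203.0.113.50 proto=TCP",
    "06:58:11 blocked 192.168.1.20 proto=UDP",
    "06:58:12 blocked 999.1.1.1 malformed",
]

if __name__ == "__main__":
    for ip, reason in risky_blocks(SAMPLE).items():
        print(f"{ip}: {reason} -> review before leaving it blocked")
```

Addresses it reports are candidates for review against the pass list; external addresses such as the 203.0.113.50 sample are left alone.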
-
@Yet_learningPFSense I'm keeping an eye on it as it is, but I'm still online and disconnected. It seems better to put the L2 switch in between as was pointed out.
-
@Yet_learningPFSense said in Checking the logs when PFSense crashed.:
I'm still online and disconnected.
I'm not sure what you mean by that. The gateway shows as up but you cannot connect out?
-
@stephenw10 I could not use chatgpt and may have done a poor job of translating, but before the L2 switch was installed, I would wake up from sleep or reboot and the connection would stay online or be disconnected. The gateway was not up (the network icon was an X) and 192.168.1.1 was also not connectable.
I have been trying to put an L2 switch in between and so far the connection never seems to get disconnected. I will keep an eye on the status a little longer.