pfSense not correctly rebooting after mains fail/restore
-
This issue has bugged me for a while. My pfSense firewall box is connected to the network provider's modem to access their fiber network. The WAN side is configured with my PPPoE login credentials configured with OpenVPN. The ISP modem and pfSense box are on the same mains supply so both fail together. But when mains power is restored, pfSense dashboard appears to show a good connection with green ticks, but there's no Internet. If I force the pfSense box to reboot from setup options, an internet connection is restored. Since I can access the GUI, I must have a working Ethernet LAN connection, even though there's no internet.
If I restore power to the ISP modem (which authenticates my login), wait, then restore power to the pfSense firewall after a couple of minutes, I see the same green ticks but Windows now shows a solid internet connection.
Can anybody explain what may be going wrong? I wondered if it might be possible to delay pfSense rebooting after a mains fail, but I think this is a box BIOS function, unless there's another setting in pfSense configuration to pause a reboot then try again after say 2 minutes. I don't get many mains failures, but when I do my basic home network is offline until I force the firewall to reboot.
-
@voxmagna1 said in pfSense not correctly rebooting after mains fail/restore:
The WAN side is configured with my PPPoE login credentials configured with OpenVPN
You have an OpenVPN WAN?
Almost certainly what's happening here is something tries to connect at boot but fails because the modem is still booting. Then the modem boots sufficiently to bring up the WAN side Ethernet but because pfSense is still booting it ignores the link-up event resulting in not starting one of the required processes.
A simple fix for that is to create the file /boot/loader.conf.local and add to it a line like:
autoboot_delay="30"
You can probably optimise that for minimal delay.
Or consider using a UPS.
Steve
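The loader.conf.local change suggested above, as an added example that is not part of the original posts: a POSIX sh helper that sets autoboot_delay without duplicating the line or disturbing other entries already in the file. The function names and the scratch-file demo are assumptions made for illustration; on the firewall the target file would be /boot/loader.conf.local.

```shell
#!/bin/sh
# Added example (not from the thread): idempotently set a tunable in a
# loader.conf.local-style file. Function names are hypothetical.

# set_loader_tunable FILE KEY VALUE
set_loader_tunable() {
    file=$1; key=$2; value=$3
    # Accept only plain tunable names and non-negative integer values.
    case $key in ''|*[!A-Za-z0-9_.]*) echo "bad key: $key" >&2; return 2;; esac
    case $value in ''|*[!0-9]*) echo "bad value: $value" >&2; return 2;; esac

    [ -f "$file" ] || : > "$file" || return 1
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    # Drop any existing assignment of KEY, keep every other line untouched,
    # then append the new assignment once.
    awk -v k="$key" -v v="$value" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, k "=") == 1 { next }
        { print }
        END { printf "%s=\"%s\"\n", k, v }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 644 "$tmp" && mv "$tmp" "$file"
}

# get_loader_tunable FILE KEY -> prints the last value assigned to KEY
get_loader_tunable() {
    awk -v k="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, k "=") == 1 {
            val = substr(line, length(k) + 2); gsub(/"/, "", val)
        }
        END { print val }
    ' "$1"
}

# Demo on a constructed scratch file, not the live /boot/loader.conf.local.
demo=$(mktemp -d)
printf 'kern.cam.boot_delay="10000"\nautoboot_delay="3"\n' > "$demo/loader.conf.local"
set_loader_tunable "$demo/loader.conf.local" autoboot_delay 30
cat "$demo/loader.conf.local"
rm -rf "$demo"
```

Writing to a temporary file and renaming it keeps the boot configuration intact if the edit is interrupted, which matters on a box that loses power unexpectedly.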
-
Sorry, I didn't mean to confuse. WAN is connected to ISP modem and pfSense box is configured for OpenVPN on fixed client IP addresses so I can route connected clients either via the VPN tunnel or bypass it for certain streaming sites that want to see my real IP. I spent a lot of time trying to get either/or routing over VPN to work with firewall settings with some discussion and help from here but didn't succeed. My VPN and non-VPN routes are via blocks of IP addresses and by changing the client IP address I can choose the IP block and which way traffic goes. It also helps to make content filtering and client use easier to monitor, control, or create selective white and black lists for websites.
I think you fully understood my problem and I agree, the modem is still booting and seems to take a long time. In fact ISPs often tell their new customers to wait up to an hour to authenticate a new sign up. This shouldn't be the case here because they gave me a fixed IP address. I did log the handshake once and it seemed to take a long time to validate my credentials.
I'll try your suggested simple fix. I take it that's a new file in pfSense OS and there's nothing I can do from within the GUI; will it stick across a pfSense update? Both modem and pfSense are on 12 Volt, I could use a large li-ion battery pack, solar charger, and some diodes to be off grid!
-
Yes that file doesn't exist by default. Entries there override whatever is set in the main loader.conf file. Yes it survives a pfSense upgrade.
Full 12V system is a fun option.
-
@stephenw10 Yes I tried changing the default 3 seconds in loader.conf but it got overwritten.
I created /boot/loader.conf.local and made the delay time 60 seconds to be sure - that's about when the modem lights change their status to show connection to the ISP network. All is now good after a mains fail and wifey no longer needs the webmaster to get her internet back! Thanks
-
It probably doesn't need to be that long since pfSense doesn't start to check for some time. But if you don't reboot often it doesn't really matter.
-
@stephenw10 Now we have established the cause and a solution, I'll recap on my earlier post trying to work this out. The dashboard always shows green ticks through the firewall and OpenVPN. The screen is no different, showing no errors when pfSense is booting before the modem and 'hangs', but the end result on connected clients is no network activity. Why is the dashboard showing all the interfaces WAN, LAN and OpenVPN as UP? I used to rely on that, but since I had this mains reboot problem I can't rely on it. It doesn't seem to use polling to update its status because I can shut down and restart pfSense and still see all the interfaces showing green. How is this misleading Interface status determined? In the previous circular discussion I thought the problem was caused by DNS not up because I could see some data traffic. For whatever reason, if there's no internet connectivity as shown by Windows network status on the task bar, I felt pfSense Dashboard should be telling me the same?
-
The interface status only reflects the local link status. In the case of PPPoE or VPN it reflects whether that has connected to the remote server.
A better indication is the gateway status on each WAN link as that proves that traffic can pass it. However even that only pings the gateway IP by default. For better status set the gateway monitoring IP on each link type to a different remote IP like 8.8.8.8 or 1.1.1.1. That then proves traffic can pass each link from pfSense itself.
Clients could still be routed incorrectly or blocked though.
Steve
-
@stephenw10 O.K. I've pointed the WAN interface to 1.1.1.1. If I disconnect the WAN cable to the modem and after quite a long time, or logging back in to the pfSense webgui, the WAN status is showing correctly as DOWN. But curiously if I restore the WAN link cable the WAN status quickly shows UP. Is there an explanation for this asymmetric behaviour? Thanks, I'm pleased to have had your help on this long standing nuisance problem. Anybody else on a U.K. Openreach fiber modem should find our discussion helpful.
-
The WAN interface or the WAN gateway?
The gateway monitoring averages ping response so it may not immediately show 100% loss. If the WAN interface itself goes down or up, though, the monitoring process is stopped or restarted.
-
@stephenw10 I found an old post to follow settings to enter the External IP to Monitor. That led me astray because pfSense version changes have moved settings. Anyway, I found it under Status\Gateways\Related Settings (screen top right)\Edit WAN_PPOE\Monitor IP for anybody else looking for it. I'll do a config backup so I don't have to remember the path again!