QNAP pfSense dropout

ppal · Dec 12, 2024, 10:56 AM

I am running pfSense 2.7.2-RELEASE (amd64), built on Tue Mar 5, 2024, on a FreeBSD 14.0-CURRENT virtual machine hosted on a QNAP NAS. Connectivity is through a Wireless Access Point (WAP). Please note that I am not seeking feedback on the merits of using a NAS for a router—comments on that topic will not be helpful.

The setup works as expected under certain conditions, but I am encountering a problem with device switching:
1. If I use the internet on a laptop, everything runs smoothly without any issues.
2. When I switch to using an iPad, it connects successfully to pfSense but cannot access the internet. A reboot of the VM temporarily resolves this issue.
3. If I return to the laptop after using the iPad, the same problem occurs—pfSense connects fine, but there is no internet access until the VM is rebooted again.

The WAP works without issue with other routers, so it is unlikely to be the root cause unless there is some specific incompatibility. I suspect the issue might be related to the VM setup.

Could you advise what log details I should review to diagnose the problem?

stephenw10 · Dec 12, 2024, 2:19 PM

Hmm, so after having connected with an ipad the laptop no longer connects out?

Does that apply to any device? Only the first device to connect is able to connect out?

Is pfSense the DHCP server in that scenario? Do any number of clients pull a dhcp lease correctly? Do they all appear in the ARP table?

That is a bizarre problem! It 'feels' like a conflict somewhere. Like every device trying top use the same NAT state somehow....

Side note: I guess you managed to get it installed. Did you use the legacy image to do so? It might be worth investigating why the Net Installer doesn't work there.

Steve

ppal · Dec 12, 2024, 8:43 PM

@stephenw10 said in QNAP pfSense dropout:

Hmm, so after having connected with an ipad the laptop no longer connects out?
Ans: Yes.

Does that apply to any device? Only the first device to connect is able to connect out?
Ans: Also if go from ipad to another desktop - same issue. Reboot pfsense and then fine. (maybe I have some how limited the number of connections?)

Is pfSense the DHCP server in that scenario? Do any number of clients pull a dhcp lease correctly? Do they all appear in the ARP table?
Ans: pfsense is the DHCP server and ip is issued to all devices (even though they can't get to the internet they login to the NAS and pfsense without issues)

That is a bizarre problem! It 'feels' like a conflict somewhere. Like every device trying top use the same NAT state somehow....
Ans: (I have a feeling it is an ISP issue because I had one service where I had pfsense connected via PPPoeE (did not see this issue) but the one with the issue is DHCP connection. The one with the DCHP is from Telstra (Aust) and there is some suggestion that it relies on a "heartbeat" but i understand others have connected to Telstra without issues. (Perhaps there is a setting that i need to tweak)

Side note: I guess you managed to get it installed. Did you use the legacy image to do so? It might be worth investigating why the Net Installer doesn't work there.

Ans: I totally reinitialised the box wiped out everything and did the latest ISO install and it went fine. pfsense is all that it is doing. Nothing else is running or competing with the resources.

stephenw10 · Dec 12, 2024, 9:15 PM

Hmm, is it NATing outbound on WAN correctly? I could just about believe the upstream router is restricting you to a single IP if the internal IPs are somehow being routed directly.

Check the states in Diag > States. You should be able to see the translation on the WAN side state for each connection.

ppal · Dec 12, 2024, 9:29 PM

@stephenw10 said in QNAP pfSense dropout:

Hmm, is it NATing outbound on WAN correctly? I could just about believe the upstream router is restricting you to a single IP if the internal IPs are somehow being routed directly.

Which upstream router are you referring to? (Is it the one at the ISP?)

There is only one router on my end. Here's the setup:

NTD (Network Termination Device): It can supply up to four ISP services. I'm using two services from two different ISPs—one connected to a pfSense setup and the other to an AUS router. These two services are completely independent with no interaction or connection between them on my side.
The arrangement for the relevant service is as follows:

(ISP) → Fibre → (NTD) → (pfSense on QNAP) → WAP → (Clients)

What exactly should I be looking at? Thank you for your assistance.

stephenw10 · Dec 14, 2024, 4:08 AM

Yes I meant whatever is upstream of pfSense. So that could be the NTD or the next hop router at the ISP.

The states should look something like:

LAN1 	icmp 	192.168.1.5:3 -> 1.1.1.1:3 	0:0 	10 / 10 	840 B / 840 B 	
PLUSNET 	icmp 	217.45.XX.XX:60209 (192.168.1.5:3) -> 1.1.1.1:60209 	0:0 	10 / 10 	840 B / 840 B

That is filtered for 1.1.1.1. You can see the source is translated by the outbound NAT from the internal address to the WAN address.

Both your clients should appear like that. The upstream device should see no difference between them as it only ever sees the WAN IP.

ppal · Dec 14, 2024, 4:08 AM

@stephenw10 - It will be working fine and then just lose connection login-to-view . The QNAP only has two NICS - common one for LAN and one for WAN. The switch is set as shown. Looks like a loss connection. Perhaps needs a dedicated NIC.
login-to-view

stephenw10 · Dec 14, 2024, 2:45 PM

Hmm, so it disconnects even if you just have one client connected? Not related to connecting a second client?

That log above seems to show the physical NIC losing link in the NAS which is not something pfSense would have control over in that setup.

ppal · Dec 14, 2024, 3:20 PM

@stephenw10 what would be the diagnostic report / filters that could show me connection and dropout times? Thank you for your help.

ppal · Dec 15, 2024, 4:11 AM

@stephenw10 psfSense shows 100% packet loss when it hangs up. Both WAN and LAN are shown as green and up.

stephenw10 · Dec 16, 2024, 1:06 PM

Do both NICs fail at the same time? Or is it still reachable internally via NIC2?

And, to be clear, you now think this is a general connection failure and not related to different clients connecting?

JonathanLee · Dec 16, 2024, 3:55 PM

I had an issue with a printer when it would go to sleep it would not let me print or find the printer. I created a dhcp record for it set it to static, added a dns host override for it and never had an issue again. I assume your QNAP goes to sleep when it’s not in use like my Buffalo NAS and that might be the issue… it’s sleeping on the job and needs to have the ability to be woke up, the static arp record might help it did for me.

ppal · Dec 16, 2024, 11:59 PM

@stephenw10 Hi only loss of internet. LAN is still accessible. I think that it is specific Bigpond (Australian ISP DHCP Login ) issue. I moved the QNAP to another ISP (TPG with PPPoE) which does not have disconnection issues. pfSense not playing nicely with Bigpond . Now trying with OPNSense to see if similar. (Connection is via the same NTD which has 4 ports for Fibre service - I have two activated.

ppal · Dec 17, 2024, 12:01 AM

@JonathanLee possibly a going to sleep issue but I have no hibernation turned on. Will see if I can implement your approach.

stephenw10 · Dec 17, 2024, 12:17 AM

@ppal said in QNAP pfSense dropout:

pfSense not playing nicely with Bigpond

Hmm, waaay back in the day there were some special options for bigpond. Anything logged in dhcp?

Does a pcap show it requesting leases? ARPing for stuff?

ppal · Dec 17, 2024, 12:46 AM

@stephenw10
Hi Stephen,

Thank you for your suggestions earlier. I’ll revisit pfSense after completing my testing with OPNSense. I noticed that another user had a similar issue (https://forum.netgate.com/topic/169400/pfsense-ipv6-with-telstra-nbn), but it seems they didn’t receive much assistance on the forum.

Apparently, there’s a detailed 32-step guide to get IPv6 working: https://whirlpool.net.au/wiki/pfsense_ipv6_telstra.

For now, even having IPv4 running reliably would be a great starting point!

Thanks again for your insights.

Best regards,

stephenw10 · Dec 18, 2024, 6:39 AM

Hmm, I'm never sure how similar services are between providers on NBN. That seems to be IPv6 specific though and you stopped seeing all connectivity.

ppal · Dec 18, 2024, 6:39 AM

@stephenw10 Hi

I have swapped the LAN and WAN ports. What would be the best package to monitor the connections.

stephenw10 · Dec 19, 2024, 9:18 PM

It should be detected and logged by the gateway monitoring anyway without a package.

However you can run something like mytraceroute on the firewall to see where it fails. Or something smokeping on a client behind the firewall.

ppal · Dec 19, 2024, 9:18 PM

@stephenw10 I found this https://www.telstra.com.au/content/dam/tcom/small-business/support/pdf/nbn-byo-%20router-guide.pdf - Looks like requires traffic shaping and requires. MTU 1500 or lower . Probably go for MTU 1492 and MSS 1452 and shape the traffic to my tier.