QNAP pfSense dropout
-
By 'locked up' I assume you mean just stopped passing traffic because it looks like you were still able to login to it?
-
@stephenw10 The issue is with the WAN—packet loss and loss of internet—but I can still access the system via LAN. Rebooting sometimes resolves it, but only for hours or minutes.
I suspect it’s a settings issue. I’ve had similar issues with this ISP when running pfSense on an old PC. However, the ISP-supplied router runs without issues for months, so the service itself seems fine.
I’m considering a Netgate appliance to remove uncertainties, but I believe the problem lies with the QNAP VM. I’ve experienced the same issue with OPNSense and SOPHOS Home on the VM: internet loss while LAN stays functional.
Swapping the LAN/WAN ports yields the same result, so it doesn’t seem to be a port-specific problem.
-
Hmm, well those tests seem to imply the VM setup is an issue I agree. However if it does the same thing using pfSense baremetal on an old PC that implies it isn't. So hard to say at this stage.
Probably need a new baremetal test to confirm if you can.
-
@stephenw10 some digging - Upstream Traffic: Set DSCP to 0. - how do I get to this setting. Somewhere in the firewall ?
To use a non-Telstra-provided Gateway, the device must:
• Support WAN on an Ethernet port. If not, please consider purchasing a business gateway from us.
• Support xDSL port for VDSL with Vectoring (FTTN & FTTB deployments only).
• Use Ethernet full duplex with auto-negotiation on so that the gateway signals to UNI-D (nbn network
termination device port) that it’s full duplex capable, avoiding duplex mismatch (excluding FTTN &
FTTB deployments).
• Operate as a gateway with a single MAC address assigned to the port.
• Not configured as a bridge or hub.
• Support NAT.
• Use DHCPv4 to ‘request’ the IP address (this is essential to create the IP session on our service
edge. The DHCP response will contain DNS information, as well as the allocated static address). The
network will return both IPv4 and IPv6 assigned address information.
• Be configured to transmit all upstream data untagged.
• Not use 802.1p priority or VLAN tagging as this will be ignored (subject to change).
TELSTRA CORPORATION LIMITED (ABN 33 051 775 556) | PRINTED 24/10/2016 BYO GATEWAY GUIDE WITH TELSTRA BUSINESS BROADBAND ON THE NBN
PAGE 2/4
• Be configured to mark all upstream traffic to ‘DSCP 0’ (zero).
• Ensure the L2 maximum frame size (also known as Maximum Transfer Unit - MTU) of no larger than
1500 octets.
• Shape upstream traffic to the Speed Level of the service purchased (e.g. shape upstream to 5Mbps
on a Speed Level 2 service i.e. 25Mbps downstream, 5 Mbps upstream).
https://www.telstra.com.au/content/dam/tcom/business-enterprise/support/pdf/byo-gateway-guide-telstra-business-broadband-on-nbn.pdf -
pfSense can match on DSCP but does not set it:
https://docs.netgate.com/pfsense/en/latest/firewall/configure.html#diffserv-code-point@ppal said in QNAP pfSense dropout:
Shape upstream traffic to the Speed Level of the service purchased (e.g. shape upstream to 5Mbps
on a Speed Level 2 service i.e. 25Mbps downstream, 5 Mbps upstream).This looks like a more likely potential problem if they enforce that by blocking traffic when it's not shaped.
-
@stephenw10 I added a 4 NIC Card into the NAS. Default Install and then set MTU to 1462. Now getting
Jan 22 08:27:00 php-cgi 21877 servicewatchdog_cron.php: Service Watchdog detected service kea-dhcp4 stopped. Restarting kea-dhcp4 (Kea DHCP Server)
Jan 22 08:27:15 php-cgi 95738 notify_monitor.php: Message sent to pranesh@pal.id.au OK
Jan 22 08:28:00 php-cgi 64510 servicewatchdog_cron.php: Service Watchdog detected service unbound stopped. Restarting unbound (DNS Resolver)
Jan 22 08:28:00 php-cgi 64510 servicewatchdog_cron.php: Service Watchdog detected service kea-dhcp4 stopped. Restarting kea-dhcp4 (Kea DHCP Server)
Jan 22 08:28:20 php-cgi 95738 notify_monitor.php: Message sent to pranesh@pal.id.au OK
Jan 22 08:29:00 php-cgi 42905 servicewatchdog_cron.php: Service Watchdog detected service unbound stopped. Restarting unbound (DNS Resolver)
Jan 22 08:29:00 php-cgi 42905 servicewatchdog_cron.php: Service Watchdog detected service kea-dhcp4 stopped. Restarting kea-dhcp4 (Kea DHCP Server)
every minute filling my Inbox. Any thoughts? -
Don't run the service watchog like that? Really it should only be used for troubleshooting.
If it's not enabled do those services just stop?
What NIC was it? Are you passing through the NICs to the VM?
-
@stephenw10 Yes the NICs allocated to VM via virtual switches. NICs is QNAP badged with intel chipset. The services stop when email notification is turned off. When notification is turned on the WAN connection is maintained but email sent every minute . Don’t know why disabling email stops WAN.
-
Check the dhcp and resolver logs if nothing is shown in the system log. They must be stopping for some reason.
Also check resource in Status > Monitoring Graphs you might be hitting some exhaustion.
If they are connected via vswitches then they are not 'passed through' directly. The NICs appear as virtioX in pfSense?
-
@stephenw10
Hi
Resolver Logs
🔒 Log in to view but nothing for today. This was yesterday.Ports appear as
🔒 Log in to view . Currently using VirtIO but have also tried Intel Gigabit option. When using VirtIO "Speed and Duplex" only available as autoselect under "WAN". If using Intel option then 10, 100 and 1000 speed option available. QNAP recommend VirtIO and to tick disable hardware checksum offloading. Don't know what specific graphs to look at but this PFSENSE is a test box with basically one iPAD connected with me on chess.com. -
Nothing in the system log showing those services failing?
I wouldn't expect the NICs to make any difference there.
-
@stephenw10 How would i go about replicating this in pfSense
🔒 Log in to view -
Well I would start by just enabling the igmp proxy and see if that accomplishes what you need with the default options.
https://docs.netgate.com/pfsense/en/latest/services/igmp-proxy.html
There are some custom options you can use via a custom conf file if required:
https://man.freebsd.org/cgi/man.cgi?query=igmpproxy.confBut igmpproxy is best avoided if at all possible IMO. What are you actually trying to do?