Utorrent causes internet crash ONLY at one pc, internal lans fine

Guest

instead of limiting the speed, limit the number of connections possible. Over 1,000 connections used to lock up my cheapy linksys router before I went to pfsense. Just something to try, I could be way off base on this though since I would assume it should be using your system's ram to store connections.

Also if you have a pfsense box setup, install pfblocker. Personally I block China / Brazil and a handful of other countries. Nothing but garbage connections.

cmb

If it were the number of connections, or something else that was being done to the firewall, it would affect every machine. Assuming there aren't per-IP state or bandwidth limits configured (there aren't by default), it would have to be something on the PC itself.

Guest

I was assuming the number of connections at the PC level, and hoping to use the firewall and utorrent settings to help reduce the load on the poor little realtek card :-P

I only gave reference to my linksys because that's the only experience I've had, just to reiterate that I could be wrong about the realtek card getting overwhelmed (simply not understanding why or how the number of connections would affect a nic in a PC).

stephenw10

We need to hear back from Tastyratz to confirm this but as I read it the machine is still reachable on the LAN after it has stopped talking to the internet. Other clients are still able to talk to the internet as well. This implies that it is not a hardware or driver problem either in the client or the pfSense box.
I would suggest it could be Snort in the pfSense box blocking things or perhaps some other blocking rule. However I would expect it more likely that the client has some software firewall that might be interfering or is somehow loosing it's routing information.

if I ping random new dns addresses it resolves dns but refuses to ping

How does it fail to ping? 'No route'? no response?

Steve

tastyratz

I do have pfblocker installed already actually, good little app.

I dropped the number in connections 400% and the problem got worse. If it were number of connections then when I dropped the connection number I would see the problem improve, not get worse I would think? I cut them down and throughput improved… but it tanked more often.

I agree on a small scale router it can take a beating... but that's why I have a pfsense thin client setup in my home because it can handle heavy usage.

I had avast firewall but disabled it to no change, no windows firewall. snort is installed but not configured yet.

Stephenw10, you did read correct, so that makes me hesitate. It certainly is an odd one. Pings fail as a timeout but do resolve an IP.

I have a good feeling about that green ethernet garbage, I just don't have anything to really test it out till next week.

stephenw10

If the ethernet interface in the client were going into some power saving mode you would not be able to access anything through it. No pinging local clients, no RDP, nothing. :-
If the pings are failing as a time out then the client still has a route, is a it a valid route? You still have DNS resolution. Presumably you are using the DNS forwarder in pfSense?

What rules are you using in pfBlocker? Are you seeing anything in firewall logs?

Steve

tastyratz

ok I just kicked off my next series of big downloads and its still going on unfortunately

traffic shaper off
only firewall rules are pfblocker and bogon networks.
pfblocker has spamhaus DROP and attack lists setup only, no country filtering or anything.

Firewall log is jam packed, TONS of udp packets blocked. 50 entries isn't lasting 8 seconds under full tilt download, no entries for pfblocker last few times

cpu usage when downloading at 5.5 megs was around 60%. I thought I had snort installed but actually I don't.

Everything was still up but I rebooted the pfsense box and pc for good measure last night when it happened around 7. I was able to get a good 4 hours or so without issue till it hung up again. I was unable to reach pfsense by the web interface at 7 but after the reboot and this morning, fine.

Interface Stats for fxp1 IPv4 IPv6
Bytes In 3019044522 17424
Bytes Out 71203496960 0
Packets In
Passed 36941172 0
Blocked 820 242
Packets Out
Passed 50115758 0
Blocked 0 0

State Table Total Rate
current entries 1386
searches 174168351 4485.4/s
inserts 262768 6.8/s
removals 261382 6.7/s
Source Tracking Table
current entries 0
searches 0 0.0/s
inserts 0 0.0/s
removals 0 0.0/s
Counters
match 334924 8.6/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 0 0.0/s
proto-cksum 9 0.0/s
state-mismatch 294 0.0/s
state-insert 5224 0.1/s
state-limit 0 0.0/s
src-limit 0 0.0/s
synproxy 0 0.0/s
divert 0 0.0/s
Limit Counters
max states per rule 0 0.0/s
max-src-states 0 0.0/s
max-src-nodes 0 0.0/s
max-src-conn 0 0.0/s
max-src-conn-rate 0 0.0/s
overload table insertion 0 0.0/s
overload flush states 0 0.0/s
states hard limit 47000
src-nodes hard limit 47000
frags hard limit 5000
tables hard limit 3000
table-entries hard limit 1000000
tcp.first 120s
tcp.opening 30s
tcp.established 86400s
tcp.closing 900s
tcp.finwait 45s
tcp.closed 90s
tcp.tsdiff 30s
udp.first 60s
udp.single 30s
udp.multiple 60s
icmp.first 20s
icmp.error 10s
other.first 60s
other.single 30s
other.multiple 60s
frag 30s
interval 10s
adaptive.start 28200 states
adaptive.end 56400 states
src.track 0s
all
Cleared: Fri Apr 12 05:45:27 2013
References: [ States: 1388 Rules: 1 ]
In4/Pass: [ Packets: 0 Bytes: 0 ]
In4/Block: [ Packets: 0 Bytes: 0 ]
Out4/Pass: [ Packets: 0 Bytes: 0 ]
Out4/Block: [ Packets: 0 Bytes: 0 ]
In6/Pass: [ Packets: 0 Bytes: 0 ]
In6/Block: [ Packets: 0 Bytes: 0 ]
Out6/Pass: [ Packets: 0 Bytes: 0 ]
Out6/Block: [ Packets: 0 Bytes: 0 ]
carp
Cleared: Fri Apr 12 05:45:27 2013
References: [ States: 0 Rules: 1 ]
In4/Pass: [ Packets: 0 Bytes: 0 ]
In4/Block: [ Packets: 0 Bytes: 0 ]
Out4/Pass: [ Packets: 0 Bytes: 0 ]
Out4/Block: [ Packets: 0 Bytes: 0 ]
In6/Pass: [ Packets: 0 Bytes: 0 ]
In6/Block: [ Packets: 0 Bytes: 0 ]
Out6/Pass: [ Packets: 0 Bytes: 0 ]
Out6/Block: [ Packets: 0 Bytes: 0 ]
enc
Cleared: Fri Apr 12 05:45:27 2013
References: [ States: 0 Rules: 1 ]
In4/Pass: [ Packets: 0 Bytes: 0 ]
In4/Block: [ Packets: 0 Bytes: 0 ]
Out4/Pass: [ Packets: 0 Bytes: 0 ]
Out4/Block: [ Packets: 0 Bytes: 0 ]
In6/Pass: [ Packets: 0 Bytes: 0 ]
In6/Block: [ Packets: 0 Bytes: 0 ]
Out6/Pass: [ Packets: 0 Bytes: 0 ]
Out6/Block: [ Packets: 0 Bytes: 0 ]
enc0
Cleared: Thu Apr 11 19:01:13 2013
References: [ States: 0 Rules: 1 ]
In4/Pass: [ Packets: 0 Bytes: 0 ]
In4/Block: [ Packets: 0 Bytes: 0 ]
Out4/Pass: [ Packets: 0 Bytes: 0 ]
Out4/Block: [ Packets: 0 Bytes: 0 ]
In6/Pass: [ Packets: 0 Bytes: 0 ]
In6/Block: [ Packets: 0 Bytes: 0 ]
Out6/Pass: [ Packets: 0 Bytes: 0 ]
Out6/Block: [ Packets: 0 Bytes: 0 ]
fxp0
Cleared: Thu Apr 11 19:01:10 2013
References: [ States: 0 Rules: 42 ]
In4/Pass: [ Packets: 50045744 Bytes: 71171714500 ]
In4/Block: [ Packets: 66116 Bytes: 6309492 ]
Out4/Pass: [ Packets: 36902402 Bytes: 3006758836 ]
Out4/Block: [ Packets: 3 Bytes: 180 ]
In6/Pass: [ Packets: 0 Bytes: 0 ]
In6/Block: [ Packets: 12623 Bytes: 910008 ]
Out6/Pass: [ Packets: 0 Bytes: 0 ]
Out6/Block: [ Packets: 0 Bytes: 0 ]
fxp1
Cleared: Thu Apr 11 19:01:12 2013
References: [ States: 0 Rules: 15 ]
In4/Pass: [ Packets: 36941624 Bytes: 3019045499 ]
In4/Block: [ Packets: 820 Bytes: 29335 ]
Out4/Pass: [ Packets: 50116257 Bytes: 71204213926 ]
Out4/Block: [ Packets: 0 Bytes: 0 ]
In6/Pass: [ Packets: 0 Bytes: 0 ]
In6/Block: [ Packets: 242 Bytes: 17424 ]
Out6/Pass: [ Packets: 0 Bytes: 0 ]
Out6/Block: [ Packets: 0 Bytes: 0 ]
lo
Cleared: Fri Apr 12 05:45:27 2013
References: [ States: 0 Rules: 1 ]
In4/Pass: [ Packets: 0 Bytes: 0 ]
In4/Block: [ Packets: 0 Bytes: 0 ]
Out4/Pass: [ Packets: 0 Bytes: 0 ]
Out4/Block: [ Packets: 0 Bytes: 0 ]
In6/Pass: [ Packets: 0 Bytes: 0 ]
In6/Block: [ Packets: 0 Bytes: 0 ]
Out6/Pass: [ Packets: 0 Bytes: 0 ]
Out6/Block: [ Packets: 0 Bytes: 0 ]
lo0
Cleared: Fri Apr 12 05:45:27 2013
References: [ States: 0 Rules: 3 ]
In4/Pass: [ Packets: 1280 Bytes: 113965 ]
In4/Block: [ Packets: 0 Bytes: 0 ]
Out4/Pass: [ Packets: 1280 Bytes: 113965 ]
Out4/Block: [ Packets: 0 Bytes: 0 ]
In6/Pass: [ Packets: 0 Bytes: 0 ]
In6/Block: [ Packets: 0 Bytes: 0 ]
Out6/Pass: [ Packets: 0 Bytes: 0 ]
Out6/Block: [ Packets: 0 Bytes: 0 ]

stephenw10

@tastyratz:

Firewall log is jam packed, TONS of udp packets blocked. 50 entries isn't lasting 8 seconds under full tilt download

Well this seems odd. What firewall rule is blocking these packets?

@tastyratz:

cpu usage when downloading at 5.5 megs was around 60%.

That seems very high CPU usage. A processor such as yours would usually barely notice 5.5Mbps. Do you have powerd enabled? Some other cpu scaling utility?

Have you ever had Snort installed? Sometimes it can leave things behind that cause problems.

Steve

tastyratz

I must have removed snort, I think I had it before bit it doesn't show under installed packages. How do I fully clean it out if it left remants like that?

I rebooted that pc at 8:45am this morning, it JUST went down again at 10am pulling a steady 5.5megabytes down. it hard cuts when it goes down, not a slow drop of clients and problems creep in or anything like that, it's like I just yanked the wan cord as far as that pc sees it.

I did have speed issues with powerd enabled so I did disable it, I have pfsense installed in a thin client with a p3 733 and 512mb ram, dual intel pro 10/100 card. I have encryption forced on outbound connections, I have noticed cpu usage can get pretty high when any ssl traffic is passed.

How can I see what rule blocked it? I go to status > system logs > firewall and see the list there.
Entries just look like below (with ip's removed):

Apr 12 09:12:42 WAN (Source outside IP):60658 (My IP):7121 UDP

stephenw10

Hmm, I'm not sure about Snort. I've not seen it myself but I've seen other mention it before. Mostly I think it was a problem where Snort would block something then it was uninstalled resulting in no way to unblock it. Left over block rules.

Ah, Bytes not bits and a P3 not a 5800K (must read better!) would explain the CPU usage. You should almost certainly not have powerd enabled for that. Only the mobile P3 had speedstep and I don't think it was supported anyway.

@tastyratz:

How can I see what rule blocked it?

I knew you'd ask that and the answer has temporarily escaped me! ::)
Thinking about it the blocked udp packets during a download are not that important. What would be interesting is looking in the firewall logs after your client has stopped being able to reach the internet. Try to open a few web sites or whatever and then check the logs.

Steve

tastyratz

This time it only lasted 30 minutes before crashing, it just went down again.
I disabled PFblocker to see if that was doing anything and it did not change anything.

I also just disabled the bogon network rule and all other firewall rules just… didn't exist.
So why does my firewall log still show as LOADED with entries? 50 entries view is only spanned over 1 second

EDIT
I found out how to view what triggered it by clicking the red x
the rule that triggered this action is:
@1 scrub on fxp1 all fragment reassemble
@1 block drop in log all label "default deny rule"

I also found this explanation:
http://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection%2C_why%3F

So looks like that's normal, dead end.

stephenw10

By default pfSense blocks everything everywhere, the 'default deny rule'.

If you have been running a P2P application you will see a large number firewall hits as other clients worldwide attempt to connect to you. This can take days to timeout.

What firewall entry was that for? During download or after it failed?

Steve

Guest

uTorrent uses UDP connections as well. Take note if the UDP port number is the same as uTorrent's defined port number. Though this is unlikely why your connection drops off, just an explanation of why you see massive UDP connections.

If you go to Status > Services, do you see snort listed?

When you say you run pfsense as a thin client, I take this to mean you have a separate white box running vSphere with pfsense as a virtual machine? While your uTorrent box is a separate/dedicated computer?

With the above being true, if restarting the uTorrent box restores connectivity then the issue is solely the uTorrent box at fault.

DNS resolution isn't definitive, as it could pull from cache. With pings timing out I'd go as far to say you have 0 connectivity, not limited. Download the Windows XP Mode from download.microsoft.com which should be about 400-500mb and will max out your speed.

This way it's a single connection pushing 5mbps easily. You can rule out if it's uTorrent's fault, the number of connections, or if it's going too fast.

tastyratz

Heavy1metal:
no I don't see snort listed under services listed
I run pfsense on an old thin client for the hardware, a wyse type box as a glorified mini computer - not virtualized. From there I plug into a gig switch which runs to my desktop pc having the issue and my other computers having no issues at the moment. I
DNS isn't pulling from cache because I am randomly asking people for websites that i have never before visited - they are all fresh pulls.
If I close utorrent on the desktop the issue does not go away. If I reboot the pfsense machine it does not solve the issue either… but how could utorrent break the connection ONLY at that pc and ONLY to wan traffic? what could be done locally to cripple wan but not lan? That is the strangest part...

Stephen:
That was during download after rebooting it.
The entries look similar after it crashes. I just went down again and the entries for firewall are the same type and around the same frequency.
Mostly udp, some TCP:S, some TCP:R, some ICMP6, all WAN. I turned off logging of default rule blocks and then tried checking a web page - nothing new showing up, firewall is empty.

That being said: I have vmware workstation loaded on my desktop. I just fired up one of the virtual machines and attempted to pull up a web page - same end result for what it's worth. I also remotely connect to my desktop during the day with teamviewer and leave the connection open. I know the issue happens when it does because my remote connection drops. When that happens I teamviewer to my laptop to rdp into my desktop and troubleshoot.

stephenw10

@tastyratz:

what could be done locally to cripple wan but not lan?

Change the default route information or gateway. Then you have access only to local subnet services. That would include the DNS forwarder in pfSense. Of course I have no idea why it might be doing that. Rogue DHCP server on your network? That happens surprisingly frequently and can cause all manner of problems.

I suggest you run an 'ipconfig /all' on your Windows box before and after failure and compare the two.

@tastyratz:

That being said: I have vmware workstation loaded on my desktop. I just fired up one of the virtual machines and attempted to pull up a web page - same end result for what it's worth.

Is this the same machine you run utorrent on? You mean a VM running on that machine after it fails to connect also fails to connect?

Steve

tastyratz

ipconfig nets the same IP. if I do a release/renew it does get an IP (same one) from pfsense and gateway is the same. It behaves the same both before and after restarting the pc.

Correct, once my desktop no longer communicates with the internet, the vmware machine running on the same desktop pc also has no internet access.

stephenw10

Is the VM getting a new IP from pfSense or is it NATed from the host machine?

What about the routing information, try 'route print' before and after failure.

Steve

tastyratz

VM actually grabs via pfsense, it shows up in the arp table there.

Here's a fresh route print before failure (192.168.1.1 is the pfsense machine, and 1.11 is my desktop):

===========================================================================
Interface List
10…b8 97 5a 27 36 b8 ......Realtek PCIe GBE Family Controller
14...00 50 56 c0 00 01 ......VMware Virtual Ethernet Adapter for VMnet1
15...00 50 56 c0 00 08 ......VMware Virtual Ethernet Adapter for VMnet8
1...........................Software Loopback Interface 1
11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3

IPv4 Route Table

Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.11 10
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
169.254.0.0 255.255.0.0 On-link 169.254.217.240 276
169.254.0.0 255.255.0.0 On-link 169.254.238.131 276
169.254.217.240 255.255.255.255 On-link 169.254.217.240 276
169.254.238.131 255.255.255.255 On-link 169.254.238.131 276
169.254.255.255 255.255.255.255 On-link 169.254.217.240 276
169.254.255.255 255.255.255.255 On-link 169.254.238.131 276
192.168.1.0 255.255.255.0 On-link 192.168.1.11 266
192.168.1.11 255.255.255.255 On-link 192.168.1.11 266
192.168.1.255 255.255.255.255 On-link 192.168.1.11 266
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 169.254.238.131 276
224.0.0.0 240.0.0.0 On-link 169.254.217.240 276
224.0.0.0 240.0.0.0 On-link 192.168.1.11 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 169.254.238.131 276
255.255.255.255 255.255.255.255 On-link 169.254.217.240 276
255.255.255.255 255.255.255.255 On-link 192.168.1.11 266

Persistent Routes:
None

And here is one right after everything hits the fan:

===========================================================================
Interface List
10...b8 97 5a 27 36 b8 ......Realtek PCIe GBE Family Controller
14...00 50 56 c0 00 01 ......VMware Virtual Ethernet Adapter for VMnet1
15...00 50 56 c0 00 08 ......VMware Virtual Ethernet Adapter for VMnet8
1...........................Software Loopback Interface 1
11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3

IPv4 Route Table

Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.11 10
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
169.254.0.0 255.255.0.0 On-link 169.254.217.240 276
169.254.0.0 255.255.0.0 On-link 169.254.238.131 276
169.254.217.240 255.255.255.255 On-link 169.254.217.240 276
169.254.238.131 255.255.255.255 On-link 169.254.238.131 276
169.254.255.255 255.255.255.255 On-link 169.254.217.240 276
169.254.255.255 255.255.255.255 On-link 169.254.238.131 276
192.168.1.0 255.255.255.0 On-link 192.168.1.11 266
192.168.1.11 255.255.255.255 On-link 192.168.1.11 266
192.168.1.255 255.255.255.255 On-link 192.168.1.11 266
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 169.254.238.131 276
224.0.0.0 240.0.0.0 On-link 169.254.217.240 276
224.0.0.0 240.0.0.0 On-link 192.168.1.11 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 169.254.238.131 276
255.255.255.255 255.255.255.255 On-link 169.254.217.240 276
255.255.255.255 255.255.255.255 On-link 192.168.1.11 266

Persistent Routes:
None

stephenw10

Hmmmm. :-\

What do you have between the pfSense box and the client? Assuming you have some switch does it have any features that may be contributing to this? Have you tried power cycling the switch? Have you tried removing the ethernet cable from the client?

Otherwise I'm stumped!

Steve

tastyratz

yea this is a real tough one. It's just a standard trendnet gig dumb switch, nothing to it… no features. I haven't bounced it yet or messed with the cable because of that. Nothing else in the middle