Netgate Discussion Forum

    I have just been advised to ditch pfSense for an Eminem 'thing'

    General pfSense Questions
    33 Posts 10 Posters 4.8k Views
      Mr. Jingles

      By Synology support  ;D
      (Just as a side note: I have good relationships with Synology, up to the management layers in Taiwan. This is a technical support employee who answered my ticket. I can escalate this to my contacts @ corporate, but a little understanding of who is on the other side of the email goes a long way. So I will 'ping-pong' the ticket and hope he finally asks one of the devs for help. What I mean is: Synology is a good company, but, as for any company, it is difficult to avoid stupid customer service answers).

      I was wondering if anybody could help me with this problem I have:
      1. I have some Synology machines;
      2. They refuse to hibernate, even though no services that could avoid hibernation are running;
      3. When I disconnect the ethernet cable the systems hibernate and stay hibernated (I tested for 24h, they are supposed to hibernate after 10 minutes).
      4. Synology told me it is 'ARP'-messages from the router and recommended 'Eminem' or any other 'respectable' brand like the Cisco-home-crap.
      5. After some googling I found that in pfSense DHCP-server I can create a static ARP-entry for these Synologies. I did, but still no hibernation (the Syno's are static IP, btw).

      There is a lot of power to be saved for me (most of the machines only need to work at night, doing backups, and each of them has 4+ harddisks, so a lot of power).

      My questions:
      A. I have no idea if I need to do more than add these static ARP-entries (as I remain the official holder of the self-proclaimed title 'eternal pfSense noob'  ;D ), as I only barely understand what ARP is good for.
      B. I am not even sure if pfSense is the cause, since Synology support didn't even ask for logs. After all this googling, I found it could as well be any other computer in the LAN doing trolling on the LAN (e.g.: 'scanning who else is around'). Is there a way, out of some Linux log (Synology runs busybox) to find out which/what is preventing Synologies from hibernating?

      Thank you in advance for any help  ;D

      Bye,

      6 and a half billion people know that they are stupid, aggressive, lower life forms.

        GruensFroeschli

        Do you have ports forwarded from the internet to this synology box?
        I run a similar selfmade setup.
        My shutdown/hibernate criteria are: empty arp table, no users logged in, no screen session running.

        Since i have/had a webserver on this server running and the ports forwarded it never shut down because of crawler requests / port scans / other requests.
        Moving all the ports i used to non-standard ports solved it for me.
        Well "solved" is maybe the wrong word, but sufficiently worked around :)

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

          johnpoz LAYER 8 Global Moderator

          I would do a simple sniff on the pfsense interface connected to the network where the Synology sit – what traffic do you see, either in broadcast or unicast, to these machines' IP or even arp?

          If you're saying they should standby in 10 minutes - a sniff for say 15 minutes should show you what traffic on the lan is keeping the box up and what the source of it is.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

            Mr. Jingles

            @GruensFroeschli:

            Do you have ports forwarded from the internet to this synology box?
            I run a similar selfmade setup.
            My shutdown/hibernate criteria are: empty arp table, no users logged in, no screen session running.

            Since i have/had a webserver on this server running and the ports forwarded it never shut down because of crawler requests / port scans / other requests.
            Moving all the ports i used to non-standard ports solved it for me.
            Well "solved" is maybe the wrong word, but sufficiently worked around

            Thank you Sir  ;D

            Yes, you are right, I should have added that, sorry.

            There are multiple Syno's here, I'll focus on the three that this problem concerns, I'll call them A, B and C:

            • A is the main 'production machine'; it is on always.
            • B and C are backup machines. As such, they don't have any services/packages/apps installed; no web servers to host websites, no MySQL databases, etc. A simple 'stock' Synology-Linux box, providing no services to LAN or WAN, containing no 'apps'. Users in LAN do not access these machines, there are no SMB-mappings to them. They are not allowed on the internet, there is no port forwarding for services from the internet to my Syno's at all.

            Starting at 1.00 AM each night, they run a series of backups:

            A -> B -> C
            A -> C
            C -> B
            C -> A

            After these jobs they don't have to do anything else at all for the remainder of the day. Go to sleep, and do the same thing the next night at 1.00 AM. But they (B&C) are like little kids: they don't want to go to sleep for long: they hibernate irregularly: sometimes they stay down for a couple of hours (2-4), sometimes only for 10 minutes.

            I can not imagine this being good for the hard disks, which is why I don't do the alternative, power on/off the machines slightly before 1.00 AM / after their jobs are done, but instead want them to hibernate. On my UPS I can see the power usage, and it shows there are good gains to be made: the Syno uses 150W in operation, yet only 21W when hibernating. Very much worth the trouble of getting this to work.

            Your part in bold: I can not 'tweak' anything like that on a Syno (at least not in the GUI, and on the CLI I would have no idea to seriously hack without completely destroying it). It is simply a matter of flagging 'enable hibernation after X minutes of inactivity'. Which it does, but something is waking it up. Which has to be on the LAN outside the Syno, because with the ethernet cable disconnected it stays down.

            6 and a half billion people know that they are stupid, aggressive, lower life forms.

              Mr. Jingles

              @johnpoz:

              I would do a simple sniff on the pfsense interface connected to the network where the Synology sit – what traffic do you see, either in broadcast or unicast, to these machines' IP or even arp?

              If you're saying they should standby in 10 minutes - a sniff for say 15 minutes should show you what traffic on the lan is keeping the box up and what the source of it is.

              That is why I admire people like you: you talk about 'simple sniff on the LAN'  ;D

              I would have no idea how to do that. I once installed Wireshark, and got scared of all the parts of the screen, each showing a zillion things I had no clue about what it was. I did see one thing I did understand: the red cross in the upper right side of the screen  ;D ;D ;D

              If I google for tutorials it appears I need to take two weeks off to first become a seasoned admin (I'm an economist, and I have self-elected myself to be the eternal pfSense noob  :P) in order to understand what all the words mean. After that, I will need another week to read through 1001 articles and Youtube vids to try and find out how to 'sniff the network'. By then I will know what you know - yet I will be on welfare, without a job, as my boss will have fired me for not doing the economics things he pays me for.

              So might there perhaps be a 'noob-proof' workaround to do the sniffing without risking WIFE divorcing me since I don't bring in money anymore ( ;D)? A 'sniffing for dummies in 1 hour'?

              Thanks again  :P

              6 and a half billion people know that they are stupid, aggressive, lower life forms.

                Mr. Jingles

                Just to elaborate, John, that I am not being lazy but that is simply a matter of not knowing what to do ( :-[):

                I found this:

                http://hubpages.com/hub/How-to-Capture-Packets-Using-pfSense

                So I did Diagnostics/Packet Capture/Full, I tried it on my Debian machine (42.167, pfSense being 42.1):

                [code]
                18:33:11.927705 70:54:d2:45:7d:25 > 00:11:32:1c:80:75, ethertype IPv4 (0x0800), length 89: (tos 0x0, ttl 64, id 20450, offset 0, flags [DF], proto TCP (6), length 75)
                    192.168.42.1.23460 > 192.168.42.167.3493: Flags [P.], cksum 0x38e0 (correct), seq 853501230:853501253, ack 1419675510, win 520, options [nop,nop,TS val 2527962285 ecr 99692100], length 23
                18:33:11.927998 00:11:32:1c:80:75 > 70:54:d2:45:7d:25, ethertype IPv4 (0x0800), length 90: (tos 0x0, ttl 64, id 34882, offset 0, flags [DF], proto TCP (6), length 76)
                    192.168.42.167.3493 > 192.168.42.1.23460: Flags [P.], cksum 0x3a50 (correct), seq 1:25, ack 23, win 227, options [nop,nop,TS val 99697102 ecr 2527962285], length 24
                18:33:11.928033 70:54:d2:45:7d:25 > 00:11:32:1c:80:75, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 27213, offset 0, flags [DF], proto TCP (6), length 52)
                    192.168.42.1.23460 > 192.168.42.167.3493: Flags [.], cksum 0x8e99 (correct), seq 23, ack 25, win 520, options [nop,nop,TS val 2527962285 ecr 99697102], length 0
                18:33:16.930664 70:54:d2:45:7d:25 > 00:11:32:1c:80:75, ethertype IPv4 (0x0800), length 89: (tos 0x0, ttl 64, id 43212, offset 0, flags [DF], proto TCP (6), length 75)
                    192.168.42.1.23460 > 192.168.42.167.3493: Flags [P.], cksum 0x119c (correct), seq 23:46, ack 25, win 520, options [nop,nop,TS val 2527967288 ecr 99697102], length 23
                18:33:16.930945 00:11:32:1c:80:75 > 70:54:d2:45:7d:25, ethertype IPv4 (0x0800), length 90: (tos 0x0, ttl 64, id 34883, offset 0, flags [DF], proto TCP (6), length 76)
                    192.168.42.167.3493 > 192.168.42.1.23460: Flags [P.], cksum 0x130b (correct), seq 25:49, ack 46, win 227, options [nop,nop,TS val 99702105 ecr 2527967288], length 24
                18:33:16.931020 70:54:d2:45:7d:25 > 00:11:32:1c:80:75, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 46968, offset 0, flags [DF], proto TCP (6), length 52)
                    192.168.42.1.23460 > 192.168.42.167.3493: Flags [.], cksum 0x6754 (correct), seq 46, ack 49, win 520, options [nop,nop,TS val 2527967288 ecr 99702105], length 0
                18:33:16.932184 00:11:32:1c:80:75 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 243: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 229)
                    192.168.42.167.138 > 192.168.2.255.138: [udp sum ok]

                NBT UDP PACKET(138) Res=0x110A ID=0x7826 IP=192 (0xc0).168 (0xa8).2 (0x2).21 (0x15) Port=138 (0x8a) Length=187 (0xbb) Res2=0x0
                SourceName=NR1            NameType=0x00 (Workstation)
                DestName=WORKGROUP      NameType=0x1D (Master Browser)

                SMB PACKET: SMBtrans (REQUEST)
                SMB Command  =  0x25
                Error class  =  0x0
                Error code    =  0 (0x0)
                Flags1        =  0x0
                Flags2        =  0x0
                Tree ID      =  0 (0x0)
                Proc ID      =  0 (0x0)
                UID          =  0 (0x0)
                MID          =  0 (0x0)
                Word Count    =  17 (0x11)
                TotParamCnt=0 (0x0)
                TotDataCnt=33 (0x21)
                MaxParmCnt=0 (0x0)
                MaxDataCnt=0 (0x0)
                MaxSCnt=0 (0x0)
                TransFlags=0x0
                Res1=0x0
                Res2=0x0
                Res3=0x0
                ParamCnt=0 (0x0)
                ParamOff=0 (0x0)
                DataCnt=33 (0x21)
                DataOff=86 (0x56)
                SUCnt=3 (0x3)
                Data: (6 bytes)
                [000] 01 00 01 00 02 00                                \0x01\0x00\0x01\0x00\0x02\0x00
                smb_bcc=50
                Name=\MAILSLOT\BROWSE
                BROWSE PACKET
                BROWSE PACKET:
                Type=0x1 (HostAnnouncement)
                UpdateCount=0x8047
                Res1=0xA9
                AnnounceInterval=3 (0x3)
                Name=NR1            NameType=0x00 (Workstation)
                MajorVersion=0x4
                MinorVersion=0x9
                ServerType=0x801A03
                ElectionVersion=0x10F
                BrowserConstant=0xAA55
                Data: (1 bytes)
                [000] 00                                                \0x00

                18:33:21.933563 70:54:d2:45:7d:25 > 00:11:32:1c:80:75, ethertype IPv4 (0x0800), length 89: (tos 0x0, ttl 64, id 26784, offset 0, flags [DF], proto TCP (6), length 75)
                    192.168.42.1.23460 > 192.168.42.167.3493: Flags [P.], cksum 0xea57 (correct), seq 46:69, ack 49, win 520, options [nop,nop,TS val 2527972290 ecr 99702105], length 23
                18:33:21.933860 00:11:32:1c:80:75 > 70:54:d2:45:7d:25, ethertype IPv4 (0x0800), length 90: (tos 0x0, ttl 64, id 34884, offset 0, flags [DF], proto TCP (6), length 76)
                    192.168.42.167.3493 > 192.168.42.1.23460: Flags [P.], cksum 0xebc6 (correct), seq 49:73, ack 69, win 227, options [nop,nop,TS val 99707108 ecr 2527972290], length 24
                18:33:21.933890 70:54:d2:45:7d:25 > 00:11:32:1c:80:75, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 12634, offset 0, flags [DF], proto TCP (6), length 52)
                    192.168.42.1.23460 > 192.168.42.167.3493: Flags [.], cksum 0x400f (correct), seq 69, ack 73, win 520, options [nop,nop,TS val 2527972291 ecr 99707108], length 0
                [/code]

                I find this extremely interesting information: if I would know what it means I probably could do a reverse interest swap on it ( ;D ;D ;D).

                Meaning: I have no clue what I am looking at, let alone what to look for. If you wouldn't mind telling me what I am looking for, I'd be in your debt  :P

                6 and a half billion people know that they are stupid, aggressive, lower life forms.
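
One way to answer the "what am I looking for" question in the post above, as an added example that is not part of the original thread: a Python script that reads the text output of the pfSense packet capture (the layout posted above) and lists who sends traffic to one host, how many packets, and at what interval. The function names and the hosts 192.168.42.20 and 192.168.42.30 in the sample are constructed for illustration.

```python
import re
from collections import defaultdict
from statistics import median

BROADCAST = "ff:ff:ff:ff:ff:ff"
HEADER = re.compile(r"^\s*(\d\d):(\d\d):(\d\d\.\d+) \S+ > ([0-9a-f:]+), ethertype (\w+) ")
PROTO = re.compile(r"proto (\w+) \(")
IPLINE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)(?:\.(\d+))? > (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?:")
ARP = re.compile(r"who-has (\d+\.\d+\.\d+\.\d+).*? tell (\d+\.\d+\.\d+\.\d+)")

# Constructed sample in the layout of the capture posted above (tcpdump -e -v
# style text). 192.168.42.1 and .167 come from the post; .20 and .30 are made up.
SAMPLE = """\
18:33:11.927705 70:54:d2:45:7d:25 > 00:11:32:1c:80:75, ethertype IPv4 (0x0800), length 89: (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 75)
    192.168.42.1.23460 > 192.168.42.167.3493: Flags [P.], seq 1:24, ack 1, win 520, length 23
18:33:11.927998 00:11:32:1c:80:75 > 70:54:d2:45:7d:25, ethertype IPv4 (0x0800), length 90: (tos 0x0, ttl 64, id 2, offset 0, flags [DF], proto TCP (6), length 76)
    192.168.42.167.3493 > 192.168.42.1.23460: Flags [P.], seq 1:25, ack 24, win 227, length 24
18:33:11.928033 70:54:d2:45:7d:25 > 00:11:32:1c:80:75, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 3, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.42.1.23460 > 192.168.42.167.3493: Flags [.], ack 25, win 520, length 0
18:33:13.100000 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.42.167 tell 192.168.42.20, length 46
18:33:14.200000 00:11:22:33:44:66 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 243: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 229)
    192.168.42.30.138 > 192.168.42.255.138: [udp sum ok]
18:33:16.930664 70:54:d2:45:7d:25 > 00:11:32:1c:80:75, ethertype IPv4 (0x0800), length 89: (tos 0x0, ttl 64, id 4, offset 0, flags [DF], proto TCP (6), length 75)
    192.168.42.1.23460 > 192.168.42.167.3493: Flags [P.], seq 24:47, ack 25, win 520, length 23
18:33:16.931020 70:54:d2:45:7d:25 > 00:11:32:1c:80:75, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 5, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.42.1.23460 > 192.168.42.167.3493: Flags [.], ack 49, win 520, length 0
18:33:21.933563 70:54:d2:45:7d:25 > 00:11:32:1c:80:75, ethertype IPv4 (0x0800), length 89: (tos 0x0, ttl 64, id 6, offset 0, flags [DF], proto TCP (6), length 75)
    192.168.42.1.23460 > 192.168.42.167.3493: Flags [P.], seq 47:70, ack 49, win 520, length 23
18:33:21.933890 70:54:d2:45:7d:25 > 00:11:32:1c:80:75, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 7, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.42.1.23460 > 192.168.42.167.3493: Flags [.], ack 73, win 520, length 0
"""


def inbound_talkers(text, target):
    """Map (source IP, description) -> timestamps of packets that reach `target`.

    Counts unicast to the target, ARP requests asking for it, and broadcasts.
    Packets sent by the target itself are ignored.
    """
    flows = defaultdict(list)
    pending = None  # (timestamp, is_broadcast, protocol) waiting for its address line
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            # Seconds since midnight; a capture that crosses midnight is not handled.
            ts = int(m[1]) * 3600 + int(m[2]) * 60 + float(m[3])
            bcast = m[4] == BROADCAST
            pending = None
            if m[5] == "ARP":  # ARP is printed on a single line
                a = ARP.search(line)
                if a and a[1] == target and a[2] != target:
                    flows[(a[2], "ARP who-has")].append(ts)
            else:
                p = PROTO.search(line)
                pending = (ts, bcast, p[1] if p else m[5])
            continue
        m = IPLINE.match(line)
        if m and pending:
            ts, bcast, proto = pending
            pending = None
            src, dst, dport = m[1], m[3], m[4]
            if src != target and (dst == target or bcast):
                what = f"{proto}/{dport}" if dport else proto
                flows[(src, what + (" broadcast" if bcast else ""))].append(ts)
    return flows


def summarise(flows, burst_gap=1.0):
    """Return (packets, source, description, period_seconds) rows, busiest first.

    Packets closer together than `burst_gap` count as one burst, so the period
    is the time between bursts rather than between a request and its ACK.
    """
    rows = []
    for (src, what), stamps in flows.items():
        starts = [stamps[0]] + [b for a, b in zip(stamps, stamps[1:]) if b - a > burst_gap]
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        rows.append((len(stamps), src, what, round(median(gaps), 1) if gaps else None))
    return sorted(rows, key=lambda r: -r[0])


if __name__ == "__main__":
    for count, src, what, period in summarise(inbound_talkers(SAMPLE, "192.168.42.167")):
        every = f"every ~{period}s" if period else "seen once"
        print(f"{count:4d}  {src:15s}  {what:20s}  {every}")
```

A sender with a regular period shorter than the hibernation timer is the first thing to chase; in the capture posted above that is 192.168.42.1 talking to TCP port 3493 (the IANA-registered Network UPS Tools port) roughly every 5 seconds.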

                  cmb

                  Confused - what does anything here have to do with a rapper?

                  I wouldn't do anything with static ARP, the ARP requests in and of themselves aren't doing anything. What triggers the ARP request, guessing along the lines of what Gruens mentioned, is what would be the issue.

                  I'm not familiar with Synology hibernating, might find better help on a more Synology-focused forum. It's most definitely not your choice of firewall causing the issue though.

                    johnpoz LAYER 8 Global Moderator

                    "I'm an economist"

                    Well there is the problem there – why would you be dealing with networking..  Would you expect me to do an analysis of the company's financials ?? You would think it simple most of the stuff you do day to day...

                    I maybe mistakenly assume people working with networking and firewall/router distros have basic understanding of networking ;)

                    Why do they expect you to figure out something you're clearly not familiar with -- I love it how people think you point and click this computer stuff..  I feel your pain, but you should push back to the powers that be that they don't pay you enough to do two jobs! ;)

                    Why don't you hire someone that does this for a living - so that yes it is a simple sniff to see what on the network might be keeping these things from going to sleep ;)

                    Pfsense has sniffing built in - so if you would like.. I would be happy to take a look at it for you - just because I love what I do and find nothing but enjoyment in looking at network traces..  Make sure it's a quiet time on the network -- min amount of traffic!!!  Then in pfsense, diag packet capture - pick the interface your devices are connected to and start the capture.  Make sure to set count to 0 vs the default 100.  Run it for say 15 min so you're sure this thing should have gone to sleep.  Then stop the capture, download the file and get it to me.  Be it dropbox, email, whatever - PM me if you're interested in this option.  And we can work out a way to get me the file..

                    And we can go over what is seen in the sniff to your boxes.  Please let me know what the IPs are of the boxes in question.

                    If we find something - then make sure you donate something to the pfsense cause

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                      NOYB

                      If tcpdump is available, or can be installed, on the Synology machine, that would probably be the easiest way for you to capture the network traffic that is keeping it from sleeping/hibernating.

                      Then open the capture file with Wireshark or provide it to someone trustworthy to evaluate.

                      The command would probably be something similar to this:

                      tcpdump -i interface -p -w file

                      [code]
                      tcpdump -i any -p -w synology.pcap
                      [/code]

                      Online tcpdump manual: http://www.tcpdump.org/tcpdump_man.html

                      tip: first try it without the -w file to see if it is working as expected.

                      Oh by the way.  Ctrl-C is typically used to stop the tcpdump capture.

                        Mr. Jingles

                        @cmb:

                        Confused - what does anything here have to do with a rapper?

                        'Eminem' is a top quality firewall/router/security appliance, used by the Fortune500's. At least, that is what the 'sales' dorks tell me. And cheap too: it can be had for 29 EUR here in stores  :P

                        ( ;D)

                        @cmb:

                        I wouldn't do anything with static ARP, the ARP requests in and of themselves aren't doing anything. What triggers the ARP request, guessing along the lines of what Gruens mentioned, is what would be the issue.

                        Thank you.

                        @cmb:

                        I'm not familiar with Synology hibernating, might find better help on a more Synology-focused forum. It's most definitely not your choice of firewall causing the issue though.

                        The unfortunate problem is: there aren't many people on the Synology-fora that have this kind of in-depth knowledge  :-[

                        6 and a half billion people know that they are stupid, aggressive, lower life forms.

                          Derelict LAYER 8 Netgate

                          I just looked it up.  He must mean Eminent: http://www.eminent-online.com/nl/group/2/32/routers.html

                          You couldn't pay me to put any of that gear in place of pfSense.

                          Chattanooga, Tennessee, USA
                          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                          Do Not Chat For Help! NO_WAN_EGRESS(TM)

                            Mr. Jingles

                            Thank you John  :-*

                            @johnpoz:

                            "I'm an economist"

                            Well there is the problem there – why would you be dealing with networking..

                            I maybe mistakenly assume people working with networking and firewall/router distros have basic understanding of networking ;)

                            Why do they expect you to figure out something you're clearly not familiar with -- I feel your pain, but you should push back to the powers that be that they don't pay you enough to do two jobs! ;)

                            Why don't you hire someone that does this for a living - so that yes it is a simple sniff to see what on the network might be keeping these things from going to sleep ;)

                            Well, here might lie the source of some confusion: pfSense is not what I do for a living, it is what I do for a home  ;D My work is economist, at home I got so tired of all the plastic 'draytek'/'zyxel'/'linksys'/whatever-retail walmart-alike shit that never works, has no customer support at all, and has no functionality, no firmware upgrades, yet premium pricing (for the value, at least) and built in backdoors, that I went to pfSense at home.

                            To explain why I consider myself the eternal noob in these matters: I have yet to find a good book that really is properly written so a beginner can actually understand it (honestly: I would be extremely happy if I would be at the levels of knowledge you all are - really(!)).

                            To give you an example about badly written books; suppose I write a tutorial:

                            "On how to do a revaluation of provisional reserves under hyperinflation in the Brazilian GAAP (Generally Accepted Accounting Principles), and adjusting this to IFRS (International Financial Reporting Standards) for consolidation into the annual corporate statements"

                            I am 99% confident, you, as an IT-expert, would be lost after the first paragraph of that document (if you make it so far ;D). As I will use many words and concepts in it that I assume the reader is familiar with, yet the beginner is not.

                            This, however, exactly is how most IT books are written. Writing is an art, not too many people master it. Yet they write books. And sell them. Either they are 'point and click and don't ask', or they start in the middle, meander from there and hope you understand it.

                            To give you an example: I know there is something like OSI-model. I've yet to find an understandable explanation of it. Understandable for stupid economists - I'm sure IT-specialists can dream it with two fingers in their nose  ;D

                            @johnpoz:

                            I love it how people think you point and click this computer stuff..

                            I can assure you that I am far from that kind of people  :P

                            @johnpoz:

                            Would you expect me to do an analysis of the company's financials ??

                            I can assure you that is not as difficult as it might seem: if you'd have a good book  ;D (insider tip: carry back is 100% doable, carry forward is 100% sucking on your thumb  ;D).

                            @johnpoz:

                            Pfsense has sniffing built in - so if you would like.. I would be happy to take a look at it for you - just because I love what I do and find nothing but enjoyment in looking at network traces..  Make sure it's a quiet time on the network – min amount of traffic!!!  Then in pfsense, diag packet capture - pick the interface your devices are connected to and start the capture.  Make sure to set count to 0 vs the default 100.  Run it for say 15 min so you're sure this thing should have gone to sleep.  Then stop the capture, download the file and get it to me.  Be it dropbox, email, whatever - PM me if you're interested in this option.  And we can work out a way to get me the file..

                            And we can go over what is seen in the sniff to your boxes.  Please let me know what the IPs are of the boxes in question.

                            If we find something - then make sure you donate something to the pfsense cause

                            That is extremely kind of you, John: thank you very much  :-* I will contact you via PM for delivery of 'the package'  8)

                            In case you wonder, btw: I have donated to the cause when the paypal button was still here, and I am a Gold-subscriber as a means to support this project. I also donate to the FreeBSD Foundation. This, and trying to give a useful answer on forum posts when I can is my means of supporting this project, as my self-proclaimed 'eternal noob' prevents me from doing really in-depth technical things.

                            6 and a half billion people know that they are stupid, aggressive, lower life forms.

                              Mr. Jingles

                              @Derelict:

                              I just looked it up.  He must mean Eminent: http://www.eminent-online.com/nl/group/2/32/routers.html

                              You couldn't pay me to put any of that gear in place of pfSense.

                              Yes, you are right, I misspelled, it was EminenT  ;D

                              6 and a half billion people know that they are stupid, aggressive, lower life forms.

                                Mr. Jingles

                                @NOYB:

                                If tcpdump is available, or can be installed, on the Synology machine, that would probably be the easiest way for you to capture the network traffic that is keeping it from sleeping/hibernating.

                                Then open the capture file with Wireshark or provide it to someone trustworthy to evaluate.

                                The command would probably be something similar to this:

                                tcpdump -i interface -p -w file

                                [code]
                                tcpdump -i any -p -w synology.pcap
                                [/code]

                                Online tcpdump manual: http://www.tcpdump.org/tcpdump_man.html

                                tip: first try it without the -w file to see if it is working as expected.

                                Oh by the way.  Ctrl-C is typically used to stop the tcpdump capture.

                                Thank you NoyB  ;D

                                I just checked: it appears tcpdump is installed by default on the Synology.

                                So now there are two (three) ways of doing this I guess:
                                A. pfSense: System/Diagnostics (John)
                                B. Synology (tcpdump)
                                C. (Wireshark directly - my guess, at least).

                                Will they show the same results, should I run one of them, or both?

                                6 and a half billion people know that they are stupid, aggressive, lower life forms.

                                  Derelict LAYER 8 Netgate

                                  I would capture on the synology since you're trying to find what traffic is being received by it that's preventing it from sleeping.

                                  Second choice would be a wireshark/tcpdump on a switch mirror port of the port the synology is plugged into.

                                  Chattanooga, Tennessee, USA
                                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                    Klaws

                                    Do the NASes use FHCP? If yes, it might be leases running out and renewals triggering the wake-up.

                                    You could also emulate the behaviour of Cisco-home-stuff, by writing a hell script which randomly locks up the router. No more ARP messages after that.

                                      stephenw10 Netgate Administrator

                                      @Klaws:

                                      Do the NASes use FHCP? If yes, it might be leases running out and renewals triggering the wake-up.

                                      I just spent a while googling this to determine if 'FHCP' is commonly used to refer to a fixed lease but I think it's more likely a typo?  :P Anyway that seems like a good call. The default DHCP lease time is 2 hours but can vary if the client asks for longer (or shorter).  If you are using DHCP then try increasing the leasing time or moving to fixed IPs for the NAS devices. A packet capture would tell you if that is the cause though.

                                      @Klaws:

                                      You could also emulate the behaviour of Cisco-home-stuff, by writing a hell script which randomly locks up the router.

                                      Ha! Sounds like you speak from painful experience.

                                      Steve

                                        johnpoz LAYER 8 Global Moderator
                                        last edited by

                                        I would suggest sniffing on pfsense vs the Synology, just because the gui interface to the packet capture is going to be much easier to download and send on. With tcpdump you would have to write to a file, then pull that file off. And just the fact you're running tcpdump on it should keep it from sleeping, I would think.

                                        While you're sniffing - if you notice the thing try and go to sleep and then wake up, let us know the time - we can look in the sniff and see what was going on at that time.

                                        While a switch would work - that is clearly going to be more complicated than the gui on pfsense ;)  Sniffing on your machine with wireshark would show you broadcast traffic and arp - but you wouldn't see any unicast to the synology IP, unless you were on a span port on the switch that set it up to let you see the traffic, etc.

                                        Sniff on pfsense should be the easy route to getting the info we want - which is what is on the network that could keep it from sleeping…  Might be NOTHING, but we don't know until we see it.

                                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                                        If you get confused: Listen to the Music Play
                                        Please don't Chat/PM me for help, unless mod related
                                        SG-4860 24.11 | Lab VMs 2.8, 24.11
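
A sketch of how the downloaded capture could be checked for what reaches the NAS, as an added example that is not part of the original thread. It assumes the capture is a classic little-endian pcap file with Ethernet link type; `NAS_MAC`, the helper names and the sample frames are all constructed for illustration.

```python
import struct
from collections import Counter

NAS_MAC = bytes.fromhex("001132aabbcc")  # constructed MAC, stands in for the NAS
BROADCAST = b"\xff" * 6

def classify(frame):
    """Label an Ethernet frame the NAS would receive; None if it is not for the NAS."""
    if len(frame) < 14 or frame[:6] not in (NAS_MAC, BROADCAST):
        return None
    dst, (ethertype,) = frame[:6], struct.unpack("!H", frame[12:14])
    if ethertype == 0x0806:
        return "arp"
    if ethertype == 0x0800 and len(frame) >= 34:
        l4 = 14 + (frame[14] & 0x0F) * 4          # start of the transport header
        if frame[23] == 17 and len(frame) >= l4 + 4 and set(struct.unpack("!HH", frame[l4:l4 + 4])) & {67, 68}:
            return "dhcp"
        return "unicast-ip" if dst == NAS_MAC else "broadcast-ip"
    return "other"

def summarize(pcap, bucket=60):
    """Count frame labels per `bucket` seconds in classic little-endian pcap bytes."""
    magic, *_, linktype = struct.unpack("<IHHiIII", pcap[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected classic little-endian pcap, Ethernet link type")
    counts, off, t0 = Counter(), 24, None
    while off + 16 <= len(pcap):
        ts, _, incl, _ = struct.unpack("<IIII", pcap[off:off + 16])
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        t0 = ts if t0 is None else t0             # bucket times relative to first record
        if (label := classify(frame)):
            counts[((ts - t0) // bucket, label)] += 1
    return counts

# --- constructed sample capture (not taken from the thread) ---
def _rec(ts, dst, ethertype, payload):
    frame = dst + bytes.fromhex("02aabbccdd01") + struct.pack("!H", ethertype) + payload
    return struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame

def _ip(proto, l4):
    return bytes([0x45, 0]) + struct.pack("!H", 20 + len(l4)) + bytes(5) + bytes([proto]) + bytes(10) + l4

SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
    _rec(1000, BROADCAST, 0x0806, bytes(28)),                                  # broadcast ARP
    _rec(1005, NAS_MAC, 0x0806, bytes(28)),                                    # unicast ARP
    _rec(1070, NAS_MAC, 0x0800, _ip(17, struct.pack("!HHHH", 67, 68, 8, 0))),  # DHCP reply
    _rec(1075, bytes.fromhex("02aabbccdd02"), 0x0800, _ip(6, bytes(20))),      # other host
    _rec(1130, NAS_MAC, 0x0800, _ip(6, bytes(20))),                            # TCP to NAS
])
```

Calling `summarize(open("capture.pcap", "rb").read())` on a real file gives per-minute counts that can be lined up against the time the NAS woke.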

                                          stephenw10 Netgate Administrator

                                          Also..
                                          If Dr Dre can put his name to laptops I can't see why Eminem shouldn't be doing routers. He's clearly found a gap in the market.  :P

                                          Steve

                                            Mr. Jingles

                                            @Klaws:

                                            Do the NASes use FHCP? If yes, it might be leases running out and renewals triggering the wake-up.

                                            Thank you for your reply  :P

                                            No, they do not: they are passively set to static IP, meaning:

                                            • On the Synology they are set to DHCP (I recall at first I had them set to static there too, but after that I couldn't access them anymore);
                                            • On pfSense they are assigned a static IP.

                                            They have been getting the static IP from pfSense for a year now, so that is working. There is no explicit lease time set on pfSense, btw; it is simply using the defaults.

                                            @Klaws:

                                            You could also emulate the behaviour of Cisco-home-stuff by writing a hell script which randomly locks up the router. No more ARP messages after that.

                                            ;D ;D ;D

                                            (Been there, done that. The same script works for zyxel and draytek, btw).

                                            6 and a half billion people know that they are stupid, aggressive, lower life forms.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.