I have just been advised to ditch pfSense for an Eminem 'thing'
-
"I'm an economist"
Well there is the problem there – why would you be dealing with networking.. Would you expect me to do an analysis of the company's financials ?? You would think it simple most of the stuff you do day to day...
I maybe mistakenly assume people working with networking and firewall/router distros have basic understanding of networking ;)
Why do they expect you to figure out something you're clearly not familiar with -- I love it how people think you point and click this computer stuff.. I feel your pain, but you should push back to the powers that be that they don't pay you enough to do two jobs! ;)
Why don't you hire someone that does this for a living - so that yes it is a simple sniff to see what on the network might be keeping these things from going to sleep ;)
Pfsense has sniffing built in - so if you would like.. I would be happy to take a look at it for you - just because I love what I do and find nothing but enjoyment in looking at network traces.. Make sure it's a quiet time on the network -- min amount of traffic!!! Then in pfsense, diag packet capture - pick the interface your devices are connected to and start the capture. Make sure to set count to 0 vs the default 100. Run it for say 15 min so you're sure this thing should have gone to sleep. Then stop the capture, download the file and get it to me. Be it dropbox, email, whatever - PM me if you're interested in this option. And we can work out a way to get me the file..
And we can go over what is seen in the sniff to your boxes. Please let me know what the IPs are of the boxes in question.
If we find something - then make sure you donate something to the pfsense cause
-
If tcpdump is available, or can be installed, on the Synology machine, that would probably be the easiest way for you to capture the network traffic that is keeping it from sleeping/hibernating.
Then open the capture file with Wireshark or provide it to someone trustworthy to evaluate.
The command would probably be something similar to this:
tcpdump -i interface -p -w file
tcpdump -i any -p -w synology.pcap
Online tcpdump manual: http://www.tcpdump.org/tcpdump_man.html
tip: first try it without the -w file to see if it is working as expected.
Oh by the way, <ctrl>C is typically used to stop the tcpdump capture.
-
@cmb:
Confused - what does anything here have to do with a rapper?
'Eminem' is a top quality firewall/router/security appliance, used by the Fortune500's. At least, that is what the 'sales' dorks tell me. And cheap too: it can be had for 29 EUR here in stores :P
( ;D)
@cmb:
I wouldn't do anything with static ARP, the ARP requests in and of themselves aren't doing anything. What triggers the ARP request, guessing along the lines of what Gruens mentioned, is what would be the issue.
Thank you.
@cmb:
I'm not familiar with Synology hibernating, might find better help on a more Synology-focused forum. It's most definitely not your choice of firewall causing the issue though.
The unfortunate problem is: there aren't many people on the Synology-fora that have this kind of in-depth knowledge :-[
-
I just looked it up. He must mean Eminent: http://www.eminent-online.com/nl/group/2/32/routers.html
You couldn't pay me to put any of that gear in place of pfSense.
-
Thank you John :-*
"I'm an economist"
Well there is the problem there – why would you be dealing with networking..
I maybe mistakenly assume people working with networking and firewall/router distros have basic understanding of networking ;)
Why do they expect you to figure out something you're clearly not familiar with -- I feel your pain, but you should push back to the powers that be that they don't pay you enough to do two jobs! ;)
Why don't you hire someone that does this for a living - so that yes it is a simple sniff to see what on the network might be keeping these things from going to sleep ;)
Well, here might lie the source of some confusion: pfSense is not what I do for a living, it is what I do for a home ;D My work is economist, at home I got so tired of all the plastic 'draytek'/'zyxel'/'linksys'/whatever-retail walmart-alike shit that never works, has no customer support at all, and has no functionality, no firmware upgrades, yet premium pricing (for the value, at least) and built in backdoors, that I went to pfSense at home.
To explain why I consider myself the eternal noob in these matters: I have yet to find a good book that really is properly written so a beginner can actually understand it (honestly: I would be extremely happy if I would be at the levels of knowledge you all are - really((!)).
To give you an example about badly written books; suppose I write a tutorial:
"On how to do a revaluation of provisional reserves under hyperinflation in the Brazilian GAAP (Generally Accepted Accounting Principles), and adjusting this to IFRS (International Financial Reporting Standards) for consolidation into the annual corporate statements"
I am 99% confident, you, as an IT-expert, would be lost after the first paragraph of that document (if you make it so far ;D). As I will use many words and concepts in it that I assume the reader is familiar with, yet the beginner is not.
This, however, exactly is how most IT books are written. Writing is an art, not too many people master it. Yet they write books. And sell them. Either they are 'point and click and don't ask', or they start in the middle, meander from there and hope you understand it.
To give you an example: I know there is something like OSI-model. I've yet to find an understandable explanation of it. Understandable for stupid economists - I'm sure IT-specialists can dream it with two fingers in their nose ;D
I love it how people think you point and click this computer stuff..
I can assure you that I am far from those kind of people :P
Would you expect me to do an analysis of the company's financials ??
I can assure you that is not as difficult as it might seem: if you'd have a good book ;D (insider tip: carry back is 100% doable, carry forward is 100% sucking on your thumb ;D).
Pfsense has sniffing built in - so if you would like.. I would be happy to take a look at it for you - just because I love what I do and find nothing but enjoyment in looking at network traces.. Make sure it's a quiet time on the network – min amount of traffic!!! Then in pfsense, diag packet capture - pick the interface your devices are connected to and start the capture. Make sure to set count to 0 vs the default 100. Run it for say 15 min so you're sure this thing should have gone to sleep. Then stop the capture, download the file and get it to me. Be it dropbox, email, whatever - PM me if you're interested in this option. And we can work out a way to get me the file..
And we can go over what is seen in the sniff to your boxes. Please let me know what the IPs are of the boxes in question.
If we find something - then make sure you donate something to the pfsense cause
That is extremely kind of you, John: thank you very much :-* I will contact you via PM for delivery of 'the package' 8)
In case you wonder, btw: I have donated to the cause when the paypal button was still here, and I am a Gold-subscriber as a means to support this project. I also donate to the FreeBSD Foundation. This, and trying to give a useful answer on forum posts when I can is my means of supporting this project, as my self-proclaimed 'eternal noob' prevents me from doing really in-depth technical things.
-
I just looked it up. He must mean Eminent: http://www.eminent-online.com/nl/group/2/32/routers.html
You couldn't pay me to put any of that gear in place of pfSense.
Yes, you are right, I misspelled, it was EminenT ;D
-
If tcpdump is available, or can be installed, on the Synology machine, that would probably be the easiest way for you to capture the network traffic that is keeping it from sleeping/hibernating.
Then open the capture file with Wireshark or provide it to someone trustworthy to evaluate.
The command would probably be something similar to this:
tcpdump -i interface -p -w file
tcpdump -i any -p -w synology.pcap
Online tcpdump manual: http://www.tcpdump.org/tcpdump_man.html
tip: first try it without the -w file to see if it is working as expected.
Oh by the way, <ctrl>C is typically used to stop the tcpdump capture.
Thank you NoyB ;D
I just checked: it appears tcpdump is installed by default on the Synology.
So now there are two (three) ways of doing this I guess:
A. pfSense: System/Diagnostics (John)
B. Synology (tcpdump)
C. (Wireshark directly - my guess, at least).
Will they show the same results, should I run one of them, or both?
-
I would capture on the synology since you're trying to find what traffic is being received by it that's preventing it from sleeping.
Second choice would be a wireshark/tcpdump on a switch mirror port of the port the synology is plugged into.
-
Do the NASes use FHCP? If yes, it might be leases running out and renewals triggering the wake-up.
You could also emulate the behaviour Cisco-home-stuff, by writing a hell script which randomly locks up the router. No more ARP messages after that.
-
Do the NASes use FHCP? If yes, it might be leases running out and renewals triggering the wake-up.
I just spent a while googling this to determine if 'FHCP' is commonly used to refer to a fixed lease but I think it's more likely a typo? :P Anyway that seems like a good call. The default DHCP lease time is 2 hours but can vary if the client asks for longer (or shorter). If you are using DHCP then try increasing the leasing time or moving to fixed IPs for the NAS devices. A packet capture would tell you if that is the cause though.
You could also emulate the behaviour Cisco-home-stuff, by writing a hell script which randomly locks up the router.
Ha! Sounds like you speak from painful experience.
Steve
-
I would suggest the sniffing on pfsense vs the Synology, just because the gui interface to the packet capture is going to be much easier to download and send on. With tcpdump you would have to write to a file, then pull that file off. And just the fact you're running tcpdump on it should keep it from sleeping I would think.
While you're sniffing - if you notice the thing try and go to sleep and then wake up and let us know this time - we can look in the sniff and see what was going on at that time.
While a switch would work - that is clearly going to be more complicated than the gui on pfsense ;) Sniffing on your machine with wireshark would show you broadcast traffic and arp - but you wouldn't see any unicast to the synology IP, unless you were on a span port on the switch that set it up to let you see the traffic, etc.
Sniff on pfsense should be the easy route to getting the info we want - which is what is on the network that could keep it from sleeping… Might be NOTHING, but we don't know until we see it.
-
Also..
If Dr Dre can put his name to laptops I can't see why Eminem shouldn't be doing routers. He's clearly found a gap in the market. :P
Steve
-
Do the NASes use FHCP? If yes, it might be leases running out and renewals triggering the wake-up.
Thank you for your reply :P
No, they do not: they are passively set to static IP, meaning:
- On the Synology they are set to DHCP (I recall at first I had them set to static there too, but after that I couldn't access them anymore):
- On pfSense they are assigned a static IP.
They get the static IP from pfSense for a year now, so that is working. There is no explicit lease time set on pfSense, btw, it is simply using the defaults.
You could also emulate the behaviour Cisco-home-stuff, by writing a hell script which randomly locks up the router. No more ARP messages after that.
;D ;D ;D
(Been there, done that. The same script works for zyxel and draytek, btw).
-
I would suggest the sniffing on pfsense vs the Synology,
I am currently running the sniff, I will upload it next; thank you John for your help :-*
-
Do you have WOL enabled on the Synology machines? If so you might want to check which modes are set for waking up and change them or disable WOL if it is not needed. I had the same issue where a machine would sleep/suspend but wake up within a few minutes even though it was not needed. In Linux with ethtool WOL can be configured with the following:
p Wake on phy activity
u Wake on unicast messages
m Wake on multicast messages
b Wake on broadcast messages
a Wake on ARP
g Wake on MagicPacket
s Enable SecureOn(tm) password for MagicPacket(tm)
d Disable (wake on nothing). This option clears all previous options.
-
Do you have WOL enabled on the Synology machines? If so you might want to check which modes are set for waking up and change them or disable WOL if it is not needed. I had the same issue where a machine would sleep/suspend but wake up within a few minutes even though it was not needed. In Linux with ethtool WOL can be configured with the following:
p Wake on phy activity
u Wake on unicast messages
m Wake on multicast messages
b Wake on broadcast messages
a Wake on ARP
g Wake on MagicPacket
s Enable SecureOn(tm) password for MagicPacket(tm)
d Disable (wake on nothing). This option clears all previous options.
Thank you, Gibby; as a matter of fact: yes, WOL is enabled. I recall it doesn't work ;D ;D ;D
Unfortunately, there is nothing to be customized (in the GUI): I attached a screenshot.
The configuration options you posted are promising; it might very well be this is a cause of the problem. I've sent the capture to JohnPoz, I'd not be surprised if John would share your thoughts :P
Thank you again,
Bye,
-
@Hollander:
Thank you NoyB ;D
I just checked: it appears tcpdump is installed by default on the Synology.
So now there are two (three) ways of doing this I guess:
A. pfSense: System/Diagnostics (John)
B. Synology (tcpdump)
C. (Wireshark directly - my guess, at least).
Will they show the same results, should I run one of them, or both?
A will certainly be different than B and C.
B and C would likely be very close. Mostly dependent on where/how Wireshark sniffer is connected.
Personally I'd do B because that is the network interface traffic that is in question. A capture of the pfSense interface as John points out is certainly the easier, but may or may not be exposed to the traffic that is keeping the Synology machine from hibernating. But the Synology interface definitely would be.
Since John is working with you, follow his lead though.
-
I second Gibby on the WOL. And a newbie shall lead them.
If there are not many WOL configuration options, you might try turning it completely off to see if that is the area of the problem.
Even if it turns out not to be the problem. Very good call Gibby.
-
Interesting info. I wasn't aware of anything but wake-on-magic packet. Good to know. :)
Steve
-
So he sent me a sniff.. And the only traffic I see on there that would keep the synology awake would be the synology. Which I see at 192.168.2.22, and gateway would be 2.1 I would assume
He is arping for the gateway every minute or so, he is doing ntp queries to the gateway 2.1 all the time. I don't see him shut up for any longer than a minute ever in the sniff that runs for 36 minutes.
The only traffic that is not generated by 2.22 which I assume is the synology is from 2.11 and 2.12 arping for 2.22.. I see 2.11 arping for 2.22 every 5 minutes.. 2.12 only the once very early in the sniff.
So I would say that maybe the 2.11 arps are keeping him up – other than all the chatter he is sending out for ntp and his browser announcements and UPNP he sends out.. I would post some shots but still looks like getting 500 internal errors when trying to attach.
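The kind of breakdown described in the post above, as an added example that is not part of the thread and was not run on the real capture: it reads `tcpdump -nn -tt -r <file>` text output, separates packets the NAS sent from inbound packets it did not solicit, and reports the longest stretch in which the NAS itself stayed quiet. The sample lines are constructed; the 192.168.2.x addresses follow the post, and the function names are illustrative.

```python
import re
from collections import defaultdict

NAS = "192.168.2.22"  # the address the post reads as the Synology

# Constructed sample in `tcpdump -nn -tt` text format (not the real capture).
SAMPLE = """\
1000.0 ARP, Request who-has 192.168.2.1 tell 192.168.2.22, length 46
1010.0 IP 192.168.2.22.123 > 192.168.2.1.123: NTPv4, Client, length 48
1010.1 IP 192.168.2.1.123 > 192.168.2.22.123: NTPv4, Server, length 48
1020.0 ARP, Request who-has 192.168.2.22 tell 192.168.2.11, length 46
1030.0 IP 192.168.2.22.1900 > 239.255.255.250.1900: UDP, length 300
1060.0 ARP, Request who-has 192.168.2.1 tell 192.168.2.22, length 46
1120.0 IP 192.168.2.22.123 > 192.168.2.1.123: NTPv4, Client, length 48
1320.0 ARP, Request who-has 192.168.2.22 tell 192.168.2.11, length 46
1330.0 ARP, Request who-has 192.168.2.22 tell 192.168.2.12, length 46
"""

# Only ARP requests and IPv4 lines are parsed; anything else is skipped.
ARP = re.compile(r"^(\S+) ARP, Request who-has ([\d.]+).* tell ([\d.]+),")
IP = re.compile(r"^(\S+) IP ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+):")

def parse(text):
    """Yield (timestamp, src_ip, dst_ip, flow); flow is None for ARP."""
    for line in text.splitlines():
        if m := ARP.match(line):
            yield float(m[1]), m[3], m[2], None
        elif m := IP.match(line):
            yield float(m[1]), m[2], m[4], (m[2], m[3], m[4], m[5])

def analyse(text, nas=NAS):
    """Return (unsolicited inbound times per source, longest gap between NAS-sent packets)."""
    started, inbound, sent = set(), defaultdict(list), []
    for ts, src, dst, flow in parse(text):
        if src == nas:
            sent.append(ts)
            started.add(flow)  # None for ARP, harmless in the set
        # Inbound counts as solicited only if it reverses a flow the NAS opened.
        elif dst == nas and not (flow and flow[2:] + flow[:2] in started):
            inbound[src].append(ts)
    gaps = [b - a for a, b in zip(sent, sent[1:])]
    return dict(inbound), max(gaps, default=0.0)

def intervals(times):
    """Seconds between consecutive packets from one source."""
    return [b - a for a, b in zip(times, times[1:])]

if __name__ == "__main__":
    inbound, silence = analyse(SAMPLE)
    print({s: intervals(t) for s, t in inbound.items()}, f"longest NAS silence {silence:.0f}s")
```

A source that shows up with a regular interval, while the NAS's own longest silence stays short, matches the two observations made in the post.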