Instability issues
-
We are testing a pre-production deployment with a 2-members cluster with 2.2.2-RELEASE (amd64), 10 physical interfaces Gbps (4 of them with virtual interfaces/vlans) and two physical FO interfaces.
We set up the ruleset (+900 rules so far) using aliases and group of aliases, mostly using the Floating Tab.
We are experience some issues, after applying changes in the ruleset or inserting new objects into an existing alias:
Issues:
-
From time to time, traffic that should match an existing rule stops being approved, and gets logged by the cleanup rule. After a few minutes, it gets approved back again and things come back to normal.
-
Sudden duplication of groups of aliases.
-
Elimination of group of aliases.
Here's data about our config:
Version 2.2.2-RELEASE (amd64)
built on Mon Apr 13 20:10:22 CDT 2015
FreeBSD 10.1-RELEASE-p9You are on the latest version.
Platform pfSense
CPU Type Intel(R) Xeon(R) CPU E5645 @ 2.40GHz
12 CPUs: 2 package(s) x 6 core(s)
Uptime 30 Days 00 Hour 58 Minutes 49 Seconds
Current date/time
Mon May 18 16:52:42 ART 2015
DNS server(s) 8.8.8.8
8.8.4.4
Last config change Mon May 18 16:39:07 ART 2015
State table size
0% (4355/3256000)
Show states
MBUF Usage
7% (73656/1000000)
Temperature
24.0°C
Load average
0.20, 0.19, 0.17
CPU usage
0%
Memory usage
7% of 8147 MB
SWAP usage
0% of 16384 MB
Disk usage
/ (ufs): 0% of 249G
/var/run (ufs in RAM): 4% of 3.4MServices:
Service Description
apinger Gateway Monitoring Daemon
bgpd OpenBSD BGP Daemon
dhcrelay DHCP Relay
ntpd NTP clock sync
openvpn OpenVPN server: Remote Access
radiusd FreeRADIUS Server
sshd Secure Shell DaemonInstalled Packages:
freeradius2
OpenBGPD
OpenVPN Client Export Utility
pfBlockerNG (disabled)
ShellcmdDue to the following post:
https://doc.pfsense.org/index.php/Thread_Error_Using_Many_Hostname_in_Aliases
we have modified the following parameters:
Firewall Maximum States 814000 -> 3256000
Firewall Maximum Table Entries 2000000 -> 8000000
We are unable to detect anomalies through log analysis. But this instability issues is precluding us from moving forward.
We'd appreciate any suggestions.
Thanks in advance,
BDAB
-
-
A suggestion.
After making some changes, have you saved the configuration and rebooted the pfsense machines, even though I know its not supposed to be needed?
If you have rebooted the pfsense machines do you see any of the instability issues you speak about or do they only show up when you start making some configuration changes?
From time to time, traffic that should match an existing rule stops being approved, and gets logged by the cleanup rule. After a few minutes, it gets approved back again and things come back to normal.
I have seen similar https://forum.pfsense.org/index.php?topic=88962.msg493221#msg493221
As I'm also using multiple nics instead of vlan, thats how I also know some aliases work on some interfaces and some dont as some computers have virtually identical rules & orders.
Might also be relevant.
https://redmine.pfsense.org/issues/4296If aliases exist that have both FQDN entries and IP address or network entries, and the same FQDN entries are in multiple aliases, the alias is eventually cut down to only the resolved FQDN entries and the static entries are lost.
It is OK immediately after a filter reload, but eventually only the FQDN resolved entries remain.
A fix is slated for v2.2.3.
-
Thanks for your feedback firewalluser!
We have not tried to reboot the machines after changes, mostly due to the fact that we were setting up the ruleset and introduced some 20+ ruleset changes a day, so it was a little impractical :)
Good to know that it's been scheduled for next release though.
I'll try to reboot after new changes and post the result.
Cheers,
BDAB -
Just as an update, we were unable to further reproduce the errors. Most probably due to the fact that we have reached our steady -sort of- set of rules. But we suspect the process filterdns is messing things up somehow when hierarchical aliases are used.
We hope this will be addressed in future releases as PfSense is a great product.
BDAB