Netgate Discussion Forum

    (Resolved) System logs - Server losing network communication

      chipbr

      When the connection "drops", can you not access the pfSense GUI even by IP? Does it respond to ping?

        cr1stt0f3r

        That's right, I can't access it through the GUI or through the WAN ports.
        No ping response on any port.
        Ironically, this only started happening recently; it had been in production without problems for more than a month.

        New hardware..

          chipbr

          VM or physical?

          Have you checked whether it's some power-saving feature, hibernation, etc.?
          It's more common than it seems, especially on new hardware that ships with this enabled by default.

            cr1stt0f3r

            Yes, I checked that before putting it into production..

            The funny thing is that it worked for more than a month and then started losing communication..

            I even formatted it and started from scratch, but it kept happening.

            I replaced the patch cords on all the network cards and changed the DNS to "DNS Resolver".
            I'll watch how it behaves today..
            Thanks!

              charadasu

              Good morning!

              Could it be some service stopping? For example, the DHCP server? Enable SSH (Secure Shell Server) on pfSense so you can access it via PuTTY on the black screen, "but without an IP you won't be able to". Continuing: try to reduce the server's configuration and leave it as close to default as possible, since you said it was working well; maybe it's something you changed during that period that caused this…

              Good luck..

                cr1stt0f3r

                Thanks to everyone who is following this soap opera..

                I installed ntopng and looked at the system logs again, and after filtering, these logs showed up..
                The 172 IPs are from my internal network; it appears to be a SYN flood attack, bringing the server down completely..
                The good thing is that the times match the outages, so now we have a lead!

                From what I could understand of the log, it looks like one host attacking another.. if that's the case, why would the server be "in the middle" of this fight? lol

                Any recommendations?
                I installed Snort, but I don't know how to configure anything in that application..

                Jan 18 12:05:21	ntopng		1484748321|2|1|0|Host [172.16.2.54](/lua/host_details.lua?host=172.16.2.54&ifname=re1) is a SYN flooder [87919 SYNs sent in the last 3 sec] TCP 172.16.2.54:52409 > 172.16.2.42:7680 [proto: 0/Unknown][87919/0 pkts][5802654/0 bytes][SYN]
                Jan 18 12:05:21	ntopng		1484748321|2|1|0|Host [172.16.2.42](/lua/host_details.lua?host=172.16.2.42&ifname=re1) is under SYN flood attack by host 172.16.2.42 [87919 SYNs received in the last 3 sec] TCP 172.16.2.54:52409 > 172.16.2.42:7680 [proto: 0/Unknown][87919/0 pkts][5802654/0 bytes][SYN]
                Jan 18 12:07:41	ntopng		1484748461|2|1|0|Host [172.16.2.55](/lua/host_details.lua?host=172.16.2.55&ifname=re1) is a SYN flooder [72691 SYNs sent in the last 3 sec] TCP 172.16.2.55:62399 > 172.16.2.42:7680 [proto: 0/Unknown][72691/0 pkts][4797606/0 bytes][SYN]
                Jan 18 12:07:41	ntopng		1484748461|2|1|0|Host [172.16.2.42](/lua/host_details.lua?host=172.16.2.42&ifname=re1) is under SYN flood attack by host 172.16.2.42 [72691 SYNs received in the last 3 sec] TCP 172.16.2.55:62399 > 172.16.2.42:7680 [proto: 0/Unknown][72691/0 pkts][4797606/0 bytes][SYN]
                Jan 18 12:08:42	ntopng		1484748522|2|1|0|Host [172.16.2.54](/lua/host_details.lua?host=172.16.2.54&ifname=re1) is a SYN flooder [83189 SYNs sent in the last 3 sec] TCP 172.16.2.54:52529 > 172.16.2.42:7680 [proto: 0/Unknown][83189/0 pkts][5490474/0 bytes][SYN]
                Jan 18 12:08:42	ntopng		1484748522|2|1|0|Host [172.16.2.42](/lua/host_details.lua?host=172.16.2.42&ifname=re1) is under SYN flood attack by host 172.16.2.42 [83189 SYNs received in the last 3 sec] TCP 172.16.2.54:52529 > 172.16.2.42:7680 [proto: 0/Unknown][83189/0 pkts][5490474/0 bytes][SYN]
                Jan 18 12:09:43	ntopng		1484748583|2|1|0|Host [172.16.2.54](/lua/host_details.lua?host=172.16.2.54&ifname=re1) is a SYN flooder [1569602 SYNs sent in the last 3 sec] TCP 172.16.2.54:52529 > 172.16.2.42:7680 [proto: 0/Unknown][1569602/0 pkts][103593732/0 bytes][SYN]
                Jan 18 12:09:43	ntopng		1484748583|2|1|0|Host [172.16.2.42](/lua/host_details.lua?host=172.16.2.42&ifname=re1) is under SYN flood attack by host 172.16.2.42 [1569602 SYNs received in the last 3 sec] TCP 172.16.2.54:52529 > 172.16.2.42:7680 [proto: 0/Unknown][1569602/0 pkts][103593732/0 bytes][SYN]
                Jan 18 12:11:01	ntopng		1484748661|2|1|0|Host [172.16.2.55](/lua/host_details.lua?host=172.16.2.55&ifname=re1) is a SYN flooder [71939 SYNs sent in the last 3 sec] TCP 172.16.2.55:62431 > 172.16.2.42:7680 [proto: 0/Unknown][71939/0 pkts][4747974/0 bytes][SYN]
                Jan 18 12:11:01	ntopng		1484748661|2|1|0|Host [172.16.2.42](/lua/host_details.lua?host=172.16.2.42&ifname=re1) is under SYN flood attack by host 172.16.2.42 [71939 SYNs received in the last 3 sec] TCP 172.16.2.55:62431 > 172.16.2.42:7680 [proto: 0/Unknown][71939/0 pkts][4747974/0 bytes][SYN]
                Jan 18 12:12:02	ntopng		1484748722|2|1|0|Host [172.16.2.55](/lua/host_details.lua?host=172.16.2.55&ifname=re1) is a SYN flooder [1555575 SYNs sent in the last 3 sec] TCP 172.16.2.55:62431 > 172.16.2.42:7680 [proto: 0/Unknown][1555575/0 pkts][102667950/0 bytes][SYN]
                Jan 18 12:12:02	ntopng		1484748722|2|1|0|Host [172.16.2.42](/lua/host_details.lua?host=172.16.2.42&ifname=re1) is under SYN flood attack by host 172.16.2.42 [1555575 SYNs received in the last 3 sec] TCP 172.16.2.55:62431 > 172.16.2.42:7680 [proto: 0/Unknown][1555575/0 pkts][102667950/0 bytes][SYN]
                Jan 18 12:13:03	ntopng		1484748783|2|1|0|Host [172.16.2.55](/lua/host_details.lua?host=172.16.2.55&ifname=re1) is a SYN flooder [3037430 SYNs sent in the last 3 sec] TCP 172.16.2.55:62431 > 172.16.2.42:7680 [proto: 0/Unknown][3037430/0 pkts][200470380/0 bytes][SYN]
                Jan 18 12:13:03	ntopng		1484748783|2|1|0|Host [172.16.2.42](/lua/host_details.lua?host=172.16.2.42&ifname=re1) is under SYN flood attack by host 172.16.2.42 [3037430 SYNs received in the last 3 sec] TCP 172.16.2.55:62431 > 172.16.2.42:7680 [proto: 0/Unknown][3037430/0 pkts][200470380/0 bytes][SYN]
                Jan 18 12:14:04	ntopng		1484748844|2|1|0|Host [172.16.2.55](/lua/host_details.lua?host=172.16.2.55&ifname=re1) is a SYN flooder [4518129 SYNs sent in the last 3 sec] TCP 172.16.2.55:62431 > 172.16.2.42:7680 [proto: 0/Unknown][4518129/0 pkts][298196514/0 bytes][SYN]
                Jan 18 12:14:04	ntopng		1484748844|2|1|0|Host [172.16.2.42](/lua/host_details.lua?host=172.16.2.42&ifname=re1) is under SYN flood attack by host 172.16.2.42 [4518129 SYNs received in the last 3 sec] TCP 172.16.2.55:62431 > 172.16.2.42:7680 [proto: 0/Unknown][4518129/0 pkts][298196514/0 bytes][SYN]
                Jan 18 12:15:05	ntopng		1484748905|2|1|0|Host [172.16.2.55](/lua/host_details.lua?host=172.16.2.55&ifname=re1) is a SYN flooder [5999820 SYNs sent in the last 3 sec] TCP 172.16.2.55:62431 > 172.16.2.42:7680 [proto: 0/Unknown][5999820/0 pkts][395988120/0 bytes][SYN]
                Jan 18 12:15:05	ntopng		1484748905|2|1|0|Host [172.16.2.42](/lua/host_details.lua?host=172.16.2.42&ifname=re1) is under SYN flood attack by host 172.16.2.42 [5999820 SYNs received in the last 3 sec] TCP 172.16.2.55:62431 > 172.16.2.42:7680 [proto: 0/Unknown][5999820/0 pkts][395988120/0 bytes][SYN]
                Jan 18 12:48:07	ntopng		[Redis.cpp:79] ERROR: ntopng requires redis server to be up and running
                Jan 18 12:48:07	ntopng		[Redis.cpp:80] ERROR: Please start it and try again or use -r
                Jan 18 12:48:07	ntopng		[Redis.cpp:81] ERROR: to specify a redis server other than the default
                Jan 18 12:48:27	ntopng		[HTTPserver.cpp:503] ERROR: Unable to start HTTP server (IPv4) on ports 3000: Address already in use
                Jan 18 13:50:36	ntopng		1484754636|2|1|0|Host [172.16.2.45](/lua/host_details.lua?host=172.16.2.45&ifname=re1) is a SYN flooder [79305 SYNs sent in the last 3 sec] TCP 172.16.2.45:59664 > 172.16.2.46:7680 [proto: 0/Unknown][79305/0 pkts][5234130/0 bytes][SYN]
                Jan 18 13:50:36	ntopng		1484754636|2|1|0|Host [172.16.2.46](/lua/host_details.lua?host=172.16.2.46&ifname=re1) is under SYN flood attack by host 172.16.2.46 [79305 SYNs received in the last 3 sec] TCP 172.16.2.45:59664 > 172.16.2.46:7680 [proto: 0/Unknown][79305/0 pkts][5234130/0 bytes][SYN]
                Jan 18 13:51:57	ntopng		1484754717|2|1|0|Host [172.16.2.45](/lua/host_details.lua?host=172.16.2.45&ifname=re1) is a SYN flooder [89416 SYNs sent in the last 3 sec] TCP 172.16.2.45:59669 > 172.16.2.46:7680 [proto: 0/Unknown][89416/0 pkts][5901456/0 bytes][SYN]
                Jan 18 13:51:57	ntopng		1484754717|2|1|0|Host [172.16.2.46](/lua/host_details.lua?host=172.16.2.46&ifname=re1) is under SYN flood attack by host 172.16.2.46 [89416 SYNs received in the last 3 sec] TCP 172.16.2.45:59669 > 172.16.2.46:7680 [proto: 0/Unknown][89416/0 pkts][5901456/0 bytes][SYN]
                Jan 18 13:54:09	ntopng		1484754849|2|1|0|Host [172.16.2.42](/lua/host_details.lua?host=172.16.2.42&ifname=re1) is a SYN flooder [70603 SYNs sent in the last 3 sec] TCP 172.16.2.42:53429 > 172.16.2.46:7680 [proto: 0/Unknown][70603/0 pkts][4659798/0 bytes][SYN]
                Jan 18 13:54:09	ntopng		1484754849|2|1|0|Host [172.16.2.46](/lua/host_details.lua?host=172.16.2.46&ifname=re1) is under SYN flood attack by host 172.16.2.46 [70603 SYNs received in the last 3 sec] TCP 172.16.2.42:53429 > 172.16.2.46:7680 [proto: 0/Unknown][70603/0 pkts][4659798/0 bytes][SYN]
                Jan 18 13:55:10	ntopng		1484754910|2|1|0|Host [172.16.2.42](/lua/host_details.lua?host=172.16.2.42&ifname=re1) is a SYN flooder [1554599 SYNs sent in the last 3 sec] TCP 172.16.2.42:53429 > 172.16.2.46:7680 [proto: 0/Unknown][1554599/0 pkts][102603534/0 bytes][SYN]
                Jan 18 13:55:10	ntopng		1484754910|2|1|0|Host [172.16.2.46](/lua/host_details.lua?host=172.16.2.46&ifname=re1) is under SYN flood attack by host 172.16.2.46 [1554599 SYNs received in the last 3 sec] TCP 172.16.2.42:53429 > 172.16.2.46:7680 [proto: 0/Unknown][1554599/0 pkts][102603534/0 bytes][SYN]
                Jan 18 13:56:11	ntopng		1484754971|2|1|0|Host [172.16.2.42](/lua/host_details.lua?host=172.16.2.42&ifname=re1) is a SYN flooder [3037317 SYNs sent in the last 3 sec] TCP 172.16.2.42:53429 > 172.16.2.46:7680 [proto: 0/Unknown][3037317/0 pkts][200462922/0 bytes][SYN]
                Jan 18 13:56:11	ntopng		1484754971|2|1|0|Host [172.16.2.46](/lua/host_details.lua?host=172.16.2.46&ifname=re1) is under SYN flood attack by host 172.16.2.46 [3037317 SYNs received in the last 3 sec] TCP 172.16.2.42:53429 > 172.16.2.46:7680 [proto: 0/Unknown][3037317/0 pkts][200462922/0 bytes][SYN]
                Jan 18 13:59:22	ntopng		1484755162|2|1|0|Host [172.16.2.42](/lua/host_details.lua?host=172.16.2.42&ifname=re1) is a SYN flooder [65429 SYNs sent in the last 3 sec] TCP 172.16.2.42:53429 > 172.16.2.46:7680 [proto: 0/Unknown][65429/0 pkts][4318314/0 bytes][SYN]
                Jan 18 13:59:22	ntopng		1484755162|2|1|0|Host [172.16.2.46](/lua/host_details.lua?host=172.16.2.46&ifname=re1) is under SYN flood attack by host 172.16.2.46 [65429 SYNs received in the last 3 sec] TCP 172.16.2.42:53429 > 172.16.2.46:7680 [proto: 0/Unknown][65429/0 pkts][4318314/0 bytes][SYN]
                Jan 18 13:59:38	ntopng		[HTTPserver.cpp:503] ERROR: Unable to start HTTP server (IPv4) on ports 3000: Address already in use
                Jan 18 14:00:23	ntopng		1484755223|2|1|0|Host [172.16.2.42](/lua/host_details.lua?host=172.16.2.42&ifname=re1) is a SYN flooder [1548430 SYNs sent in the last 3 sec] TCP 172.16.2.42:53429 > 172.16.2.46:7680 [proto: 0/Unknown][1548430/0 pkts][102196380/0 bytes][SYN]
                Jan 18 14:00:23	ntopng		1484755223|2|1|0|Host [172.16.2.46](/lua/host_details.lua?host=172.16.2.46&ifname=re1) is under SYN flood attack by host 172.16.2.46 [1548430 SYNs received in the last 3 sec] TCP 172.16.2.42:53429 > 172.16.2.46:7680 [proto: 0/Unknown][1548430/0 pkts][102196380/0 bytes][SYN]
                Jan 18 14:01:24	ntopng		1484755284|2|1|0|Host [172.16.2.42](/lua/host_details.lua?host=172.16.2.42&ifname=re1) is a SYN flooder [3028865 SYNs sent in the last 3 sec] TCP 172.16.2.42:53429 > 172.16.2.46:7680 [proto: 0/Unknown][3028865/0 pkts][199905090/0 bytes][SYN]
                Jan 18 14:01:24	ntopng		1484755284|2|1|0|Host [172.16.2.46](/lua/host_details.lua?host=172.16.2.46&ifname=re1) is under SYN flood attack by host 172.16.2.46 [3028865 SYNs received in the last 3 sec] TCP 172.16.2.42:53429 > 172.16.2.46:7680 [proto: 0/Unknown][3028865/0 pkts][199905090/0 bytes][SYN]
                Jan 18 14:04:13	ntopng		1484755453|2|1|0|Host [172.16.2.42](/lua/host_details.lua?host=172.16.2.42&ifname=re1) is a SYN flooder [61861 SYNs sent in the last 3 sec] TCP 172.16.2.42:53429 > 172.16.2.46:7680 [proto: 0/Unknown][61861/0 pkts][4082826/0 bytes][SYN]
                Jan 18 14:04:13	ntopng		1484755453|2|1|0|Host [172.16.2.46](/lua/host_details.lua?host=172.16.2.46&ifname=re1) is under SYN flood attack by host 172.16.2.46 [61861 SYNs received in the last 3 sec] TCP 172.16.2.42:53429 > 172.16.2.46:7680 [proto: 0/Unknown][61861/0 pkts][4082826/0 bytes][SYN]
                Jan 18 14:04:29	ntopng		[HTTPserver.cpp:503] ERROR: Unable to start HTTP server (IPv4) on ports 3000: Address already in use
                Jan 18 14:05:14	ntopng		1484755514|2|1|0|Host [172.16.2.42](/lua/host_details.lua?host=172.16.2.42&ifname=re1) is a SYN flooder [1543965 SYNs sent in the last 3 sec] TCP 172.16.2.42:53429 > 172.16.2.46:7680 [proto: 0/Unknown][1543965/0 pkts][101901690/0 bytes][SYN]
                Jan 18 14:05:14	ntopng		1484755514|2|1|0|Host [172.16.2.46](/lua/host_details.lua?host=172.16.2.46&ifname=re1) is under SYN flood attack by host 172.16.2.46 [1543965 SYNs received in the last 3 sec] TCP 172.16.2.42:53429 > 172.16.2.46:7680 [proto: 0/Unknown][1543965/0 pkts][101901690/0 bytes][SYN]
                Jan 18 14:06:33	ntopng		1484755593|2|1|0|Host [172.16.2.42](/lua/host_details.lua?host=172.16.2.42&ifname=re1) is a SYN flooder [80223 SYNs sent in the last 3 sec] TCP 172.16.2.42:53429 > 172.16.2.46:7680 [proto: 0/Unknown][3092304/0 pkts][204092064/0 bytes][SYN]
                Jan 18 14:06:33	ntopng		1484755593|2|1|0|Host [172.16.2.46](/lua/host_details.lua?host=172.16.2.46&ifname=re1) is under SYN flood attack by host 172.16.2.46 [80223 SYNs received in the last 3 sec] TCP 172.16.2.42:53429 > 172.16.2.46:7680 [proto: 0/Unknown][3092304/0 pkts][204092064/0 bytes][SYN]
                
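An added example, not part of the original thread: a small Python parser that condenses ntopng alert lines like the ones posted above into one summary row per source and destination. The function names are hypothetical, and the sample lines are taken from the post with whitespace normalised.

```python
import re
from collections import defaultdict

# Sample input: four lines from the log posted above (whitespace normalised).
SAMPLE = """\
Jan 18 12:05:21 ntopng 1484748321|2|1|0|Host [172.16.2.54](/lua/host_details.lua?host=172.16.2.54&ifname=re1) is a SYN flooder [87919 SYNs sent in the last 3 sec] TCP 172.16.2.54:52409 > 172.16.2.42:7680 [proto: 0/Unknown][87919/0 pkts][5802654/0 bytes][SYN]
Jan 18 12:11:01 ntopng 1484748661|2|1|0|Host [172.16.2.55](/lua/host_details.lua?host=172.16.2.55&ifname=re1) is a SYN flooder [71939 SYNs sent in the last 3 sec] TCP 172.16.2.55:62431 > 172.16.2.42:7680 [proto: 0/Unknown][71939/0 pkts][4747974/0 bytes][SYN]
Jan 18 12:11:01 ntopng 1484748661|2|1|0|Host [172.16.2.42](/lua/host_details.lua?host=172.16.2.42&ifname=re1) is under SYN flood attack by host 172.16.2.42 [71939 SYNs received in the last 3 sec] TCP 172.16.2.55:62431 > 172.16.2.42:7680 [proto: 0/Unknown][71939/0 pkts][4747974/0 bytes][SYN]
Jan 18 12:12:02 ntopng 1484748722|2|1|0|Host [172.16.2.55](/lua/host_details.lua?host=172.16.2.55&ifname=re1) is a SYN flooder [1555575 SYNs sent in the last 3 sec] TCP 172.16.2.55:62431 > 172.16.2.42:7680 [proto: 0/Unknown][1555575/0 pkts][102667950/0 bytes][SYN]
Jan 18 12:48:07 ntopng [Redis.cpp:79] ERROR: ntopng requires redis server to be up and running
"""

# In the "under SYN flood attack by host X" lines above, X repeats the victim's
# own address, so source and destination are read from the flow tuple instead.
ALERT = re.compile(
    r"(?P<epoch>\d{10})\|\d+\|\d+\|\d+\|Host .*? is "
    r"(?P<role>a SYN flooder|under SYN flood attack)"
    r".*?\[(?P<syns>\d+) SYNs (?:sent|received) in the last (?P<win>\d+) sec\]"
    r" TCP (?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_alerts(text):
    """Return one event per (epoch, flow); each event is logged twice."""
    seen, events = set(), []
    for line in text.splitlines():
        m = ALERT.search(line)
        if not m:
            continue  # unrelated ntopng lines (Redis / HTTP server errors)
        key = (m["epoch"], m["src"], m["sport"], m["dst"], m["dport"])
        if key in seen:
            continue  # the victim-side copy of an event already recorded
        seen.add(key)
        events.append({
            "epoch": int(m["epoch"]), "syns": int(m["syns"]),
            "window": int(m["win"]), "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
        })
    return events

def summarize(events):
    """Group events by (source, destination, destination port)."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["src"], e["dst"], e["dport"])].append(e)
    report = {}
    for key, evs in groups.items():
        report[key] = {
            "alerts": len(evs),
            "peak_syns": max(e["syns"] for e in evs),
            # One source port repeated across alerts means the same 5-tuple
            # keeps being counted, not many separate connection attempts.
            "src_ports": sorted({e["sport"] for e in evs}),
            "first": min(e["epoch"] for e in evs),
            "last": max(e["epoch"] for e in evs),
        }
    return report

if __name__ == "__main__":
    for (src, dst, dport), s in summarize(parse_alerts(SAMPLE)).items():
        print(f"{src} -> {dst}:{dport} alerts={s['alerts']} peak={s['peak_syns']} "
              f"src_ports={s['src_ports']} span={s['last'] - s['first']}s")
```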
                  chipbr

                  See this topic:

                  https://forum.pfsense.org/index.php?topic=88659.0

                    cr1stt0f3r

                    From what I understood, it is this: the internal machines are generating so much flood that ntop is logging it by the thousands, making the server swell to the point of no longer responding on the network cards?

                    Is it enough to disable the ntop alerts? "Disables all alerts generated by ntopng, such as flooding notifications."

                      cr1stt0f3r

                      Hello, for anyone who happens to land on this topic, I'm still testing my problem..
                      Several times I thought it could be some physical problem:
                      I formatted the server, swapped the server, swapped the network card, swapped the switch; nothing changed.

                      I replaced the OS on the original server with Endian.
                      There were no failures at all.. which only leaves me to imagine that there is some attack from my workstations against the server or in broadcast..

                      What I found different in that OS is that by default it comes with everything blocked, with only a few rules allowing http, https, dns, pop, imap, etc.; nothing else gets access, because it isn't registered.

                      I set up a third machine with pfSense along the same lines, with only basic rules for use.
                      I'll test it on the network soon!

                      I'll be back with updates on this. Cheers!

                      ![firewall pfsense2.PNG](/public/imported_attachments/1/firewall pfsense2.PNG)
                      ![firewall pfsense.PNG](/public/imported_attachments/1/firewall pfsense.PNG)

                        cr1stt0f3r

                        Hello, good afternoon.

                        Confirming: my problem is in my internal network!
                        After disconnecting the backbone of one specific department, communication with the server returns to normal.
                        I imagine the equipment is incompatible, or some client on the network is faulty or infected. I'm still analyzing, but in any case it is not a problem or characteristic of pfSense.
                        Thanks for the attention of those who helped me, whether here or over Skype!

                        Cheers!

                          empbilly

                          @cr1stt0f3r:

                          Hello, good afternoon.

                          Confirming: my problem is in my internal network!
                          After disconnecting the backbone of one specific department, communication with the server returns to normal.
                          I imagine the equipment is incompatible, or some client on the network is faulty or infected. I'm still analyzing, but in any case it is not a problem or characteristic of pfSense.
                          Thanks for the attention of those who helped me, whether here or over Skype!

                          Cheers!

                          Good luck with the resolution!! :D

                          Edit your first post and put [RESOLVED] in the title.

                          https://eliasmoraispereira.wordpress.com/

                            cr1stt0f3r

                            Narrowing down the problem: in that department, I thought it could be some camera or computer..
                            It turned out the culprit was a TP-Link router.

                            I removed it and everything went back to normal!

                            I even tried updating the firmware and disabling as many of its extra features as possible, but it kept taking down the whole network..

                            I wrote off the equipment and used it to light a bonfire.

                            Cheers, friends! ;D
