pfSense with AT&T fiber-- WAN keeps dropping offline

wgstarks

I just got a new ISP account with AT&T Uverse fiber and a Pace 5268AC modem. Set up the modern per these instructions. My WAN connection keeps dropping off line at random several times per hour and I'm not sure why. I've tried working with AT&T tech support, but they claim there aren't any line issues and won't support my router.

Gateway logs are showing entries for high latency-

May 30 21:36:14	dpinger		send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 8.8.8.8 bind_addr 108.77.84.186 identifier "WAN_DHCP "
May 30 21:34:16	dpinger		WAN_DHCP 8.8.8.8: Alarm latency 0us stddev 0us loss 100%
May 30 21:34:14	dpinger		send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 8.8.8.8 bind_addr 192.168.1.64 identifier "WAN_DHCP "
May 30 21:34:14	dpinger		WAN_DHCP 8.8.8.8: Alarm latency 0us stddev 0us loss 100%
May 30 21:34:12	dpinger		send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 8.8.8.8 bind_addr 192.168.1.64 identifier "WAN_DHCP "
May 30 21:26:48	dpinger		WAN_DHCP 8.8.8.8: Alarm latency 11479us stddev 366us loss 21%
May 30 21:26:17	dpinger		send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 8.8.8.8 bind_addr 108.77.84.186 identifier "WAN_DHCP "
May 30 21:26:16	dpinger		send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 8.8.8.8 bind_addr 108.77.84.186 identifier "WAN_DHCP "
May 30 21:20:53	dpinger		WAN_DHCP 8.8.8.8: Alarm latency 11655us stddev 1308us loss 21%
May 30 21:03:38	dpinger		send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 8.8.8.8 bind_addr 108.77.84.186 identifier "WAN_DHCP "
May 30 21:03:08	dpinger		WAN_DHCP 8.8.8.8: Alarm latency 0us stddev 0us loss 100%
May 30 21:03:05	dpinger		send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 8.8.8.8 bind_addr 108.77.84.186 identifier "WAN_DHCP "
May 30 21:02:20	dpinger		WAN_DHCP 8.8.8.8: Alarm latency 0us stddev 0us loss 100%
May 30 21:02:18	dpinger		send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 8.8.8.8 bind_addr 192.168.1.66 identifier "WAN_DHCP "

So far I haven't found anything else in the logs that might be helpful, but honestly I'm not exactly sure where to start looking. Rebooting the router usually corrects the problem until the next occurrence. I did get AT&T to send me a new modem, but that didn't help.

I'm at a complete loss on how to fix this. Could use some help.

lburr

Did AT&T set their modem to bridge mode? I had a coax modem in bridge mode & when I upgraded to fiber they forgot to put it in bridge mode, after a quick phone call it started working properly.

wgstarks

The Pace modem doesn’t really have a “bridge” mode as far as I can tell. My router is set as DMZ with allow all apps. This passes through the external IP to the router.

lburr

I did some research and you're right. AT&T only has DMZplus, not bridge mode like I have with Spectrum.

If you go to System -> Advanced -> Miscellaneous tab in the Gateway Monitoring section, is State Killing on Gateway Failure unchecked? It's designed for multi-WAN and when the primary WAN goes down it clears the states so the secondary WAN works properly.

If you only have one WAN & it's checked it might be the issue. Mine was unchecked by default, but it's worth verifying.

wgstarks

@lburr It’s unchecked but thanks for the reply.

lburr

I'm running out of ideas... not sure how you've set up your pfSense router but see the comments at the bottom of this page (outdated squid/snort rules, a potential hard drive issue, or using OpenDNS):
https://productforums.google.com/forum/#!msg/fiber/rRbqyW2o8ek/pT0t1I_ABwAJ

I have AT&T Uverse fiber at home and I'd been planning to install a pfSense router soon, so I'm interested to see if you can get it running properly.

wgstarks

I'll stop Snort just to see if that makes a difference. It's the only thing I see there that might apply.

wgstarks

@wgstarks said in pfSense with AT&T fiber-- WAN keeps dropping offline:

I'll stop Snort just to see if that makes a difference. It's the only thing I see there that might apply.

Stopping Snort didn't help. Still dropping offline.

wgstarks

It looks like these issues may be due to AT&T network problems. They’ve got a supervisor checking the network equipment in my area to try and figure out what’s going on and have scheduled a tech to come out and replace the fiber to Ethernet converter box inside my house. We’ll see.🤨

wgstarks

Tech came out and replaced ONT box. I'm seeing better network performance but still getting random periods of packet loss up to about 50 - 60% lasting 30 seconds or so. I think this has to be an AT&T network issue. The tech supervisor agrees and is going to have their crews check their splitters (whatever those are???) for my area.

The entire AT&T fiber network in my area is only about a year old. The supervisor I meet with says that currently they still have only a few subscribers in this area and are still finding bugs in the system when new installations are performed. I hope he's right.

mhab12

We switched to Cox gigablast (their residential fiber product) a while back and encountered oddities over the first year or so. Sounds like similar issues...only a handful of subscribers in the area and a new f/o network roll out that wasn't fully tested ahead of time.

Harvy66

I see you're pinging Google DNS. I know pfSense has an option to kill the WAN states in the event that the loss gets too high. It's possible you're conflating the WAN being down and the route to Google DNS being bad.

wgstarks

@harvy66
I’m just going by the display in the status page. Packet loss hits 100% and lots of high latency alarms in the system log. Tried using AT&T’s DNS servers for monitoring WAN but no difference. Looks to me like the AT&T router is still being used somehow even in DMZ+ mode. I’ve seen lots of complaints online about the very small state tables they use in their firmware. I don’t have the background to know if this is true or not, but I do see lots of “excessive connections” errors in the logs for the fiber modem. The tech crews have checked the lines several times without finding any issues.

SteveITS

What is the DHCP lease time from the AT&T modem? I had a home connection that was passing through the connection to give the internal router (in this case not a pfSense) the public IP, and the DHCP lease time was 10 minutes, which apparently triggered a connection reset on the internal router. Just before every-10-minute disconnections started happening the router firmware was updated, so I'm not sure if the apparent NIC-reset-on-DHCP-renewal was a mew problem with that router's firmware or that AT&T coincidentally lowered the lease time to 10 minutes. I am pretty sure the lease time has not been 10 minutes in the past.

At any rate I worked around it by setting the AT&T modem/router to not pass through the public IP, and to put the router in its DMZ (as I recall I had to restart both devices to get the internal router to appear as an option). The lease time to the router is now 1 day and not as noticeable as the few seconds of dropout at each renewal.

I don't know if this helps you but thought I'd try.

kabrutus

@wgstarks did you ever get this resolved? I have an ATT fiber that is also dropping the connection in the early mornings. Almost every hour from 1am to 5am

wgstarks

@kabrutus said in pfSense with AT&T fiber-- WAN keeps dropping offline:

@wgstarks did you ever get this resolved? I have an ATT fiber that is also dropping the connection in the early mornings. Almost every hour from 1am to 5am

No. The AT&T techs seem to be very poorly trained afa troubleshooting goes. After 3 weeks, and about a dozen service calls, I had them disconnect my service and refund the money I had paid them. I’m using Spectrum’s Gigabit plan now. Much more reliable but very expensive compared to AT&T Fiber.

kabrutus

@wgstarks sucks. I guess I will have to deal with it for now. Roughly, what's the price for the spectrum gigabit? I know they have copper 940/35 but I need up/down

wgstarks

@kabrutus said in pfSense with AT&T fiber-- WAN keeps dropping offline:

I know they have copper 940/35 but I need up/down

That’s what Spectrum is calling their gigabit plan. I know it’s not really a true gigabit connection though. For me the price is about $120 US/month and a one time $200 installation fee.

gsmornot

Too bad I didn't see this sooner. I use pfSense with ATT Fiber no issue. It took about a week in the beginning to find the right combo after being on cable but no issues in more than a year now.

raellic

I had this same problem with a Comcast Business connection. It appears that pfSense is very sensitive to packet loss on the WAN interface and will often issue a WAN alarm. I don't know if this is a bug or a feature, but it causes the connection to reset and I'm without internet for a couple minutes at a time. Very annoying. I solved the problem by switching to a Netgear router temporarily, and temporary became semi-permanent.