PFsense Blocking Some Traffic
-
While it might be false flag - ie pfsense gateway just not answering the PING..
But when that happens pfsense can think internet is down and reset all states - then you loose connection.
Under Advanced, Misc
Or set gateway to always be up and disable monitoring.
-
@johnpoz ill check that tonight and see if its flushing the states.
the spike of packet loss at around 10pm was before i allowed ICMP ping requests as a rule and the 2nd spike at around 11pm was when i rebooted pfsensenever used thinkbroadband monitor before so no idea if those ping spikes/results are normal for my line (speedtest.net is ALWAYS below 20ms ping and 2ms jitter but that test is with an idle connection so best case scenario)
think broadband pings once every second no matter the load on bandwidth -
It doesn't flush/reset all states (box is unticked) and I've disabled gateway monitoring.
But that was more of a side quest.....
Anyone got any ideas about the original issue? It's still happening.
Not being able to watch virgin TV go app on my android TV box is a killer (for the Mrs) and if I can't resolve it I'll have to rip out pfsense and ditch it. -
Anyone got any other ideas?
-
@noob said in PFsense Blocking Some Traffic:
Anyone got any other ideas?
Yeah, a few questions:
You are saying that your configuration is: modem->switch->pfSense? And other devices are connected to the switch? Just want to confirm this.
What or where is the gateway monitor? Is it the modem? Google's DNS servers? Someplace else?
The issues you're experiencing are more than likely DNS-related issues. How do you have DHCP and DNS configured in pfSense? Please post screen shots.
-
Yes virgin superhub3 into switch. Pfsense into switch (vlan'd) so all traffic passes through pfsense.
DHCP is handled exclusively by pfsense.
DNS is also via pfsense.
Pfsense currently has virgin media's own DNS servers set.... 194.168.4.100 and 194.168.8.100
These were filled in automatically (not by me)
I have tried manually changing them to Google's DNS servers 8.8.8.8 and 8.8.4.4
Same issues remained.Trying travertine and pinging the servers that wouldn't load via wife's phone work fine when pinging/tracing via pfsense.
If it's a DNS issue why would the websites load on some devices but not others??
I'll post screen shots later as I've had to take pfsense down for now -
@tim-mcmanus
i hope these screen shots contain the info you requested?
the DNS servers listed have all been automatically assigned (i assume via DHCP from the modem)the gateway listed, belongs to virgin media and again has been automatically filled in, however this is not my modems public IP address.
i had to disable gateway monitoring as it was throwing up false information, claiming my gateway was offline yet i was still online with no issues (i'm guessing because it was monitoring virgin media's gateway and not my public IP?)MTU is automatically set to 1500 on both wan/lan.
my virgin media superhub 3 is in modem only mode so DHCP is not active, neither is NAT or any form of firewalling
-
Thanks for posting those screen shots.
What I didn't see was which DNS servers your DHCP server is giving out.
Also, when you say pfSense is doing DNS, are you running the DNS resolver?
-
@tim-mcmanus
the DNS resolver is running (i have not changed this, so default configuration must be to have this on)did you need a screen shot of the DNS resolver general settings page?
-
No, this is good. Can you go to Diagnostics->DNS Lookup and run some queries for the sites you are having problems with? I am interested to see if Resolver (127.0.0.1) is timing out on any of those lookups.
What can happen is this: Your ISP may be blocking DNS lookups to the root servers, which pfSense would normally do. That delay can cause a client timeout when looking for a site, and that client won't be able to get to that site temporarily. You'd need to do a second lookup, and then the query would be caches for any additional client lookups.
What's happening in your situation, if I understand correctly, only some devices have a problem, and it's sporadic. It could be a symptom of lookups failing or timing out, and then the next device gets a working/cached DNS result from a subsequent and successful lookup.
-
all the DNS lookups i have tried show similar results, 127.0.0.1 being quicker than the others
-
When you have a device that cannot connect, run a DNS query from that device.
This is an elusive issue.
-
Its going to be VERY elusive if you have such high packet loss.. Sorry but dns is going to be crapshoot over such a connection because its going to be hit or miss..
Most dns is always going to be UDP.. So you throw the ball over the fence and hope the person catches it but you don't know... Unless you get an answer - and which such a high loss connection he might of answered but you never get it.
What is the average packet loss your seeing... Look on your quality graph..
And yeah pulling from a local cache is always going to be way faster then doing an actual query to some remote NS...
With such high packet loss - I would expect horrible everything.. Sure tcp will retrans, but its going to be a horrible experience overall with such high packet loss if it actually is loss and just not your gateway answering pings... Do a sniff on your wan traffic.. Are you seeing lots of retransmits?
-
@johnpoz the packet loss from another post was a red herring, pfsense was not monitoring my modem, it was monitoring virgin media's gateway which is way out of my control.
i setup "think broadband" to monitor my public IP (and so monitoring my own gateway) and packet loss was 0.11% max
i have disabled pfsense gateway monitor, as it was monitoring the wrong thing and giving irrelevant into, and was easier than getting pfsense to monitor the correct gateway -
Well if you believe the problem is dns related.. look at your timing and any loss in unbound... Dump your stats
unbound-control -c /var/unbound/unbound.conf stats_noreset
What is your recursion time average, etc..
What sort of % hit on cache are you getting, etc. etc.
if your not getting a high amount of cache hits, you prob want to turn on prefetch and zero ttl. These can help with problems with long recursion times and or timeouts.total.recursion.time.avg=0.158804
total.recursion.time.median=0.0505461total.num.queries=126887
total.num.cachehits=110479So Im at about 87% cache hit rate...
Look at the stats page in the gui.
Status / DNS ResolverAre you seeing timeouts? You really should have all Zeros
-
@noob said in PFsense Blocking Some Traffic:
@johnpoz the packet loss from another post was a red herring, pfsense was not monitoring my modem, it was monitoring virgin media's gateway which is way out of my control.
i setup "think broadband" to monitor my public IP (and so monitoring my own gateway) and packet loss was 0.11% max
i have disabled pfsense gateway monitor, as it was monitoring the wrong thing and giving irrelevant into, and was easier than getting pfsense to monitor the correct gatewayI actually have pfSense monitoring a point on the Internet, not my modem. When I am experiencing issues, I want to test a point off of my ISP's network. Yes, on occasion it will trigger some false-positives, but generally speaking, I won't "feel" that issue on the network. When I am suspicious that my network is having issues, then I can check the monitor to see if/what the loss is.
If you want to monitor the quality of your connection, try this smokeping tool: https://www.dslreports.com/smokeping
-
heheeh - yeah I think I know how to monitor my connection... But thanks ;)
-
@johnpoz said in PFsense Blocking Some Traffic:
heheeh - yeah I think I know how to monitor my connection... But thanks ;)
Not you, the other guy. Although, I didn't want to assume... ;)
-
@johnpoz total.recursion.time.avg=0.125316
total.recursion.time.median=0.0505173
just booted up pfsense as it took it down again last night
total.num.queries=55
total.num.cachehits=4i have just turned prefetch on to see what difference it makes
DNS Reseolver timeout A, timeout AAAA and timeout other are all zero's
-
Well stats right after it boots not going to point to any sort of problem.
