PFsense Blocking Some Traffic
-
all the DNS lookups i have tried show similar results, 127.0.0.1 being quicker than the others
-
When you have a device that cannot connect, run a DNS query from that device.
This is an elusive issue.
-
Its going to be VERY elusive if you have such high packet loss.. Sorry but dns is going to be crapshoot over such a connection because its going to be hit or miss..
Most dns is always going to be UDP.. So you throw the ball over the fence and hope the person catches it but you don't know... Unless you get an answer - and which such a high loss connection he might of answered but you never get it.
What is the average packet loss your seeing... Look on your quality graph..
And yeah pulling from a local cache is always going to be way faster then doing an actual query to some remote NS...
With such high packet loss - I would expect horrible everything.. Sure tcp will retrans, but its going to be a horrible experience overall with such high packet loss if it actually is loss and just not your gateway answering pings... Do a sniff on your wan traffic.. Are you seeing lots of retransmits?
-
@johnpoz the packet loss from another post was a red herring, pfsense was not monitoring my modem, it was monitoring virgin media's gateway which is way out of my control.
i setup "think broadband" to monitor my public IP (and so monitoring my own gateway) and packet loss was 0.11% max
i have disabled pfsense gateway monitor, as it was monitoring the wrong thing and giving irrelevant into, and was easier than getting pfsense to monitor the correct gateway -
Well if you believe the problem is dns related.. look at your timing and any loss in unbound... Dump your stats
unbound-control -c /var/unbound/unbound.conf stats_noreset
What is your recursion time average, etc..
What sort of % hit on cache are you getting, etc. etc.
if your not getting a high amount of cache hits, you prob want to turn on prefetch and zero ttl. These can help with problems with long recursion times and or timeouts.total.recursion.time.avg=0.158804
total.recursion.time.median=0.0505461total.num.queries=126887
total.num.cachehits=110479So Im at about 87% cache hit rate...
Look at the stats page in the gui.
Status / DNS ResolverAre you seeing timeouts? You really should have all Zeros
-
@noob said in PFsense Blocking Some Traffic:
@johnpoz the packet loss from another post was a red herring, pfsense was not monitoring my modem, it was monitoring virgin media's gateway which is way out of my control.
i setup "think broadband" to monitor my public IP (and so monitoring my own gateway) and packet loss was 0.11% max
i have disabled pfsense gateway monitor, as it was monitoring the wrong thing and giving irrelevant into, and was easier than getting pfsense to monitor the correct gatewayI actually have pfSense monitoring a point on the Internet, not my modem. When I am experiencing issues, I want to test a point off of my ISP's network. Yes, on occasion it will trigger some false-positives, but generally speaking, I won't "feel" that issue on the network. When I am suspicious that my network is having issues, then I can check the monitor to see if/what the loss is.
If you want to monitor the quality of your connection, try this smokeping tool: https://www.dslreports.com/smokeping
-
heheeh - yeah I think I know how to monitor my connection... But thanks ;)
-
@johnpoz said in PFsense Blocking Some Traffic:
heheeh - yeah I think I know how to monitor my connection... But thanks ;)
Not you, the other guy. Although, I didn't want to assume... ;)
-
@johnpoz total.recursion.time.avg=0.125316
total.recursion.time.median=0.0505173
just booted up pfsense as it took it down again last night
total.num.queries=55
total.num.cachehits=4i have just turned prefetch on to see what difference it makes
DNS Reseolver timeout A, timeout AAAA and timeout other are all zero's
-
Well stats right after it boots not going to point to any sort of problem.
-
@johnpoz how long would you like me to leave it before re-posting stats?
hours, days? i dont know how long ill need to collect data for before it becomes of any use for fault diagnosis -
After you have been seeing a dns related problem.
Total number of queries 55.. There is nothing on your network doing anything at that point.. Notice mine was 126,000
-
im not sure this is even a DNS issue, i have no idea what is causing the issue, that smokeping test tool posted further up is currently reporting 0.00% packet loss accross all 3 servers that are pinging me.
the issue with ebay app landing [page not loading on wifes phone is constant (it never loads unless we switch to 3g/4g data or remove pfsense) all the other pages/search/buy functions work all the time.... ebay app loads on other devices every single time no issues.
the issue with the android tv box and virgin tv go allowing me to login, loading menu's and previews and up to date live tv guide but not playing actual programs is a constant while pfsense is running, but virgin tv go on all other devices works even with pfsense in place.i cant see anything in the logs to suggest traffic is being blocked, makes no sense as to why i would be blocking only certain devices
total.num.queries=1047
total.num.queries_ip_ratelimited=0
total.num.cachehits=158
total.num.cachemiss=889
total.num.prefetch=14
total.num.zero_ttl=0
total.recursion.time.avg=0.138458
total.recursion.time.median=0.0890953i would love to learn more about pfsense (which is why i got it to start with) but these issues dont seem to make any sense.
i did notice you had over 100k queries but i have no idea how long your box has been up and running, could be months
from the first few mins of booting pfsence up to now 2 hours uptime, the hit rate seems to be hovering steady at 14-16%
is there anything i should be looking at on the devices in question??
-
You might want to grab a packet capture onb the LAN filtered by the IP of the offending device.
Try to do as little as possible on the phone just to minimise the traffic. Once the menus have failed to load check the pcap.Steve
-
Current uptime: 22 Days 03 Hours 48 Minutes 58 Seconds
That would of been since updated to p1, current stats show... But that is not always related to when unbound restarted..
1047 queries is not a lot of queries.. Do you have not have your stuff pointing to pfsense? Do you only have like 1 device on your network or something? How long has unbound been up to get your 1047 queries?
-
It was only me on my pc and phone last night.
The system uptime was 2 hours 12 mins when I saw the 1000 queries which is approx 500 per hour.
Your 126k decided by 22 days up time is approx 240 per hour.
I have no idea how long unbound was running, I was just going by system up time.All traffic should be going through pfsense as all traffic to and from the modem is tagged via vlan
I've taken pfsense down again at the moment, will boot it up again tonight and leave it running for a few days (and do the Lan side packet sniffing sujested above)
How can I find inbounds "uptime" if it's different from system uptime? -
@noob said in PFsense Blocking Some Traffic:
How can I find inbounds "uptime" if it's different from system uptime?
Easy : check the DNS log ! Or ask the system : ps ax | grep 'unbound'
unbound is a service that is restarted rather often. -
time up will also be in the stats
time.up=81609.360209Which would be in seconds.
And to be honest most everything on my network points to downstream pihole, so that reduces the number of queries unbound sees because pihole only asks unbound for stuff that has not been blocked, and also it caches.. So if say 3 things asked for xyz.com unbound would only see the 1 from pihole, then piehole would serve the answer up to the clients via its cache.
