Intermittent loss of internet connectivity
-
@claferriere said in Intermittent loss of internet connectivity:
Could the jumbo frames between the switch and NAS be an issue ?
Unlikely.
Are the VPN site-to-site? Can you access resources across them when it fails?
That implies it's passing traffic fine and has connectivity upstream too. A bad default route would have been a good fit for that issue but you say it's fine.
Steve
-
@stephenw10 Yes, site to site and through the ipsec tunnel other resources on the connected network. I understand the bad route issue, but what would cause everything to suddenly just stop ? It worked fine for a week or two then it stopped. I would reboot the cable modem and or the pfsense box and would get back the connection. Nothing in the logs other than what I indicated in my initial post seemed out of character.
-
If the default route was lost you would only be able to reach subnets you have static routes to, which would include OpenVPN, or over IPSec which is policy based.
The firewall itself is unable to ping by IP or FQDN when this happens?
Can it resolve anything?
The DNS setup you have is the only unusual thing you've posted so far.
Steve
-
@stephenw10 The firewall was unable to ping ip or FQDN after loss of internet access, but as mentioned, ipsec and openvpn were fine. Dns under Diagnostics lookup was also not working.
When you say "Unusual" about the DNS, it was setup to ensure secure DNS lookups to Cloudflare, Quad9. It has been configured like this on the SG4860s as well and it works fine usually. Should I just be using the pre-configured options in Unbound?
What about flushing routes if IP goes down?
-
What error do you see when you try to ping by IP? No route to host or 100% packet loss?
Steve
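The two checks Steve is asking for above (is the default route still present, and does ping fail with "No route to host" or with silent 100% loss) can be scripted from the pfSense shell. The following is an added example written for this thread, not code from the original posts or from pfSense; it assumes the FreeBSD command output formats of netstat -rn, ping and host, and the sample outputs embedded in it are constructed so the classifiers can be exercised without a live box.

```sh
#!/bin/sh
# Added example: triage helpers for the "ping fails but VPN still works" symptom.
# Each classifier takes command output as a string so it can be tested offline;
# live_triage runs the real commands on a FreeBSD/pfSense shell.

# has_default_route TABLE -> exit 0 if a "default" entry exists in netstat -rn output.
# Without it only directly connected and statically routed subnets (VPN) are reachable.
has_default_route() {
    printf '%s\n' "$1" | awk '$1 == "default" { found = 1 } END { exit found ? 0 : 1 }'
}

# classify_ping OUTPUT -> prints no-route | packet-loss | ok | unknown.
# "No route to host" points at routing; 100% loss with a route points upstream or at states.
classify_ping() {
    if printf '%s\n' "$1" | grep -qi 'no route to host'; then
        echo no-route
    elif printf '%s\n' "$1" | grep -qE '100(\.0)?% packet loss'; then
        echo packet-loss
    elif printf '%s\n' "$1" | grep -qE ' 0(\.0)?% packet loss'; then
        echo ok
    else
        echo unknown
    fi
}

# dns_answered OUTPUT -> exit 0 if host(1) output contains an address record.
dns_answered() {
    printf '%s\n' "$1" | grep -q 'has address'
}

# live_triage: run the real commands (FreeBSD/pfSense only) and print a summary.
live_triage() {
    if has_default_route "$(netstat -rn -f inet 2>/dev/null)"; then
        echo "default route: present"
    else
        echo "default route: MISSING (only static/VPN routes reachable)"
    fi
    # 1.1.1.1 is one of the resolvers named in the thread; any upstream IP works.
    echo "ping by IP: $(classify_ping "$(ping -c 3 -W 2000 1.1.1.1 2>&1)")"
    if dns_answered "$(host -W 2 example.com 2>&1)"; then
        echo "dns lookup: ok"
    else
        echo "dns lookup: FAILED"
    fi
}

# Constructed sample outputs (not captured from a real system) for offline use.
SAMPLE_TABLE_OK='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.0.2.1          UGS        igb0
10.8.0.0/24        10.8.0.2           UGS      ovpns1
192.0.2.0/24       link#1             U          igb0'

SAMPLE_TABLE_NO_DEFAULT='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
10.8.0.0/24        10.8.0.2           UGS      ovpns1
192.0.2.0/24       link#1             U          igb0'

SAMPLE_PING_LOSS='PING 1.1.1.1 (1.1.1.1): 56 data bytes

--- 1.1.1.1 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss'

SAMPLE_PING_NOROUTE='ping: sendto: No route to host
ping: sendto: No route to host

--- 1.1.1.1 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss'

SAMPLE_HOST_FAIL=';; connection timed out; no servers could be reached'

# Pass "live" to run against the real system; otherwise demonstrate on the samples.
if [ "${1:-}" = "live" ]; then
    live_triage
fi
```

Run it as `sh triage.sh live` from the pfSense shell when the outage is happening; a missing default route with 100% loss matches Steve's "lost default route" theory, while a present default route with 100% loss (the poster's case) means routing is intact and the problem is upstream or in state creation.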
-
@stephenw10 100% packet loss.
-
@claferriere said in Intermittent loss of internet connectivity:
forward-zone:
name: "."
forward-ssl-upstream: yes
forward-addr: 1.1.1.1@853
forward-addr: 1.0.0.1@853
forward-addr: 9.9.9.9@853
forward-addr: 149.112.112.112@853
Not that I'm using DNS over TLS, but I really thought there is no need any more to manually enter these options: it became a simple check box.
What pfSense version are you using?
-
@Gertjan It was recommended when I set it up. I believe the traffic didn't show up on port 853 without this.
-
See https://www.netgate.com/blog/pfsense-2-4-4-release-now-available.html (pfSense 2.4.0 from September last year): it was included.
The next logical question : what is your pfSense version ?
-
@Gertjan 2.4.4 P3 on all machines
-
Ok, great.
When you drop VPN usage and step back to a normal "WAN" connection, then your packet loss issue is gone?
-
@Gertjan No, the packet loss was generalized for anything on the network. However, I can still connect via ipsec or Openvpn. Once on the pfsense box, I could not ping or dns lookup from the Diag menu... But since I turned off NAT PNP it seems to have resolved the issue...keeping my fingers crossed !
-
Mmm, that implies something was opening things using upnp that somehow broke opening new states perhaps. Hard to see how it could do that though. Was it open to requests from WAN maybe?
Something local to the device triggering it would explain why the same setup appears fine on other hardware in other locations.
Steve