One interface loses internet access and I could get it back only after reboot the pfsense

ady2

@netblues
In this specific case only my laptop has a firewall rule to go through VPN client on one of the interfaces, everything else and all other interfaces use the WAN gateway.
But now I have stopped all VPN clients and paused the firewall VPN rule for my laptop, now only the VPN server is on to allow me to connect remotely.

Do you mean to run Diagnostics/Traceroute on specific interface for a yahoo.com, right?

netblues

I mean try a traceroute from a pc/laptop etch and not from pf..

ady2

@netblues
Thanks a lot for your help
Will try traceroute next time.

ady2

Today it happened again and affected at least 2 interfaces. I was on one of it but on my work vpn and have internet till disconnected from work vpn.
The trace-route from my mac show that it reach the pfsense and nothing else. Please see the trace-route screenshot: Screen Shot 2019-07-19 at 9.48.24 AM.png
ping was timeout.
Verified OpenVPN and found that my clients are on, so disabled them one by one and suddenly the internet was back.
Based on this I'm thinking that my issue is related with one or all vpn client(s).
Going to keep them off and see if the internet will not disappear for a week or two, to confirm that.

Interesting why internet is blocked even on interfaces that never had VPN gateway assigned or any firewall rules for vpn. I have created a brand new interface for kids devices and today's internet outage affected that too.

One of the reason to switch to pfsense was to keep majority of devices connected to internet through vpn and that is giving me troubles now. It could be that my settings have a wrong setup, but then why everything is working fine till broke the whole home internet (only the WAN interface has internet when it happens).

ady2

Again same issue this evening (no internet on all interfaces.
Same symptoms, no trace-route after pfsense, ping timeout.
At this time no vpn clients on, only openVPN seerver was on.
Restarting the DNSResolver and internet is back. What the ... ?

kiokoman

do you have any package installed? like suricata / snort? do you have anything in dmesg ?

ady2

@kiokoman
I have next services active:
Screen Shot 2019-07-20 at 10.59.42 PM.png

I have run "dmesg" on pfsense console, but don't know what to look for (I could see that lines a repeating 4 times) dmseg_07_21.txt.
Any help Welcome

kiokoman

do the dmesg when the problem present itself

Asamat

Can you

check Status/Gateways menu
run 'ifconfig -a'
run 'netstat -rn'
run Packet Capture on WAN with promiscuous mode enabled (Diagnostics/Packet Capture) to check if there is any in/out traffic
when it happens again?

ady2

After 29 days of working without any issue my problem was back, no internet on a few interfaces that I have checked (same symptoms, no internet, ping timeout from interface as source). It was late night and needed internet to finish something so just restarted the pfsense and everything was back and working. Sorry, didn't have time to troubleshoot. Will hope that next time will have more to report.
Thanks to everybody for their help @Asamat, @kiokoman, @netblues, @mokey_fraggle

p.s. No vpn clients active on any interface, only vpn server was on. Nothing was changed during that time except the BandwithD packet was added to monitor the internet stats on ~ 08/18 and the problem occurred on 08/26.

Raul Ramos

@ady2 I have to renew the interface manually after WAN interface (DHCP mode) lose connection, just power cycle the ONT and interface tourn red and 100% packet loss.

ady2

Happened today again (no internet on all interfaces). ping timeout, traceroute only till pfsense ip address. Verified and I have no vpn clients active, only the vpn server so I restarted it and my internet is back.
How that is possible that vpn server is blocking internet access on all interfaces?

Gertjan

The VPN server is just listening on a port like 1194 on an interface like WAN.
If there are no incoming connections, then it 's doing close to nothing.

Mine is listing on WAN for month now, never had any issues.
You have quit a few interfaces : swap the WAN with some other NIC, and see if the problems moves.

kiokoman

sorry i didn't see the link to your dmesg
there.. apart from UP and DOWN
nothing useful

my bet.. or your network card go overload/overheat for some reason and stop working or driver are not working well anymore, especially if the network card is some chinese clone. they suddenly stop working reliable and this can happen. maybe it's time to change it.

if I were you I would reset / format pfsense after making a configuration backup. restore everything and see if the problem persist.
if it persist i would change the network card

ady2

@kiokoman said in One interface loses internet access and I could get it back only after reboot the pfsense:

sorry i didn't see the link to your dmesg
there.. apart from UP and DOWN
nothing useful

my bet.. or your network card go overload/overheat for some reason and stop working or driver are not working well anymore, especially if the network card is some chinese clone. they suddenly stop working reliable and this can happen. maybe it's time to change it.

if I were you I would reset / format pfsense after making a configuration backup. restore everything and see if the problem persist.
if it persist i would change the network card

@kiokoman
I was thinking that it could be the nic card that is causing those issues, so I have for some time (around 3-4 months) a second NIC card with 2 ports in addition to 4 port Chinese clone (bought as new for ~ $45 on ebay). When Installed the second nic with 2 ports, I switch a few interfaces to that card to check if there was the 4 ports card fault, and found same issue again and again. It will be quite strange that both NIC cards are overloaded at the same time or they both stop working at the same time. Could try to switch the WAN port to one of the nic cards port (my WAN is using my motherboard network port now) to check if this will block the WAN connection completely as it's happening now with my LAN interfaces.

BTW, my pfsense was dead with the "PHP Startup: Unable to load Dynamic Library." problem after 2 days I have upgraded to 2.4.4p3 version. So I have to install everything and restore from backup and even after that the problem still happens time to time, same as before that.

Is there any way to check if the NIC is the root cause ?

kiokoman

does it work if you force the network card of your laptop to use dnsfrom google for example? like 8.8.8.8 ?

ady2

@kiokoman said in One interface loses internet access and I could get it back only after reboot the pfsense:

does it work if you force the network card of your laptop to use dnsfrom google for example? like 8.8.8.8 ?

I have a firewall rule that is blocking all dns requests to other sources except pfsense, will pause that rule and try next time and report back

pollard5

I have a similar kind of issue. Once you find the solution let me know by posting here.

ady2

Today happened again (no internet on all interfaces with Wi-Fi - verified on all), but at the same time my daughter was watching Netflix on a TV and it was working till she turn off the TV (I have connected to the same subnet with my mac and no internet for me (ping was timeout and web was not open any sites). Traceroute was to pfsense ip and nothing else.

ady2

@Asamat
Status on Gateways is online. Also I was trying to use ping from WAN and was always succeed, but not working from any other interface.

I run all the commands from pfsense shell:
Shell Output - ifconfig -a
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=1009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER>
ether 00:15:17:19:b8:44
hwaddr 00:15:17:19:b8:44
inet6 fe80::215:17ff:fe19:b844%em0 prefixlen 64 scopeid 0x1
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=1009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER>
ether 00:15:17:19:b8:45
hwaddr 00:15:17:19:b8:45
inet6 fe80::215:17ff:fe19:b845%em1 prefixlen 64 scopeid 0x2
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
ether XX:XX:XX:XX:XX:XX
hwaddr XX:XX:XX:XX:XX:XX
inet6 fe80::6600:6aff:fe61:1b16%em2 prefixlen 64 scopeid 0x3
inet XX.XXX.XXX.XX netmask 0xfffffe00 broadcast 255.255.255.255
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=6500bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
ether a0:36:9f:85:04:04
hwaddr a0:36:9f:85:04:04
inet6 fe80::a236:9fff:fe85:404%igb0 prefixlen 64 scopeid 0x4
inet 10.0.99.1 netmask 0xffffff00 broadcast 10.0.99.255
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect
status: no carrier
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=6400bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
ether a0:36:9f:85:04:05
hwaddr a0:36:9f:85:04:05
inet6 fe80::a236:9fff:fe85:405%igb1 prefixlen 64 scopeid 0x5
inet 172.31.255.1 netmask 0xffffff00 broadcast 172.31.255.255
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
igb2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=6400bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
ether a0:36:9f:85:04:06
hwaddr a0:36:9f:85:04:06
inet6 fe80::a236:9fff:fe85:406%igb2 prefixlen 64 scopeid 0x6
inet 10.10.50.1 netmask 0xffffff00 broadcast 10.10.50.255
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
igb3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=6500bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
ether a0:36:9f:85:04:07
hwaddr a0:36:9f:85:04:07
inet6 fe80::a236:9fff:fe85:407%igb3 prefixlen 64 scopeid 0x7
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
enc0: flags=0<> metric 0 mtu 1536
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
groups: enc
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x9
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
groups: lo
pflog0: flags=100<PROMISC> metric 0 mtu 33160
groups: pflog
pfsync0: flags=0<> metric 0 mtu 1500
groups: pfsync
syncpeer: 224.0.0.240 maxupd: 128 defer: on
syncok: 1
igb3.53: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
ether a0:36:9f:85:04:07
inet6 fe80::a236:9fff:fe85:407%igb3.53 prefixlen 64 scopeid 0xc
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
vlan: 53 vlanpcp: 7 parent interface: igb3
groups: vlan
igb3.55: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
ether a0:36:9f:85:04:07
inet6 fe80::a236:9fff:fe85:407%igb3.55 prefixlen 64 scopeid 0xd
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
vlan: 55 vlanpcp: 7 parent interface: igb3
groups: vlan
igb3.56: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
ether a0:36:9f:85:04:07
inet6 fe80::a236:9fff:fe85:407%igb3.56 prefixlen 64 scopeid 0xe
inet 10.10.56.1 netmask 0xffffff00 broadcast 10.10.56.255
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
vlan: 56 vlanpcp: 5 parent interface: igb3
groups: vlan
igb3.57: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
ether a0:36:9f:85:04:07
inet6 fe80::a236:9fff:fe85:407%igb3.57 prefixlen 64 scopeid 0xf
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
vlan: 57 vlanpcp: 6 parent interface: igb3
groups: vlan
igb0.11: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
ether a0:36:9f:85:04:04
inet6 fe80::a236:9fff:fe85:404%igb0.11 prefixlen 64 scopeid 0x10
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect
status: no carrier
vlan: 11 vlanpcp: 0 parent interface: igb0
groups: vlan
igb0.10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
ether a0:36:9f:85:04:04
inet6 fe80::a236:9fff:fe85:404%igb0.10 prefixlen 64 scopeid 0x11
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect
status: no carrier
vlan: 10 vlanpcp: 1 parent interface: igb0
groups: vlan
em1.10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=3<RXCSUM,TXCSUM>
ether 00:15:17:19:b8:45
inet6 fe80::215:17ff:fe19:b845%em1.10 prefixlen 64 scopeid 0x12
inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
vlan: 10 vlanpcp: 2 parent interface: em1
groups: vlan
em1.11: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=3<RXCSUM,TXCSUM>
ether 00:15:17:19:b8:45
inet6 fe80::215:17ff:fe19:b845%em1.11 prefixlen 64 scopeid 0x13
inet 10.10.11.1 netmask 0xffffff00 broadcast 10.10.11.255
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
vlan: 11 vlanpcp: 1 parent interface: em1
groups: vlan
em0.53: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=3<RXCSUM,TXCSUM>
ether 00:15:17:19:b8:44
inet6 fe80::215:17ff:fe19:b844%em0.53 prefixlen 64 scopeid 0x14
inet 10.10.53.1 netmask 0xffffff00 broadcast 10.10.53.255
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
vlan: 53 vlanpcp: 3 parent interface: em0
groups: vlan
igb3.51: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
ether a0:36:9f:85:04:07
inet6 fe80::a236:9fff:fe85:407%igb3.51 prefixlen 64 scopeid 0x15
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
vlan: 51 vlanpcp: 4 parent interface: igb3
groups: vlan
em0.51: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=3<RXCSUM,TXCSUM>
ether 00:15:17:19:b8:44
inet6 fe80::215:17ff:fe19:b844%em0.51 prefixlen 64 scopeid 0x16
inet 10.10.51.1 netmask 0xffffff00 broadcast 10.10.51.255
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
vlan: 51 vlanpcp: 4 parent interface: em0
groups: vlan
ovpns5: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
inet6 fe80::215:17ff:fe19:b844%ovpns5 prefixlen 64 scopeid 0x17
inet 192.168.200.1 --> 192.168.200.2 netmask 0xffffff00
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
groups: tun openvpn
Opened by PID 34800