Not sure what happened last night, need help. NTP???
-
@callen said in Not sure what happened last night, need help. NTP???:
Certificate verification failed for /C=US/ST=MA/L=Lowell/O=Arris Group, Inc./OU=Telco CPE/CN=dsldevice.domain_not_set.invalid
It looks like your cable connection went down and your modem started redirecting https requests to its internal page. Which obviously threw a cert error.
pfSense tried to update the bogons list and hit it.
Did you see the WAN IP change to something the modem handed out? In the 192.168.7.0/24 subnet perhaps?
You can set an IP to reject DHCP leases from in the WAN DHCP setup. Cable modems doing that is quite common. You need to know the DHCP server address it's using though.
https://docs.netgate.com/pfsense/en/latest/interfaces/configure-ipv4.html#dhcp
Steve
-
@stephenw10 Thanks for replying.
I just checked with our ISP and they are adamant we never lost service and that our Modem had service throughout this time.
I get arp notifications on IP changes and never got one during this time. I checked the System General logs for anything with the WAN MAC address and there are no entries. Is there somewhere else I can check to be sure?
Also, the WAN IP is set to Static IPv4. Wouldn't that mean it wouldn't accept a change?
-
Yeah if it's static then you would not see an IP change. You might see an ARP warning for the gateway.
That certificate is clearly invalid though and sure looks like something that would be on the modem. You could probably check the modem gui cert to be sure.
It could be something further upstream.
Either way pfSense was resolving files.pfsense.org to that. So either the https was redirected or the DNS was hijacked. If pfSense is using Unbound with DNSSec only for its own DNS that could not happen.
Steve
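
Added example, not part of the original post and not pfSense code: a small triage script that reads "Certificate verification failed for ..." log lines, parses the presented subject, and separates a right-name certificate with a trust problem from a certificate belonging to some other device on the path. The log prefix, the second and third sample lines, and the verdict names are assumptions made for illustration; the DN in the first sample is the one quoted in this thread.

```python
import re

# TLDs reserved by RFC 2606; no public CA issues certificates for names under them.
RESERVED_TLDS = {"invalid", "test", "example", "localhost"}
FAIL_RE = re.compile(r"Certificate verification failed for (/\S.*)$")

def parse_dn(dn):
    """Split an OpenSSL one-line DN (/K=V/K=V) into a dict; values may hold commas and spaces."""
    parts = re.split(r"/(?=[A-Za-z]+=)", dn)
    return dict(p.split("=", 1) for p in parts if p)

def hostname_matches(cn, expected):
    """Exact match, or a single-label wildcard such as *.example.org."""
    cn, expected = cn.lower(), expected.lower()
    if cn.startswith("*."):
        return "." in expected and expected.split(".", 1)[1] == cn[2:]
    return cn == expected

def classify(line, expected_host):
    """Return None for unrelated lines, else the presented CN/O and a verdict."""
    m = FAIL_RE.search(line)
    if not m:
        return None
    dn = parse_dn(m.group(1).strip())
    cn = dn.get("CN", "")
    if hostname_matches(cn, expected_host):
        verdict = "right-name-untrusted-chain"   # expiry, missing CA, clock skew
    elif cn.rsplit(".", 1)[-1].lower() in RESERVED_TLDS:
        verdict = "local-device-cert"            # a box on the path answered for the host
    else:
        verdict = "wrong-host-cert"              # redirect or DNS answer to another server
    return {"cn": cn, "org": dn.get("O", ""), "verdict": verdict}

# Constructed sample lines: the timestamp/process prefix is made up, the DN in the
# first line is the one quoted in this thread.
SAMPLE = [
    "Jan  1 03:00:01 fw fetch: Certificate verification failed for "
    "/C=US/ST=MA/L=Lowell/O=Arris Group, Inc./OU=Telco CPE/CN=dsldevice.domain_not_set.invalid",
    "Jan  1 03:00:02 fw fetch: Certificate verification failed for /O=Example CA/CN=files.pfsense.org",
    "Jan  1 03:00:03 fw ntpd: some unrelated line",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line, "files.pfsense.org"))
```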
-
@stephenw10 Update with new info. After seeing your reply I checked the modem's web interface. 192.168.7.254 is the modem's IP address. Does that change your analysis of what happened?
BTW, pfsense is using the DNS Resolver with DNSSec enabled. Only override is a domain override for our Windows devices.
-
@callen said in Not sure what happened last night, need help. NTP???:
192.168.7.254
No that only confirms it. I would say the modem started redirecting everything to itself, including the ntp requests.
If the cert on the modem gui looks like that string that will also confirm it.
Modems usually only do that if they lose upstream sync. Maybe it rebooted or crashed but that wouldn't have taken hours to come back.
Steve
-
@stephenw10 Everything on that first line of the certificate verification failure lines up with the certificate of the modem. However I cannot verify lines 2 and 3. I am 99% sure it is the modem cert though.
-
Yeah the 2 other lines are the error caused by it.
Pretty conclusive your modem started redirecting all traffic to itself and that really only happens when it loses connection.
Steve
-
@stephenw10 said in Not sure what happened last night, need help. NTP???:
only happens when it loses connection.
Bring some people with you as a witness.
And rip out the 'WAN' plug of your modem for an hour or so.
Call your ISP again ....
@callen said in Not sure what happened last night, need help. NTP???:
I just checked with our ISP and they are adamant we never lost service
Now you're aware of the "quality" of that answer ;)
-
@stephenw10 Ok thanks. We ended up having the modem replaced yesterday afternoon just as a precaution.
@Gertjan yeah I am more confident now that we lost service somehow, even if it was due to an issue with the modem's DNS provider, which is not the same as I have in pfSense.
-
@callen, it could be that the ISP reset your modem. But modem failure happens when you have bad weather like a lightning storm.
-
@AKEGEC I asked them that and they said the modem had been up for 20+ days. That matched up with the uptime in the GUI.
As for weather, at that time it was really calm and moderate. No storms in the area. (That said I will never count out squirrels as a culprit. :)