Not sure what happened last night, need help. NTP???
-
@stephenw10 Thanks for replying.
I just checked with our ISP and they are adamant we never lost service and that our Modem had service throughout this time.
I get arp notifications on IP changes and never got one during this time. I checked the System General logs for anything with the WAN MAC address and there are no entries. Is there somewhere else I can check to be sure?
Also, the WAN IP is set to Static IPv4. Wouldn't that mean it wouldn't accept a change?
-
Yeah if it's static then you would not see an IP change. You might see an ARP warning for the gateway.
That certificate is clearly invalid though and sure looks like something that would be on the modem. You could probably check the modem gui cert to be sure.
It could be something further upstream.
Either way pfSense was resolving files.pfsense.org to that. So either the https was redirected or the DNS was hijacked. If pfSense is using Unbound with DNSSec only for it's own DNS that could not happen.
Steve
-
@stephenw10 Update with new info. After seeing your reply I checked the modem's web interface. 192.168.7.254 is the modem's IP address. Does that change your analysis of what happened?
BTW, pfsense is using the DNS Resolver with DNSSec enabled. Only override is a domain override for our Windows devices.
-
@callen said in Not sure what happened last night, need help. NTP???:
192.168.7.254
No that only confirms it. I would say the modem started redirecting everything to itself, including the ntp requests.
If the cert on the modem gui looks like that string that will also confirm it.Modems usually only do that if they lose upstream sync. Maybe it rebooted or crashed but that wouldn't have taken hours to come back.
Steve
-
@stephenw10 Everything on that first line of the certificate verification failure lines up with the certificate of the modem. However I cannot verify lines 2 and 3. I am 99% sure it is the modem cert though.
-
Yeah the 2 other lines are the error caused by it.
Pretty conclusive your modem started redirecting all traffic to itself and that really only happens when it loses connection.
Steve
-
@stephenw10 said in Not sure what happened last night, need help. NTP???:
only happens when it loses connection.
Bring some people with you as a witness.
And rip out the 'WAN' plug of your modem for an hour or so.
Call your ISP again ....@callen said in Not sure what happened last night, need help. NTP???:
I just checked with our ISP and they are adamant we never lost service
Now you're aware of the "quality" of that answer ;)
-
@stephenw10 Ok thanks. We ended up having the modem replaced yesterday afternoon just as a precaution.
@Gertjan yeah I am more confident now that we lost service somehow, even if it was due to an issue with the modem's DNS provider, which is not the same as I have in pfSense.
-
@callen , It could be that ISP reseted your modem. But modem failure happens when you have bad weather like lightning storm.
-
@AKEGEC I asked them that and they said the modem had been up for 20+ days. That matched up with the uptime in the GUI.
As for weather, at that time it was really calm and moderate. No storms in the area. (That said I will never count out squirrels as a culprit. :)
