pfSense becomes unresponsive
-
@gertjan @jknott @griffo Hi, I've an update:
Completely formatted the drive, reinstalled the pfSense, not bridging the LAN, OPT1 and OPT2 this time, no complications at all, using a Switch that takes input from igb1 and all devices are plugged into it. Changed all the plugs (just in case), it was not a power failure neither this time nor previously because when the pfSense system got unresponsive, I checked the power light, it was ON and not off.
Recorded a log file, this time no up down on igb1 but something different, finally it was "reloading filters" and skip of minutes of logs when I forcefully turned of the pfSense system and booted it up again.
Please find the attached file.logs2.txt
-
Is this you :
php-fpm 351 /index.php: Successful login for user 'admin' from: 10.1.1.6 (Local Databas
?
Then what is this :
Jan 29 19:09:36 php-fpm 351 /index.php: webConfigurator authentication error for user 'admin' from: 10.1.1.6
? What were you doing ? Is your device that you log in to pfense doing on port 22 ?
Who is this :
Jan 29 18:01:51 php-fpm 351 /index.php: User logged out for user 'admin' from: 103.255.7.43 (Local Database)
You log in on from WAN ? ( serious ??? )
-
A separate switch will outperform bridged interfaces everytime.
The firewall still has to read that traffic, process it and send it back out on all the interfaces. All of that requires CPU cycles.
There only reasons you should be using bridged intercaces like that are if you need to filter traffic between network segments that are in the same subnet. Or if you have spare interfaces and nothing better to do with them. But only, of course, if you are aware that doing so uses CPU cycles. I have used ports for occasional management access locally at the firewall for example.
But that's not the cause of your issue.
Just how unresponsive is it? How are you testing that?
Do you see any response from
ctl+t
at the console?Does the keyboard caps-lock led still work?
With nothing logged at all like that and no crash report it starts to look like a hardware issue.
Steve
-
@gertjan All request are from me, both LAN and WAN:
LAN to login into pfSense
WAN to check if the rule for remote management is working or notAny abnormality? Please point out because I don't see any
I've IP range from 10.1.1.2 - 10.1.1.50, I feel
comfortable with it -
@amaanx5a said in pfSense becomes unresponsive:
Any abnormality? Please point out because I don't see any
Yep, one - a big one :
WAN to check if the rule for remote management is working or not
Apply this one :
Never ever open SSH on WAN.
There are better ways, like VPN, IPSEC, the upcoming Wiergaurd.
-
The firewall still has to read that traffic, process it and send it back out on all the interfaces. All of that requires CPU cycles.
Even if I use a switch?
or if you have spare interfaces and nothing better to do with them
That was the reason for not installing the switch and bridging the spare ones but people here scared me XD and now I'm using a separate switch
Just how unresponsive it is, how are you testing that?
I've noticed that most of the time, the last log is "reloading filters" and then I can't connect to the internet, can't even access the webconfigurator or NAS on the same network, then I go to see my pfSense and the CPU light is turned on but and if I press the power button, it does not turn off after minutes so I long-press the power button to forcefully shut it down and power up again.
Usually it takes 5-7 seconds to properly turn off if it is not unresponsive.
With nothing logged at all like that and no crash report it starts to look like a hardware issue.
I made some hardware changes but don't know exactly what helped and it didn't happen since last night, I've been checking the whole night from hour to hour and now I just checked again from a remote location, it's still UP and running, usually it get's unresponsive after a couple of hours, changes I made are:
1- I pulled out a 2GB RAM and now only one 2GB stick is installed
2- I was using a 4 wire ethernet cable from LAN1(igb1) to the switch (it came with my Tenda Wireless Router) I changed it to a better when with all wires in it but I just realised I was using all wire cables before installing a switch (pfSense to AP and NAS) and the problem was still there.Do you see any response from ctl+t at the console?
Does the keyboard caps-lock led still work?I never referred to the console after it gets unresponsive, til now, but I'll if it happens again, hopefully it won't ๐คฒ
-
Just exactly which log says I logged in from
a remote location using port 22?I never did that
I only remember turning the HTTPs on for remote access and not the SSH and I logged in using HTTPs
-
@gertjan said in pfSense becomes unresponsive:
Jan 29 18:01:51 php-fpm 351 /index.php: User logged out for user 'admin' from: 103.255.7.43 (Local Database)
Then this was you from LAN using your WAN IP ?
Ok if you have no SSH NAT rules on WAN .... -
Yes this is me from WAN 443, and there is only one rule in my Firewall>Rules that I added using this post:
https://www.joe0.com/2019/11/11/how-to-implement-remote-management-in-pfsense-2-4-4-by-using-a-duckdns-dynamic-dns-domain/
Other then that, my pfSense system is totally stock and I guess there is no SSH remote enabled on pfSense out of the box
-
@amaanx5a said in pfSense becomes unresponsive:
https://www.joe0.com/2019/11/11/how-to-implement-remote-management-in-pfsense-2-4-4-by-using-a-duckdns-dynamic-dns-domain/
This :
STEP 3 โ Allow remote access to WAN port 443
combined with this :
Source: Any (or restrict by IP/subnet)
is exactly the reason why you should never do that.
The pfSense WebGUI isn't meant to be "open and visible" to the entire Internet. Its a major security flaw.Use OpenVPN for that.
(edit : same thing for the SSH port)
-
@amaanx5a said in pfSense becomes unresponsive:
The firewall still has to read that traffic, process it and send it back out on all the interfaces. All of that requires CPU cycles.
Even if I use a switch?
No, if you use a bridge as a switch.
There is a common misconception that bridging somehow requires less CPU cycles and won't affect firewall performance for some reason. Not really sure where that comes from but just to be clear it does.If you use a switch the traffic never goes through the firewall and it can happily use all it's CPU cycles for more important things like VPNs.
And, yes, use OpenVPN for remote access if you can. It the very least move your webgui to a different port to reduce the drive-by connection attempts.
https://docs.netgate.com/pfsense/en/latest/recipes/remote-firewall-administration.htmlSteve
-
This post is deleted!