Issue with pfsense taking a nose dive until reboot
-
@rigidconduit said in Issue with pfsense taking a nose dive until reboot:
Any thoughts?
Yeah.
A simple question first : what do you think what snort 'sees' ?
If your traffic is like the average 'Internet' traffic, then you have no
plain emails
http
etc.
It's all TLS these days.
snort can't do anything with TLS, as it is just seen as 'pure random binary'. All it knows is source address and port, and destination address and port.
edit : maybe some DNS packets with rather harmful info can be 'analysed' by snort ^^
Next : do this test : http://www.dslreports.com/speedtest
Depending on the type of connection used, a big download can block upload 'control' packets.
Just to motivate you : never saw what you described.
Also, go console, option 8 (and pkg install htop)
Use top or htop during the download.
What process is taking the most resources ?
-
Snort probably doesn't do a whole lot, I really do not see much activity other than dshield blocks and the occasional sipvicious scan etc (not that I am running a phone server), at the office it could be a bit more useful. Here at the house it's enabled because buttons existed :D lol probably not the best answer but I did it for the sake of adding it (which is not always best practice).
My main purpose is to link my house to the office to make things easy for me at home when it comes to working.
Anyhow I don't think overall it has an effect on the current issue tbh?? (could be wrong)
But I don't remember if I have ever tried crashing the pfsense router with it off, if so that would have been the first few months I was using it to try and troubleshoot what the cause is.
But that aside, I can tell you that with the system at full chat (200mbps) and snort on I see maybe 10% cpu usage and 13% ram usage (8GB) and the cpu temps never go over 50c.
Here is the report output
http://www.dslreports.com/speedtest/67867354
I will give htop a whirl next post
-
What network cards are in it?
You can pretty quickly stop Snort and see if that has any effect but I would expect not.
@rigidconduit said in Issue with pfsense taking a nose dive until reboot:
dshield blocks
FYI pfBlockerNG's ISC_Block list is DShield, or the ET_Block list includes DShield, if you want to disable those rules in Snort and put them into a firewall rule.
-
Snort tops the leader board followed shortly by kernel when running htop.
With snort disabled it's just kernel followed by php-fpm.
I am trying to crash it now with snort off to see what happens, I am also going to try and disable a few other services that might not be crucial to see the effect.
-
@steveits said in Issue with pfsense taking a nose dive until reboot:
What network cards are in it?
I am not sure if there is a way to identify the cards through pfsense, I have never tried. I am sort of guessing at the integrated.
There are 3 network cards in it, the integrated, and 2 third party cards
The two third party cards are these
Rosewill RNG-407-Dualv2
https://www.newegg.com/rosewill-rng-407-dualv2/p/N82E16833166096
The integrated is:
Realtek RTL8111GN - I believe if I pulled the right spec sheet, I will need to confirm this though.
The third party nics are not totally in use, only one is used and with a single port to run the lan and wifi.
I had a much more complicated setup to dedicate a network to my wife's work computer but have since torn this down for the sake of simplicity.
The integrated nic has the wan attached to it.
The computer is either an m90p m92p or e73 thinkcentre, my money is on it being an m92p.
I should add, this has been the issue since day one of using this computer as a pfsense router. It has been like 2 years of this :(
-
The Interfaces/Assignments page will show the interface names, which is based off the driver being used (re0 etc.). I have seen many people complain in this forum about Realtek drivers in FreeBSD, though in the one non-Netgate hardware device I've managed it's not been a problem. Since the WAN interface is using Realtek then you could try moving WAN to the unused interface and see if the problem continues.
-
@steveits
If that is the case, what is em ? o.0
I must be wrong about the spec sheet I pulled then which I guess is a little expected, I use 3 different computers at work and they all look almost completely identical, but hardware is different, I must have got the model wrong. This particular machine is just a spare machine off the floor that I grabbed.
It looks like the 4 nics provided by the third party cards are realtek then.
I am not sure the effects of these having issues but IF it's only the card having trouble and nothing else, it will explain why I lose the lan as well then.
In which case if I swap the two cables I (in theory?) lose the internet but not the lan.
In the case of the picture, the 'WIFI' interface is the LAN just relabeled
-
@rigidconduit said in Issue with pfsense taking a nose dive until reboot:
what is em
Intel so that's very likely not the problem.
-
@steveits
Going to attempt replacing the nic when I have some time, I will update here with results.
I am concluding it's most likely an issue with the nic. As far as I have seen it seems to match up with symptoms.
I will leave this post open till I do so and post the results for future reference of anyone that may have this same problem.
-
@rigidconduit said in Issue with pfsense taking a nose dive until reboot:
http://www.dslreports.com/speedtest/67867354
To get full A's, see this forum's biggest thread here: Home pfSense Software Traffic Shaping
Stay away from 're' NIC drivers