Internet routing stability problems
-
Who is your ISP? Is it Carrier Grade NAT? I've seen and experienced the same issues with Carrier Grade NAT ISP providers.
-
@thatguy said in Internet routing stability problems:
Who is your ISP? Is it Carrier Grade NAT? I've seen and experienced the same issues with Carrier Grade NAT ISP providers.
It's a regular Dutch Consumer Grade cable modem provider, if that's what you mean.
It happened again two days ago. Disabling pfBlockerNG before cycling the WAN DHCP lease didn't make a difference, so I think I can rule that out as a cause. After cycling, CPU usage dropped, but quickly climbed again. Cycling it a couple of times more made it stay low, and the WAN connection remained.
-
@zak-mckracken said in Internet routing stability problems:
@thatguy said in Internet routing stability problems:
Who is your ISP? Is it Carrier Grade NAT? I've seen and experienced the same issues with Carrier Grade NAT ISP providers.
It's a regular Dutch Consumer Grade cable modem provider, if that's what you mean.
It happened again two days ago. Disabling pfBlockerNG before cycling the WAN DHCP lease didn't make a difference, so I think I can rule that out as a cause. After cycling, CPU usage dropped, but quickly climbed again. Cycling it a couple of times more made it stay low, and the WAN connection remained.
Hi man, sorry for the late reply I've been busy these weeks, crazy middle east war. Btw love DUtch people they are very social and kind, different with France or Belgian sorry gertJan
Ok let's do some test here, navigate to Diagnostics > Command Promt > type on Execute Shell Command:dmesg
<Execute>
What did you see after the line regents of the university of California??? -
Hi man, sorry for the late reply I've been busy these weeks, crazy middle east war. Btw love DUtch people they are very social and kind, different with France or Belgian sorry gertJan
Thank you for your kind words. We Dutch are usually regarded as rude, because we're speaking our minds, not beating around be bush.
Ok let's do some test here, navigate to Diagnostics > Command Promt > type on Execute Shell Command:
dmesg
<Execute>
What did you see after the line regents of the university of California???I think this is what you have asked, probably for for the Kernel version:
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 The Regents of the University of California. All rights reserved. FreeBSD is a registered trademark of The FreeBSD Foundation. FreeBSD 12.2-STABLE 1b709158e581(RELENG_2_5_0) pfSense amd64 FreeBSD clang version 10.0.1 (git@github.com:llvm/llvm-project.git llvmorg-10.0.1-0-gef32c611aa2)Last time the problem occurred, I was able to get back online with rebooting, so they may still be evidence of what happened in the log...
-
In the State they love that kind mentality. Usually people who are talking around the bush are insincere people.
About the probs, do you still have pfsense 2.4.5? try to use it for a mount. Keep in mind that your isp could be a part of this prob. Cus one of our pfsense user has been terrorized by his isp's (rotten) partner.
-
@zak-mckracken forgot to ask you, do you know why in France they are welcoming, greeting and accepting you as their neighbor after 12 years mark? is that their tradition or culture?
-
@akegec said in Internet routing stability problems:
In the State they love that kind mentality. Usually people who are talking around the bush are insincere people.
Me too. I'm getting nervous when people are not giving it to me straight, but perhaps that's more of a geek-thing than a Dutch thing.
@zak-mckracken forgot to ask you, do you know why in France they are welcoming, greeting and accepting you as their neighbor after 12 years mark? is that their tradition or culture?
I don't know for sure. Even though driving to France is less than 200 miles for me, I haven't actually lived there to give you an answer on that. But in my perception, the French are more cordial than us. Or perhaps it's us Dutch that are dull/blunt. I know from a colleague working in Belgium that some time ago it was a custom to greet all your colleagues with a handshake when arriving at the office in the morning. Sounds nice, but I prefer not be distracted out of the zone 20 times in the morning.
The more you go south in Europe, the more people seem to enjoy live, taking it easier, enjoying better food, working to live, instead of living to work. Different work ethics, different payment ethics, but no judgement; Perhaps we are doing it wrong, not them.
I was raised with: Tell the truth, do the work, pay your bills. It's hard to understand other life styles.About the probs, do you still have pfsense 2.4.5? try to use it for a mount. Keep in mind that your isp could be a part of this prob. Cus one of our pfsense user has been terrorized by his isp's (rotten) partner.
According the the pfSense Home Screen, I'm running:
2.5.1-RELEASE (amd64)
built on Mon Apr 12 07:50:14 EDT 2021
FreeBSD 12.2-STABLE
I had the same problem with 2.5.0. It may be my ISP, but before the problems started, it has been working fine with this ISP for over 3 years. They have even put my cable modem into bridge-mode, per my request.
Two occurrences ago, I even unplugged to coax cable from the cable modem, leaving the WAN Ethernet link intact not to trigger the DHCP client, to see if it was an outside influence, but that didn't cure the problem. And it is not releasing my WAN DHCP lease that drops de CPU load; It's renewing it afterwards. Even if this produces the same IP address as I had before releasing it. -
That's why I love Dutch people they are open minded. Only one thing that I was really shocked when I visited Amsterdam, I think it was a Santa Claus's celebration but they painted their faces with black paint to imitate black people.
https://www.youtube.com/watch?v=LBLBxb29maw
I know it's a tradition, but we should keep a good tradition and trow away the bad. Like we had a tradition women only belong in the kitchen and stay home. Women can't be a leader. Or there was even worst tradition if a husband is dead, the wife needs to follow him in the after life.
Anyway just use 2.4.5 for now. But you can't use the packages e.g. pfblock, snort, etc
-
@akegec said in Internet routing stability problems:
That's why I love Dutch people they are open minded.
What I really liked when I worked in the US was how easy it was to have a casual conversation with a complete stranger. I couldn't go out shopping without having one, not even initiated by me. We don't do that here. We don't mind if someone does, but it just doesn't occur to us.
Only one thing that I was really shocked when I visited Amsterdam, I think it was a Santa Claus's celebration but they painted their faces with black paint to imitate black people.
https://www.youtube.com/watch?v=LBLBxb29maw
I know it's a tradition, but we should keep a good tradition and trow away the bad. Like we had a tradition women only belong in the kitchen and stay home. Women can't be a leader. Or there was even worst tradition if a husband is dead, the wife needs to follow him in the after life.
Well, that's a sensitive one nowadays, unfortunately. This celebration originated in the Middle Ages, and is the predecessor of your Santa Claus.
I did explain the black fellas here, but removed it to avoid this modern day mine field.Anyway just use 2.4.5 for now. But you can't use the packages e.g. pfblock, snort, etc
Well, I am running pfBlockNG. However, I don't think it's causing the problem, because I did disable it before my usual DHCP cycle fix, and CPU load increased again shortly after.
Any other ideas? -
Well the probs could be anything HW or SW or both. By just disabling pfblocker it doesn't mean anything. You need to uninstall pfblocker and the settings (e.g. update every hour) completely to know if pfblocker is not the culprit.
That's why I suggested you to use older pfsense version 2.4.5 for now without any packages, it could be the SW probs with your HW.
Have you even tried to run pfsense v 2.4.5 on ur device?Btw make some tea or coffee and look at this pfsense lesson on Youtube, @1:38:50 about pfblocker:
https://www.youtube.com/watch?v=wv1qTYR3faQHappy Sunday.
-
@akegec said in Internet routing stability problems:
Well the probs could be anything HW or SW or both.
It's probably not hardware: Everything - except for RAM - has been replaced 6 months ago, and RAM has been thoroughly tested. I replaced the mainboard (with soldered-on CPU) exactly because of this problem, or actually; attempts to fix it. After many power-cycles, it became sluggish and sluggisher, until it stopped booting at all. The SSD was replaced after an attempt to back it up. It probably broke down because of the USB adapter I used, not sure why, but it was an Intel enterprise SSD and it was still under warranty, so I got a replacement. I freshly installed pfSense and uploaded the configuration file I still had.
By just disabling pfblocker it doesn't mean anything. You need to uninstall pfblocker and the settings (e.g. update every hour) completely to know if pfblocker is not the culprit.
Hm, I didn't try to completely uninstall it. Perhaps I'll give that a go.
That's why I suggested you to use older pfsense version 2.4.5 for now without any packages, it could be the SW probs with your HW.
Unfortunately, a downgrade to 2.4.5 is not supported from the web interface. I'm afraid that operation would boil down to freshly install 2.4.5_1, uploading the configuration, and hoping for not too much fall-out.
Have you even tried to run pfsense v 2.4.5 on ur device?
Yes, I've been running PfSense on this hardware since 2016. Version 2.4.5 worked flawlessly.
The hardware is beyond suspicion; Besides being brand new, it is also top grade server hardware: It's a Supermicro SYS-5018A-FTN4 barebone, with 16MiB of memory off of the compatibility list and an Intel S4610 SSD.Btw make some tea or coffee and look at this pfsense lesson on Youtube, @1:38:50 about pfblocker:
https://www.youtube.com/watch?v=wv1qTYR3faQIt's queued up, and ready to go.
By the way; Does fpSense+ v21 also suffer from this problem? I have installed a Netgate appliance at my parent's house, and I'm hoping that will run a a little more stable.
And do you know if it is possible to purchase a fpSense+ v21 license for my own hardware?
-
pfBlockerNG removed about six weeks ago, but to no avail. Same problem last weekend, same problem today.
Any ideas on what I can check? -
I'm thinking it has something to do with your ISP. I have almost the exact same problem with a Carrier Grade NAT ISP in my area. Any client I manage that has a pfSense appliance and using the same ISP has the issue as well. There is one solution and one workaround.
Solution: Call your ISP and request a static IP. You will most likely have to pay more for it monthly.
Workaround: Make a script to periodically ping the Gateway. Once it fails the script will automatically disable and then re-enable your pfSense WAN. Here is the post on how to create that script.
However, I run it every minute instead of every five minutes through Cron.
-
@thatguy said in Internet routing stability problems:
I'm thinking it has something to do with your ISP. I have almost the exact same problem with a Carrier Grade NAT ISP in my area. Any client I manage that has a pfSense appliance and using the same ISP has the issue as well.
It has been suggested before, and when it was, the term voodoo-engineering sprang to mind. Only briefly, until I realized people on this forum are experts, not banging rocks together.
So this morning my connection dropped again. I was in an on-line meeting, so I noticed immediately. And I was unable to quickly fix it with the usual release/renew-cycle. So I came up with a second work-around, which seems to work.
There is one solution and one workaround.
Solution: Call your ISP and request a static IP. You will most likely have to pay more for it monthly.
That is a possibility, but my ISP requires me to upgrade my consumer plan to a business plan for that. Not only does that double the costs, it also comes with business terms and conditions that don't need to adhere to all kinds of consumer protections.
Next year our village will have a glass fiber network, and I'll kick the cable modem anyway. So I'm not going to commit to a whole year for a new plan. Hopefully the fiber provider will do better.
Though I do think this is something we need to understand. What is it exactly what they do to throw off the best router in the world? Are they violating the protocol? And how can pfSense be hardened against that? It seems to be hardened against nearly anything else...
Workaround: Make a script to periodically ping the Gateway. Once it fails the script will automatically disable and then re-enable your pfSense WAN. Here is the post on how to create that script.
However, I run it every minute instead of every five minutes through Cron.
Well, I am a Linux software developer, so this is something I could do, but I'm a bit lazy, so I came up with something else. Something we did 20+ yeas ago, when cable modems and ISPs didn't have their stuff in order:
I have taken the DHCP dynamically allocated IP v4 address, mask and gateway, and I have configured it as a static IP configuration in pfSense. That'll teach them!I know they don't like that, and it can cause IP conflicts down the line, but I've had the same IP address for years, so I'm sure I can ride it out until our fiber connection is here. And since they seem to violate the protocol, I'm feeling free to do so too ;-).
Anyway; Static configuration brought back my connection immediately, while many release/renew-cycles a moment before did not. So there must be something DHCP at play. I will report back here if the problem persists, but I have good hope, since it cured the problem so quickly.
