WAN DHCP fails on reboot
-
I'm installing 64bit pfSense on a new box and finding that the initial install from a USB stick runs without any problems, I set up the WAN and LAN ports and the system comes up and finds the current update (2.3.1-RELEASE-P5) and installs it. However, after rebooting the WAN DHCP fails to run, it doesn't pull an address - the interface shows as being up but I have to manually click the DHCP button to get it to make a DHCP request, it simply will not do it automatically.
Once I force a DHCP request everything seems to work - until I reboot. After a reboot I have to manually force the WAN to make a DHCP request.
I've tried disabling gateway monitoring - it makes no difference which isn't surprising because the dashboard status shows the WAN interface is up, it's just not pulling an address.
Is there something I'm missing here? I've never seen this problem before, what could be preventing the WAN port from making a DHCP request when the port shows as being up?
-
I think I've found the problem - it’s an auto-negotiate failure.
I installed the current development version (2.3.2-DEVELOPMENT) to see if that would make any difference. It didn't change anything so I started thinking about the problem in a different way - essentially pfSense is seeing the interface as "up" but clearly there's something there that doesn't believe it's "up" enough to make a DHCP request.
I changed the WAN interface Speed and Duplex setting from the recommended "auto" to force it to 100base TX Full-Duplex - it then started working and rebooting without any problems.
The hardware (Solana Tech Mini ITX pfSense firewall router) claims to have Intel 82583v Intel 10/100/1000Mbps NICs (detected as em0-em3) and is talking to a WD 1000Mbs switch that another Netgate SG4860 firewall (also running 2.3 RELEASE) correctly auto detects as 1000baseT full duplex connection.
The network cable that I’ve been using is not marked as being CAT5 or CAT6 although it tests as having 4 pairs, so I’ve just gone out and bought a new CAT6 network cable. After setting the WAN interface back to auto-select and restarting with the new cable, the firewall reboots and autodetects 1000T Full-duplex and works fine.
So, in conclusion, it seems like there's something in the pfSense NIC speed/interface auto detect that's failing in my case where the cable doesn’t quite support 1000Mbs even though it is wired as a CAT6. Auto-detect isn’t falling back to try 100Mbs once it fails at 1000Mbs.
The silver lining to this is that it explains all of the problems that I’ve been having - I wonder if this might explain some of the other problems that I'm seeing in the forums with Bad Gateways?
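An added example, not part of the original post: a POSIX sh check that reads `ifconfig` output for an interface such as `em0` and reports what the link actually negotiated, so a link that is "up" at the wrong speed, or forced, stands out. It assumes the FreeBSD `media:`/`status:` line format; the sample outputs and the function names `link_state` and `wan_verdict` are constructed for illustration.

```shell
#!/bin/sh
# Classify `ifconfig <if>` output (FreeBSD/pfSense format) read from stdin.
# Prints: no-carrier | auto:<media> | forced:<media> | unknown
link_state() {
    awk '
        $1 == "media:" {
            if ($3 == "autoselect") { mode = "auto"; active = $4; gsub(/[()]/, "", active) }
            else                    { mode = "forced"; active = $3 }
        }
        $1 == "status:" { sub(/^[^:]*:[ ]*/, ""); status = $0 }
        END {
            if (status == "no carrier")           print "no-carrier"
            else if (mode == "" || active == "")  print "unknown"
            else                                  print mode ":" active
        }'
}

# Compare the negotiated media with the media the caller expects the link to reach.
# On the firewall itself: ifconfig em0 | wan_verdict 1000baseT
wan_verdict() {
    expected=$1
    state=$(link_state)
    case $state in
        no-carrier)       echo "FAIL no carrier" ;;
        auto:"$expected") echo "OK negotiated $expected" ;;
        auto:*)           echo "WARN negotiated ${state#auto:}, expected $expected" ;;
        forced:*)         echo "WARN media forced to ${state#forced:}, autoselect is off" ;;
        *)                echo "UNKNOWN" ;;
    esac
}

# Constructed sample outputs (not captured from the poster's hardware).
GIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active'
DOWN='em0: flags=8803<UP,BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
    media: Ethernet autoselect
    status: no carrier'
FORCED='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    media: Ethernet 100baseTX <full-duplex>
    status: active'

for sample in "$GIG" "$DOWN" "$FORCED"; do
    printf '%s\n' "$sample" | wan_verdict 1000baseT
done
```

Running the check from a boot-time or cron hook and logging any non-OK verdict records a marginal cable before it shows up as a missing WAN address.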
-
Just a small concept correction re: CAT5 vs CAT6.
The original CAT5 specification was limited to 100Mbps connections but was fairly quickly superseded by CAT5e ("enhanced") cable which is spec'd to 1000Mbps connections and specifies the use of all 4 pairs in wiring. I'd hazard to say that anywhere you go today and buy a "CAT5" patch cable you'll get a CAT5e cable.
CAT6 (as well as CAT6a, CAT7) wiring follows the exact same pinouts as CAT5e but again defines much tighter manufacturing specs for the cable and connectors. The performance improvements allow CAT6 to carry 10GBe (10,000 MBps) connections.
Your situation sounds like a bad cable was definitely part of the issue, but given modern cables, at 1000Mbps either CAT5e or CAT6 would work equally well.
Just my $.02
-
… Your situation sounds like a bad cable was definitely part of the issue, but given modern cables, at 1000Mbps either CAT5e or CAT6 would work equally well.
The cable is "good" at 100Mbs - but definitely feels cheaper and stiffer than the shiny new CAT6 cable.
I feel that the real issue here is that the auto-negotiate was not switching to 100Mbs when it failed to get a connection at 1000Mbs - yet the cable was good enough to allow pfSense to pull and install the current update from the pfSense site. I suspect that a lot of the "Bad Gateway" errors that I'm seeing reported here (and was seeing myself initially) may be traced to auto-negotiate failing. The Interface setup definitely pushes the user to setting the link speed to "auto" - I'd assumed that this was working (and indeed it appeared to be when getting the update downloaded) but, at least on this machine, "auto" fails with a CAT5 grade cable and a 1000Mbs capable NIC.
-
Thank you! I have been seeing this since 2.3.1. I have never had a problem since then.
-
… The original CAT5 specification was limited to 100Mbps connections but was fairly quickly superseded by CAT5e ("enhanced") cable which is spec'd to 1000Mbps connections and specifies the use of all 4 pairs in wiring. I'd hazard to say that anywhere you go today and buy a "CAT5" patch cable you'll get a CAT5e cable.
CAT6 (as well as CAT6a, CAT7) wiring follows the exact same pinouts as CAT5e but again defines much tighter manufacturing specs for the cable and connectors. The performance improvements allow CAT6 to carry 10GBe (10,000 MBps) connections.
I completely agree - that information is very helpful - my observations after looking around the office at the cables here is that none of them are labeled for CAT5 or CAT6. Yet - especially as the cable length increases - the construction of the cable can make a huge difference between working at 1000Mbs or not. The CAT6 cables all feel slightly thicker than the CAT5 as a result of the internal construction to separate the individual cable pairs from each other to reduce cross-talk and capacitive losses.
-
my observations after looking around the office at the cables here is that none of them are labeled for CAT5 or CAT6
My own experience over the last (ahem..) 30+ years of playing with networks, cabling, PC's and a variety of attached devices is you generally get what you pay for.
If you buy patch cables from a reputable source, they'll be properly labelled and perform as expected. Unlabelled and DIY cables (don't ever, ever, ever, ever make/use hand made cables) are simply ticking disasters waiting to bite you (that goes for both CAT5e & CAT6).
Especially these days when I can buy 10' pre-made patch cables for < $2, what's the point in risking anything else? I'd much rather chase logistical problems in network design than potentially flaky hardware and connections any day.
Just my $.02