Dynamic Proxy via SSH broken?

val123456 · Aug 13, 2008, 1:35 PM

1. Using 1.2.1 from Tuesday, 12 August.
2. SSH to pfsense WAN interface from a remote network.
3. SSH connection works fine until I try to use a dynamic tunnel (using it as a SOCK proxy for browsing).*

Has anyone else see this?

*Details: I ran PFtop in the shell. PFtop updates until I try loading a web page. Web page partially loads, then everything dies. PFtop stops updating, browser times out. Log shows ssh connection, followed by sshd client timeout a few minutes later. No other log entries. This configuration worked with 1.2. The remote client configuration has not changed.

Thanks,

Colin

val123456 · Aug 13, 2008, 6:04 PM

Update: works from INSIDE the firewall.

Colin

NickC · Aug 13, 2008, 8:14 PM

Today I posted on a OpenVPN issue that may or may not be MTU related. I also see SSH problems via WAN (and I think not by LAN, but would need to re-test to be sure).
My WAN SSH transfers usually fall over after about 1.5k, so I think it may also be a MTU problem or at least that the two issues are related in some way.
Also, I'm testing on a quad-core, are you running multiprocessor? If so this could explain why nobody else is seeing this.

Nick.

val123456 · Aug 13, 2008, 8:26 PM

@NickC:

Also, I'm testing on a quad-core, are you running multiprocessor? If so this could explain why nobody else is seeing this.

Yup, SMP. Core 2 Duo:

CPU: Intel(R) Core(TM)2 Duo CPU E4600 @ 2.40GHz (2394.01-MHz 686-class CPU)

NickC · Aug 14, 2008, 10:12 AM

CPU: Intel(R) Xeon(R) CPU E5310 @ 1.60GHz (1595.93-MHz 686-class CPU)
Other config info:
Multi-wan, CARP interfaces on both WANs
remotely tested SSH to real WAN infterface (broken)
remotely tested OpenVPN to CARP on WAN (broken)
remotely tested OpenVPN to CARP on OPT-WAN (broken)
locally tested SSH on the LAN interface, works fine.

How to test if this is a SMP issue? What's the simplest way to force the uniprocessor kernel. On pf 1.2 there was a uniprocessor/SMP select dropdown in the manual firmware upload GUI. Not here, BSD 7 may now detect on boot. Cannot force single core in the BIOS.

Nick.

wallabybob · Aug 14, 2008, 10:49 AM

The uniprocessor kernel should run on single CPU systems and multi-CPU systems. It will only ever start one CPU.

The uniprocessor kernel has optimisations that are not possible on a multi CPU system.

The SMP kernel should also run on single CPU systems and multi-CPU systems but will start whatever CPUs the BIOS tells it are present.

cmb · Aug 14, 2008, 5:20 PM

Run "rm /boot/kernel/pfsense_kernel.txt" and you'll have the kernel selection box back.

I very seriously doubt if it's SMP vs. uniproc kernel related.