Some issues with SG firewall



  • Hi Guys,

    I have been running into some issues with my SG-2440 and I thought someone might be able to help me sort things out.
    I am running version 2.3.2-RELEASE-p1

    Issues:
    1. When I am using pfBlockerNG and I am selecting GeoIP blocking for specific countries, it all works well. Then I am trying to add some exceptions for some IPs in the countries I have previously blocked, so I am adding these rules above the GeoIP ones. I am saving the order (Save button, then "Apply Changes", then "reload filter"), then I am applying, and this also works well if I don't touch anything else. However, once I am forcing a reload (Update->RUN or Force Reload), the rule that I placed above the GeoIP goes below it for some reason. Because pfBlockerNG is updating the config every day, every day I have to reorder the rules again. I would normally expect that the order of rules stays the same. Is there a workaround for this?

    2. I have noticed that every time I am touching the WAN interface (unplugging/replugging the cable) the pfSense firewall is getting into some kind of stuck state even minutes after the cable is replugged. Everything becomes very slow when accessing the 2440 device via LAN, and the pfSense box is also losing access to the internet. I am not using PPPoE on the WAN. My provider is giving me an IP address via DHCP, and on the WAN I can see I have an IP address after the cable is replugged. I did not have too much time to look into this last issue yet. I will post some more info once I debug this a bit more. However, I noticed the same problem when I tried to hardcode speed/duplex. The only way I could recover was to reboot the pfSense box. I will try to reproduce and do a packet capture and see what is going on exactly, but if someone recognises the symptoms described above let me know.

    Thanks!


  • Moderator

    Issue 1)

    https://forum.pfsense.org/index.php?topic=119925.msg663534#msg663534

    Issue 2)

    Are you using DNSBL? Check the resolver and system logs for additional clues.



  • @nahadot:

    I have seen the same issue whenever my ISP does a reset on my cable modem and changes the IP. I was able to debug part of the issue; it came down to how /etc/rc.newwanip interacts with services_unbound_configure, which is defined in /inc/services.inc. A race condition happens when DNSBL is enabled: in my case 1,366,154 lines in /var/unbound/pfb_dnsbl.conf try to load.

    As a quick fix, I commented out the reload process in /etc/rc.newwanip. I am sure the devs have a reason to reload unbound when the WAN IP changes but have not had time to investigate.

    /* reload unbound */
    // services_unbound_configure();   // disabled: skip the unbound reload when the WAN IP changes
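The reply above ties the post-replug stall to /etc/rc.newwanip calling services_unbound_configure(), which makes unbound reload a very large pfBlockerNG DNSBL config. The following script is an added example, not code from the thread or from the pfSense project: it reports whether that call is still active in rc.newwanip and how many lines /var/unbound/pfb_dnsbl.conf currently has, so the cost of each WAN-triggered reload, and whether the quick fix is in place, is visible before and after editing. It assumes rc.newwanip is PHP-style source where `//` and `#` start comment lines, and the script file name `check_newwanip.sh` is a hypothetical choice; the two paths default to the ones named in the thread and can be overridden for testing.

```shell
#!/bin/sh
# Added example (not part of the thread): inspect the unbound-reload path
# that the reply above blames for the WAN replug stall.
# Usage: sh check_newwanip.sh [rc.newwanip path] [pfb_dnsbl.conf path]

# Returns 0 if rc.newwanip still contains an uncommented call to
# services_unbound_configure(), 1 if the call is absent or commented out.
unbound_reload_active() {
    f="${1:-/etc/rc.newwanip}"
    # Drop leading whitespace, discard lines that begin with "//" or "#"
    # (PHP comment styles), then look for the call itself.
    sed 's/^[[:space:]]*//' "$f" 2>/dev/null \
        | grep -v '^//' | grep -v '^#' \
        | grep -q 'services_unbound_configure()'
}

# Prints the line count of the DNSBL unbound config, or 0 if it is absent.
# A count in the millions, as in the thread, is what every reload parses.
dnsbl_line_count() {
    f="${1:-/var/unbound/pfb_dnsbl.conf}"
    if [ -r "$f" ]; then
        wc -l < "$f" | tr -d ' '
    else
        echo 0
    fi
}

# One-line summary combining both checks.
report() {
    rc="${1:-/etc/rc.newwanip}"
    conf="${2:-/var/unbound/pfb_dnsbl.conf}"
    n=$(dnsbl_line_count "$conf")
    if unbound_reload_active "$rc"; then
        echo "rc.newwanip reloads unbound on WAN IP change; DNSBL config has $n lines"
    else
        echo "unbound reload in rc.newwanip is disabled; DNSBL config has $n lines"
    fi
}

# Only run the report when invoked as a script (hypothetical file name), so the
# functions can also be sourced from another shell script.
if [ "${0##*/}" = "check_newwanip.sh" ]; then
    report "$@"
fi
```

Run it once before and once after commenting out the call; if the line count is large and the first line of output says the reload is still active, every DHCP lease change on WAN will trigger the full DNSBL parse described above.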

