IPv4 failing every few days
-
Hi,
I'm having a problem where every couple of days on average, most IPv4 just stops transiting the firewall. Sometimes existing connections stay up, sometimes they fail. New IPv4 connections will time out. IPv4 pings will time out. IPv6 traffic continues to work normally, both new and existing connections. I've been having this problem since I first started using pfSense 6 months ago, on two different computers. I don't see the packets getting blocked in the log and I don't see anything else unusual in the logs. Rebooting pfSense fixes it for a while. Sometimes it goes for as long as a week with no problem, sometimes it'll do it twice in just a few hours. Flushing the state table doesn't help. I'm running 2.3.2-RELEASE (amd64). I'm using IPsec VPN, DNS forwarder, VLANs and multiple interfaces. I have NAT on two interfaces. Though I was having this problem with a simpler config too.
Any suggestions or places to look?
Thanks
-
So it failed for the second time today, after 11 hours.
Some additional info:
From a machine on my LAN interface, I'm able to ping some IPv4 addresses while it is happening, but not others.
I can ping my isp's dns.
I cannot ping another ISP's DNS (get destination host unreachable).
I can ping my cable default router.
I cannot ping the cable modem (get destination host unreachable).
From the pfSense diagnostics/ping page:
I can ping my isp's dns from both LAN source address and WAN source address using ipv4.
I can ping another ISP's DNS from the WAN source address, but I cannot ping it from LAN source address (get 100% packet loss).
IPv6 still works fine.
Downing the WAN interface and upping it resolves the problem.
I checked every log again and I don't see anything unusual.
Thanks
-
I've seen similar issues when using certain Realtek network adapters/cards. Happen to have any Realtek adapters?
-
They're Intel gigabit LAN ports <Intel(R) PRO/1000 Network Connection 7.6.1-k>. The current hardware is a Protectli firewall micro appliance with a quad-core Celeron J1900 Bay Trail 2.0 GHz and 4 Intel gig ports.
Previously I was using an i7 PC with an Intel DZ77GA-70K motherboard with onboard Intel gig ports (Intel 82574L) and it had the same problem.
Were you seeing a hardware or a driver issue with the Realtek?
-
Hardware issue
-
It is happening on two different sets of hardware, jamesonp.
-
I would start by eliminating the variables from the mix one by one and see which one stops the erratic behaviour. My money is on IPSEC.
-
Disabling the IPSEC VPN didn't fix it.
More clues:
The IPv4 default gateway is changing to my OPT1 interface. I didn't really look closely at this before because some IPv4 traffic to the internet is still working, so I didn't think it would be a default route problem.
I don't understand how established connections to the internet are using the correct gateway, and other traffic isn't. netstat -nr and the IPv4 route list under diagnostics both showed the default route pointing out the OPT1 interface. There aren't any other routes for the traffic that keeps working except for my ISP's DNS servers. Everything else should be using the default. Very strange.
I'm assuming the gateway is getting marked as offline for some reason (even though it isn't down.) I'll check that if it happens again.
I've disabled gateway monitoring to see if that helps.
-
I've seen dpinger not come back up after transient packet loss. I've had this happen a few times in the past few months where my ISP would fail over, resulting in a few seconds of pure loss in the middle of the night, only to wake up and see my quality graph showing 100% loss since that event until I restart the service.
It's possible dpinger is just not recovering from loss and continues to mark the interface as offline?
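The two posts above describe the same failure from two sides: gateway monitoring marks the WAN gateway as down and pfSense moves the IPv4 default route to OPT1, while a static host route for the ISP's DNS server still leaves via WAN, which is why that one destination keeps answering. The script below is an added example, not code from the thread or from pfSense, that parses `netstat -rn` output and flags a default route that has left the expected WAN interface. The interface names (em0 as WAN, em1 as LAN, em2 as OPT1), the addresses and the two embedded routing tables are constructed for the example; the only thing assumed from the real system is the FreeBSD `netstat -rn` column layout (Destination, Gateway, Flags, Netif).

```shell
#!/bin/sh
# Added example: detect an IPv4 default route that has flipped off the
# expected WAN interface, taking `netstat -rn` text as input.
# All interface names and addresses below are constructed assumptions.

# Constructed sample in the failed state: the default route points out OPT1
# (em2) while a host route to the ISP DNS (203.0.113.53) still uses WAN (em0).
SAMPLE_BAD='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.2.1        UGS         em2
127.0.0.1          link#5             UH          lo0
192.168.1.0/24     link#2             U           em1
192.168.1.1        link#2             UHS         lo0
192.168.2.0/24     link#3             U           em2
192.168.2.254      link#3             UHS         lo0
198.51.100.0/24    link#1             U           em0
198.51.100.5       link#1             UHS         lo0
203.0.113.53       198.51.100.1       UGHS        em0'

# Same constructed table in the healthy state: default route via WAN (em0).
SAMPLE_OK='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            198.51.100.1       UGS         em0
127.0.0.1          link#5             UH          lo0
192.168.1.0/24     link#2             U           em1
192.168.1.1        link#2             UHS         lo0
192.168.2.0/24     link#3             U           em2
192.168.2.254      link#3             UHS         lo0
198.51.100.0/24    link#1             U           em0
198.51.100.5       link#1             UHS         lo0
203.0.113.53       198.51.100.1       UGHS        em0'

# default_route_if ROUTE_TABLE: print the Netif of the IPv4 default route,
# or nothing if no default route is present.
default_route_if() {
    printf '%s\n' "$1" | awk '$1 == "default" { print $4; exit }'
}

# routes_via_if ROUTE_TABLE IFACE: list destinations still routed via IFACE.
# In the failed state this is exactly the traffic that keeps working.
routes_via_if() {
    printf '%s\n' "$1" | awk -v ifc="$2" '$4 == ifc { print $1 }'
}

# check_default_route ROUTE_TABLE EXPECTED_IF: return 0 when the default route
# uses EXPECTED_IF, 1 when it has moved to another interface, 2 when missing.
check_default_route() {
    actual=$(default_route_if "$1")
    if [ -z "$actual" ]; then
        echo "ALERT: no IPv4 default route present"
        return 2
    fi
    if [ "$actual" != "$2" ]; then
        echo "ALERT: IPv4 default route is via $actual, expected $2 (gateway marked down?)"
        return 1
    fi
    echo "OK: IPv4 default route via $actual"
    return 0
}

# report ROUTE_TABLE: run the check and, on failure, show what still routes via WAN.
report() {
    check_default_route "$1" em0 ||
        echo "  still routed via em0: $(routes_via_if "$1" em0 | tr '\n' ' ')"
}

# Stand-alone run against the constructed samples. On a live box the table
# would come from the real command, e.g.: report "$(netstat -rn)"
report "$SAMPLE_BAD"
report "$SAMPLE_OK"
```

Run from cron on the firewall itself, a check like this records the exact moment the default route moves, which is the evidence needed to tell a dpinger false positive (gateway marked down while the link is fine) from a real WAN outage; comparing its timestamps against the gateway quality graph and the gateway log settles which one it is.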