pfsense dropping LAN clients whenever WAN is saturated or PFSense settings are changed



  • Hello, I am having a strange issue with PFSense (both 2.4.4_3 and 2.5 devel) where every time a configuration change is made, my LAN connections are all dropped and I am forced to manually reconnect. The easiest way I can trigger this is to add/delete a DHCP or static IP entry. Whenever I change configuration, I have to turn the wifi on my desktop (also happens on my MacBook) on then back on, at which point connection is restored.

    Oddly this seems to also happen whenever I saturate the download of my WAN (100/100 symmetric fiber). During load like downloading a game, I will see ~20ms pings to my internal GW and ~50ms pings to google with about 10 percent packet loss. After a long enough sustained download I will lose connectivity on all machines on the LAN and have to reset all of them.

    During both of the above I cannot ping internal or external machines nor reach the WebGUI. I have looked over the logs in the WebGUI and nothing stands out to me. Here is what I have tried to fix this:

    Reset to factory settings then reapply my config
    Reinstall PFSense
    Upgrade to 2.5 devel
    Remove pfblockerng
    Disabling Hardware Checksum Offloading

    What can I try next? Any good hints as to what could be wrong with my config?



  • What are you using for hardware, specifically network cards?


  • Netgate Administrator

    What does the system log show when you make a change that drops everything?

    Steve



  • @holojack said in pfsense dropping LAN clients whenever WAN is saturated or PFSense settings are changed:

    Oddly this seems to also happen whenever I saturate the download of my WAN (100/100 symmetric fiber). During load like downloading a game, I will see ~20ms pings to my internal GW and ~50ms pings to google with about 10 percent packet loss. After a long enough sustained download I will lose connectivity on all machines on the LAN and have to reset all of them.
    During both of the above I cannot ping internal or external machines nor reach the WebGUI. I have looked over the logs in the WebGUI and nothing stands out to me. Here is what I have tried to fix this:

    The issue of your machines getting kicked offline upon simple configuration changes sounds strange. Is it possible you've found a bug? Sure. However, I can tell you I've been using PFsense since 2009 and every issue I've ever had with it has been hardware related.

    We have no details about your network, but having increased pings to an external host with a saturated WAN link is normal. However, the only way you should see increased pings to PFsense while saturating a 100 Mbit WAN is if you're using 100 Mbit NICs and a 100 Mbit switch on your LAN.

    As far as the issue of not being able to ping internal hosts when you're downloading at max speed, traffic between internal hosts on the same subnet does not traverse the firewall, so your issue lies somewhere else.

    My suggestion: make no assumptions about anything. Assess both your PFsense hardware and your switch, assess all NICs, assess cabling... those are all in the data path and all points of failure.



  • @KOM
    I have a Qotom Q355G4 which has 4 x Intel I211-AT 10/100/1000 Controller. Tried both 2.4.4_3 and 2.5 (which is running now) for PFSense. As for other equipment in the network, I have a Unifi 8 port PoE switch and a Unifi AP AC Pro running off of the switch.

    @stephenw10 said in pfsense dropping LAN clients whenever WAN is saturated or PFSense settings are changed:

    What does the system log show when you make a change that drops everything?

    Steve

    The only thing of interest I can find is that the DHCP service seems to be completely restarting every time I modify settings related to ports, interfaces, client leases, or FW. There's nothing in the System tab being logged when this happens.

    Whenever I saturate my WAN, nothing appears to be logged on the PFSense instance. I should note that if I wait a little bit (have not measured exactly how long) it appears the connection comes back on its own, but this can be accelerated by dropping and rejoining the network. Internal pings to my VLAN gateway take up to 100ms but everything is still reachable under load. Nothing gets logged when connections are dropped due to load.

    @marvosa said in pfsense dropping LAN clients whenever WAN is saturated or PFSense settings are changed:

    @holojack said in pfsense dropping LAN clients whenever WAN is saturated or PFSense settings are changed:

    Oddly this seems to also happen whenever I saturate the download of my WAN (100/100 symmetric fiber). During load like downloading a game, I will see ~20ms pings to my internal GW and ~50ms pings to google with about 10 percent packet loss. After a long enough sustained download I will lose connectivity on all machines on the LAN and have to reset all of them.
    During both of the above I cannot ping internal or external machines nor reach the WebGUI. I have looked over the logs in the WebGUI and nothing stands out to me. Here is what I have tried to fix this:

    The issue of your machines getting kicked offline upon simple configuration changes sounds strange. Is it possible you've found a bug? Sure. However, I can tell you I've been using PFsense since 2009 and every issue I've ever had with it has been hardware related.

    We have no details about your network, but having increased pings to an external host with a saturated WAN link is normal. However, the only way you should see increased pings to PFsense while saturating a 100 Mbit WAN is if you're using 100 Mbit NICs and a 100 Mbit switch on your LAN.

    As far as the issue of not being able to ping internal hosts when you're downloading at max speed, traffic between internal hosts on the same subnet does not traverse the firewall, so your issue lies somewhere else.

    My suggestion: make no assumptions about anything. Assess both your PFsense hardware and your switch, assess all NICs, assess cabling... those are all in the data path and all points of failure.

    Unifi controller and PFSense are both reporting 1000/1000 full duplex on all ports. Also, I may have misspoken, but I can only not ping internal hosts when my connections are dropped.

