Problems after upgrading to 2.4.4-Release-p3 from 2.3.5



  • I was using pfSense 2.3.x for the last 1.5 years with no serious issue, but after upgrading to the latest 2.4.4 amd64 version, I am stuck.

    1. Internet down, high latency, packet loss shown in the Dashboard -- problem with Unbound -- DNS issue?? I had to allow port 53 in my firewall rules, but still many times the Internet goes down and recovers after some time. Unticked registration of DHCP clients in the Unbound settings.
    2. High memory usage -- switched to ZFS from UFS -- but the memory usage many times rose to 95% -- stopped ClamAV, but memory usage is still significantly high. I am using pfBlockerNG-Development.

    Please, can any senior tell me what the issue is and the resolution? There are so many threads, but I couldn't figure out the problem or the solution. Should I switch back to 2.3.x again till the Unbound problem is sorted out?


  • Netgate Administrator

    Go to System > Routing > Gateways. Set the default IPv4 gateway to the WAN Gateway rather than automatic.

    How much RAM do you have? What packages are you running besides Squid?

    Steve



  • @stephenw10 Yeah, problem sorted out, but the high memory usage is still there.

    I am using Squid, SquidGuard, pfBlockerNG-Development, Snort, ntopng, Darkstat and Bandwidthd -- system config is an Intel dual-core, 2GB RAM, 500GB SATA HDD. Squid cache size is set to the default.

    Dual WAN -- A -20Mbps, B -50Mbps, and Single LAN

    Requirements:

    1. Disable external DNS to block certain websites (Facebook, WhatsApp) for some client PCs -- I was using the DNS method. Is there any other method, such as pfBlockerNG?

    2. Now with a second WAN -- will the Squid cache not work in multi-WAN load balancing? It helps me reduce bandwidth, since Win10 updates, AV and mobile updates take a good chunk of bandwidth.

    3. Squid is set up as an HTTP proxy in transparent mode only. For an HTTPS proxy, how do I install the CA on every PC, including visitors (WiFi)?

    4. Some clients are complaining of problems during banking transactions -- is it due to multi-WAN load balancing, and should I route them to a single WAN gateway with failover?

    Thanks in advance



  • Go to System > Routing > Gateways. Set the default IPv4 gateway to the WAN Gateway rather than automatic.

    @stephenw10, I've had to do this on multiple boxes. Not sure when this little gem became an issue, but it's rather frustrating when you have remote sites that never come back up after a reboot, etc. because of it.

    I also had an interesting issue a while back where I had a working config for months but then lost internet after a reboot from an update. It turned out that I was actually on the internet, but pfSense would not process DNS queries as long as the forwarder was configured to listen on "ALL" interfaces. The fix for me was to explicitly define the DNS forwarder to listen on the LAN and localhost interfaces.

    My recommendation:

    1. Bump up your RAM to 4 GB minimum, if not 8 GB.
    2. Reinstall a fresh copy of v2.4.4-p3 and rebuild your config from scratch.
    3. Considering all of the dynamic content on the internet these days and the fact that you have 70 Mbps of aggregate bandwidth, Squid is doing nothing for you. I'd leave it uninstalled going forward. IMO, it's just adding unnecessary complexity and may be slowing things down and/or causing other issues.
    4. I would then go forward with the least amount of packages installed and verify it's stable. Once verified stable, I would re-examine how many other packages you really "need" and run the least amount possible to preserve resources.
    5. Personally, instead of trying to leverage certain packages for UTM-like features like web filtering, etc., I would just implement a UTM and let your firewall be the firewall. E.g. running Untangle in bridge mode behind pfSense.
    6. Configure the traffic shaper to address bandwidth utilization issues from Win 10 updates, etc.
    7. Is dual WAN load balancing contributing to your clients' online banking issues? That's hard to say; it may depend on how the load balancing is configured. It's certainly possible if the load balancing is being done via round-robin. One possible solution there is enabling sticky connections. I would examine bandwidth utilization; you would probably benefit by keeping it simple and utilizing your dual WAN in a failover configuration for redundancy.

  • Netgate Administrator

    Yeah I would expect 2GB to be mostly used with those packages running, especially if you have a lot of lists or signatures loaded.

    Squid will only use one route. You can specify the source address it uses explicitly to make it use something other than the default route. You can set the default gateway to be a failover group and Squid will follow that. You cannot use a load-balance group there.

    If you want full SSL content inspection you need the CA on all clients. You can do FQDN filtering only in HTTPS using splice mode: https://youtu.be/xm_wEezrWf4?t=636

    Yes, WAN load-balancing can cause problems for some sites including bank sites. Almost all sites are able to cope with that now but I used to maintain an alias of sites that needed to bypass the balancer because of that.

    Steve



  • @marvosa said in Problems after upgrading to 2.4.4-Release-p3 from 2.3.5:

    Go to System > Routing > Gateways. Set the default IPv4 gateway to the WAN Gateway rather than automatic.

    @stephenw10, I've had to do this on multiple boxes. Not sure when this little gem became an issue, but it's rather frustrating when you have remote sites that never come back up after a reboot, etc. because of it.

    I also had an interesting issue a while back where I had a working config for months but then lost internet after a reboot from an update. It turned out that I was actually on the internet, but pfSense would not process DNS queries as long as the forwarder was configured to listen on "ALL" interfaces. The fix for me was to explicitly define the DNS forwarder to listen on the LAN and localhost interfaces.

    My recommendation:

    1. Bump up your RAM to 4 GB minimum, if not 8 GB.
    2. Reinstall a fresh copy of v2.4.4-p3 and rebuild your config from scratch.
    3. Considering all of the dynamic content on the internet these days and the fact that you have 70 Mbps of aggregate bandwidth, Squid is doing nothing for you. I'd leave it uninstalled going forward. IMO, it's just adding unnecessary complexity and may be slowing things down and/or causing other issues.
    4. I would then go forward with the least amount of packages installed and verify it's stable. Once verified stable, I would re-examine how many other packages you really "need" and run the least amount possible to preserve resources.
    5. Personally, instead of trying to leverage certain packages for UTM-like features like web filtering, etc., I would just implement a UTM and let your firewall be the firewall. E.g. running Untangle in bridge mode behind pfSense.
    6. Configure the traffic shaper to address bandwidth utilization issues from Win 10 updates, etc.
    7. Is dual WAN load balancing contributing to your clients' online banking issues? That's hard to say; it may depend on how the load balancing is configured. It's certainly possible if the load balancing is being done via round-robin. One possible solution there is enabling sticky connections. I would examine bandwidth utilization; you would probably benefit by keeping it simple and utilizing your dual WAN in a failover configuration for redundancy.

    Thanks for the response. Yes, I installed pfSense 2.4.4 and restored the settings from the backup file -- does that mean restoring is not advisable after reinstallation?

    1. For the high memory usage, does ZFS play any role? If yes, by what percentage?
    2. Reinstallation is not possible right now, but I will use another HDD soon. Will uninstalling or disabling Squid do the job, as per your recommendation? A little correction: my cumulative bandwidth is 40Mbps instead of 70Mbps.
    3. Increased the RAM to 4GB.
    4. For the time being, I quickly switched to a Failsafe gateway for that group of PCs.

    Some problems I am facing -- please give some recommendations:

    1. DNS queries are slow to respond, and even with external DNS allowed, many times the website fails to open -- is it due to Unbound not having the cache after the reinstallation, and for how long does Unbound keep the cache of website addresses?

    2. Please guide me on traffic shaping for the unbalanced multi-WAN with the Failsafe GW specific to a group of PCs.

    Thanks in advance


  • Netgate Administrator

    Usually restoring your config into a new install is exactly what we would recommend but in cases like this where you have odd things happening it can be better to re-create, if that's practical. If you have some config error it will otherwise just be carried across.

    ZFS uses far more RAM than UFS but it really depends how large the filesystem is.

    If DNS is perceptibly slow it's probably because you have one or more DNS servers configured that don't respond at all rather than anything to do with the cache. Test some FQDNs in Diag > DNS Lookup, make sure everything listed there responds in reasonable time.

    What sort of traffic shaping are you hoping to achieve?

    Steve
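As an added example (not from the thread, and not a pfSense tool), the check Steve suggests done from a shell: send one UDP A query to each configured resolver, time the reply, and flag resolvers that do not answer or answer slowly, so a dead or sluggish server in the list stands out. The resolver list is constructed from the public servers named later in the thread, and `example.com` as the test name and the 500 ms threshold are assumptions.

```python
import socket
import struct
import time

# Constructed list for this example (the public resolvers named later in the thread); replace with the servers from System > General Setup.
RESOLVERS = ["8.8.8.8", "8.8.4.4", "208.67.220.220", "208.67.222.222", "9.9.9.9"]
SLOW_MS = 500.0  # assumed threshold: slower than this and the resolver is flagged

def build_query(name, txid=0x1234):
    """Minimal DNS query for an A record: 12-byte header, QNAME, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD bit set, 1 question
    labels = [p.encode("ascii") for p in name.strip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def parse_response(data, txid=0x1234):
    """Return (rcode, answer_count) from a reply header; reject mismatched replies."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:  # wrong transaction ID or QR bit not set
        raise ValueError("reply does not match our query")
    return flags & 0x000F, an

def classify(ms, rcode, answers, slow_ms=SLOW_MS):
    """Verdict for one resolver: 'no reply', 'error', 'slow' or 'ok'."""
    if ms is None:
        return "no reply"
    if rcode != 0 or not answers:
        return "error"
    return "slow" if ms > slow_ms else "ok"

def probe(server, name="example.com", timeout=2.0):
    """Time one UDP lookup against one resolver and classify the result."""
    ms = rcode = answers = None
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            start = time.monotonic()
            sock.sendto(build_query(name), (server, 53))
            data, _ = sock.recvfrom(512)
            ms = (time.monotonic() - start) * 1000
            rcode, answers = parse_response(data)
        except (OSError, ValueError):
            pass  # timeout/unreachable -> 'no reply'; garbled reply -> 'error'
    return server, ms, classify(ms, rcode, answers)

if __name__ == "__main__":
    for server in RESOLVERS:
        srv, ms, verdict = probe(server)
        print(f"{srv:16} {'-' if ms is None else f'{ms:.0f} ms':>8}  {verdict}")
```

Run it from a host behind the firewall; any resolver reported as "no reply" or "slow" is a candidate to drop from the list, since Unbound or the forwarder will keep trying it.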



  • Thanks for the response. Yes, I installed pfSense 2.4.4 and restored the settings from the backup file -- does that mean restoring is not advisable after reinstallation?

    I wouldn't say it's not advisable, quite the contrary, as @stephenw10 mentioned it's probably recommended, however, if there's even a remote chance that the config may be contributing to the issue, I personally do not like the possibility of importing problems into a fresh install. In other words, if the current setup isn't too involved (dozens or hundreds of NAT's, various static routes, various port forwards, VLANs, multiple tunnels, etc), you may want to consider rebuilding from scratch.

    Reinstallation is not possible right now, but I will use another HDD soon. Will uninstalling or disabling Squid do the job, as per your recommendation? A little correction: my cumulative bandwidth is 40Mbps instead of 70Mbps.

    The 70 Mbps aggregate number came from the following line in your 2nd post:

    "Dual WAN -- A -20Mbps, B -50Mbps, and Single LAN"

    Was there a typo in these numbers?

    DNS queries are slow to respond, and even with external DNS allowed, many times the website fails to open -- is it due to Unbound not having the cache after the reinstallation, and for how long does Unbound keep the cache of website addresses?

    There are differing options on DNS. 10 other people may have different priorities and give you 10 different experiences and opinions. I would configure whatever works best for your environment. For my environment, things have always felt more responsive using the forwarder which is pointed at my ISP's DNS.

    Please guide me on traffic shaping for the unbalanced multi-WAN with the Failsafe GW specific to a group of PCs.

    Go to Firewall -> Traffic Shaper -> Wizards, choose the "Multiple Lan/Wan" link, tell it you have 2 WANs, then go through the rest of the wizard.



  • @marvosa said in Problems after upgrading to 2.4.4-Release-p3 from 2.3.5:

    I wouldn't say it's not advisable, quite the contrary, as @stephenw10 mentioned it's probably recommended, however, if there's even a remote chance that the config may be contributing to the issue, I personally do not like the possibility of importing problems into a fresh install. In other words, if the current setup isn't too involved (dozens or hundreds of NAT's, various static routes, various port forwards, VLANs, multiple tunnels, etc), you may want to consider rebuilding from scratch.

    My setup was not big and was working perfectly for our requirements. I had to do it quickly, thus restoring from the backup was done.

    @marvosa said in Problems after upgrading to 2.4.4-Release-p3 from 2.3.5:

    The 70 Mbps aggregate number came from the following line in your 2nd post:
    "Dual WAN -- A -20Mbps, B -50Mbps, and Single LAN"

    Earlier we had a single 20Mbps connection, but strangely, my speedtest.net test was indicating a 50Mbps download speed. Everything was running smoothly; then suddenly our ISP's whole network went down, exactly when we had a number of guests and our MD's visit. It took around 12-13 days for our ISP to solve their network problem (for us the internet speed was normal for a couple of minutes, then the speed reduced to 2Mbps for a couple of minutes, and then resumed). I quickly contacted our old ISP, whose WiFi point-to-point setup was intact, to start the internet with a 15Mbps connection, later increased to 20Mbps.

    Long story short, now we have 2 different ISPs providing us Internet from Ubiquiti AirMax point-to-point devices going to my pfSense with dual WAN -- one in bridge mode and the other with their device set up as a router -- and both our ISPs are giving us 20Mbps only, making it 40Mbps aggregated.

    @marvosa said in Problems after upgrading to 2.4.4-Release-p3 from 2.3.5:

    Go to Firewall -> Traffic Shaper -> Wizards, choose the "Multiple Lan/Wan" link, tell it you have 2 WANs, then go through the rest of the wizard.

    Wow -- yeah, 2 WANs.



  • @stephenw10 said in Problems after upgrading to 2.4.4-Release-p3 from 2.3.5:

    Usually restoring your config into a new install is exactly what we would recommend but in cases like this where you have odd things happening it can be better to re-create, if that's practical. If you have some config error it will otherwise just be carried across.

    ZFS uses far more RAM than UFS but it really depends how large the filesystem is.

    If DNS is perceptibly slow it's probably because you have one or more DNS servers configured that don't respond at all rather than anything to do with the cache. Test some FQDNs in Diag > DNS Lookup, make sure everything listed there responds in reasonable time.

    What sort of traffic shaping are you hoping to achieve?

    Steve

    New update: the problem is sorted out by forwarding the DNS queries in the Resolver settings. I read BBcan's post, and he recommended it for his pfblocker2.

    ZFS is memory hungry, but it releases the RAM when required (I think, wrong impression) -- will be looking forward to this filesystem in my experimental FreeNAS project.

    My DNS servers are 8.8.8.8, 8.8.4.4 (Google), 208.67.220.220, 208.67.222.222 (OpenVPN), and 9.9.9.9 (Quad9).

    For the Accounts Dept. -- made a firewall rule fixing their IPs alias to a specific ISP gateway with Failsafe (member down).

    Rest of the users -- changed the weight of ISP2 to 1 and ISP1 to 1, for multi-WAN load balancing.

    WhatsApp and Facebook blocking for specific clients with rules in Floating.

    Enabled Squid, but disabled SquidGuard (ClamAV).

    Everything seems to be running smoothly.

    Now for traffic shaping I think CODELQ -- mail priority, Windows updates low priority, and an average fixed speed for video media (YouTube automatically switches to HD whenever it finds a high-speed internet connection). Will update about the result.

    Any recommendation?


  • Netgate Administrator

    ClamAV is part of the main Squid package, not SquidGuard. It can be enabled/disabled on the Antivirus tab in the Squid Proxy Server page.

    Anyway glad you were able to resolve it.

    Steve

