Netgate Discussion Forum

    pfBlockerNG-devel 2.2.5_29 - Cron job drops internet every 30 minutes.

    • Herman

      Hi Folks,

      Configured pfBlockerNG-devel 2.2.5_29 and it works fine. At least I thought it did. Suddenly my son tells me that he is kicked off the internet every half hour.

      I found out that when the next scheduled CRON Event runs, the internet connection is disconnected for 20 seconds or so.
      HELP!!! My son is about to kill me 😊 LOL. Seriously, I do not have a clue why this happens.

      Any help is appreciated.

      Regards,
      Herman

      Limburg | The Netherlands.
      It is nice to be important. But it is more important to be nice! | Failure, the best teacher it is!

      • RonpfS

        @Herman said in pfBlockerNG-devel 2.2.5_29 - Cron job drops internet every 30 minutes.:

        I found out that when the next scheduled CRON Event runs the internet connection is disconnected for 20 seconds or so.

        Inspect System logs, Resolver logs, pfblockerng logs to find out what is happening. We can't tell much without logs.

        2.4.5-RELEASE-p1 (amd64)
        Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
        Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

        • timboau 0

          I think I have a similar problem: when the sync job runs, the remote routers that are synced to disconnect and then reconnect.
          Kill states are not enabled on either.

          • Gertjan @Herman

            @Herman said in pfBlockerNG-devel 2.2.5_29 - Cron job drops internet every 30 minutes.:

            I found out that when the next scheduled CRON Event runs

            So you confirm that you set this :

            c669b7ae-ff36-414f-aa2b-862a591cabe0-image.png

            to 30 minutes ?
            Why ?

            Also, run this 'by hand' :

            31ad010c-c863-4902-9852-4759da982cfd-image.png

            If it really takes 20 seconds or so (probably more, the web view version of the cron task is slower) then it's time to reduce the number of feeds you are using.
            Or use a more powerful device.
            At the end of the feed updating, parsing and other jobs, the Resolver will get restarted (reloaded, whatever).
            When the Resolver starts, it will read in the list with IPs to be blocked. This will take a microsecond or so when there are a few IPs - how big is your list ? Did you have a look ?
            Here it is : Services => DNS Resolver =>

            edc0df8b-a252-42ad-8e33-31e8d66dbb75-image.png

            This :

            c10ed21f-0eb3-4940-9971-ed84a881247f-image.png

            isn't explained very clearly (to me, that is).
            Firewall states that exist, using IPs that are (were) blocked ??
            I could understand that if one of the newly loaded IPs is used in the present state table, these states are killed.
            Thus a connection gets killed.
            But if the IP is on the list and was on the list, thus blocked already in the past, then nothing changes.

            Or your son was using an IP that was not getting blocked before, and suddenly it is blocked - the IP has been put on a list, and it wasn't on the list before ? This means that pfBlocker is doing its job and your son is / was visiting "blacklisted" sites ;)
            ( or you use feeds that blacklist sites you don't know of - do not want to black list )

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??
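
The log check asked for above, as an added example that is not part of any post in this thread: it measures how long the DNS Resolver (unbound) was down at each restart and keeps only the gaps that begin right after a cron tick. The sample lines, host name, unbound version, the default year (syslog timestamps carry none) and the assumption that the cron job fires at minutes divisible by the interval are all constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the style of unbound's syslog output (not from the thread).
SAMPLE_LOG = """\
Apr 10 12:00:04 fw unbound: [4021:0] info: service stopped (unbound 1.9.6).
Apr 10 12:00:23 fw unbound: [4377:0] info: start of service (unbound 1.9.6).
Apr 10 12:17:41 fw unbound: [4377:0] info: service stopped (unbound 1.9.6).
Apr 10 12:17:43 fw unbound: [4502:0] info: start of service (unbound 1.9.6).
Apr 10 12:30:05 fw unbound: [4502:0] info: service stopped (unbound 1.9.6).
Apr 10 12:30:27 fw unbound: [4810:0] info: start of service (unbound 1.9.6).
"""

LINE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ unbound: \[\d+:\d+\] info: "
    r"(service stopped|start of service)"
)

def resolver_gaps(log_text, year=2020):
    """Return [(stopped_at, seconds_down)] for every stop/start pair in the log."""
    gaps, stopped = [], None
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ignore unrelated resolver messages
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        if m.group(2) == "service stopped":
            stopped = ts
        elif stopped is not None:
            gaps.append((stopped, (ts - stopped).total_seconds()))
            stopped = None
    return gaps

def gaps_on_schedule(gaps, interval_min=30, tolerance_s=120):
    """Keep gaps that start within tolerance_s after a cron tick."""
    hits = []
    for stopped, secs in gaps:
        tick_minute = stopped.minute - stopped.minute % interval_min
        tick = stopped.replace(minute=tick_minute, second=0)
        if (stopped - tick).total_seconds() <= tolerance_s:
            hits.append((stopped, secs))
    return hits

if __name__ == "__main__":
    for when, secs in gaps_on_schedule(resolver_gaps(SAMPLE_LOG)):
        print(f"{when:%H:%M:%S}  resolver down {secs:.0f}s after cron tick")
```

Gaps of roughly 20 seconds that line up with the schedule point at the Resolver reload; restarts off the schedule (the 12:17 one in the sample) have another cause.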

            • Perforado

              I run a couple of those (as in 10+) and never had that problem. Maybe you exhaust the resources on your pfSense with the stuff you installed? pfBlockerNG is quite greedy with memory with some lists.

              On what kind of toaster did you install yours? ;)

              • A Former User

                i've had this problem before (not related to same thing as you, just speaking in general right now)

                for instance, the too many feeds. i have a lot running, and just like snort, you need to tend to that list, whitelist things that don't need to be blocked, etc.
                i very much appreciate the 'unlock' feature in this as it allows you to 'double check test' it before whitelisting (or before next CRON).

                a lot of times, i would have apps on my phone (amazon shopping as an example) that would not work due to certain hosts/IPs being blocked. after whitelisting (or wildcard whitelisting - make sure you know the difference), and then either waiting for cron, doing force update/reload, or even just clearing the pfblockerng counter on the widget [for me] has worked fairly quick to diagnose (usually unlocking then retesting the app takes less than a minute. make sure to clear cache on the affected app or device before retesting)

                most of the 'make sure you do this' stuff i just mentioned is actually listed in the GUI at the bottom of pages in the settings you're trying to adjust.

                hope this helps

                edit additional: running pfsense community release candidate version 2.4.5 and pfblockerng_devel 2.2.5_29

                • Perforado

                  Will try to reproduce my theory later today by lobotomizing a test firewall.

                  Would love to know what feeds you use and on what kind of hardware (as in cpu/ram/hdd) you installed your pfSense.

                  • A Former User @Perforado

                    @Perforado from my experience with 'forgetting to read an infoblock icon' just the other day ('this is a large list ~ 480k lines')... WHOOPS lol

                    for reference on my hardware, i7 3000 series quadcore, virtualization on, 8gb ram (upgrading to 32 on sunday 'just cause' and also cause of the next statements lol)

                    it filled the 8gb, hit the hard limit (4 million), spilled into the swap another 2gb... heh

                    edit additional: yes i also have TLD enabled

                    • A Former User

                      also maybe consider reordering the lists for prioritization of rule loading?

                      my (whatever kind of-) logic here is that if the RAM is getting filled, with or without swap(?), and hits a hard limit then loads the rest 'as-is' like it does, AND if 'kill states' is enabled, especially with a half hour check - i could potentially see why the internet goes out every CRON update. TLD would just increase the chances of the filling up of RAM and/or network 'crashes' (i feel like pfsense states crash and reload as opposed to the system as a whole crashing and rebooting - this would be apparent in logs as well) from my understanding of the documentation.

                      i feel like i experienced this once or twice, but was during early testing.

                      • Perforado @A Former User

                        Managed to choke pfSense with 4GB ram and pfBlockerNG to not answer to icmp echo anymore.

                        So my theory stands: Add more memory.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.