When is a reboot or reconnect required?



  • I've had multiple problems in getting my Netgate SG-1100 with pfSense on it to work properly. I had it working well until...

    This evening I tried to add the certificate and everything else to add a VPN to the system and all of a sudden, after I added the certificate and had done most of the setup, I wasn't able to reach sites on the internet and saw issues with connections in my LAN. Considering I had just gone through a hard reset and got everything set up the previous night, I decided to do it again and reset to factory defaults. I went through the setup wizard, then set up my DHCP (well, I loaded in the old config), and then set up the DNS Resolver. I saved the changes and applied them as needed, but I still had problems with my LAN.

    I could get an answer from NSLOOKUP but could not ping the same host name (again, in the LAN). So, after a few hours of reading documentation I've read a googolplex number of times already, I decided to swap in my 10 year old pfSense firewall on an old Soekris net5501. Well, it was funky and everything went weird. (No need for details at this point.)

    So I swapped the SG-1100 back in and went back up the stairs to my study and found, suddenly, everything was working perfectly.

    This kind of thing scares me. I want to know what fixes a problem, instead of just pulling out the ethernet cables, sticking them in another firewall, then returning to the one I'm using.

    I've used Linux quite a bit - not much recently, but my business used to run on it back before 2010. One thing I've learned is that with *nix variants, the old, "Reboot or power cycle" thing is bogus. If you can't just restart a service (after fixing whatever is wrong), then something's wrong.

    But here, I disconnected the firewall, put another in, took it out, and put the SG-1100 back.

    What happened? Did that let a cache clear or something like that? Or do I need to reboot the SG-1100 after a number of changes? (It was rebooted after the initial setup, so it could change from 192.168.1.1 to 172.16.7.1.)

    Should I get used to rebooting after making a number of changes? Or are there times pulling cables out and disconnecting things lets caches flush out?

    I just don't see why things were a mess then, without changing settings, it suddenly started behaving.



  • @TangoOversway said in When is a reboot or reconnect required?:

    I've used Linux quite a bit - not much recently, but my business used to run on it back before 2010. One thing I've learned is that with *nix variants, the old, "Reboot or power cycle" thing is bogus. If you can't just restart a service (after fixing whatever is wrong), then something's wrong.

    You probably missed the very most important thing from the NIX** world :
    It's all "explained" in /var/log/....

    You could have checked on your devices : did it get an IP (and DNS, and gateway, and mask) ?
    The same thing can be followed on your pfSense: did that device (you can identify it by its MAC) ask for an IP, etc.? You can check whether DNS requests come in. You can actually see every Ethernet packet coming in, and what's done with it.

    ** Actually, all OSes log these days. But everything tends to work out of the box. Let's face it: unwrap a new Windows PC, unwrap a new firewall/router, let's say an SG-1100, hook them up, and voila, you're connected to the net, etc. ;)
    So, where is the issue ^^ ??

    @TangoOversway said in When is a reboot or reconnect required?:

    eset to factory defaults. I went through the setup wizard, then set up my DHCP (well, I loaded in the old config ....

    You are aware of the fact that your pfSense and mine, and thousands of others, are the same, if not identical?
    The only things that are different are your settings and mine.

    @TangoOversway said in When is a reboot or reconnect required?:

    What happened? Did that let a cache clear or something like that?

    If you have placed a switch between your device and the pfSense router, then disconnecting pfSense and putting another router with other settings in its place will not be noticed by your device (PC). Things start to "not work" any more.
    A simple

    ipconfig /renew
    

    (A GUI equivalent exists.) If it's a Windows device, that will put things back to work.
    Or rip out the Ethernet cable for a second, or deactivate your Wi-Fi radio for a moment.


  • Netgate Administrator

    In general, you should not need to reboot unless you're updating firmware.

    The issues you were seeing sound like some kind of stale ARP problem or maybe a rogue DHCP server; that can produce very strange behaviour.
    If you can resolve some local DHCP host but not ping it, that traffic would not normally go through the firewall at all. Either it resolved to the wrong address or the target is unable or unwilling to reply.

    Steve
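
Gertjan's advice (read /var/log, identify the client by its MAC, see whether it asked for and got an address) and Steve's stale-ARP / rogue-DHCP hunch boil down to one cross-check: did each MAC complete the DISCOVER/OFFER/REQUEST/ACK exchange with the firewall's DHCP server, and does the firewall's ARP table agree with the lease it handed out? The script below is an added example for this thread, not pfSense code. The dhcpd.log lines and the `arp -an` listing are constructed samples in the format ISC dhcpd and FreeBSD produce; the interface name igb1, the 172.16.7.0/24 addresses and the MACs are assumptions, as is the hypothetical host 172.16.7.99 that shows up in ARP without ever being leased.

```python
"""Cross-check pfSense DHCP log lines against the firewall's ARP table.

Added example for this forum thread, not pfSense's own code. The log excerpt
and the `arp -an` listing are constructed to look like real output.
"""
import re

# Constructed sample: /var/log/dhcpd.log style lines (syslog prefix + ISC dhcpd message).
DHCPD_LOG = """\
Mar  3 03:10:01 pfSense dhcpd[4321]: DHCPDISCOVER from 00:11:22:33:44:55 via igb1
Mar  3 03:10:01 pfSense dhcpd[4321]: DHCPOFFER on 172.16.7.50 to 00:11:22:33:44:55 (workstation) via igb1
Mar  3 03:10:02 pfSense dhcpd[4321]: DHCPREQUEST for 172.16.7.50 (172.16.7.1) from 00:11:22:33:44:55 (workstation) via igb1
Mar  3 03:10:02 pfSense dhcpd[4321]: DHCPACK on 172.16.7.50 to 00:11:22:33:44:55 (workstation) via igb1
Mar  3 03:11:40 pfSense dhcpd[4321]: DHCPDISCOVER from aa:bb:cc:dd:ee:01 via igb1
Mar  3 03:11:40 pfSense dhcpd[4321]: DHCPOFFER on 172.16.7.60 to aa:bb:cc:dd:ee:01 (sonos) via igb1
Mar  3 03:11:41 pfSense dhcpd[4321]: DHCPREQUEST for 172.16.7.60 (172.16.7.1) from aa:bb:cc:dd:ee:01 (sonos) via igb1
Mar  3 03:11:41 pfSense dhcpd[4321]: DHCPACK on 172.16.7.60 to aa:bb:cc:dd:ee:01 (sonos) via igb1
Mar  3 03:12:05 pfSense dhcpd[4321]: DHCPDISCOVER from aa:bb:cc:dd:ee:02 via igb1
Mar  3 03:12:05 pfSense dhcpd[4321]: DHCPOFFER on 172.16.7.61 to aa:bb:cc:dd:ee:02 (appletv) via igb1
"""

# Constructed sample: FreeBSD `arp -an` output as seen on the firewall.
# 172.16.7.50 is listed with a MAC that differs from the lease above (stale ARP or a
# duplicate address); 172.16.7.99 never appears in the DHCP log at all.
ARP_TABLE = """\
? (172.16.7.1) at 00:08:a2:0a:00:01 on igb1 permanent [ethernet]
? (172.16.7.50) at 00:11:22:33:44:99 on igb1 expires in 900 seconds [ethernet]
? (172.16.7.60) at aa:bb:cc:dd:ee:01 on igb1 expires in 1100 seconds [ethernet]
? (172.16.7.99) at aa:bb:cc:dd:ee:ff on igb1 expires in 300 seconds [ethernet]
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
LOG_RE = re.compile(
    r"dhcpd\[\d+\]: (?P<msg>DHCPDISCOVER|DHCPOFFER|DHCPREQUEST|DHCPACK)"
    r"(?: on (?P<ip_on>[\d.]+))?"                     # OFFER/ACK: "on <ip> to <mac>"
    r"(?: for (?P<ip_for>[\d.]+)(?: \([\d.]+\))?)?"   # REQUEST: "for <ip> (<server>) from <mac>"
    r" (?:from|to) (?P<mac>" + MAC + r")"
)
ARP_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>" + MAC + r")")


def parse_dhcp_log(text):
    """Return {mac: {"ip": last address seen, "stage": last DHCP message seen}}."""
    clients = {}
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        entry = clients.setdefault(m.group("mac"), {"ip": None, "stage": None})
        entry["stage"] = m.group("msg")
        ip = m.group("ip_on") or m.group("ip_for")
        if ip:
            entry["ip"] = ip
    return clients


def parse_arp(text):
    """Return {ip: mac} from `arp -an` output."""
    return {m.group("ip"): m.group("mac") for m in ARP_RE.finditer(text)}


def cross_check(clients, arp, known_static=()):
    """Compare DHCP state with the ARP table; return (ip, mac, finding) tuples."""
    findings = []
    acked = {}
    for mac, e in clients.items():
        if e["stage"] != "DHCPACK":
            findings.append((e["ip"], mac,
                             f"DHCP exchange stopped at {e['stage']}: client never got an ACK"))
        elif e["ip"]:
            acked[e["ip"]] = mac
    for ip, lease_mac in acked.items():
        seen = arp.get(ip)
        if seen is None:
            findings.append((ip, lease_mac, "leased but absent from ARP table: host silent or off"))
        elif seen != lease_mac:
            findings.append((ip, lease_mac,
                             f"ARP table has {seen}: stale ARP entry or duplicate address"))
    for ip, mac in arp.items():
        if ip not in acked and ip not in known_static:
            findings.append((ip, mac, "in ARP but not leased by this server: static host or rogue DHCP"))
    return findings


def run_example():
    """Run the check over the constructed samples; 172.16.7.1 is the firewall itself."""
    return cross_check(parse_dhcp_log(DHCPD_LOG), parse_arp(ARP_TABLE), known_static={"172.16.7.1"})


if __name__ == "__main__":
    for ip, mac, why in run_example():
        print(f"{ip:<14} {mac}  {why}")
```

On the constructed input this reports three things: the Apple TV's exchange stalled after the OFFER, the workstation's address answers ARP from a MAC other than the one that holds the lease, and 172.16.7.99 is alive on the LAN without ever having been leased by this server. The last two are exactly the "stale ARP" and "rogue DHCP / duplicate address" cases Steve mentions; a host that resolves fine but does not answer ping usually lands in one of them. To run it against a real firewall, replace the two constants with the contents of /var/log/dhcpd.log and the output of `arp -an`.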



  • @Gertjan

    @Gertjan said in When is a reboot or reconnect required?:

    @TangoOversway said in When is a reboot or reconnect required?:

    I've used Linux quite a bit - not much recently, but my business used to run on it back before 2010. One thing I've learned is that with *nix variants, the old, "Reboot or power cycle" thing is bogus. If you can't just restart a service (after fixing whatever is wrong), then something's wrong.

    You probably missed the very most important thing from the NIX** world :
    It's all "explained" in /var/log/....

    Actually, more like forgot it! And part of that is that most of what I did was programming. I didn't have to deal with many network issues. (I put that on pfSense - I set it up and never had to deal with it again.) Since I didn't deal with it too much, I've forgotten a lot about DNS and DHCP issues. One is that even for a ping, that interaction would be logged.

    (And now that I mention that, I realize that old pfSense firewall may have been not just about 10 years old, but maybe 15 or more years old. I started with m0n0wall and moved up to pfSense. Wow. I had even forgotten that! It was probably more like 10 years since I had updated it.)

    You could have checked on your devices : did it get an IP (and DNS, and gateway, and mask) ?
    The same thing can be followed on your pfSense: did that device (you can identify it by its MAC) ask for an IP, etc.? You can check whether DNS requests come in. You can actually see every Ethernet packet coming in, and what's done with it.

    Not all my devices are easy to get to. Some are down in the guest house and when it's a colder night, and 3 AM, it's a serious pain to walk all the way down there! (We're on a very large wooded lot!) But I did check the devices I could get to. They did get IPs and I saw them listed in the DHCP Leases section under Status. I checked the others that were harder to get to physically through the same manner - including checking MAC addresses.

    ** Actually, all OSes log these days. But everything tends to work out of the box. Let's face it: unwrap a new Windows PC, unwrap a new firewall/router, let's say an SG-1100, hook them up, and voila, you're connected to the net, etc. ;)
    So, where is the issue ^^ ??

    That's what I've wondered from the start. I have a few other threads here. On the old pfSense firewall, there was no DNS resolver, just the Forwarder. I tried the Resolver for this setup and had everything done by the manual and it had problems. In the long run, I had to enable forwarding requests and specify a DNS server. (I used 8.8.8.8.) Once I did that, things cleared up.

    I still don't know what was going on with that. No other DNS or DHCP within my LAN. My ISP router is unusual - I have very little control over the settings. (It's an AT&T wireless router that works with cell data.) I've wondered if that could be trying to act as a DNS or something like that.

    I had things working, then was starting to set up a VPN and after I added the certificate, suddenly my setup went bad. So I did a factory reset and fixed everything to where I had it. That's when I saw a lot wasn't working and swapped in the old firewall, for about 10-15 minutes. Then tried the new one again and it was working.

    That's why I was asking if some kind of reboot or temporary disconnection would fix things (and why).

    @TangoOversway said in When is a reboot or reconnect required?:

    eset to factory defaults. I went through the setup wizard, then set up my DHCP (well, I loaded in the old config ....

    You are aware of the fact that your pfSense and mine, and thousands of others, are the same, if not identical?
    The only things that are different are your settings and mine.

    Yes, I know they're the same and I was following the docs, which is why this whole situation is so frustrating and confusing to me. I know it's been at least a decade since I worked with DNS and DHCP issues. I know I haven't used the DNS Resolver in pfSense before, but I basically just copied the settings from the old pfSense firewall on everything but the Resolver - and I set that up by the book. (I did try using the Forwarder, but had trouble there, too.)

    And still, there was that major headache. The only thing I can think of is the ISP router, even though it was outside the firewall, doing something odd. I have several Macs, two Linux computers (one is RetroPie, an arcade emulator on a Raspberry Pi, so no DNS or anything like that even installed, the other is a file server and my DVR - stock Debian, with no DNS or DHCP services at all), some Apple TVs, and the rest is either mobile devices or IoT stuff, like Blu-Ray players, Sonos speakers, smart home hubs and so on. I can't imagine what, on the LAN, could be interfering with a local DNS or DHCP device.

    @TangoOversway said in When is a reboot or reconnect required?:

    What happened? Did that let a cache clear or something like that?

    If you have placed a switch between your device and the pfSense router, then disconnecting pfSense and putting another router with other settings in its place will not be noticed by your device (PC). Things start to "not work" any more.

    What's weird is that when I did that, and put the current firewall back in place, things started to work. Went from "not work" to work.

    A simple

    ipconfig /renew
    

    So maybe my workstation had old info cached and needed a reset? Could that have been a big part of the issue? That when I fixed things, old non-working info was cached or still in use?

    (A GUI equivalent exists.) If it's a Windows device, that will put things back to work.
    Or rip out the Ethernet cable for a second, or deactivate your Wi-Fi radio for a moment.

    That's one I missed - I avoid wifi for stationary devices, so I completely forgot I could try wifi for my workstation.


  • Netgate Administrator

    Unbound, the DNS resolver, is the default setting on any new pfSense install since 2.2 (I think!). It resolves directly against the root servers and 'just works' in the vast majority of cases. However, it can be set to forwarding mode if required.
    DNSmasq, the DNS forwarder, is also included if you are coming from an older version or importing an older config that still has it configured.
    Any of them can be a valid configuration. If forwarding requests to Google DNS works for you, and you understand the privacy implications, then there's no problem with that. It's odd that the resolver appeared not to work reliably, though.

    Steve
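
To make the two Unbound modes Steve contrasts concrete, here is a hand-written unbound.conf fragment. It is an added illustration for this thread, not the file pfSense generates from its GUI; the LAN address 172.16.7.1, the 172.16.7.0/24 range and the 8.8.8.8 / 8.8.4.4 upstreams are assumed. The `server:` block alone is a recursive resolver that walks down from the root servers itself; adding the `forward-zone:` block is what switching the Resolver to forwarding mode amounts to.

```conf
server:
    # Listen on the LAN address only and answer LAN clients only (assumed addresses).
    interface: 172.16.7.1
    access-control: 127.0.0.0/8 allow
    access-control: 172.16.7.0/24 allow
    access-control: 0.0.0.0/0 refuse
    # With no forward-zone below, Unbound is a full resolver: every cache miss
    # starts at the root servers and is chased down to the authoritative server.

# Forwarding mode: with this block present, every cache miss for any name ("." is
# the root zone) is sent to the listed upstreams instead of being resolved from the
# roots. That is the behaviour the poster ended up with when he entered 8.8.8.8.
# Delete or comment out this block to return to resolving.
forward-zone:
    name: "."
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4
```

The security trade-off is the one Steve points at: in resolving mode the upstream that sees every query is the authoritative hierarchy, spread across many operators; in forwarding mode a single third party sees every name the LAN looks up. A forwarder is also only as reachable as the path to that one upstream, so a WAN that cannot carry UDP/53 to 8.8.8.8 fails in a very visible way, while a resolver fails more subtly (some zones resolve, some time out) if the ISP path drops fragmented or large DNS replies. Whichever mode is in use, `dig @172.16.7.1 example.com` from a LAN host, compared with `dig @8.8.8.8 example.com`, shows quickly whether the firewall's resolver or the path beyond it is the part that is misbehaving.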



  • @stephenw10 said in When is a reboot or reconnect required?:

    Unbound, the DNS resolver, is the default setting on any new pfSense install since 2.2 (I think!). It resolves directly against the root servers and 'just works' in the vast majority of cases. However, it can be set to forwarding mode if required.

    Just so frustrating there's something in my LAN that messed it up. But since what I had to do was forward directly to a DNS, it makes me wonder if the issue could be something the ISP router is doing that was creating issues.

    DNSmasq, the DNS forwarder, is also included if you are coming from an older version or importing an older config that still has it configured.

    I think I read that the intent was to eventually deprecate DNSmasq. Is that the case? I have thought that maybe what I should do, since I've since found the old configuration is importable to the new firewall, is take the full configuration (that I did save) and load it to see what would happen. Of course I'd back up the current config so I can switch back to that if needed.

    Any of them can be a valid configuration. If forwarding requests to Google DNS works for you, and you understand the privacy implications, then there's no problem with that. It's odd that the resolver appeared not to work reliably, though.

    I've just subscribed to a good VPN service and found they offer DNS as well, so I may be switching over to that. I'd like to use the VPN full time, but I don't see how I can use a dynamic DNS with that. (And there are several things I want to use that for.)


  • Netgate Administrator

    Yes, DNSmasq is basically included for backward compatibility only. Unbound can also run as a forwarder so it should not be required.

    Most VPN services will not allow you to forward incoming traffic which is what you would usually use dyndns for. But a dyndns client running on pfSense can update to a public IP over a VPN fine.

    Steve



  • @stephenw10 said in When is a reboot or reconnect required?:

    Yes, DNSmasq is basically included for backward compatibility only. Unbound can also run as a forwarder so it should not be required.

    Does that mean that, at some point, it's going to be removed? That was the big reason I didn't want to use it. I wanted to make sure whatever I do on my new firewall is more forward thinking than looking back.

    Most VPN services will not allow you to forward incoming traffic which is what you would usually use dyndns for. But a dyndns client running on pfSense can update to a public IP over a VPN fine.

    Interesting. I did see some indication that, with this VPN (Private Internet Access), that they can provide separate IPs for separate devices on my LAN. I have not yet checked if I can have incoming traffic through them, but I'm not expecting it.

    What's weird is that I followed their directions to add their certificate and right after I added that certificate, and before I set up the VPN, I lost connection with the internet. (The IP Monitor still showed things were good, though.) To me, that's another clue there is just something really weird about my LAN or my situation.


  • Netgate Administrator

    Almost all VPN provider 'guides' will have you send all your traffic (and valuable marketing data) to them and not pass anything to the WAN. It's a bad config in my opinion. Better to default to WAN and specify what to route over the VPN.
    I imagine what happened is you loaded the cert and it reloaded a firewall or NAT rule and effectively null routed your traffic.

    There are no plans to remove DNSmasq as far as I know but it will probably be removed eventually. Unbound can do everything DNSmasq can at this point. It might be possible to just switch most configs during the upgrade scripts. There will be a lot of variants there though. It is sometimes useful to run both services for example.

    Steve
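
Steve's recommendation ("default to WAN and specify what to route over the VPN") is a policy-routing decision, and the difference from the provider-guide layout is easiest to see in pf's own rule language. The fragment below is an added illustration written in plain pf.conf syntax, not the ruleset pfSense generates from its GUI; the interface names igb1 and ovpnc1, the tunnel gateway 10.8.0.1, the LAN range 172.16.7.0/24 and the single host 172.16.7.50 are all assumptions. The provider-guide variant is shown commented out beside the recommended one.

```conf
# Assumed names and addresses; none of these come from the thread.
lan_if   = "igb1"
vpn_if   = "ovpnc1"
vpn_gw   = "10.8.0.1"
lan_net  = "172.16.7.0/24"
vpn_host = "172.16.7.50"     # the one LAN host that should leave through the VPN

# Translation rules precede filter rules in pf.conf. Source-NAT only what enters
# the tunnel; the existing WAN outbound NAT is untouched.
nat on $vpn_if inet from $vpn_host to any -> ($vpn_if)

# LAN-to-LAN traffic (including DNS to the firewall's own 172.16.7.1) must match
# first; otherwise a route-to rule below would push local packets into the tunnel.
pass in quick on $lan_if inet from $lan_net to $lan_net keep state

# Recommended: policy-route only the chosen host through the VPN gateway.
pass in quick on $lan_if inet from $vpn_host to any route-to ($vpn_if $vpn_gw) keep state

# Provider-guide layout (NOT recommended): every LAN packet is forced into the
# tunnel, so if the tunnel is down or the rule is reloaded with a gateway that
# does not exist yet, the whole LAN loses internet access at once.
# pass in quick on $lan_if inet from $lan_net to any route-to ($vpn_if $vpn_gw) keep state

# Everything else follows the system default route, i.e. the WAN.
pass in on $lan_if inet from $lan_net to any keep state
```

The point of keeping the WAN as the default and steering traffic into the tunnel only by explicit `route-to` rules is containment: a broken or half-configured VPN rule then affects exactly the hosts named in it, and the symptom in the poster's account (gateway monitor green, internet unreachable from the LAN) is confined to those hosts instead of looking like a firewall-wide outage.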



  • @stephenw10 said in When is a reboot or reconnect required?:

    Almost all VPN provider 'guides' will have you send all your traffic (and valuable marketing data) to them and not pass anything to the WAN. It's a bad config in my opinion. Better to default to WAN and specify what to route over the VPN.
    I imagine what happened is you loaded the cert and it reloaded a firewall or NAT rule and effectively null routed your traffic.

    Thanks for a good and clear explanation!

    There are no plans to remove DNSmasq as far as I know but it will probably be removed eventually. Unbound can do everything DNSmasq can at this point. It might be possible to just switch most configs during the upgrade scripts. There will be a lot of variants there though. It is sometimes useful to run both services for example.

    Considering that my old firewall is at least a decade old, what are your thoughts on me just loading that configuration in to the new one if I have any other problems? That would use DNSmasq as a forwarder instead of using Unbound as a Resolver, but since there are no current plans for deprecating DNSmasq, that should work for a few years.

    Also, since I'm in an unusual situation, where I'm on cellular broadband, and with an internet router that gives me very little ability to configure it, I've wondered if that's part of the reason I'm having issues and have to forward to a specific DNS server. My hope is to switch to Starlink when it goes active. (Estimates for that have been mid to late fall of this year.) If I'm lucky, that means I'll most likely have a good ISP within a year.

    With that in mind, I'm thinking that if I have problems with my current setup, I may need to just focus on the short term (such as using the Forward with my old configuration) and make changes later, when Starlink is online (assuming I can use it!). I won't change things as they are now, but I'm just keeping that in mind for the future, if something goes wrong.


  • Netgate Administrator

    Theoretically you should be able to import a config from any previous pfSense version. The upgrade scripts are cumulative, so it should be updated to a current version complete with all the required changes when you do.
    It's a relatively easy test. You can roll back to your current config from the console if it fails for some reason.
    If it fails to boot to the console, re-installing entirely is quite fast if you have the install media to hand. Particularly if you put the current config onto it so it boots up ready to go first time:
    https://docs.netgate.com/pfsense/en/latest/backup/automatically-restore-during-install.html

    If your WAN is wireless you should make sure you have tuned the monitoring to match that. It will almost certainly have higher latency and packet loss rates than other WAN types. You might just disable the WAN monitoring action for that gateway to be sure it's not triggering unnecessarily.

    Steve

