PFBlockerNG and the reboot/no Internet problem
-
I can see from the forums that with pfsense devices that don't have the ssd drives, it appears that after a reboot and with pfblockerng enabled, internet appears to not work. Has anyone found a fix for this problem?
-
Hi John,
How did you reboot? from the GUI menu, console, power-cycling?
Is that really all that you did, or did you make any change prior to rebooting?
What do you mean by "internet appears not to work"; what are the exact symptoms? Have you tried to ping your favorite website? (ping forum.netgate.com :)
Can you still access the Web Configurator?
Have you looked at the system log files? firewall logs, etc? If not, dig into those looking for errors and look up the errors if they don't ring a bell to you. Solving a problem with a specific error will be much easier than guessing at why the internet doesn't work.
Let the forum know that you have drilled down and tried to solve the problem yourself, and provide the results of your investigation. I think you'll find more people willing to jump on and contribute their time this way.
Good luck! -
@billl thanks for responding. I did reboot the unit by unplugging the power to the SG-1100. When it comes back up, site to site vpn traffic appears to be fine, but anything destined to the internet simply doesn't go. No ping, dns, etc. When I disable pfblockerng, internet traffic starts to work. When I re-enable pfblockerng, internet traffic continues to work.
As far as looking at any logs or files, the answer would be that I'm not certain what I should be looking at. I don't really have a good grasp of what to look for in this case. I don't know much about the cli as many of you do, so I'm not sure where to start there. Any guidance would be appreciated. -
@John-Joseph I would recommend against rebooting by power-cycling. You could leave the file system in a messed-up state (to use a technical phrase :), and I suppose that might have something to do with what you are seeing. Even if it doesn't, I think it is generally a bad idea. You can reboot the system in a controlled fashion using the console or the GUI (Diagnostics/Reboot).
I'll guess that you are able to access the Web Configurator.
I would be looking in the following:
- Status/System Logs/System/General
- Status/System Logs/System/Gateways (probably first go to Status/Gateways and see if it says "Online")
- Status/System Logs/System/DNS Resolver
- Status/System Logs/Firewall, especially for any entries that include "warning" or "error"
When you say "no ping, dns" does that mean you are unable to ping using a FQDN? Did you try to ping using an IP? How did you determine that you have no DNS?
Are you using pfBlockerNG to establish block lists or pass lists? I think that would make a big difference. If you need pfBlockerNG for pass lists that support rules letting you reach the internet, maybe that could be your problem. If you are only using pfBlockerNG for deny lists, then I'd think a different mechanism is in play.
These pages, along with your related rules, may help illuminate what you have in play regarding pfBlockerNG:
Firewall/pfBlockerNG/Alerts
Firewall/pfBlockerNG/Logs/Log Files
ip_block.log or ip_permit.log (depending on your configuration), and dnsbl.log
Note that sometimes you have to select the log file name twice before it shows up. Sometimes hitting the recycle icon helps also. You may have better luck with Chrome than Safari with this stuff.
Your firewall logs may help you a lot, depending on how you have logging set up. For the purpose of getting to the bottom of this, you may want to set some rules to log, and you may even want to cook up some rules that you otherwise wouldn't use, to have them log. Floating rules that filter on key aspects but are only set to "match" plus log, are an approach that I sometimes take; it can lead to a "doh!" moment, prior to diving into packet captures :)
Good luck,
Bill -
@billl thank you. I appreciate the guidance. I'll look into these things. My biggest issue with this is that all of my SG-1100s and SG-3100s do this. I'm not saying this happens when you shut it down gracefully (which I never do since they are in production and "just run"), but it just seems odd that all of them (around 20 or so) do this. All I use pfblockerng for is the geolocation blocking of foreign countries.
As far as researching this issue, I have seen other people talk about this, but no one gives any kind of real resolution. It's just left me stumped at this point. I'll continue to dig down, but if anyone has had this happen to them also, I'd like to hear what you did to resolve it. -
@John-Joseph said in PFBlockerNG and the reboot/no Internet problem:
I did reboot the unit by unplugging the power to the SG-1100
That's a last resort action.
Do the same thing with your Windows 10 PC, or Mac, and very soon they will not boot any more. There is a special video that shows what can happen, and what can be done about it.
https://www.youtube.com/watch?v=4DKr1Dvan5I
Golden rule: systems with complex file systems should never be power cycled. It's plain bad.
Btw: your smart coffee machine can be power cycled as everything runs from ROM = read only memory.
-
Guys, I want you to know that I appreciate you taking the time to respond. However, I have power cycled these netgate units and never had an issue. Honestly, it's not logical that rebooting a unit would make pfblockerng block internet traffic. This problem seems to be common, especially since all my units in the field appear to be doing this. You can see other people in the forums experiencing this also, with no apparent resolution. I know that you guys are probably more well versed in the pfsense firewall than I am, which is why I'm here asking for help. However, comments like I should never power cycle a unit aren't really helpful. I'm probably not going to get any help out of this because of this particular post, but I'm not really getting any resolution anyway. I think the whole point of these forums IS to help others and not be a "high and mighty" "I'm not helping you until you become more like me" kind of response. In fact, this kind of forum IS for people looking to find answers. Again, I know this response is going to turn most, if not all of you, away from helping me. But again, I'm not really losing much here.
I'm not saying this out of anger. I'm just expressing some thoughts here. I'm not really a pfsense expert. And please don't comment back and say "I need to hire a pfsense tech then". I am the technical guy. I just don't know how to resolve this problem.
If there is anyone who has experienced this issue, I'd really like to hear from you, as this is affecting several companies and I'm at the point of just not wanting to use pfsense anymore. -
@John-Joseph Hi John, I don't think anyone meant to be "high and mighty" by recommending against power-cycling a server; I think it is just meant to be generally good (and actually is really helpful) advice for any server that could possibly be writing to disk when the power gets cut (I have personally learned this the hard way).
With consideration to your statement "I'm not saying this happens when you shut it down gracefully", you can probably easily imagine that further response from most volunteer contributors will be crickets :)
I asked you for information that I thought would be helpful in trying to identify your problem, but most of my questions went unanswered. As I also suggested, "let the forum know that you have drilled down and tried to solve the problem yourself, and provide the results of your investigation. I think you'll find more people willing to jump on and contribute their time this way".
I still encourage you to provide answers to all of those questions, research all of the suggested logs and post what you find. Maybe that will nudge someone else with time to get involved.
With luck, you will eventually be able to help those other people that you have seen talking about this but with no resolution.
Good luck!
Bill -
I wanted to update on the resolution to this problem I had. I didn't want to post a problem and leave it the way this thread went. It turned out that pfblockerng-devel was my problem. Even though it was disabled both in the general tab and dnsbl, when I uninstalled the package, performance went to normal internet speeds. I tested and verified performance before anything was touched, and after I uninstalled it. I put the older version on and it did not affect my performance. I enabled what I wanted and was still good. I'm not sure why this was the issue, but all appears to be good now.