    pfSense becomes unresponsive

    General pfSense Questions
    • A
      AmaanX5A last edited by

      Hey,

      Can anyone please tell me what's going on? I built my pfSense router using an HP t730 thin client and I'm using an Intel i350 quad port ethernet card.

      igb0 -> WAN
      igb1 -> LAN1
      igb2 -> LAN2
      igb3 -> LAN3
      bridge0(MySwitch) -> All LANs

      logs.txt: it happened when the igb1 link was having ups and downs and when it was "reloading filters".

      Please find the attached log files. I woke up in the morning and restarted the router, so there is a skip of hours of logs; you'll see the time.

      • G
        Griffo @AmaanX5A last edited by

        @amaanx5a Are you trying to use pfsense as a switch? Don't.

        If not, you might want to start with saying what you are trying to achieve, how you've configured it, and what's plugged into those ports downstream.

        • Gertjan
          Gertjan @AmaanX5A last edited by

          Sorry, we weren't there either.

          The boot starting from

          Jan 28 09:10:39		syslogd			kernel boot file is /boot/kernel/kernel
          

          is completely clean & normal, as it would show the same thing since the first time you booted pfSense right after the initial install.
          As too much info kills the info, it would do what the booting (== Intel) asks you to do :

          Jan 28 09:10:39		kernel			ipw_bss: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf.
          

          Take a copy of a known good boot as a reference, and you'll know when to spot a different line when things go bad.

          The part where igb1 goes up and down - and take note : only igb1 - says to me that the device on the other side of the line had power issues. Or that cable is bad. Bad plugs ? Whatever. We can't tell what happened - as nobody knows where the installation is and you use to monitor.
          pfSense power issues would have had an influence on all interfaces & pfSense itself.

          IMHO (so I'll be wrong probably) bridging interfaces on a NIC is from a programming point of view a severe jack. As all packets have to go through the entire NIC driver, and a part of the kernel, to go back in the driver again.
          Possible to use a 4 port 5$ switch - and use one slot on your NIC ? ( and don't take igb1 now ^^, take igb1 1, 3 or 4). Just to exclude a possible issue with the NIC.

          • A
            AmaanX5A @Griffo last edited by

            @griffo Not using the pfSense system as switch to be exact, let me explain:

            My ISP provides the internet using PPPoE, that Ethernet is plugged into igb0(WAN).

            Remaining 3 interfaces igb1, igb2, and igb3 are bridged.

            1- My Wireless router running as AP is connected to igb1 (All PCs, Laptops and Mobiles connect to it).
            2- My Synology DS218+ is connected to igb2.
            3- Nothing connected on igb3 for now.

            So technically, I'm not using my pfSense as switch as a whole, I'm using it as a normal Wireless Router (Wireless functionality is being achieved using Tenda AC6 AC1200 plugged into pfSense(igb1) as AP) that has 1 input WAN and remaining as LANs

            Nothing complicated to achieve, just a Wireless router with more functionality and control over my home network and fun, that's all

            • Gertjan
              Gertjan @AmaanX5A last edited by Gertjan

              @amaanx5a said in pfSense becomes unresponsive:

              Remaining 3 interfaces igb1, igb2, and igb3 are bridged.

              These 3 behave now as a switch (or worse : a hub ?).

              See the manual about bridging. First paragraph.

              edit : of course you did not bridge all the interfaces, as it couldn't be a router any more.
              You've created a rather expensive switch in that case.

              • A
                AmaanX5A last edited by AmaanX5A

                @gertjan It's a bridge, at least I know what switch is XD, yes bridged three interfaces, the fourth is WAN(igb0). I followed this tutorial to make one:

                https://www.youtube.com/watch?v=bz45r_4BREw

                There is however a difference in rules of what I have and what the above video has:

                My LAN1(igb1) Firewall > Rules:
                MyLan.jpg

                LAN1(igb1) Firewall > Rules in the video:
                videoLan.JPG

                Everything is exactly the same, also the MySwitch(bridge0) rules.

                • JKnott
                  JKnott @Griffo last edited by

                  @griffo said in pfSense becomes unresponsive:

                  Are you trying to use pfsense as a switch? Don't.

                  I fail to understand why people try to make a switch with pfsense, when real switches are so cheap.

                  • Gertjan
                    Gertjan @JKnott last edited by

                    @jknott said in pfSense becomes unresponsive:

                    I fail to understand ....

                    Minimal power and or space constraints ?
                    Like sending up stuff to IIS.

                    • JKnott
                      JKnott @Gertjan last edited by

                      @gertjan

                      There may, of course, be special situations, but that's not the impression I get around here. I wonder how much of a need there is for a firewall on the space station. 😉

                      • A
                        AmaanX5A @JKnott last edited by

                        @jknott You are right, I guess people are dumb if they are using a whole pfSense system as just a switch, but maybe you have failed to understand what people and I need:

                        A switch doesn't have rich functionalities and control over network and packages to install like pfSense, I'm using this entire system as a router and not just switch. Switch part is just the thing to bridge all the 3 remaining LANs on a quad port ethernet card to get the same subnet IP rather than using a separate switch.

                        I've a question, I might be wrong because I guess I don't understand if it affects the network speed or not:

                        Which scenario will outperform:
                        1- Bridged 3 LANs on a same quad port Intel ethernet card (Separate port for Media Server, AP and a Gaming PC)

                        OR

                        2- A switch takes an input from LAN1 and all the devices are connected to that switch like AP, Media Server and Gaming PC (A single port to handle all traffic)

                        • Gertjan
                          Gertjan @AmaanX5A last edited by

                          @amaanx5a said in pfSense becomes unresponsive:

                          Which scenario will outperform:
                          1- Bridged 3 LANs on a same quad port Intel ethernet card (Separate port for Media Server, AP and a Gaming PC)
                          OR
                          2- A switch takes an input from LAN1 and all the devices are connected to that switch like AP, Media Server and Gaming PC (A single port to handle all traffic)

                          Good question !
                          I'm saying this because I was asking the same one to myself.
                          ( well, that doesn't make the question better but it's funny to see your own thoughts being typed out by another person )

                          I guess even a simple low bud switch is faster using far less power, as it uses a simple ASIC type chip-switch using a bunch of serial ethernet frame shifters, and a direct RAM lookup table for the known MAC to check to which port the packet should be forwarded to. It could even start doing so as soon as the Ethernet header, where the MAC destination part resides, has been received.

                          While the pfSense bridge mode has to :

                          @gertjan said in pfSense becomes unresponsive:

                          As all packets have to go through the entire NIC driver, and a part of the kernel, to go back in the driver again.

                          which means : many, many CPU cycles - and traffic over the PCI lane, etc.

                          Btw : this is me thinking out loud of course.

                            • A
                              AmaanX5A @Gertjan last edited by AmaanX5A

                              @gertjan @jknott @griffo Hi, I've an update:

                              Completely formatted the drive, reinstalled the pfSense, not bridging the LAN, OPT1 and OPT2 this time, no complications at all, using a Switch that takes input from igb1 and all devices are plugged into it. Changed all the plugs (just in case), it was not a power failure neither this time nor previously because when the pfSense system got unresponsive, I checked the power light, it was ON and not off.

                              Recorded a log file, this time no up down on igb1 but something different, finally it was "reloading filters" and a skip of minutes of logs when I forcefully turned off the pfSense system and booted it up again.

                              Please find the attached file: logs2.txt

                              • Gertjan
                                Gertjan last edited by Gertjan

                                Is this you :

                                php-fpm	351		/index.php: Successful login for user 'admin' from: 10.1.1.6 (Local Databas
                                

                                ?

                                Then what is this :

                                Jan 29 19:09:36		php-fpm	351		/index.php: webConfigurator authentication error for user 'admin' from: 10.1.1.6
                                

                                ? What were you doing ? Is your device that you log in to pfSense doing on port 22 ?

                                Who is this :

                                Jan 29 18:01:51		php-fpm	351		/index.php: User logged out for user 'admin' from: 103.255.7.43 (Local Database)
                                

                                You log in from WAN ? ( serious ??? )

                                A Gertjan 2 Replies Last reply Reply Quote 0
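An added example (not from the thread or from pfSense itself): a small Python audit over webConfigurator log lines in the format quoted above, flagging GUI sessions from outside the LAN and repeated authentication errors. The LAN network 10.1.1.0/24, the failure threshold, the function names and the sample lines (which use documentation-range addresses) are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the LAN is 10.1.1.0/24 (the thread only gives 10.1.1.2 - 10.1.1.50).
# Explicit membership is used instead of ip.is_private, which also covers
# special-purpose ranges that are not part of this LAN.
TRUSTED_NETS = [ipaddress.ip_network("10.1.1.0/24")]

# The three webConfigurator messages quoted in the thread.
EVENT_RE = re.compile(
    r"/index\.php: (?P<event>Successful login|User logged out|"
    r"webConfigurator authentication error) for user '(?P<user>[^']*)' "
    r"from: (?P<ip>[0-9A-Fa-f:.]+)"
)
TS_RE = re.compile(r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s")


def parse_line(line):
    """Return a dict for a webConfigurator auth line, or None for anything else."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None  # address field is not a valid IP, nothing to classify
    ts = TS_RE.match(line.lstrip())
    return {
        "ts": ts.group("ts") if ts else None,  # None when the timestamp is cut off
        "event": m.group("event"),
        "user": m.group("user"),
        "ip": str(ip),
        "trusted": any(ip in net for net in TRUSTED_NETS),
    }


def audit(lines, max_failures=3):
    """Return (kind, timestamp, ip, user) findings for a list of log lines."""
    findings = []
    failures = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["event"] == "webConfigurator authentication error":
            failures[ev["ip"]] += 1
            # Report once, when a source reaches the threshold.
            if failures[ev["ip"]] == max_failures:
                findings.append(("repeated-auth-failure", ev["ts"], ev["ip"], ev["user"]))
        elif not ev["trusted"]:
            # A login or logout from outside the LAN means the GUI is
            # reachable from that address and a session existed.
            findings.append(("gui-session-from-untrusted", ev["ts"], ev["ip"], ev["user"]))
    return findings


# Constructed sample lines in the format shown in the thread; the non-LAN
# addresses are documentation-range placeholders, not values from the logs.
SAMPLE_LOG = """\
Jan 29 17:58:02\t\tphp-fpm\t351\t\t/index.php: Successful login for user 'admin' from: 10.1.1.6 (Local Database)
Jan 29 18:00:10\t\tphp-fpm\t351\t\t/index.php: Successful login for user 'admin' from: 203.0.113.7 (Local Database)
Jan 29 18:01:51\t\tphp-fpm\t351\t\t/index.php: User logged out for user 'admin' from: 203.0.113.7 (Local Database)
Jan 29 19:09:36\t\tphp-fpm\t351\t\t/index.php: webConfigurator authentication error for user 'admin' from: 10.1.1.6
Jan 29 19:09:40\t\tphp-fpm\t351\t\t/index.php: webConfigurator authentication error for user 'admin' from: 198.51.100.9
Jan 29 19:09:42\t\tphp-fpm\t351\t\t/index.php: webConfigurator authentication error for user 'admin' from: 198.51.100.9
Jan 29 19:09:44\t\tphp-fpm\t351\t\t/index.php: webConfigurator authentication error for user 'admin' from: 198.51.100.9
Jan 29 19:10:00\t\tkernel\t\t\tigb1: link state changed to UP
""".splitlines()

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

A single failed login from a LAN address stays below the threshold and is not reported; any session event from an address outside `TRUSTED_NETS` is.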
                                • stephenw10
                                  stephenw10 Netgate Administrator last edited by

                                  A separate switch will outperform bridged interfaces every time.

                                  The firewall still has to read that traffic, process it and send it back out on all the interfaces. All of that requires CPU cycles.

                                  The only reasons you should be using bridged interfaces like that are if you need to filter traffic between network segments that are in the same subnet. Or if you have spare interfaces and nothing better to do with them. 😉 But only, of course, if you are aware that doing so uses CPU cycles. I have used ports for occasional management access locally at the firewall for example.

                                  But that's not the cause of your issue.

                                  Just how unresponsive is it? How are you testing that?

                                  Do you see any response from ctl+t at the console?

                                  Does the keyboard caps-lock led still work?

                                  With nothing logged at all like that and no crash report it starts to look like a hardware issue.

                                  Steve

                                  • A
                                    AmaanX5A @Gertjan last edited by

                                    @gertjan All requests are from me, both LAN and WAN:

                                    LAN to login into pfSense
                                    WAN to check if the rule for remote management is working or not

                                    Any abnormality? Please point out because I don't see any

                                    I've IP range from 10.1.1.2 - 10.1.1.50, I feel comfortable with it

                                    • Gertjan
                                      Gertjan @AmaanX5A last edited by

                                      @amaanx5a said in pfSense becomes unresponsive:

                                      Any abnormality? Please point out because I don't see any

                                      Yep, one - a big one :

                                      WAN to check if the rule for remote management is working or not

                                      Apply this one :

                                      Never ever open SSH on WAN.
                                      

                                      There are better ways, like VPN, IPSEC, the upcoming WireGuard.

                                      • A
                                        AmaanX5A @stephenw10 last edited by

                                        @stephenw10

                                        The firewall still has to read that traffic, process it and send it back out on all the interfaces. All of that requires CPU cycles.

                                        Even if I use a switch?

                                        or if you have spare interfaces and nothing better to do with them

                                        That was the reason for not installing the switch and bridging the spare ones but people here scared me XD and now I'm using a separate switch

                                        Just how unresponsive it is, how are you testing that?

                                        I've noticed that most of the time, the last log is "reloading filters" and then I can't connect to the internet, can't even access the webconfigurator or NAS on the same network, then I go to see my pfSense and the CPU light is turned on, but if I press the power button, it does not turn off after minutes, so I long-press the power button to forcefully shut it down and power up again.

                                        Usually it takes 5-7 seconds to properly turn off if it is not unresponsive.

                                        With nothing logged at all like that and no crash report it starts to look like a hardware issue.

                                        I made some hardware changes but don't know exactly what helped and it didn't happen since last night, I've been checking the whole night from hour to hour and now I just checked again from a remote location, it's still UP and running, usually it gets unresponsive after a couple of hours, changes I made are:

                                        1- I pulled out a 2GB RAM and now only one 2GB stick is installed
                                        2- I was using a 4 wire ethernet cable from LAN1(igb1) to the switch (it came with my Tenda Wireless Router) I changed it to a better one with all wires in it but I just realised I was using all wire cables before installing a switch (pfSense to AP and NAS) and the problem was still there. 🙄

                                        Do you see any response from ctl+t at the console?
                                        Does the keyboard caps-lock led still work?

                                        I never referred to the console after it gets unresponsive, till now, but I will if it happens again, hopefully it won't 🤲🏼

                                        • A
                                          AmaanX5A @Gertjan last edited by AmaanX5A

                                          @gertjan

                                          Just exactly which log says I logged in from a remote location using port 22?

                                          I never did that 🤔🤔🤔

                                          I only remember turning the HTTPs on for remote access and not the SSH and I logged in using HTTPs

                                          • Gertjan
                                            Gertjan @Gertjan last edited by

                                            @gertjan said in pfSense becomes unresponsive:

                                            Jan 29 18:01:51 php-fpm 351 /index.php: User logged out for user 'admin' from: 103.255.7.43 (Local Database)

                                            Then this was you from LAN using your WAN IP ?
                                            Ok if you have no SSH NAT rules on WAN ....

                                            • A
                                              AmaanX5A @Gertjan last edited by

                                              @gertjan

                                              Yes this is me from WAN 443, and there is only one rule in my Firewall>Rules that I added using this post:

                                              https://www.joe0.com/2019/11/11/how-to-implement-remote-management-in-pfsense-2-4-4-by-using-a-duckdns-dynamic-dns-domain/

                                              Other than that, my pfSense system is totally stock and I guess there is no SSH remote enabled on pfSense out of the box

                                              • Gertjan
                                                Gertjan @AmaanX5A last edited by Gertjan

                                                @amaanx5a said in pfSense becomes unresponsive:

                                                https://www.joe0.com/2019/11/11/how-to-implement-remote-management-in-pfsense-2-4-4-by-using-a-duckdns-dynamic-dns-domain/

                                                This :

                                                STEP 3 – Allow remote access to WAN port 443
                                                

                                                combined with this :

                                                Source: Any (or restrict by IP/subnet)
                                                

                                                is exactly the reason why you should never do that.
                                                The pfSense WebGUI isn't meant to be "open and visible" to the entire Internet. It's a major security flaw.

                                                Use OpenVPN for that.

                                                (edit : same thing for the SSH port)

                                                • stephenw10
                                                  stephenw10 Netgate Administrator @AmaanX5A last edited by

                                                  @amaanx5a said in pfSense becomes unresponsive:

                                                  The firewall still has to read that traffic, process it and send it back out on all the interfaces. All of that requires CPU cycles.

                                                  Even if I use a switch?

                                                  No, if you use a bridge as a switch.
                                                  There is a common misconception that bridging somehow requires less CPU cycles and won't affect firewall performance for some reason. Not really sure where that comes from but just to be clear it does. 😉

                                                  If you use a switch the traffic never goes through the firewall and it can happily use all its CPU cycles for more important things like VPNs.

                                                  And, yes, use OpenVPN for remote access if you can. At the very least move your webgui to a different port to reduce the drive-by connection attempts.
                                                  https://docs.netgate.com/pfsense/en/latest/recipes/remote-firewall-administration.html

                                                  Steve
