2.4.5p1 -> 21.02_1 on SG-3100 -- LAN traffic dropped
-
This weekend I decided to try the 21.02_1 upgrade after the fiasco with 21.02. It failed again, and I had to revert to 2.4.5p1 again (painfully, because I didn't initially realize I had to switch the Update Settings back to the 2.4.5 branch explicitly, much less before any packages were reinstalled).
The packages I had installed were: Avahi, aws-wizard, Cron, ipsec-profile-wizard, openvpn-client-export and pfBlockerNG-devel. Same as with 2.4.5p1 but with the latest versions from 21.x branch.
My config also makes heavy use of VLANs and a few floating firewall rules.
At first, my main computer on the LAN interface could not get an IP. I saw no errors on the console or the DHCP logs. After a few reboots with no changes I was able to get an IP and use the webUI.
Through the webUI, I could use the internal tools to look up and ping hosts on the Internet. However, any attempt to do so from my computer on the LAN failed. Nothing appeared in the firewall rule logs and packet traces revealed nothing.
I even tried the initial 21.02 trick of limiting the CPU usage to 1 in the loader.conf.local.
It simply would not work. So I downgraded.
Is anyone successfully running 21.02_1 on an SG-3100? Is anyone else experiencing similar issues? Suggestions for debugging / troubleshooting?
-
Hi,
One easy suggestion:
Install the 21.02_1 upgrade - do so after you reset to default. Change nothing, just upgrade to 21.02_1.
It should work - as Netgate itself is testing using default settings. As far as I know, they have a lot of 3100 devices ^^ And something tells me they tested the "3100" thoroughly. Now, import - or set them up manually - only your interfaces - and if OK, import - or set them up manually - only your VLAN settings.
Do testing after each step.
Add firewall rules. Avahi - cron - openvpn-client-export packages are harmless: they don't do much on the system.
pfBlockerNG-devel shouldn't change your system either: just deactivate it if in any doubt.
-
@gertjan I'm in the process of testing. At first the upgrade without any added packages but with all my VLANs and firewall rules ran just fine. But on reboot traffic across the LAN was dead again (despite being given an IP via DHCP).
I have now reset to factory default settings, which survived a reboot, and will be adding things back in one by one to see if I can isolate the problem. But this is really frustrating.
-
@bldnightowl said in 2.4.5p1 -> 21.02_1 on SG-3100 -- LAN traffic dropped:
pfBlockerNG-devel
"SG-3100 doesn't pass traffic after upgrade to 21.02" was fixed in p1, but "PHP exit with sig 11 on SG-3100" is still an issue on several packages, on SG-3100. Note the latter also links to "SG-3100 with pfBlockerNG doesn't pass traffic" and "Suricata can trigger PHP crash on SG-3100".
TL;DR: PHP is still crashing on that 32-bit ARM CPU. But if it's a PHP bug then PHP needs to fix...
-
@steveits Thanks.
I did see a core dump for php-fpm, but I don’t think I was running pfBlockerNG yet. Are there other things that use it?
And why doesn’t this cause a problem with 2.4.5p1?
Bottom line - I can’t live without pfBlockerNG(-devel). I’ll have to go back to 2.4.5p1 again until this is fixed.
-
I'm not involved in the dev but I am a programmer. Reading the reports it sounded like the preg_match() function could trigger it reliably for example, but only in certain circumstances. The pfSense web GUI is PHP but that fortunately doesn't trigger the crash.
Not an issue on prior versions as that was an older version of PHP.
We have a bunch of SG-3100s at clients. I'm hoping it won't take long to get Zend/PHP's attention for an issue that happens on one CPU family. My non-expert expectation... PHP releases updates monthly, so we'll have to wait for it to get fixed, then a period of testing before a new pfSense release.
-