Reboot of an Alix Pfsense



  • I have an Alix Pfsense 1.2.2 box, with 3 LAN cards.
    It serves a DMZ with 3 servers (IBM 346); the other 2 LANs are the internal LAN & a 4 Mbit HDSL connection.
    In the DMZ are 2 application servers (Tomcat & Jboss) and a DBMS machine (Oracle).
    The application has been working for a month now, so I linked these servers to our central backup server (Bacula).
    I prepared the necessary filter exceptions, and I scheduled a nightly backup.
    But nearly 5 minutes after the beginning of the backup (I think, from watching the logs), the Alix rebooted. I don't have an external syslog, so I don't know the logs before the reboot.
    Now, I know the Alix cannot use the full connection to the link (100 Mb) to the LAN, but as far as I know I can expect a slow backup, but a working one.
    Do I have to use more powerful HW?
    Are there some configs I can do?

    Thanks in advance


  • Banned

    ALIX is for home users…... ;D

    It does not belong in a production environment. At least I don't think so.... I bet it cannot sustain this kind of transfer speed, and therefore reboots due to heat problems.

    If you have hardware mounted in a rack, I would suggest an IBM Xseries 335 or 336, or maybe a 345 as a PFSense box. I have 2 running flawlessly, easily capable of sustaining 100mbit both ways. The only problem I have seen is related to the CF cards I have used, but the problem diminished a lot when switching to a faster CF card from Kingston (8GB/X266)... It uses more power than an ALIX, but I would have the performance over the savings any day!



  • @Supermule:

    ALIX is for home users…... ;D

    It does not belong in a production environment. At least I don't think so.... I bet it cannot sustain this kind of transfer speed, and therefore reboots due to heat problems.

    Bull$hit. I have deployed dozens of Alix boxes in corporate environments and they have been as solid as any Cisco gear in the field. That being said, they have their place and may not be appropriate for some situations. A high-throughput enterprise environment should have high-throughput enterprise hardware.

    To the OP,
    If you can, try to log to a remote computer. Better yet, connect to the console when the backup runs.
    The most common problems I've had have been solved by getting the latest BIOS, a new cf card, or a new/bigger power supply. You may want something more powerful for high DMZ>LAN throughput, but the Alix shouldn't reboot just because you are slamming it. An Alix in a properly ventilated area should not have heat problems, but if you stick it in the back of a poorly cooled rack, you might have problems.



  • I have to agree with dotdash. I have deployed several Alix systems across medium to large corporations and they are rock solid.



  • Tried to set up an external logfile. The connection graph showed 10 sec. of traffic (12 MB), then a lock. Nothing on the external logserver.
    Tried an IBM 335 (I had one sitting in a corner). Same version, same config.
    A complete backup, 120MB. I will try again, with another Alix & serial console, but maybe the brute force…


  • Rebel Alliance Developer Netgate

    If you are running 1.2.2 or before (or even some early 1.2.3-RC2 or earlier snapshots) you are probably hitting the watchdog timeout.

    There is a hardware watchdog timer and when the ALIX gets really busy, it can't distinguish between a hardware lockup and an extraordinarily high CPU load.

    Current nanobsd snapshots have disabled the watchdog so it should not reboot, but in times of high usage you will not be able to access some services such as the WebGUI.

    ALIX boxes work fine in all kinds of production environments, as long as you know their limits and ensure that you do not exceed them.


  • Banned

    But sometimes you are not in control of the load on the firewall… DoS attacks and other things can bring the Alix down a lot quicker than an IBM 335/345....



  • IMO for this to be an issue, you have to be on an internet connection with quite a bit of bandwidth.
    As dotdash said:

    A high-throughput enterprise environment should have high-throughput enterprise hardware.

    Here are some performance measurements:
    http://forum.pfsense.org/index.php/topic,12766.0.html

    The test seems to be set up in a pretty basic way.
    Not a lot of rules.
    I wouldn't use the ALIX in environments where you have to push more than 50Mbit in both directions together.
    Certainly not to route between two 100Mbit networks.



  • As I said, what I need is a FW that serves a slow internet connection (2MB), and for this the Alix was perfect. What surprised me was the reboot, not the speed of the backup (I can wait the whole night for it).
    What Jimp said looks interesting to me, I will try it.
    I trust the Alix (I have lots of these serving as FW and OpenVPN endpoints and they are working well).
    I will report back.

