23.01 install results in no internet

otsego

I've hit a similar issue. Upgraded a Netgate 6100 from 22.05 to 23.01. After the upgrade completes there is absolutely no internet connectivity. Unable to ping 1.1.1.1 or 8.8.8.8. I get an IP on my WAN interface (DHCP from ISP), but the route is stated as "down" by pfSense.

Reverting back to 22.05 through boot environments and it works immediately.

In my case, there is no double NAT, HA or anything like that. Just plain and simple network connection to ISP.

jeff3820

@bmeeks I did try that. I could ping or reach neither...

Read above, I have 2 firewalls...main and backup. with 22.05 I could use my backup in a double NAT to the main firewall...useful when doing testing. With 23.01 using identical configuration double NAT just fails. If I hook my backup firewall to the fiber connection directly it works normally. If I downgrade my backup firewall to 22.05 it will work fine when double NATed. Just weird. SAME CONFIGURATION!

jeff3820

@otsego Different issue because I was able to get a WAN IP.

jeff3820

@stephenw10 said in 23.01 install results in no internet:

Not quite sure what you're doing there but it sounds possible you might have an over matching outbound NAT rule and it's translating all traffic to an IP that's invalid where you are moving it to. That is quite a common mistake in HA setups. Is that possible?

The outbound NAT rules are identical between the firewalls.

FYI, CPU is an i3-7100U

stephenw10

Ah OK so not actually an HA pair?

So the two devices are configured identically?

I'm unsure how you're connecting them in the test configuration. I would expect to see a subnet conflict if it gets a WAN IP in the 192.168.30.0 subnet but also have that on an internal interface.
That can certainly prevent routing correctly.

Steve

jeff3820

@stephenw10 Yes, absolutely identical. Worked with 22.05 though...

Fiber internet---Main firewall---VLAN 30---Backup firewall---PC

stephenw10

But I am correct in thinking that results in two interfaces in the same subnet?

Try disabling the local interface as a test.

jeff3820

@stephenw10 said in 23.01 install results in no internet:

But I am correct in thinking that results in two interfaces in the same subnet?
Try disabling the local interface as a test.

That was it! If I disabled the VLAN 30 interface (the backup firewall had a WAN of 192.168.30.105) on the backup firewall everything started to work properly.

Mystery solved!! Thank you so much.

puneet1984

hello

tried a fresh upgrade..removed old boot env of 23.01, removed ntop package.
upgrade went fine.
but again got the same issue...
-there is net connectivity for 1-2 min after boot and then it goes down.

CPU speed is trottled

Have wireguard and tailscale installed
no HAproxy/openVPN/pfblocker installed

got some logs

PHP ERROR: Type: 1, File: /usr/local/pkg/avahi/avahi.inc, Line: 76, Message: Uncaught TypeError: Cannot access offset of type string on string in /usr/local/pkg/avahi/avahi.inc:76
Stack trace:
#0 /usr/local/pkg/avahi/avahi.inc(129): avahi_write_config(Array)
#1 /etc/inc/pkg-utils.inc(715) : eval()'d code(1): avahi_sync_config()
#2 /etc/inc/pkg-utils.inc(715): eval()
#3 /etc/rc.start_packages(66): sync_package('Avahi')
#4 {main}
thrown @ 2023-02-22 23:18:17



Crash report begins.  Anonymous machine information:

amd64
14.0-CURRENT
FreeBSD 14.0-CURRENT #0 plus-RELENG_23_01-n256037-6e914874a5e: Fri Feb 10 20:30:29 UTC 2023     root@freebsd:/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/obj/amd64/VDZvZksF/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/sources/FreeBS

Crash report details:

No PHP errors found.

No FreeBSD crash data found.
			
Intel(R) Core(TM) i3-6100 CPU @ 3.70GHz
Current: 791 MHz, Max: 800 MHz
2 CPUs : 1 package(s) x 2 core(s)

on V22.05

Intel(R) Core(TM) i3-6100 CPU @ 3.70GHz
2 CPUs: 1 package(s) x 2 core(s)
AES-NI CPU Crypto: Yes (active)
QAT Crypto: No

stephenw10

It looks like you have 3 separate issues there.

A php bug in Avahi.
https://redmine.pfsense.org/issues/14019

A CPU clock speed issue.
Try running sysctl dev.cpu.0 check the reported clock speeds

Some other problem preventing traffic after some time.
You need to determine exactly what's failing there. No route? No DNS? Everything blokcked? Firewall completely unresponsive?

Steve

puneet1984

@stephenw10 said in 23.01 install results in no internet:

Some other problem preventing traffic after some time.
You need to determine exactly what's failing there. No route? No DNS? Everything blokcked? Firewall completely unresponsive?

Steve

can you elaborate with what i need to check / commands to run?

puneet1984

@stephenw10 said in 23.01 install results in no internet:

It looks like you have 3 separate issues there.

A php bug in Avahi.
https://redmine.pfsense.org/issues/14019

A CPU clock speed issue.
Try running sysctl dev.cpu.0 check the reported clock speeds

Some other problem preventing traffic after some time.
You need to determine exactly what's failing there. No route? No DNS? Everything blokcked? Firewall completely unresponsive?

Steve

i am getting this on my 22.05

dev.cpu.0.freq_levels: 800/51000
dev.cpu.0.freq: 800

why is the CPU throttled??

GUI shows

Intel(R) Core(TM) i3-6100 CPU @ 3.70GHz
2 CPUs: 1 package(s) x 2 core(s)
AES-NI CPU Crypto: Yes (active)
QAT Crypto: No

sysctl -a | grep -i cpu

kern.smp.cpus: 2
kern.smp.maxcpus: 256
CPU: Intel(R) Core(TM) i3-6100 CPU @ 3.70GHz (800.00-MHz K8-class CPU)
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
cpu0: <ACPI CPU> on acpi0
hwpstate_intel0: <Intel Speed Shift> on cpu0
hwpstate_intel1: <Intel Speed Shift> on cpu1
<118>Launching the init system...Updating CPU Microcode...
CPU: Intel(R) Core(TM) i3-6100 CPU @ 3.70GHz (792.00-MHz K8-class CPU)
coretemp0: <CPU On-Die Thermal Sensors> on cpu0
CPU: Intel(R) Core(TM) i3-6100 CPU @ 3.70GHz (792.04-MHz K8-class CPU)
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
cpu0: <ACPI CPU> on acpi0
est0: <Enhanced SpeedStep Frequency Control> on cpu0
<118>Launching the init system...Updating CPU Microcode...
CPU: Intel(R) Core(TM) i3-6100 CPU @ 3.70GHz (792.04-MHz K8-class CPU)
coretemp0: <CPU On-Die Thermal Sensors> on cpu0
kern.ccpu: 0
  <cpu count="2" mask="3,0,0,0">0, 1</cpu>
kern.sched.cpusetsize: 32
kern.pin_pcpu_swi: 0
kern.racct.pcpu_threshold: 1
cpu	HAMMER
device	cpufreq
kern.vt.splash_cpu_duration: 10
kern.vt.splash_cpu_style: 2
kern.vt.splash_ncpu: 0
kern.vt.splash_cpu: 0
vfs.ncpurgeminvnodes: 16
net.inet.tcp.per_cpu_timers: 0
debug.cpufreq.verbose: 0
debug.cpufreq.lowest: 0
debug.acpi.cpu_unordered: 0
kdb.enter.default=textdump set; capture on; show registers ; run lockinfo; show pcpu; bt; ps; alltrace; capture off; textdump dump; reset
hw.model: Intel(R) Core(TM) i3-6100 CPU @ 3.70GHz
hw.ncpu: 2
hw.acpi.cpu.cx_lowest: C1

stephenw10

Ah, Ok. It looks like the BIOS is incorrectly reporting the available CPU P-states to the OS. In 22.05 lower P-states are not used unless powerd is enabled in System > Advanced > Misc.
In 23.01 Speed Shift is enabled by default for CPUs that support it. That should only use clock speeds the CPU actually supports but if it's limited in the BIOS it maybe.

I suspect you're just not seeing it reported in 22.05 because powerd is not enabled.

In 23.01 you can disable SpeedShift by setting hint.hwpstate_intel.0.disabled=1 as loader variable. But if the CPU can only use 800MHz it will still be running at that speed and just not reported.

puneet1984

Hello
So i tried updating to 23.01 today again...
but i am getting the same issue.... gateways works for sometime and then it disconnects.

attaching

upgrade log
PPP log - both v22.05 and v23.01
mpd5 status

Logs

ppp logs v22.05

@stephenw10 Also i am unable to post using my backup ISP ... IP banned...
I am using Jio ISP with IP subnet 49.43.x.x.
Please check at your end

puneet1984

@stephenw10
@stephenw10

regarding the CPU speed stuck @ 800Mhz.

It is a Dell issue...
i changed power supply of dell optiplex 3050 micro and bios is not recognising it so it is activating something called as BD PROTHOT which makes the cpu run at the lowest possible freq.
Thus i want to know is there any way that can be disabled using a script in bsd.

Please check this askubuntu-link and this link

stephenw10

The PPPoE link is going down because the remove side is closing it:

Mar 11 00:24:05	ppp	35096	[wan_link0] LCP: state change Opened --> Stopping
Mar 11 00:24:05	ppp	35096	[wan_link0] LCP: rec'd Terminate Request #243 (Opened)
Mar 11 00:17:03	ppp	35096	[wan] IFACE: Add description "WAN"
Mar 11 00:17:03	ppp	35096	[wan] IFACE: Rename interface ng0 to pppoe0

You might be able to manually change those MSRs using cpuctl.

puneet1984

@stephenw10

yes the remote site is closing it...but why?? on 22.05 this is not happening.

what commands to put in for MSR and cpuctl?
i am a not technical person and not a engineer with coding skills.

stephenw10

@puneet1984 said in 23.01 install results in no internet:

what commands to put in for MSR and cpuctl?

I don't know, it's not something I've ever had to try. Those links you posted above seem to list the registers used by the throttling though.

puneet1984

@stephenw10

thanks for the help...
i am a not technical guy and trying to setup a home lab for my self as a hobby...
hope some one in the forum will know the know-how and might help..

Also regarding the WAN disconnection from the remote side do you have any idea why this is happening or what i can do more to diagnose the problem.
because the WAN is not working, i am unable to upgrade to 23.01 and thus i am not able to install any packages in 22.05...
i am really in a fix...dont know what to do next.
i am afraid that if i do a fresh clean install of 2.6 CE and then upgrade it to 23.01 the issue might persist and i will be wasting a whole lot of hours and gaining nothing.
i think netgate should not discontinue older versions and their package support atleast for like 3-4 months after releasing a new version, so that guys like me can alteast enjoy using the pfsense on older versions when newer versions do have unexplainable bugs.

also my IP still banned from the community...please ask the IT incharge to look into it.. netgate should not ban legitimate ISP ip range.

stephenw10

That IP range is in a subnet that's blocked because it's a source of mostly spam. I'm not sure we can exclude individual IPs within that.

You can continue to use 22.05 for some time. The pkg repos will remain available.

Steve