4100 ix Flow Control Help
-
@stephenw10 said in 4100 ix Flow Control Help:
Mmm, I would try disabling gateway monitoring as the next test then. You might be triggering some system at the ISP.
If that does stop it happening then try using a different monitoring IP and/or reducing the monitoring ping frequency.
Steve
Aye aye. I think my ISP must have implemented an "overuse" policy on the no data cap plan that I have. I have toned down my Home Assistant's speedtest checks from hourly to only at 6am and 4pm. I think this will skirt the ISP throttling. So far I haven't gotten slowed back down.
I noticed when the ISP slowed my connection that the Waveform Bufferbloat was giving a score of B. I surmised that my connection/hardware was not bandwidth saturated but my ISP has instituted a silent throttling policy. The Terms of Use for Optimum hint that they can do that in very ambiguous terms (bolded section below).
From the Terms of Use for Residential Customers:
Optimum Internet Network Speeds. Subscriber acknowledges and agrees that actual Internet speeds that are experienced at any time will vary based on a number of factors, including the capabilities of Subscriber’s computer equipment, Internet congestion, the performance of network servers and routers, the technical properties of websites visited, environmental factors, the content and applications accessed, the condition of any lines between these two points, and any network management tools and techniques employed by Optimum.
This looks to be a witch hunt where I found the ISP was throttling my connection. The 4100 appears to function fine.
-
Nice!
-
For educational purposes, what does unplugging the WAN cable from interface ix3 do inside of pfsense?
Does pfsense reset anything (e.g., firewall states, or buffers)?
Could a cron job of
```
/bin/ifconfig ix3 down
sleep 30
/bin/ifconfig ix3 up
```
do the same thing?
-
In a second console, SSH access, execute
```
tail -f "all interesting logs"
```
Like
```
tail -f /var/log/system/log /var/log/resolver.log /var/log/gateways.log
```
Now, do your
```
/bin/ifconfig ix3 down
sleep 30
/bin/ifconfig ix3 up
```
or take out the ix3 cable for a moment,
or restart your upstream ISP router.
See what the logs tell you.
-
pfSense does quite a few more things when an interface bounces. It restarts a bunch of services, adds/removes routes etc.
-
@gertjan
I did my best to collect the tails of the logs but my ssh wouldn't allow access even though I was logged in as an admin account. I didn't have 'sudo' installed and 23.05 won't let me install 'sudo' because I am still at 23.01.
Anyways, here's what I collected from the logs via the GUI:
System -> General
```
May 23 06:19:29 php-fpm 48794 /rc.newwanip: Netgate pfSense Plus package system has detected an IP change or dynamic WAN reconnection - x.x.x.x -> x.x.x.x - Restarting packages.
May 23 06:19:02 php-fpm 368 /rc.linkup: Gateway, NONE AVAILABLE
May 23 06:19:02 php-fpm 368 /rc.linkup: Gateway, NONE AVAILABLE
May 23 06:19:02 check_reload_status 405 rc.newwanip starting ix3
May 23 06:19:01 php-fpm 368 /rc.linkup: HOTPLUG: Configuring interface wan
May 23 06:19:01 php-fpm 368 /rc.linkup: DEVD Ethernet attached event for wan
May 23 06:19:01 php-fpm 368 /rc.linkup: Hotplug event detected for WAN(wan) dynamic IP address (4: dhcp)
May 23 06:19:00 kernel ix3: link state changed to UP
May 23 06:19:00 check_reload_status 405 Linkup starting ix3
May 23 06:19:00 php-cgi 8964 servicewatchdog_cron.php: Service Watchdog detected service dpinger stopped. Restarting dpinger (Gateway Monitoring Daemon)
May 23 06:18:35 check_reload_status 405 Reloading filter
May 23 06:18:22 php-fpm 368 /rc.linkup: DEVD Ethernet detached event for wan
May 23 06:18:22 php-fpm 368 /rc.linkup: Hotplug event detected for WAN(wan) dynamic IP address (4: dhcp)
May 23 06:18:21 check_reload_status 405 Linkup starting ix3
May 23 06:18:21 kernel ix3: link state changed to DOWN
```
System -> Gateways
```
May 23 06:19:08 dpinger 8948 send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr x.x..xx bind_addr x.x.x.x identifier "WAN_IPv4 "
May 23 06:18:23 dpinger 90025 exiting on signal 15
May 23 06:18:23 dpinger 90025 WAN_IPv4 x.x.x.x: sendto error: 65
May 23 06:18:22 dpinger 90025 WAN_IPv4 x.x.x.x: sendto error: 50
May 23 06:18:22 dpinger 90025 WAN_IPv4 x.x.x.x: sendto error: 50
May 23 06:18:21 dpinger 90025 WAN_IPv4 x.x.x.x: sendto error: 50
May 23 06:18:21 dpinger 90025 WAN_IPv4 x.x.x.x: sendto error: 50
```
The System -> Resolver/Unbound logs didn't seem informative so I left those out.
@stephenw10
Seems like pfSense could still be having strangeness if pfSense restarts most everything on a WAN ix3 interface down and up toggle.
Edit: Grammars
-
@selfjc said in 4100 ix Flow Control Help:
but my ssh wouldn't allow access even though
Check :
First :
Then :
( I took Putty as an example, any ssh client will do )
Btw : sudo ? why ? pfSense is not really a multi user device.
There is only one 'admin' account. Same login as GUI. That's enough.
If you want to get wild : use :
![f1783846-9efb-41f0-b115-ceda8a0bc5cd-image.png](/assets/uploads/files/1684906559598-f1783846-9efb-41f0-b115-ceda8a0bc5cd-image.png)
Console access will do also. SSH is just handy as you can connect from everywhere from LAN. It's normally the first thing you activate when you start working with pfSense, as it is as important as the GUI access.
Also : I've a 4100, using ix3 as a WAN interface.
When I restart my ISP router, this will trigger several LINK down LINK up events.
The thing is, pfSense won't stop generating itself (the ISP router is up and stable) LINK down LINK up events.
I'm using IPv4 DHCP, IPv6 DHCP, an OpenVPN server.
I've deactivated the gateway action for both interface IPv6 and IPv4.
I saw that ix had flow control activated, I managed to stop that.
The issue isn't important for me, as ISP router and pfSense are UPS powered, and the ISP is quite rock solid with the connection (fibre).
I still have to sit down once, and see why this happens. Maybe the 23.05 will resolve this.
-
@Gertjan
I apologize, I used the wrong terminology of "access" when "permission" is more appropriate. When I log in with my user account that is in the admin group via ssh to pfSense and run your:
```
tail -f /var/log/system/log /var/log/resolver.log /var/log/gateways.log
```
I get this result:
```
tail: /var/log/system/log: No such file or directory
tail: /var/log/resolver.log: Permission denied
tail: /var/log/gateways.log: Permission denied
```
So then I fall back to my linux command line knowledge and try to "sudo" the command (I know pfSense is BSD, peace):
sudo: Command not found.
Then I try to switch user to root via "su":
su: Sorry
pfSense won't allow me to install the "sudo" package because 23.05 has released and I'm still on 23.01. So I resorted to the GUI log views for now.
I also have a UPS powering my pfSense router and my ISP modem along with a few other key networking infrastructure parts (e.g., Unifi AP and Unifi Cloudkey).
It's very interesting that pfSense resets the packages and services on a WAN interface down. This seems to cure the ailment I have of the bandwidth dropping out through the pfSense router. So I'll keep the cron job at 1am to drop (down) the ix3 and ix2 interfaces for 30 seconds and bring them back up.
For anyone interested in investigating pfSense 23.01 dropping WAN bandwidth through the 4100, here are the services running on my instance of pfSense 23.01:
And my installed package status:
For me, after several weeks of disabling individual packages and services to no effect - I am considering the cron job of taking down the WAN interfaces and bringing those interfaces back up a "good enough solution."
For completeness, here's the corrected cron script that runs at 1am to cure the bandwidth drop out every 24-36 hours. Make sure to set the file permissions "0755" (or something with the execute for everyone) if using the Filer package:
```
#!/bin/sh
# Bounce ix3: take it down, wait 30 seconds, bring it back up
/sbin/ifconfig ix3 down
/bin/sleep 30
/sbin/ifconfig ix3 up
# Wait 10 seconds before doing the same for ix2
/bin/sleep 10
/sbin/ifconfig ix2 down
/bin/sleep 30
/sbin/ifconfig ix2 up
```
-
@selfjc said in 4100 ix Flow Control Help:
When I login with my user account
pfSense is not like, for example FreeBSD.
There is only one access, no need to have an 'admin' collection : one guy can handle everything very well.
It's a firewall, not a mail/web/whatever server.
@selfjc said in 4100 ix Flow Control Help:
So I resorted to the GUI log views for now.
So you are not the admin ??
If you are, why make your own life harder ?
SSH access is not some gadget, you need it.
You can of course do the thing that needs to be done : forbid user/password login : go for SSH + Public key only. Forbid any access to LAN, use LAN just for admin activities, Everybody else on another LAN where SSH + GUI access is impossible.
-
Yes some things require the actual admin/root account, not just an account with admin privileges. Packet captures for example.
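
Added example, not part of any post in this thread: a shell function that pairs the `link state changed to DOWN` / `UP` kernel lines from the System -> General excerpt above and reports, per interface, how many bounces occurred and the longest outage in seconds. It expects lines oldest first (the GUI excerpt is newest first); the function names and the ix2 and second ix3 sample lines are constructed for illustration.

```shell
#!/bin/sh
# Assumed input format, as in the thread's GUI log excerpt:
#   May 23 06:18:21 kernel ix3: link state changed to DOWN

link_flaps() {
    # Reads log lines on stdin, oldest first. Prints one line per
    # interface: "<if> flaps=<n> longest_down=<seconds>".
    awk '
    / kernel [a-z]+[0-9]+: link state changed to (UP|DOWN)$/ {
        split($3, t, ":")
        now = t[1] * 3600 + t[2] * 60 + t[3]
        ifn = $5; sub(/:$/, "", ifn)
        if ($NF == "DOWN") {
            down_at[ifn] = now; is_down[ifn] = 1
        } else if (is_down[ifn]) {
            d = now - down_at[ifn]
            if (d < 0) d += 86400      # outage crossed midnight
            flaps[ifn]++
            if (d > longest[ifn]) longest[ifn] = d
            is_down[ifn] = 0
        }
    }
    END {
        for (i in flaps)
            printf "%s flaps=%d longest_down=%d\n", i, flaps[i], longest[i]
    }' | sort
}

sample_log() {
    # First five lines follow the thread's excerpt (reordered oldest
    # first); the remaining four are constructed sample data.
    cat <<'EOF'
May 23 06:18:21 kernel ix3: link state changed to DOWN
May 23 06:18:21 check_reload_status 405 Linkup starting ix3
May 23 06:18:22 php-fpm 368 /rc.linkup: DEVD Ethernet detached event for wan
May 23 06:19:00 kernel ix3: link state changed to UP
May 23 06:19:01 php-fpm 368 /rc.linkup: HOTPLUG: Configuring interface wan
May 23 06:19:40 kernel ix2: link state changed to DOWN
May 23 06:20:10 kernel ix2: link state changed to UP
May 23 06:25:03 kernel ix3: link state changed to DOWN
May 23 06:25:05 kernel ix3: link state changed to UP
EOF
}

sample_log | link_flaps
```

A bounce that nobody scheduled, or a count higher than the cron job accounts for, points at the link itself rather than at the planned 1am reset.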