Local clients don't get Router / gateway address - intermittent

Cabledude

Very weird issue. Once every so many days, local clients stop getting network connectivity.

Symtoms:
A device (e.g. laptop or phone) connects (WiFi or wired), gets IPv4 DHCP:

• IP (according to static mapping if available)
• subnet mask
• NO router info (blank)

Issue occurs on all VLANs and LAN
"always on" devices such as NAS boxes keep going, they keep their lease.

Solutions tried:

• restarting pfSense box: success
• restarting switch: success
• enter IPv4 details manually: success

However after a couple of days: same issue.

Sounds familiar?
Troubleshooting suggestions?

Thanks!!

viragomann

@cabledude
Does this device also offer the DHCP server, where it was get this settings from?

Cabledude

@viragomann
Yes the SG-1100 has DHCP server functions enabled.

viragomann

@cabledude
No, I was meaning the client. Does it give you any information about the DHCP server, where it got this settings?

Cabledude

@viragomann
No, all it shows - normally - is the "Router", i.e. the router IP, or in case of VLAN the VLAN IP.
For example if the router is at 192.168.1.1, for VLAN 10 the client device Router entry would be 192.168.10.1.

Cabledude

Been checking the logs and here are some screen shots:

So it looks like the WAN connection drops and pfSense is trying to use the old lease and then finally renew the lease.

After rebooting the ISP modem there haven't been any more "link state changes to DOWN", but they will return.

Cabledude

should I disable gateway monitoring?

NollipfSense

@cabledude said in Local clients don't get Router / gateway address - intermittent:

For example if the router is at 192.168.1.1, for VLAN 10 the client device Router entry would be 192.168.10.1.

Wondered where that client is getting that IP? All client must show 192.168.1.1. Seems that your switch is doing DHCP!

Cabledude

@nollipfsense
Thanks for your reply! Actually it has always been like that. And my switch or any other UniFi device doesn't feature a DHCP server.

Just so that we're on the same page: the actual client IP address is in the range of the DHCP pool. 192.168.10.1 is not the client IP address, but the gateway. Obviously the gateway is internally routed through to 192.168.1.1.

My guess is pfSense is doing this to provide a gateway for every VLAN even if firewall rules block access to LAN or other VLANs. A netgate representative will probably be able to confirm.

NollipfSense

@cabledude If the below is a Mac, it always shows the router it got the IP from and this has IP not in 192.168.1.2 - 192.168.1.254 range.

Cabledude

@nollipfsense said in Local clients don't get Router / gateway address - intermittent:

@cabledude If the below is a Mac, it always shows the router it got the IP from and this has IP not in 192.168.1.2 - 192.168.1.254 range.

Exactly. But VLANs work differently. This is VLAN 10. The client received 192.168.10.60 and the gateway is 192.168.10.1. Trust me this is as designed.

The question at hand here is why the DHCP server doesn't issue the gateway, be it 192.168.1.1 (for LAN) or 192.168.xx.1 (for VLAN xx), which is more and more likely caused by ISP modem hiccups.

Just FYI after rebooting the ISP modem, the clients get gateway again (192.168.10.1) and work as expected.

And to wrap it up this is the DNS server issued by the pfSense DHCP server:

NollipfSense

@cabledude So, the ISP modem/router is doing both DNS and DHCP...pfSense is not in the loop...using it just as a firewall?

Cabledude

@nollipfsense said in Local clients don't get Router / gateway address - intermittent:

@cabledude So, the ISP modem/router is doing both DNS and DHCP...pfSense is not in the loop...using it just as a firewall?

Not at all. pfSense is the only DHCP server in the entire network.
The ISP modem (cable 100/40) is in bridge mode, so the pfSense box (SG-1100) gets the WAN directly from the ISP server via WAN DHCP. Then it also runs the DHCP server for the LAN side, including all VLANs.

NollipfSense

@cabledude Okay, so, pfSense LAN must be 192.168.10.1 or I am confused on your network. At least, the DNS resolve to 192.168.10.1 for host name sg.home.arpa...

Cabledude

@nollipfsense said in Local clients don't get Router / gateway address - intermittent:

@cabledude Okay, so, pfSense LAN must be 192.168.10.1 or I am confused on your network. At least, the DNS resolve to 192.168.10.1 for host name sg.home.arpa...

Like i said, VLANs work differently. pfSense is at 192.168.1.1, so LAN is at 192.168.1.x, VLAN10 is at 192.168.10.x, VLAN20 is at 192.168.20.x etc.
If you have VLANs set up you would see what I mean.

NollipfSense

@cabledude said in Local clients don't get Router / gateway address - intermittent:

If you have VLANs set up you would see what I mean.

No...never need to do it despite having complex networks.

Cabledude

@stephenw10 said in e6000sw0port3: link state changed to DOWN:

The LAN side DHCP issue could be unrelated. It could be a rogue DHCP server in some other device for example. Check the logs for reported IP conflicts.

Hello Steve,
Hopefully we can continue this topic here. No items of interest in the DHCP log. But I have no other DHCP-capable devices, so this would seem impossible.

By the way there is a gap in the general log
@stephenw10 said in e6000sw0port3: link state changed to DOWN:

The LAN side DHCP issue could be unrelated. It could be a rogue DHCP server in some other device for example. Check the logs for reported IP conflicts.

Hello Steve,
Hopefully we can continue this topic here. No items of interest in the DHCP log. But I have no other DHCP-capable devices, so this would seem impossible.

By the way there is a gap in the general log. Don't know what that means. And yes the unit has been on and fully functional during that time.

Knowing the cable modem will fail again, I consider my network to be unreliable until cause found.

After resetting only the cable modem (three days ago) not a single DHCP issue, which makes me think the "link down" and "DHCP gateway" issues could be related.

The takeaway is that if the cable modem is the cause, pfSense should still keep chugging along, independently. Or am I wrong to assume this?

Some questions:
#1 Is the "clients don't get gateway from pfSense DHCP" an issue that you see more often?

#2 Could it be worthwhile to copy the config to a spare SG-1100 and swap?

#3 support options
I don't have the budget to buy TAC Pro. Does netgate have any other support options such as just for one incident? Where I could send logs etc.? Or would the price for this quickly exceed a year's worth of TAC Pro.

Cabledude

Just to add:

Ever since upgrading the SG-1100 from UFS to ZFS (full wipe and config restore), the UI performance has gone down quite a bit. Invoking the dashboard takes around 9 seconds, as does logging in.
From dashboard load, when going to CPU info, it can sometimes take a full minute easily before the CPU shows, but I’ve also seen 7 seconds.
CPU usage with dashboard open is around 75-80%.

Here is the detailed CPU info:

rcoleman-netgate

@cabledude Dashboard UI will add to your CPU loads, too, so I wouldn't judge it from there.

Cabledude

So I learned that pfsense DHCP doesn't advertise router when the default gateway is down. The same happens when I simply unplug the WAN cable from the netgate. This may be by design, if so it isn't a malfunction.

I also noticed that when an internet outage occurs, the tiny square shaped 100/1000mbit and traffic leds next to the netgate SG-1100 WAN RJ45 socket go out completely, although the cable is still attached firmly.

1. No lights, no connection.
2. No connection, no gateway.
3. No gateway, no router advertisement
   Right?

So this only leaves one issue to tackle: why is the connection from cable modem LAN1 port (bridge mode) to netgate WAN port going down with cable still attached?