strange errorThere were error(s) loading the rules: pfctl: SIOCGIFGROUP: Device not configured
-
@stephenw10
"It could be coincidental that the monitoring system stops being able to pull responses from the firewall and the firewall is logging another device using it's IP."But it never did for well over a year before the upgrade? And it don't do that for other devices? And an SNMP query can do that? Yeah, I'm not buying that.
"I would guess something is falling back to a default config or perhaps using that IP/MAC when it boots and then switching to something else."
It could be but power is stable and nothing here when running has that MAC address.
"That assumes igc3 is the LAN as I asked above?"
Yes igc3 is the LAN side. So both the LAN side and the WAN side are producing weirdness that they never produced before. How likely is that?
-
still no easy way to resolve this problem?
-
@pfsss
The problem persists.Mar 4 03:09:34 kernel arp: 00:0c:43:e1:76:29 is using my IP address 192.168.1.1 on igc3! Mar 4 03:09:36 kernel arp: 00:0c:43:e1:76:29 is using my IP address 192.168.1.1 on igc3!
This MAC address does NOT exist on the LAN. I have a list of every MAC address on this LAN.
All the while here is the speed test on a 200GB fiber connection:
Speedtest by Ookla [error] Error: [101] Network unreachable Server: Panay Broadband (BCATVi) - Iloilo (id: 9935) ISP: Philippine Long Distance Telephone Idle Latency: 27.69 ms (jitter: 0.11ms, low: 27.62ms, high: 27.82ms) Download: 212.02 Mbps (data used: 296.8 MB) 27.88 ms (jitter: 7.20ms, low: 27.38ms, high: 296.45ms) Upload: 218.33 Mbps (data used: 221.7 MB) 28.66 ms (jitter: 0.79ms, low: 28.17ms, high: 36.35ms) Packet Loss: 0.0% Result URL: https://www.speedtest.net/result/c/47d96817-22ce-4051-87eb-22c8c191eff7
Which makes no sense as I am getting a great through speed while at the same time am told "Network unreachable."
-
@Ellis-Michael-Lieberman said in strange errorThere were error(s) loading the rules: pfctl: SIOCGIFGROUP: Device not configured:
Mar 4 03:09:34 kernel arp: 00:0c:43:e1:76:29 is using my IP address 192.168.1.1 on igc3!
Mar 4 03:09:36 kernel arp: 00:0c:43:e1:76:29 is using my IP address 192.168.1.1 on igc3!Does it always appear like that with 2s between two warnings?
I'd be amazed if that's not a real conflict. I've never seen that alert triggered as a false positive.
I'd still guess it's something using that MAC at bootup, maybe trying to PXE boot. Something with a Ralink SoC probably.
Anything else that sees those broadcasts and updates it's ARP table would lose connectivity until it gets updated again. However you said you checked the ARP table on the monitoring system whilst it showed as down and it was correct. So it could be unrelated.
-
@stephenw10
First, not it is not always twice. It is often once. As is:Mar 3 20:25:00 sshguard 80813 Exiting on signal. Mar 3 20:25:00 sshguard 70235 Now monitoring attacks. Mar 3 20:29:29 kernel arp: 00:0c:43:e1:76:29 is using my IP address 192.168.1.1 on igc3! Mar 3 20:34:00 sshguard 70235 Exiting on signal. Mar 3 20:34:00 sshguard 47918 Now monitoring attacks. Mar 3 20:43:00 sshguard 47918 Exiting on signal.
- Nothing was booting on the LAN. I have a log for that on the network monitoring tool.
- Everything that boots has a known MAC address which isn't that one.
I know each and every item on this LAN. I put these things on the LAN. Every item is accounted for and its MAC address is know. There is no Ralink devices here. - The reporting of a Down interface is on 30 second sweeps. The connection between the arp table and the DOWN map is not at the same time. The event had passed. The event was millisecond or two and then the Router has to regain the PPPoE traffic.
-
Ok likely unrelated then.
You should still find out what is sending from that MAC though. Something on that segment is and clearly it's something you don't know about.
-
@stephenw10 ,
Are you referring to the device that miraculously appeared the very moment I upgraded to the current version and was never there before? The one that miraculously installed itself, as I had not installed anything on the network?OK, so do you know of any exorcists? My Rolodex is not helpful when it comes to the supernatural.
-
I have logged into the managed switch the router is directly connect to via CLI.
Here is the setting:
mac address-table filtering 00:0c:43:e1:76:29 vid 1 MAC Address Table ------------------------------------------------------------ MAC VLAN Port Type Aging --- ---- ---- ---- ----- 00:0c:43:e1:76:29 1 filter no-aging 00:12:31:8f:30:6a 1 Gi1/0/2 dynamic aging 00:12:41:fc:82:a8 1 Gi1/0/15 dynamic aging
Here is the description from the PDF of the manual for the switch;
14.4 mac address-table filtering Description The mac address-table filtering command is used to add the filtering address entry. To delete the corresponding entry, please use no mac address-table filtering command. The filtering address function is to forbid the undesired package to be forwarded. The filtering address can be added or removed manually, independent of the aging time.
-
Ok so it's filtering that MAC on all ports? It will be interesting to see if that stops it logging in pfSense. Or perhaps more interesting if it doesn't!
-
@stephenw10
Yes, it is filtering on all ports.I was frustrated as to why the GUI interface for the managed switch didn't allow for MAC filtering. I downloaded the PDF for the switch and found that the CLI allowed for it.
There are two managed switches on this LAN. The one I configured is the one the router directly connects to on switch port #14. It's a straight CAT6 between the units.
-
Mmm, interesting. If the mystery device (assuming it exists!) is connected to the other switch ARP broadcasts may still reach clients.
-
Are you saying that the packet would show up with the MAC address of the other managed switch and get passed though?
There are five other unmanaged switches on this network. It that's the case, then it would get through regardless. Of the more than 50 (sometimes 60 with all the cellphones using WiFi, only the router and maybe three other device are directly connected. Everything else comes through other switches. (Of the 16 ports on the main managed switch, ten ports are in use. Four direct to devices and six to switches.)
-
@stephenw10 ,
I dumped the "show mac address-table" from the switch. The only PC that was running on the LAN was mine and the printer was off line. (This is a quiet time.)I ran "Angry IP" at my workstation and did a "stare and compare" of sorts, by copying the dump from the switch into a spreadsheet (sorted by MAC address), and then ran down the the results I got from Angry IP.
Often the dump from the switch shows a MAC address twice. Adding to the confusion is that many of the CCTV cameras have both a wired Ethernet MAC address and a WiFi MAC address plus the units report both even though only one is functioning frequently resulting in four listings for one camera on the dump. And what you have below is the actual dump of the MAC addresses.
As an example of the duplicates, the "MagicJack" is directly connected to the main managed switch, yet there are two listings in the dump. The D-link switch does have two listings 28:3b:82:7f:5e:e8, but the WiFi AP connected to it connected has very different MAC address 20:76:93:4e:26:27, as does the CCTV camera connected to it. (Other devices and are connected to it but were not 'on' at the time of the dump.) And the WiFi AP address 20:76:93:4e:23:e3 is connected to unmanaged switch connected to a different mail switch port while the address 20:76:93:50:4a:2b actually directly connected the main switch.
So, all the MAC addresses match the end device, not a switch port. For your edification, here are the results.
00:12:31:8f:30:6a CCTV 00:12:41:fc:82:a8 CCTV 00:12:41:fc:b8:d6 CCTV 00:12:42:10:0d:72 CCTV 00:12:43:6b:5a:1e CCTV 00:12:43:73:ba:c4 CCTV 00:2a:2b:fe:80:d1 CCTV 00:9b:fe:72:d1:2e CCTV 00:b5:d0:ef:17:bf CCTV 00:c8:1e:63:8d:e8 CCTV 06:77:f8:74:ab:52 Mobile Phone 08:00:27:25:77:23 VirtualBox Server 08:00:27:77:12:35 VirtualBox Server 08:00:27:ad:fd:b9 VirtualBox Server 08:00:27:d9:80:58 VirtualBox Server 10:27:f5:5d:21:1d TL-Link AP 20:76:93:4e:23:e3 WiFI-AP 20:76:93:4e:26:27 WiFI-AP 20:76:93:50:4a:2b WiFI-AP 22:09:5c:07:1d:2a BlackBox workstation 28:3b:82:7f:5e:e8 D-Link Managed Switch 28:3b:82:7f:5e:e9 D-Link Managed Switch 28:9c:6e:27:10:ce Mobile Phone 2a:03:3e:20:11:7e VM Host 30:ff:f6:83:0a:75 CCTV 30:ff:f6:83:0a:75 CCTV 30:ff:f6:8f:50:dc CCTV 30:ff:f6:8f:50:dc CCTV 30:ff:f6:90:ba:94 CCTV 30:ff:f6:90:ba:94 CCTV 50:c7:bf:d7:1b:e6 WiFI-AP 50:c7:bf:d7:1b:e6 WiFI-AP 54:f1:5f:fc:b1:b6 CCTV 54:f1:5f:fc:b1:b6 CCTV 60:be:b4:07:00:b5 Router 60:be:b4:07:00:b5 Router 6c:33:a9:1d:27:4b MagicJack 6c:33:a9:1d:27:4b MagicJack 88:28:7d:38:52:ca CCTV 88:28:7d:38:52:ca CCTV 88:28:7d:4e:fb:9f CCTV 88:28:7d:4e:fb:9f CCTV b0:48:7a:e2:5b:86 WiFI-AP b0:48:7a:e2:5b:86 WiFI-AP b4:fb:e3:36:18:74 CCTV b4:fb:e3:36:18:74 CCTV b4:fb:e3:36:30:4d CCTV b4:fb:e3:36:30:4d CCTV b4:fb:e3:36:41:c8 CCTV b4:fb:e3:36:41:c8 CCTV b4:fb:e3:36:44:54 CCTV b4:fb:e3:36:44:54 CCTV b4:fb:e3:36:47:0c CCTV b4:fb:e3:36:47:0c CCTV b4:fb:e3:39:49:1f CCTV b4:fb:e3:39:49:1f CCTV d6:f1:6e:cf:fe:17 Mobile Phone e0:e1:a9:bc:d2:fd CCTV e2:e0:b9:4a:8c:ce CCTV
-
@Ellis-Michael-Lieberman @stephenw10
in my comprehension, my problem is caused by the the large loss at gateway, especially when the download speed is high, and then the system restarts my pppoe gateway, but using a new config called 'ng0' instead of the origin config 'pppoe1'. So no matter how I reconnect, pppoe remains failed unless I reboot my pfsense device to switch to the origin config file.is that right?
-
@pfsss
In my case, PPPoE never actually seems to drop. There is no reset. The IP "conflict" is reported, I see, both via the network tool and in real time, a loss of connectivity, but without any rest, all eventually within about 60 seconds comes back stable again. The only thing the log notes is the IP conflict from an unknown MAC address.The error 65 I was experiencing was, today, resolved via a multi-day series of contacts with my ISP that finally got them to resolve something on their side. My only mystery is now the phantom MAC address and the IP address the phantom is creating. There are literally no more log entries in the gateway log. But even after the error 65 errors ended the phantom MAC address issue remained.
I have put a block on that MAC address in the managed switch the router is directly connected to as @stephenw10 is convinced it's something on my LAN. The errors can take as much as 36 hours between incidents, so I am just waiting.
(In the meantime, there is apparently damage to transpacific fiber cable connecting the Philippines to the USA and Europe. So, if the problem is an outside attack, as a fellow on Reddit is claiming, the cable cut may be dampening the effort. My bandwidth within the Philippines is currently fantastic. I suspect it's because international traffic is hobbled :-) )
-
@pfsss If you have a WAN with a lot of buffer bloat or just very lossy you may need to tune the gateway monitoring so it doesn't trigger at latency or packet loss levels that are expected.
If you only have one gateway you can also just disable the monitoring action for it so it never gets marked down.PPPoE uses NetGraph to create the connections. It is first created as ng0 and then renamed as ppppoe0. That's expected.
-
@Ellis-Michael-Lieberman Yeah I would expect to see the mystery MAC in the switch table if it passed the switch. But those entries will expire so it would only be there for some time after it appears.
No I wouldn't expect to see any traffic from a switch MAC masking the original source unless any of those switches are layer 3 and actually routing.
The only time I've seen MAC addresses being 'NAT'd' is when using WIFI extenders which are almost always a terrible idea!
-
@Ellis-Michael-Lieberman said in strange errorThere were error(s) loading the rules: pfctl: SIOCGIFGROUP: Device not configured:
00:0c:43:e1:76:29
Googling that MAC address shows it's the default used in a bunch of OpenWRT based firmwares. I'd bet this is an access point somehow dropping to it's default values temporarily. I could imagine it doing that at boot when the boot loader checks for PXE boot options. However that would definitely interrupt any wifi devices using it. Unless perhaps you have enough coverage that devices switch APs seamlessly?
If the APs you have show uptime that would rule it out. -
@stephenw10,
There are three APs on the LAN that do use OpenWRT but their uptimes are:30d 19h 5m 25s 30d 19h 5m 28s 30d 19h 5m 34s
The last reboot was following a power outage here. So they were not rebooting recently.
There are two Archer APs here, one TP-Link AP and two Comfast APs. They do not appear to use OpenWRT but none have rebooted since the power outage. [We have solar power during the day, with commercial at night with Lithium battery backup for the loss of commercial. There was one night that the commercial was out for so long that the batteries failed. :-) Life in the third world.]
The ISP provided as a Bridge (can be set as a router but not in my case) does use OpenWRT but it also didn't reboot and it is on the WAN side. (It's reboot takes about three minutes and the PPPoE session would have needed to be reset.)
-
Hmm, hard to imagine that MAC would exposed at any time other than at reboot. Unless some process was doing it deliberately, which seems very unlikely.
Any of those devices using a Ralink SoC?