Unknown reason: network became inaccessible
-
ver: 2.7.2-RELEASE (amd64)
Network is down (both wireless and wired).
pfSense cannot be accessed.
Happened a few times a year.
Solution: power off/restart the Helium miner, then the network is back.
How can one device affect the whole network?
Too much traffic? How can I prove it on pfSense (not able to reproduce it on purpose)?
How to solve it? QoS? How to monitor the traffic shaper live?
Thanks.
-
Some network flood? IP conflict? Rogue DHCP server?
What is shown in the pfSense logs from the time when you get access back?
Is network access regained if you just disconnect the miner device?
Steve
-
@stephenw10
How can I track these issues?
I used to have a package that tracked every incoming and outgoing connection and bandwidth per IP; I can't find it now.
But if pfSense is flooded, can it still log?
System > General log:
When the network is down, it kept:
sshguard 29206 Now monitoring attacks.
sshguard 90393 Exiting on signal.
After turning the miner off:
nginx [error] 50857#100250: *78 open() "/usr/local/www/apple-touch-icon.png" failed (2: No such file or directory), client: Mac, server: , request: "GET /apple-touch-icon.png HTTP/1.1", host: "pfSense"
nginx [error] 50857#100250: *78 open() "/usr/local/www/apple-touch-icon-precomposed.png" failed (2: No such file or directory), client: Mac, server: , request: "GET /apple-touch-icon-precomposed.png HTTP/1.1", host: "pfSense"
php-fpm 397 /index.php: Successful login for user 'XXXX' from: xxx.xxx.xxx.xxx (Local Database)
Yes. Right after I turn off the miner, everything is back online.
I didn't even restart pfSense or the modem.
I just used the traffic shaper to limit the bandwidth usage of that miner; it still happens after a few hours.
-
So you just see sshguard filling the system logs during the time the network is down?
That implies one of the logs is continually filling and rotating. So I would check the other logs to see what that is.
If it's not obvious I'd check at the command line the output of:
ls -ls /var/log
The time stamps there should make it clear which logs are rotating.
I'd guess it's the firewall log though.
-
Yes, nothing else in General.
System > Gateway: nothing today
System > Routing: nothing today
System > Gateway: nothing today
System > DNS resolver: nothing today
System > Wireless: no log
System > GUI Service: just my browser record
Firewall > Normal View: 99% of incoming blocks are for pfSense:53 from outside
Firewall > Summary: 90% incoming to pfSense
/var/log (mod today)
system.log: just that 2 lines.
nginx.log: just my browser record
filter.log: records over-written ...
dhcpd.log: records over-written ...
home kea-dhcp4[54369]: INFO [kea-dhcp4.leases.0x1c0654e17b00] DHCP4_LEASE_ADVERT [hwtype=1 macAddr], cid=[no info], tid=0x34914480: lease Meross-Smart-Plug-Garage will be advertised
home kea-dhcp4[54369]: INFO [kea-dhcp4.dhcpsrv.0x1c0654e17b00] EVAL_RESULT Expression pool_lan_0 evaluated to 1
home kea-dhcp4[54369]: INFO [kea-dhcp4.leases.0x1c0654e17b00] DHCP4_LEASE_ADVERT [hwtype=1 macAddr], cid=[no info], tid=0x1bf76351: lease Meross-Smart-Plug-Miner will be advertised
home kea-dhcp4[54369]: INFO [kea-dhcp4.dhcpsrv.0x1c0654e17b00] EVAL_RESULT Expression pool_lan_0 evaluated to 1
These two smartPlug records repeat every 15 sec ... seems not normal to me ...
Sadly, I didn't set a larger log rotation size.
Now I set it to 51200000.
If it happens again, I think I can get those logs.
Thanks.
-
Really you're just looking for which log was rotating. Looks like it was almost certainly the filter log. So if the miner was causing that it must have been some firewall rule logging it. What rules do you have that filter traffic from the miner?
-
@stephenw10
I thought the same.
But ... it's all default.
Firewall > Rules > WAN:
RFC 1918 networks
Reserved Not assigned by IANA
Firewall > Rules > LAN:
Anti-Lockout Rule
Default allow LAN to any rule
Default allow LAN IPv6 to any rule
-
No floating rules? pfBlocker?
-
No floating rules are currently defined. Click the button to add a new rule.
I may have installed pfBlocker before, but now there is no package installed.
-
@yashiharu Sounds very much like a device that starts answering/duplicating ARP requests for the pfSense IP address. I had a printer once that had a software bug that caused it to do that. Took me a LONG time to diagnose why powering off the printer helped.
In the end I solved it by starting Wireshark on my own client to see what happened on the network when I tried to access the non-responding firewall. I got flawed ARP responses up the wazoo from the printer's MAC address.
-
If that happened I'd expect a bunch of 'xxxx is using my IP address' logs in pfSense. It's possible they have simply been rotated out though.
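-
Added example, not part of the thread and not from any poster: one way to check current and rotated logs for the 'is using my IP address' messages mentioned above and see which MAC address is responsible. The two kernel message shapes, the sample log lines, and the names `sample_log` and `arp_conflicts` are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed FreeBSD kernel message shapes:
#   arp: <mac> is using my IP address <ip> on <if>!
#   arp: <ip> moved from <old-mac> to <new-mac> on <if>

# Constructed sample in system.log style; MACs, IPs and igb1 are made up.
sample_log() {
    cat <<'EOF'
Mar  3 14:02:11 pfSense sshguard[29206]: Now monitoring attacks.
Mar  3 14:02:12 pfSense kernel: arp: 02:00:00:aa:bb:01 is using my IP address 192.168.1.1 on igb1!
Mar  3 14:02:13 pfSense kernel: arp: 02:00:00:aa:bb:01 is using my IP address 192.168.1.1 on igb1!
Mar  3 14:02:14 pfSense kernel: arp: 192.168.1.50 moved from 02:00:00:aa:bb:03 to 02:00:00:aa:bb:02 on igb1
Mar  3 14:02:15 pfSense kernel: arp: 02:00:00:aa:bb:01 is using my IP address 192.168.1.1 on igb1!
Mar  3 14:02:16 pfSense sshguard[90393]: Exiting on signal.
EOF
}

# arp_conflicts [FILE...]: read the named logs (or stdin when none are given)
# and print "<count> <mac> <ip> <kind>", most frequent first.
arp_conflicts() {
    awk '
        / is using my IP address / {
            # Another host answered ARP for an address the firewall owns.
            for (i = 1; i <= NF; i++)
                if ($i == "is" && $(i+1) == "using") {
                    mac = $(i-1); ip = $(i+5)
                    n[mac " " ip " claims-firewall-ip"]++
                }
        }
        / moved from / {
            # An ARP entry changed owner; count the MAC that took it over.
            for (i = 1; i <= NF; i++)
                if ($i == "moved" && $(i+1) == "from") {
                    ip = $(i-1); mac = $(i+4)
                    n[mac " " ip " took-over-ip"]++
                }
        }
        END { for (k in n) print n[k], k }
    ' "$@" | sort -rn
}

sample_log | arp_conflicts
```

On the firewall, pass the current and rotated files together (for example `arp_conflicts /var/log/system.log*`) so entries that have already rotated out of the live log are still counted. Compressed rotated logs need decompressing first.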