Outbound traffic stops after a few minutes of use



  • I have installed V 1.2.3 Release on an HP d220 MT machine w/1gig ram.
    I am using the built in 10/100 nic for the WAN and two identical 10/100/1000 for LAN and OPT1
    I have a /29 static IP's for the WAN with the DSL router IP set as the gateway.
    I am using 192.168.0.0/24 for LAN.
    I am using 192.168.1.0/24 for OPT1.
    I am using 2 dns servers provided by the ISP.

    After the initial install at the console, I ran the setup wizard. At that time I did not setup the OPT1 interface.
    For testing, I used a PS3 console and Win7 running in VMWare on kubuntu 9.10.
    If I made any configuration change to the firewall, I could not ping anything including the gateway from the firewall's ping utility until I rebooted pfs.
    I did reset to factory and started over before any further testing. I did try resetting the states each time before rebooting too.
    After a few minutes of browsing the internet from either the PS3 or Win7, I would loose connectivity at the firewall.
    Searching these forums, the only advise I could find was to "Disable Hardware Checksum Offloading". This seemed to give a few more minutes between failures.
    So after the last reboot, I browsed the internet a little bit and then disconnected everything from the firewall and let it sit idle for about 7 hours.
    After my daughter got home, I set up her pc to use the firewall so she could play WOW through it. I've had to reboot the fire wall about every 5 minutes to regain connectivity
    while she played.

    So the firewall looses connectivity if you try to do some light Internet browsing, downloading a large file, or playing an online game.


  • Rebel Alliance Developer Netgate

    That is quite unusual, unless there is some particular hardware bug/fault to blame.

    you may want to connect to the firewall with ssh (or from the console) and monitor using "top -SH" from the shell. You might also try watching "systat -vmstat" and watch to see if any of the numbers go nuts.

    Another possibility is perhaps somehow the state table is filling up prematurely. Watch Diagnostics > States or the output of "pfctl -ss" from a shell prompt.

    Go to System > Advanced and look at "Firewall Maximum States" and put in a higher number such as 200,000 as a test.



  • Thank you for the suggestions.
    I tried them all and systat -vmstat seemed the best choice to monitor.

    I generated traffic for testing by using the PS3 to download a demo game and let my daughter play WOW.
    I monitored systat while displaying the traffic graph. Nothing seemed out of the ordinary when the connection died.
    The wan connection would last anywhere from 5 minutes to 15 minutes after doing a reboot when the connection died.
    I discovered if I swapped the wan and opt1 cards, I would regain an Internet connection with out rebooting.

    Next I tried running pfSense on another machine via live CD.
    This other machine is a Dell Optiplex with a hyperthread 3Ghtz processor and 2gig ram.
    I utilized the built in nic and the other 2 10/100/1000 nics from the original machine.
    I had the exact same results as the original machine with it loosing connectivity after 5 - 15 minutes. :(
    Again I could swap nics in the webgui and regain connectivity with one small exception. After swapping the
    nics the first time, I swapped them back to the original setup and now I have been able to download a 211 meg game
    and so far an additional 326 megs of another game while my daughter has been playing WOW.

    An additional note: On the first machine, I left it running overnight with out doing anything to it after it lost connectivity
    and 6 hours later, it worked again for a few minutes before loosing connectivity.



  • Something else worth noting….
    After a connection failure, if I unplug and replug in the wan cable, the connection works again.


  • Rebel Alliance Developer Netgate

    Sounds more like something upstream then. Sure it isn't something with your modem/ISP? Is there another port on the back of your DSL router that you can try?



  • I doubt its a dsl modem problem.
    I have had a Smoothwall firewall and that modem since 2001.

    @jimp:

    Is there another port on the back of your DSL router that you can try?

    No. There is only a single Lan and single Wan connection.

    I intend to get another dsl connection and wanted a firewall that
    was better suited for dual wan connections. The only problem I have
    had with the smoothwall is after about 6 months, it starts to block outbound
    connections its not supposed to. For instance, I cannot connect the PS3 to the
    playstation network anymore. Another example, is my daughters WOW, it worked
    fine for months, and now it will not connect through the smoothwall. If I were to
    reinstall the smoothwall, then everything would be fine, but I am tired of having
    to reinstall it every 6 months or so and spend the hours reconfiguring all the firewall
    rules.  I have two boxes with smoothwall on it so when one is down, I can use the
    last one until the new one is ready. I need to have a backup one ready to bring online
    because I host several websites and services. That is another reason I am looking for
    a more robust and secure firewall. Those websites are prone to attack by spammers
    because they are used to supply evidence to registrars, LE and ISP's to get sites and IP's
    shut down.


Log in to reply