Dropped packets with no logging
-
I am having an issue with dropped packets. It is happening randomly on every client PC. I have attached a screen shot of my local PC and a remoted PC. In this instance my local PC lost packets but the remoted one did not. The firewall logs have no mention of packet going to or coming back from 216.70.224.97 being blocked.
Using the packet capture feature on the firewall I have captured packets at the time of the packet loss, the capture packet program shows no packets passing through the firewall. The IP address can be any IP on the internet. I have also made sure the client computer can ping other client computers during the packet loss. This was to check internal hardware to make sure packets are passing OK.I have gone through some of the Forum posts and found some hardware/drivers to be problematic so I did Disable Hardware Checksum Offloading. I have 3 interfaces 1 LAN and 2 ISPs (one sdsl and one t1). I redirect a couple of specific IP's out of the SDSL and all other traffic out of the T1 line. I have verified that the SDSL and the T1 both loose packets at the same time from the same client.
Using version: 1.2.2
I have 3 interfaces.
I have Disable Hardware Checksum Offloading: CheckedUPDATE: I have confirmed that with three command windows open, 1 pinging through the T1, one Pinging through the SDSL, and one pinging the network card IP address of the Firewall that the 1 pinging the IP address of the nic card of the firewall still returns the packets and is being logged by the capture packet program but the 2 going out of the internet are being dropped with no trace of those packets in any log.
-
What do the various RRD graphs in pfSense show when this happens? (Status > RRD Graphs)
Also, what kind of network cards do you have? And what kind of hardware is the router in general? (general system specs and such would help)
-
Most of the graphs look fine. But I did see the quality graph was totally incorrect.
HP 4300 workstation 4 Gb memory
Lan on the mother board NIC andT1 and SDSL on older 3com TX nics
-
This problem has persisted. I have disabled the snort service and the problem still happens.
To add to my configuration:
My computer goes out a Netvanta 1224ST, HP Procurve switch 2524, 3com Superstack II, and then PFSENSE FIREWALL. Like I said before I am able to ping the LAN card on the firewall at the same time all traffic disappears through the firewall. The packet capture program on the PFSENSE shows the pings hitting the LAN card but all other traffic from "my PC only" is absent during the time the traffic disappears.
-
OK, so this is really on my nerves. I removed the third LAN card and made it a simple LAN - Wan. I did a fresh install from CD to 1.2.3-RELEASE. I only downloaded squid and Light squid. The 3 addresses I ping are 10.134.1.249(LAN), 172.25.1.2(WAN) and 66.xxx.x.xx(ISP Router). When my connection gets disrupted I always loose connection past the LAN card. It happens randomly throughout the day but I can trigger it to happen by opening multiple web pages at once.
It is definitely the firewall and the logs are not showing any rejects. The packet capture program on PFSENSE shows a complete loss of all data for my workstation except the pings on the LAN card. All other data is still streaming through. The CPU usage never goes high. Memory usage is at 8%. Swap and disk usage at 0%
Please any thoughts. I have attached some RRD graph.
-
It might help to see the output of this command:
ifconfig -aFrom either Diagnostics > Command, or from a shell prompt.
-
Jimp,
here it is.
$ ifconfig -a
bge0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:16:35:a9:44:05
inet 10.134.1.249 netmask 0xffffff00 broadcast 10.134.1.255
inet6 fe80::216:35ff:fea9:4405%bge0 prefixlen 64 scopeid 0x1
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
xl0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=9 <rxcsum,vlan_mtu>ether 00:10:4b:17:27:3f
inet6 fe80::210:4bff:fe17:273f%xl0 prefixlen 64 scopeid 0x2
inet 172.25.1.2 netmask 0xffffff00 broadcast 172.25.1.255
media: Ethernet autoselect (100baseTX)
status: active
xl1: flags=8802 <broadcast,simplex,multicast>metric 0 mtu 1500
options=9 <rxcsum,vlan_mtu>ether 00:10:4b:66:60:25
media: Ethernet autoselect (none)
status: no carrier
lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
enc0: flags=0<> metric 0 mtu 1536
pfsync0: flags=41 <up,running>metric 0 mtu 1460
pfsync: syncdev: lo0 syncpeer: 224.0.0.240 maxupd: 128
pflog0: flags=100 <promisc>metric 0 mtu 33204</promisc></up,running></up,loopback,running,multicast></rxcsum,vlan_mtu></broadcast,simplex,multicast></rxcsum,vlan_mtu></up,broadcast,running,simplex,multicast></full-duplex></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,simplex,multicast>
-
Did you still have checksums disabled? Because they're enabled in that output. I was expecting to maybe see one or two other options though that have been known to be problematic, but it doesn't appear that your hardware supports them (LRO and/or TSO)
-
When I did the clean install I dit not turn off the checksums. Do you think I should do that?
One thing I notice is my Wan lan card does not support full duplex and there are collisions on the wan side. On the lan side their are about 15 computers and on the wan side there is a cisco router and sonicwall router. The cisco is a VPN and the sonicwall is the managed firewall.
Status up
MAC address 00:10:4b:17:27:3f
IP address 172.25.1.2
Subnet mask 255.255.255.0
Gateway 172.25.1.1
ISP DNS servers 208.67.222.222
208.67.220.220
Media 100baseTX
In/out packets 6160156/6597801 (2.73 GB/1.33 GB)
In/out errors 0/0
Collisions 3506
LAN interface (bge0)
Status up
MAC address 00:16:35:a9:44:05
IP address 10.134.1.249
Subnet mask 255.255.255.0
Media 100baseTX <full-duplex>In/out packets 6278636/6654585 (1.30 GB/2.71 GB)
In/out errors 0/0
Collisions 0</full-duplex>
-
That bge card most certainly supports full duplex, if there is an issue it's with what you are plugged into.
Can you try swapping LAN and WAN? You're much better off with that high-quality bge card on the LAN where you are likely hooked into a better switch, and the older xl (3com) nic might better facing the Cisco.
-
Kinda baffled as to why this thread is in the "Packages" forum? Unless the OP misread since he is complaining about dropped "Packets"? Maybe a mod could move it?
-
Kinda baffled as to why this thread is in the "Packages" forum? Unless the OP misread since he is complaining about dropped "Packets"? Maybe a mod could move it?
I read via the "all new posts" link and often completely miss what forum a question is posted in :-)
It's moved now.
-
I went and bought 2 INTEL|PWLA8391GTBLK nic cards. I installed them in a different HP PC computer. I did a clean install of PFSENSE 1.2.3. Release. I installed Squid and light squid. Made em0 (LAN) 1 Intel nic and em1 (Wan) the other Intel Nic.
I switched out the other computer with this one and I am getting the same result. At random intervals and when I attempt to load multiple WebPages all traffic gets dropped going through the firewall. I can ping both sides of the firewall and then all of a sudden the wan side becomes unreachable and the LAN side is perfectly fine. During this time if you do a packet capture on the PFSENSE it shows all my traffic that is attempting to go through the firewall is gone but the pings hitting the LAN side are being registered.
This only leaves 2 possibilities I can think of. 1) The motherboard on this HP has problems with the Freebsd distribution 2) There is a problem with squid or lightsquid.
Can anyone think of any other possibilities?
-
Another possibility: Your WAN link goes down for a time and packets are discarded because there is no route to send them.
Are you able to reproduce the problem? Can you reproduce the problem with squid and lightsquid NOT installed?
-
The problem is the other 24 computers do not lose their route at the same time and it is random for them also. So when I do the packet capture other client’s data is still going through the firewall when my data gets dropped. I have confirmed the other clients loose packets randomly. I plan on using a different type of computer next with the original 3 com nic cards. I will test without squid and light squid and then add just squid.
I am able to reproduce it by opening several Firefox windows at the same time (10 or more). When I force reproduce it I am bypassing the squid proxy for my client.
I cannot force it to lose packets if I use the Proxy but the random drops still happen.
-
I tried to install 1.2.3 onto an old Pentium 4 1.6 but when it got to the part where it was attempting to FDISK the drive the bios was sending the correct head count and it kept saying the only valid number is from 5 - 1024 but free bsd wanted the number to be 5003. Changing this number did nothing it still failed with the same error. I skipped this part but without a format the boot-loader did not load.
Using the original HP machine I did a clean install (I even chose the single processor option this time). No packages. I have the exact same result. Unfortunately right now I do not have another machine to install on.
Since both machines have the same motherboard and different NIC cards, it comes down to this specific motherboard. It is the HP XW4300 using Intel 955X chipset dual core Intel Pentium D 840. I think I have checked the different hardware possibilities sufficient with these 2 separate computers to say either the software is not working (not likely) or the drivers are not playing nice with this motherboard.
I do not know enough about Free BSD to install different drivers and try to make it work.
