PfSense 2.0 pings more than pfsense 1.2.3 - What is happening?



  • I upgraded my pfsense 1.2.3 to pfsense 2.0.  Ever since, all of my switches, NICs, and Wireless Router, Modem, and any other device connected to the network light up like a synchronized Christmas Tree.  I have been trying to analyze the behavior, and all data points to pfSense LAN connection.  I am also a musician, and the network lights up every second like it is beating to a drum.  I want to know if this is proper behavior from the pfsense 2.0.

    Packages installed on pfsense 2.0.
    snort
    openvpn
    openNTPD

    Scenarios:
    a. I thought maybe it is openNTPD, but I disabled it. Nothing changed.
    b. I thought maybe snort is searching for my mysql database since I had barnyard enabled.  Disabled barnyard, nothing has changed. (barnyard was enabled correctly)
    c. Disabled my internet router and it is still lighting up.
    d. Disconnected everything but the pfsense box.  It is still lit up every second.

    CAN SOMEONE MAYBE EXPLAIN OR SHED SOME LIGHT ON THIS FOR ME???



  • It pings exactly the same as 1.2.3, only to your gateway for the quality graphs. No traffic would be initiated into LAN by the system itself in a default config. Do a packet capture with everything else disconnected and see what the traffic is.



  • Maybe it is apinger checking if your configured gateways are still alive. What does a packet capture on each of your pfSense interfaces show?

    @homemade:

    all data points to pfSense LAN connection.

    What data points to the pfSense LAN connection?



  • MY QUESTION:
    IS THIS NORMAL BEHAVIOR?

    Thanks guys for the inspiration. Sorry it took me 14 hours to respond but I had to sleep.

    I did a packet capture and used WireShark to analyze the data.  WOW, my WAN interface is sending an ICMP packet of size 74 bytes (equivalent to 624 bits) every second to my internet router.  My LAN was doing the same.

    My LAN interface is also pinging the same way, which is forwarding packets toward every single router below the chain inside my LAN network. I don't remember pfSense 1.2 doing this.  If it did, it was not firing up my switch lights every second.  Is there a way to change this or the timing?  It is causing cheap wireless routers to die out because of too much network noise.

    MY QUESTION:
    IS THIS NORMAL BEHAVIOR?

    SIDE THOUGHTS:
    1.  I thought my network servers were compromised by some foreign hacker.  I thought I was getting port scanned or that a foreign threat  had administrative access to some servers.

    2.  At first, I only thought this action was happening over the WAN interface, but it was forwarding packets to every router that pfsense 2.0 knew of; this includes the WAN and LAN interfaces.  The pfsense's Packet Capturing interface only captured the first 100 packets and the time segment was only capturing packets for .8 seconds; so my human error kicked in and I didn't recognize ICMP packets.  So you have to change the Packet Capturing interface for an unlimited number of packets.  And like a Doppler Weather system it was pinging icmp packets every second on all interfaces.

    3.  Now that I am troubleshooting: why the heck can I log into pfsense on the WAN interface (or ip address)?  Shouldn't this access only be granted over the LAN interface(s)?  How do I change that in pfsense 2.0.1?  Anyway, that is not a priority, because I can figure it out if I diddle with it.

    MY QUESTION:
    IS THIS NORMAL BEHAVIOR?

    Thanks Pfsense,

    You guys do great work.  I am thinking about installing pfsense on private and non-profit networks.  The packages are great time savers for hermits (I don't have friends or colleagues who can do this stuff; PS I am in the entertainment business).  The djbdns, snort, squid, and freeSwitch are excellent.

    MY QUESTION:
    IS THIS NORMAL BEHAVIOR?



  • Are you having device polling on or something? (System: Advanced: Networking: Enable Device polling)



  • @homemade:

    I did a packet capture and used WireShark to analyze the data.  WOW, my WAN interface is sending an ICMP packet of size 74 bytes (equivalent to 624 bits) every second to my internet router.  My LAN was doing the same.

    My LAN interface is also pinging the same way, which is forwarding packets toward every single router below the chain inside my LAN network. I don't remember pfSense 1.2 doing this.  If it did, it was not firing up my switch lights every second.  Is there a way to change this or the timing?  It is causing cheap wireless routers to die out because of too much network noise.

    3.  Now that I am troubleshooting: why the heck can I log into pfsense on the WAN interface (or ip address)?  Shouldn't this access only be granted over the LAN interface(s)?  How do I change that in pfsense 2.0.1?  Anyway, that is not a priority, because I can figure it out if I diddle with it.

    1)  Go to System -> Routing -> Gateways.  Click on the edit button beside each gateway.  You can then set the frequency of the pings in the Advanced box -> Frequency Probe.
    Alternatively, you can disable the monitoring by checking the "Disable Gateway Monitoring" box.

    2)  It is possible that such behaviour is normal because you probably have static routes (you mentioned having multiple routers) rather than a simple NAT setup.
    Hence, the pfSense router must probe the connected 'LAN' side routers to determine if a route is down.
    Similarly, in the System -> Routing -> Gateways -> Advanced settings area, you can set the Weightage of individual gateways in groups (where applicable) if you have multiple gateways on your 'LAN' side which route to the similar subnets.  You can also set the timeout and packet loss ratios accordingly so that routes through the pfSense box can switch between routers when a particular route becomes saturated and deemed 'unresponsive' (this is determined by the packet losses and latency thresholds you set).

    3)  You need to check the WAN tab in Firewall rules OR check the floating rules.  Look out for a rule that allows access to 'WAN address' with destination and port '443' (if you use HTTPS) or port '80' (for HTTP).  This may not become obvious at first if it is a subset of a larger allow rule (such as allow any traffic to WAN address as destination and 'ANY' port).
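
Added example (not part of the thread and not pfSense code): one way to confirm from a capture that the once-per-second traffic is gateway monitoring, by finding ICMP echo request flows that tick at a steady interval. It assumes the capture is available as tcpdump-style text lines; the addresses, ids and timestamps in `SAMPLE` are constructed.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample, tcpdump-style text (assumed export format, not thread data).
# 192.0.2.1 and 10.0.0.1 stand in for the firewall's WAN and LAN addresses.
SAMPLE = """\
12:00:00.010000 IP 192.0.2.1 > 192.0.2.254: ICMP echo request, id 4660, seq 1, length 40
12:00:00.011200 IP 192.0.2.254 > 192.0.2.1: ICMP echo reply, id 4660, seq 1, length 40
12:00:00.020000 IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 4661, seq 1, length 40
12:00:00.500000 IP 10.0.0.50 > 10.0.0.1: ICMP echo request, id 7, seq 1, length 64
12:00:01.010400 IP 192.0.2.1 > 192.0.2.254: ICMP echo request, id 4660, seq 2, length 40
12:00:01.020300 IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 4661, seq 2, length 40
12:00:02.009800 IP 192.0.2.1 > 192.0.2.254: ICMP echo request, id 4660, seq 3, length 40
12:00:02.019900 IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 4661, seq 3, length 40
12:00:02.900000 IP 10.0.0.50 > 10.0.0.1: ICMP echo request, id 7, seq 2, length 64
12:00:03.010100 IP 192.0.2.1 > 192.0.2.254: ICMP echo request, id 4660, seq 4, length 40
12:00:03.020200 IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 4661, seq 4, length 40
12:00:03.100000 IP 10.0.0.50 > 10.0.0.1: ICMP echo request, id 7, seq 3, length 64
12:00:07.000000 IP 10.0.0.50 > 10.0.0.1: ICMP echo request, id 7, seq 4, length 64
"""

# Matches only echo requests; replies and other protocols are ignored.
LINE = re.compile(r"^(\d+):(\d+):(\d+\.\d+) IP (\S+) > (\S+): ICMP echo request")

def probe_flows(text):
    """Map (src, dst) to the list of echo-request timestamps in seconds."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            h, mi, s, src, dst = m.groups()
            flows[(src, dst)].append(int(h) * 3600 + int(mi) * 60 + float(s))
    return flows

def periodic_probes(text, min_probes=4, max_jitter=0.1):
    """Return {(src, dst): interval_s} for flows whose gaps stay near the median."""
    report = {}
    for flow, times in probe_flows(text).items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= min_probes and max(abs(g - median(gaps)) for g in gaps) <= max_jitter:
            report[flow] = round(median(gaps), 2)
    return report

if __name__ == "__main__":
    for (src, dst), interval in periodic_probes(SAMPLE).items():
        print(f"{src} -> {dst}: echo request every {interval}s")
```

Flows reported with an interval of about one second from the firewall's own addresses to its gateways match the monitoring probes described in the thread, while the irregular workstation ping is left out. The capture must hold at least `min_probes` requests per flow, which a capture limited to the first 100 packets may not.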



  • Metu69salemi && dreamslacker, your answers are correct.

    You guys rock!  You guys seem to be very informed about what is under the hood and have excellent familiarity with the GUI interface.  Where can I get this same information, ha (I know u wanna say here)?  Is there a current book, or RSS feed where I can be forced to read some topic on pfsense every day?  I need to become more intuitive with it.

    Again thanks,

    I am going to have to start getting more involved with PfSense because it is becoming a capable application for large infrastructure networks.



  • I learnt to do so through trial and error, largely the latter.  But then again, you only really learn when you fall flat on your face.

    AFAIK, there is a pfSense book (I believe it's called the Definitive Guide) that you can purchase from Amazon.

    I do not have a copy of the book but I generally just google and search the forums for threads to find guides and answers to problems I have.



  • Wow.  Just want to say thanks again. I am inspired to maybe help someone else.



  • I must go via the same path as dreamslacker: trial & error



  • Just a piece of advice on searching the forums.
    Use google.

    What you need to do is to enter (without the quotes):
    "search terms or phrase" site:forum.pfsense.org

    For example, if I needed help with say…  OpenVPN road warrior setup for pfSense, I would enter the following in the google search box:
    openvpn road warrior site:forum.pfsense.org

    Google's linguistics engine and page rank are vastly more powerful than the search engine in most bulletin boards.  Also, the fact that you can click to obtain direct translations for the non-English portions helps too.

