PfSense Blocking WAN all of a sudden
newbie alert!! (be nice to me) :D
I installed pfSense 2.1amd64 in a D2500CCE Dual Lan PC with 4GB RAM and HDD,
Easy setup… WAN -> Cable Modem (no router) -> PfSense -> Netgear Switch -> LAN
Just 1xLAN and 1xWAN
I have Snort, pfBlocker, Squid and Squidguard
Until last night everything was working perfectly; this morning I don't have WAN access (LAN works).. I did not touch anything during the night (I was sleeping).. so something happened "automatically"
I don't see anything weird in the Logs, I have deactivated Snort, PfBlocker and Squid.. (just in case) but I still get no WAN access
From the pfSense machine I have internet access.. I was able to update to the last 2.1 snapshot (before I was using the Snapshot from yesterday).. the update was correct.. while pfSense was configuring packages I got temporary access to Internet (yahoooo) but it did not last long.. when everything was loaded, I lost WAN access again..
Isn't it weird that all of a sudden I lose connectivity? (I swear that I did not touch anything between last night and this morning..)
I'm a total newbie.. so maybe someone can give me some hints what could be blocking it, and how could I troubleshoot it?
Thanks for your patience.. :o)
Try turning off Snort. If you're not familiar with it you probably did what I did when I deployed it for the first time. Snort, without care and feeding, can block everything on your WAN. I learned that lesson the hard way. You need to ease into Snort slowly and keep tabs on its logs. Flush its cache before you turn it off. Snort rules can persist if the block list is not purged before you turn it off or uninstall it.
pfBlocker is usually pretty good about playing nice, but if your WAN doesn't come back online I'd turn that off next.
I don't have any experience with Squid and Squidguard, but I would probably turn them off too. Basically, turn off all of these additional packages first to see if your WAN comes back online. Flush caches and turn them off. If your WAN comes back online, turn them on one at a time, leave them running for a day, and if your WAN dies again you'll at least know which package is the culprit.
I did the same thing while rolling out pfSense for the first time thinking "hey these things should just work", and boy do they ever. However, they require care and feeding too when you deploy them. If Snort in particular is set too aggressive, it'll start blocking any incoming connection because you essentially told it to.
Thanks for the hints!
What do you mean with "flush cache"?
I did what you suggested but I started with Squid and Squidguard.. I have uninstalled them, and now I have Internet access!! This morning I tried just deactivating them but looks like it wasn't enough (does that make sense?)
Strangely enough I had Squid working yesterday, but all of a sudden (at night) it decided to block my WAN (apparently)
What do you mean with "flush cache"?
I uninstalled Snort once when it was misbehaving and didn't clear the blocked list. Although it wasn't installed the block list was still active. I had to reinstall it and remove the list before the firewall started working again. Definitely some wonky configuration on my part that caused it.
I have a feeling you want to create a very secure and managed perimeter, not a bad idea. However, if you're new to pfSense and some of the packages it employs, it's best to start with just pfSense, get that working and then decide which package you want to deploy and do them one at a time. Give it a week in production to see how it behaves and then add another one. It makes troubleshooting and understanding the ramification of different settings a bit easier to manage. And keep in mind it's a managed perimeter, you shouldn't just set it up and then be done with it. In order to work most optimally, you'll want to periodically review the logs.
Yes, I realized the hard way that after doing changes to Snort, I had to save the changes, clear the blocks and restart Snort :) :)
The system is now stable with Snort and pfBlocker… I had to add some exceptions in Snort because the thing was doing "too many" http inspects/blocks while browsing normal pages (but that was not the reason for my network block the other day)
I will wait one day more and then install Squid.. and then Squidguard.. one of those packages must be the "guilty" one..
Actually you are right.. I don't need this security perimeter at all.. "nobody" in a home network needs that. Yes, I see every day many attacks and scans and etc etc being monitored in Snort.. but.. so what? :) I have been years without even a simple firewall and nothing happened.. and if something happens, there's nothing interesting in my network at all :D. I do it just for fun and for learning purposes :)
Yesterday night I reinstalled Squid.. looks like the old configuration is reused when reinstalling.
After reinstalling it, a very loud buzzing started (meaning: my wife screaming that Internet was down).. I checked the configuration but I did not find what could be going wrong.. I guess it's the most simple Squid setup ever.. Transparent proxy in LAN, and "allow users on interface", logs configured, disk and memory cache increased and that's it
I deactivated the service and the alarm was still buzzing (alarm started to be annoying)
I uninstalled Squid and the alarm stopped (and Internet was working again)
Now comes the funny part.. I installed Squid3 instead of Squid.. Squid3 took automatically my old Squid Configuration.. after the install the Alarm was silent.. Internet was working and Squid was caching…
I start to be confused.. :)
I had Squid3 working all night and everything works like a charm.