Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Instability issues

    Scheduled Pinned Locked Moved General pfSense Questions
    4 Posts 2 Posters 1.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B
      bdab
      last edited by

      We are testing a pre-production deployment with a 2-members cluster with 2.2.2-RELEASE (amd64), 10 physical interfaces Gbps (4 of them with virtual interfaces/vlans) and two physical FO interfaces.

      We set up the ruleset (+900 rules so far) using aliases and group of aliases, mostly using the Floating Tab.

      We are experience some issues, after applying changes in the ruleset or inserting new objects into an existing alias:

      Issues:

      • From time to time, traffic that should match an existing rule stops being approved, and gets logged by the cleanup rule. After a few minutes, it gets approved back again and things come back to normal.

      • Sudden duplication of groups of aliases.

      • Elimination of group of aliases.

      Here's data about our config:

      Version 2.2.2-RELEASE (amd64)
      built on Mon Apr 13 20:10:22 CDT 2015
      FreeBSD 10.1-RELEASE-p9

      You are on the latest version.
      Platform pfSense
      CPU Type Intel(R) Xeon(R) CPU E5645 @ 2.40GHz
      12 CPUs: 2 package(s) x 6 core(s)
      Uptime 30 Days 00 Hour 58 Minutes 49 Seconds
      Current date/time
      Mon May 18 16:52:42 ART 2015
      DNS server(s) 8.8.8.8
      8.8.4.4
      Last config change Mon May 18 16:39:07 ART 2015
      State table size
      0% (4355/3256000)
      Show states
      MBUF Usage
      7% (73656/1000000)
      Temperature
      24.0°C
      Load average
      0.20, 0.19, 0.17
      CPU usage
      0%
      Memory usage
      7% of 8147 MB
      SWAP usage
      0% of 16384 MB
      Disk usage
      / (ufs): 0% of 249G
      /var/run (ufs in RAM): 4% of 3.4M

      Services:

      Service Description
      apinger Gateway Monitoring Daemon
      bgpd         OpenBSD BGP Daemon
      dhcrelay DHCP Relay
      ntpd         NTP clock sync
      openvpn OpenVPN server: Remote Access
      radiusd FreeRADIUS Server
      sshd         Secure Shell Daemon

      Installed Packages:

      freeradius2
      OpenBGPD
      OpenVPN Client Export Utility
      pfBlockerNG (disabled)
      Shellcmd

      Due to the following post:

      https://doc.pfsense.org/index.php/Thread_Error_Using_Many_Hostname_in_Aliases

      we have modified the following parameters:

      Firewall Maximum States  814000 -> 3256000

      Firewall Maximum Table Entries  2000000 -> 8000000

      We are unable to detect anomalies through log analysis. But this instability issues is precluding us from moving forward.

      We'd appreciate any suggestions.

      Thanks in advance,

      BDAB

      1 Reply Last reply Reply Quote 0
      • F
        firewalluser
        last edited by

        A suggestion.

        After making some changes, have you saved the configuration and rebooted the pfsense machines, even though I know its not supposed to be needed?

        If you have rebooted the pfsense machines do you see any of the instability issues you speak about or do they only show up when you start making some configuration changes?

        From time to time, traffic that should match an existing rule stops being approved, and gets logged by the cleanup rule. After a few minutes, it gets approved back again and things come back to normal.

        I have seen similar https://forum.pfsense.org/index.php?topic=88962.msg493221#msg493221

        As I'm also using multiple nics instead of vlan, thats how I also know some aliases work on some interfaces and some dont as some computers have virtually identical rules & orders.

        Might also be relevant.
        https://redmine.pfsense.org/issues/4296

        If aliases exist that have both FQDN entries and IP address or network entries, and the same FQDN entries are in multiple aliases, the alias is eventually cut down to only the resolved FQDN entries and the static entries are lost.

        It is OK immediately after a filter reload, but eventually only the FQDN resolved entries remain.

        A fix is slated for v2.2.3.

        Capitalism, currently The World's best Entertainment Control System and YOU cant buy it! But you can buy this, or some of this or some of these

        Asch Conformity, mainly the blind leading the blind.

        1 Reply Last reply Reply Quote 0
        • B
          bdab
          last edited by

          Thanks for your feedback firewalluser!

          We have not tried to reboot the machines after changes, mostly due to the fact that we were setting up the ruleset and introduced some 20+ ruleset changes a day, so it was a little impractical :)

          Good to know that it's been scheduled for next release though.

          I'll try to reboot after new changes and post the result.

          Cheers,
          BDAB

          1 Reply Last reply Reply Quote 0
          • B
            bdab
            last edited by

            Just as an update, we were unable to further reproduce the errors. Most probably due to the fact that we have reached our steady -sort of-  set of rules. But we suspect  the process filterdns is messing things up somehow when hierarchical aliases are used.

            We hope this will be addressed in future releases as PfSense is a great product.

            BDAB

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.