I have no idea what is going on and I suspect foul play

  • I am utterly lost. I work at a veterinary clinic and I am the only one who does all the IT things. I have no one senior to turn to and need help. I installed a pfSense box a few weeks ago, three I think. Everything has been running great; except for one exception I had to add to the firewall rules for our in-house lab, not a single problem has reared its ugly head.

    Until now, all of a sudden, halfway through the day around 12:00, something went wrong. I am not sure exactly what.

    Local network activities remain unaffected. The practice management server is still allowing clients to connect to it and serve up medical records and scheduling content. None of the computers that are hardwired will connect out to the internet. pfSense sees my upstream gateway (a Comcast router) and has gotten an IP address from it. The Comcast box sees pfSense as well. I have no idea why nothing can communicate except for LAN.

    I checked the log in the Comcast router and it says there were DoS attacks today and over the weekend. This is why I am thinking it was foul play.

    Honestly I am really lost. I have no idea why my perfectly functional pfSense box would stop all outbound traffic. I have no idea how to tell if it really was DoS attacks. I really need some help; I am way over my head in terms of experience.

    Please let me know what to screenshot and share in order to get the correct information for you.
    If this thread is in the wrong section please move it.

    Thank you so much for reading and replying.

  • If you have the Cisco DPC3939B Comcast CPE device, it craps out when there is any sort of a SYN/ACK flood.  I was testing on my home business connection with a now banned forum member.  Regardless of the type or volume of the attack, the Cisco modem would completely die.

    If you are around the Atlanta, GA area PM me and I can help.
    Edit: Heck, even if you're not, I can still help.

  • Give us a sketch-up of your network.
    Are your PCs on static IP addresses or assigned by DHCP? Who does that?

  • I mocked up a short and sweet version in Paint. Crazy thing is Smart Service, which connects the lab machines (green) to the company that calibrates them, is a constant connection. It seems to be still functioning. There are other things connected to the network, such as cameras. Everything is DHCP except the practice management machine and the digital x-ray machine. Those machines only have assigned IPs locally. No statics from Comcast.

    ![willard vet net layout simple.png](/public/imported_attachments/1/willard vet net layout simple.png)

  • I have installed Comcast's service in several customer locations, as well as at my home office.  I am 99.9% sure that the issue is not with your pfSense box, but with the craptastic CPE Comcast installs for their coax customers.  Any sort of a SYN flood or capacity attack of any type, and the Comcast router goes down.  You have to power cycle it to get it to come back.

    Did you see anything in the pfSense firewall logging showing massive numbers of dropped packets? 
    I highly doubt any of the attack traffic hit your firewall at all.  The Cisco device took one on the chin and went down for the count.
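A quick way to answer the "massive numbers of dropped packets" question above is to tally blocked inbound packets per source from the firewall log. This is an added example, not code from the thread or from pfSense; it assumes the pfSense 2.2+ filterlog CSV layout (field 7 action, 8 direction, 9 IP version, 19 source IP for IPv4) and uses constructed sample lines rather than real log data. How you export the raw log to stdin depends on your pfSense version.

```shell
#!/bin/sh
# Added example (not from the thread): count blocked inbound IPv4 packets per
# source in pfSense filterlog output. Field positions are an assumption based
# on the pfSense 2.2+ filterlog format:
#   after "filterlog: " -> 7 = action, 8 = direction, 9 = ip version,
#   17 = protocol name, 19 = source address, 20 = destination address.

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG='Oct  5 12:01:03 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,52,0,0,DF,6,tcp,60,198.51.100.7,203.0.113.20,51234,443,0,S,1,,65535,,mss
Oct  5 12:01:03 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,52,0,0,DF,6,tcp,60,198.51.100.7,203.0.113.20,51235,443,0,S,2,,65535,,mss
Oct  5 12:01:04 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.9,203.0.113.20,40000,22,0,S,3,,65535,,mss
Oct  5 12:01:04 pfSense filterlog: 7,,,1000000105,em1,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.50,203.0.113.2,50001,443,0,S,4,,65535,,mss
Oct  5 12:01:05 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,52,0,0,DF,6,tcp,60,198.51.100.7,203.0.113.20,51236,443,0,S,5,,65535,,mss'

# Print "count source_ip" for every source with blocked inbound IPv4 packets,
# busiest first. Reads raw log text on stdin.
count_blocked_sources() {
    sed -n 's/.*filterlog: //p' |
    awk -F, '$7 == "block" && $8 == "in" && $9 == "4" { n[$19]++ }
             END { for (ip in n) print n[ip], ip }' |
    sort -rn
}

# Print only sources whose blocked-packet count exceeds THRESHOLD; a handful
# of busy sources here, with the WAN still reachable, points at the firewall
# actually seeing the traffic rather than the upstream CPE dying first.
# usage: flood_sources THRESHOLD < logfile
flood_sources() {
    count_blocked_sources | awk -v t="$1" '$1 > t { print $2 }'
}

# Demo run on the constructed sample: 198.51.100.7 shows 3 blocks, .9 shows 1.
printf '%s\n' "$SAMPLE_LOG" | count_blocked_sources
```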

  • I don't know how you are set up; take a look on the dashboard to be sure that /var is not full.

    There are some configurations where you can wind up not able to write anything new to /var once it fills up, and in that case, DHCP addressing becomes troublesome.

    The symptoms I had once in this situation sound similar to what you're describing: local network was fine, especially for statically addressed equipment. Internet not so fine. In my case I spotted the logs in the DHCP service and cleaned up /var, but might well have also had errors accumulating in the DNS service and in system tables.

    If you're out of room on /var, restarting the pfSense box may clear the problem, unless you've made some decisions to keep logs around for a bit on the box itself, in which case you might need to clean up logs yourself.

    What I'd done was to get curious about Suricata, log too much, increase storage available to Suricata, and then assume the problem was taken care of. Which it was, for a few weeks.

  • OK thanks all I will try all of these things tomorrow. I will report back with findings.

  • Have you power cycled your Comcast router as per flambe's advice?

  • I just wanted to let everyone know I just reset everything back to factory defaults. Seems to be working. I was hoping to find out what the actual problem was. Thanks for the advice.
