Netgate Discussion Forum

    WAN goes down after disabling Snort

      Piccirello

      I'm currently running pfSense 2.2.6-RELEASE (amd64) with snort 3.2.8.1 installed. After either stopping the snort service or disabling the snort interface, my WAN immediately goes down. DHCP and other services on the LAN continue to work as expected. Below are relevant log entries:

      From System->Gateways after stopping snort:
      apinger: ALARM: WAN_DHCP(MYIPADDRESS) *** down ***

      System->General:
      Apr 14 05:12:14 SnortStartup[2971]: Snort STOP for WAN(8282_re0)…
      Apr 14 05:12:15 snort[48795]: *** Caught Term-Signal
      Apr 14 05:12:15 kernel: re0: promiscuous mode disabled
      Apr 14 05:12:34 check_reload_status: updating dyndns WAN_DHCP
      Apr 14 05:12:34 check_reload_status: Restarting ipsec tunnels
      Apr 14 05:12:34 check_reload_status: Restarting OpenVPN tunnels/interfaces
      Apr 14 05:12:34 check_reload_status: Reloading filter

      WAN connectivity is restored as soon as the snort service is started/enabled. The following entry is logged in System->Gateways:
      apinger: alarm canceled: WAN_DHCP(MYIPADDRESS) *** down ***

      I'm unable to update to pfSense 2.3 or even update the snort package because of this. Doing so causes pfSense to lose WAN connectivity, and the only solution at that point is to restore a full backup (restoring config.xml doesn't restore connectivity). Does anyone have any idea why my system is so dependent on snort?

        bmeeks

        Something about your Snort package version number is wrong.  There is no 3.2.8.1 package.  There is a 3.2.9.1 package, though.

        I can't imagine any scenario where stopping Snort would kill your WAN.  Why don't you remove the Snort package, reboot your firewall, then do the update to pfSense 2.3.  When 2.3 is running well, then reinstall the Snort package.  It will remember your settings so long as the "save settings on uninstall" checkbox is checked on the GLOBAL SETTINGS tab (it is near the bottom of that tab).

        Bill

          Piccirello

          After removing the package the WAN immediately goes down, leaving me unable to update to 2.3. Rebooting pfSense does not resolve the issue; neither does reassigning the WAN and LAN interfaces. I tried resetting to factory defaults, but after doing so my WAN remained down. After restoring a config file with all traces of "snort" removed, the WAN still remained down. It only came back up after restoring a full backup (with rc.restore_full_backup) made prior to any of these changes.

          At this point it really seems like my only option is to install 2.3 on a wiped drive. I won't be able to reinstall until next weekend, so if anyone has any tips/recommendations please let me know.

            bmeeks

            Once you remove the Snort package, it can't mess with your WAN.  I think something else is going on instead.  This would be especially so if, even with Snort completely removed, you lose your WAN.

            Bill

              Piccirello

              I absolutely see what you're saying, but I can't for the life of me figure out what's going on. After testing a clean install of 2.3 my WAN remains down. The only setup that I can get working is a full restore of 2.2.6 (with rc.restore_full_backup) that includes the 3.2.8.1 snort package; even restoring a config.xml from this same setup onto a clean 2.2.6 install doesn't bring the WAN up. I've tested config.xml files both with and without packages to no avail.

              While I don't have much evidence to back this up, I suspect this might have something to do with my FIOS service. When setting up pfSense to work with FIOS I remember having to jump through multiple hoops, though now of course I can't remember what they were. I might have a look around to see if I can find the original guide I used.

                bmeeks

                You just may have a NIC driver issue coming from the newer FreeBSD 10.3 kernel in pfSense 2.3.  There were some odd edge cases reported during the BETA testing of 2.3 where hardware that was fine on 2.2.6 would not see the NIC or the NIC/interface would crash in 2.3.  Search the old 2.3 BETA threads posted in the archives section of the forum.  Might be something in there to help.  One thing I remember is having to set some mbuf values for certain NIC drivers on the newer FreeBSD kernel.

                Bill

                  Piccirello

                  Following your suggestion, I replaced my NIC with an Intel PRO/1000 MT. I then used the manual firmware upgrade process to update to the 2.3.1 Update image (downloaded from the pfSense site). I'm not sure if it's the new NIC or the manual update that did it (most likely the new NIC), but pfSense 2.3.1 is now running stable on my hardware. Thanks for all your help Bill.
