next »

[soteriologist]

PLEASE HELP!!!  I'm about to go bald from this crap.   

This is the second time this same exact thing has happened to me and it is outrageously frustrating...

As the story goes:  I'm making a bunch of different configuration changes to my Firewall (NAT/Rules) trying to get the right configuration setup to allow for a sort-of complex rule-set when all of a sudden traffic stops flowing out of pfSense.  I can't see a reason why.

I enable logging for the default "allow LAN to any rule" so I can see what's going in and out of the firewall and if it's blocking anything.
At first it shows states in the state table.  And it shows that the firewall is NOT blocking and allowing me to connect to 4.2.2.3 for dns queries... but nothing else.

Eventually as I go about doing all of the below, states no longer show any longer.  NONE.  Not even me connecting into the firewall itself.  The entire States tab is empty.  Same for the firewall tab.  It won't even show me successfully connecting to 4.2.2.3.

SOOooo I make a back up of my config (just in case I need to do anything drastic).
I plug directly into my WAN devices and get a nice internet connection.
I reboot pfSense... that does nothing.
I reset the states...  that does nothing.
I reload my config... that does nothing.
I power cycle all WAN devices attached to pfSense... that does nothing.
I go about disabling all of my changes... that does nothing.
I disable all installed packages... that does nothing.

Then I start with the drastic...
I remove all installed packages... that does nothing.
I DELETE all of my changes... that does nothing.
I reset pfSense to factory defaults and reset just the basic connections (IP for the LAN and WAN along with the gateway for the WAN to be associated with)... that does nothing.

I'm able to get into the pfSense perfectly find through the web configurator.  I'm able to SSH in.  I'm able to see the shell through VGA and everything seems to respond good.

The ONLY other weirdness is that after ALL of this and I'm setting every back up again when I change the IP addresses for the interfaces through the VGA console it stops for what seems like an eternity on "Please wait while the changes are saved to WAN...  Reloading filter..."   Keyboard input shows up on the screen, BUT the system doesn't do anything other than display what I'm typing.   so I hit the power button on the front of the server and it'll show pfSense go through the shutdown process, and I'll boot it back up and it'll show my changed IP address (which I can browse to).

It's done this EXACTLY the same twice now.

The only thing I can do to get the system working again is to reinstall pfSense from the CD onto the hard drive and completely override all the files.   

NOT. FUN.

Any idea on where to start on this?  Why this might be happening?  How I can prevent it?
I haven't even had the chance to really use pfSense yet.  First time it happened was after I had it up and running and was using it for about 3 days.  And one night after work hours I was finishing up some configuration on it, it did this to me and I had to completely switch back to my old equipment.  This time it happened while still in the testing stage before I even had a chance to put it back as my primary firewall.  I'm getting a bit burned out on this monster of a project.  It's just plain frustrating.   

I am ussing an brand new SSD in the server.  Do you think that could be causing the problem?  It's corrupting States table or some other file and causing it to be unreadable/writable?   And even though I'm telling pfSense to reset to factory default it's not necessarily re-creating said corrupted table or file?

[wallabybob]

I'm making a bunch of different configuration changes to my Firewall (NAT/Rules) trying to get the right configuration setup to allow for a sort-of complex rule-set when all of a sudden traffic stops flowing out of pfSense.  I can't see a reason why.

What traffic stops flowing? (Apparently you still have contact with the web GUI.) What reasons did you look for? Did you check interface status?

I enable logging for the default "allow LAN to any rule" so I can see what's going in and out of the firewall and if it's blocking anything.
At first it shows states in the state table.  And it shows that the firewall is NOT blocking and allowing me to connect to 4.2.2.3 for dns queries... but nothing else.

What other traffic did you try and what was reported?

Eventually as I go about doing all of the below, states no longer show any longer.  NONE.  Not even me connecting into the firewall itself.  The entire States tab is empty.  Same for the firewall tab.  It won't even show me successfully connecting to 4.2.2.3.

Does the browser show signs of stalling before completing the States display?

SOOooo I make a back up of my config (just in case I need to do anything drastic).
I plug directly into my WAN devices and get a nice internet connection.
I reboot pfSense... that does nothing.
I reset the states...  that does nothing.
I reload my config... that does nothing.
I power cycle all WAN devices attached to pfSense... that does nothing.
I go about disabling all of my changes... that does nothing.
I disable all installed packages... that does nothing.

You are getting browser response so the box is at least doing that - that is the box is not doing nothing! So I suspect "does nothing" means there is something you are expecting it to do but it is not clear to me what the box is expected to do but isn't doing.

Then I start with the drastic...
I remove all installed packages... that does nothing.
I DELETE all of my changes... that does nothing.
I reset pfSense to factory defaults and reset just the basic connections (IP for the LAN and WAN along with the gateway for the WAN to be associated with)... that does nothing.

I'm able to get into the pfSense perfectly find through the web configurator.  I'm able to SSH in.  I'm able to see the shell through VGA and everything seems to respond good.

Again, please elaborate on "does nothing".

The ONLY other weirdness is that after ALL of this and I'm setting every back up again when I change the IP addresses for the interfaces through the VGA console it stops for what seems like an eternity on "Please wait while the changes are saved to WAN...  Reloading filter..."   Keyboard input shows up on the screen, BUT the system doesn't do anything other than display what I'm typing.   

Please type Ctrl-T (hold down the  Ctrl key, press the "T" key, release the Ctrl key) on the console a few times at (say) 10 seconds apart and report what is displayed.

so I hit the power button on the front of the server and it'll show pfSense go through the shutdown process, and I'll boot it back up and it'll show my changed IP address (which I can browse to).

It's done this EXACTLY the same twice now.

The only thing I can do to get the system working again is to reinstall pfSense from the CD onto the hard drive and completely override all the files.   

That sort of shutdown risks file corruption.

Any idea on where to start on this? 

Provide answers to the above questions.

Why this might be happening?  How I can prevent it?

I don't have enough evidence to answer these.

I am ussing an brand new SSD in the server.  Do you think that could be causing the problem? 

No evidence yet for that.

It's corrupting States table or some other file and causing it to be unreadable/writable?   

As best I know state tables are kept in RAM allocated to the kernel.

And even though I'm telling pfSense to reset to factory default it's not necessarily re-creating said corrupted table or file?

At best, reset to factory default restores the initial configuration parameters (firewall rules, IP address, password etc). It does not recover corrupt system or package files.

[stephenw10]

Perhaps the novel is overheating your cpu? 

But seriously...
The fact that:

I remove all installed packages... that does nothing.
I DELETE all of my changes... that does nothing.
I reset pfSense to factory defaults and reset just the basic connections (IP for the LAN and WAN along with the gateway for the WAN to be associated with)... that does nothing.

By 'nothing' I'm assuming you mean no internet access from LAN side clients but please elaborate on that.

This implies to me that something has altered the underlying FreeBSD config in a way that isn't controlled by pfSense. When you reset to factory defaults you are replacing the config.xml file with the default one but not resetting the entire OS or replacing binaries as you do when you re-install.
This is likely to be caused by a package. What packages do are you using?

Steve

[soteriologist]

Interfaces all show that their connections are up.

I can connect fine from the LAN side to the web gui, and through SSH.  But all traffic on the WAN side won't leave.  There are no states of any sort showing.  There's no active connections.

When I check the states and firewall the browser has fully loaded the page whenever I look at it.

By does nothing, I mean ALL of the following:
There are not states listed AT ALL.
There is no firewall traffic listed AT ALL.
I'm able to get into the box... BUT no traffic is leaving it.

[soteriologist]

As for what traffic was tried through the box,
icmp 8
tcp 53
tcp 80
tcp 443
tcp 25
tcp 143
and a bunch of voip traffic in the 6K block of ports.

[soteriologist]

The package I'm using is:
pfSense-2.0.1-RELEASE-amd64.iso

that I have burned to a CD and am installing from an internal DVD drive onto my 64GB SSD that's in the machine.

As for resetting, I'm doing so by clicking on the reset to factory defaults options inside the WebGui.  So it's resetting with what options it has in place using that built in function.

[soteriologist]

I can't remember ALL of the packages that I had installed the first time this happened but some of them were:
pfBlocker
file manager
squid
squidguard
and maybe one or two more (all reporting ones)

This last time around I had just the following:
file manager
squid
squidguard
and I tried out the widescreen theme.

[stephenw10]

Well none of those packages look like obvious suspects, never the less I would try without any packages to rule that out. 

Steve

[soteriologist]

I've already uninstalled all the packages.

The current state I'm in is:
No packages installed.
Reset to factory defaults.
Only the most basic settings have been applied in order to get an internet connection up on it.

And yet I still see no traffic.  

It's as I were creating a super-massive star when all of a sudden it imploded into a supernova and warped into a blackhole.  
I want my super-massive pfSense star back.

[soteriologist]

The only thing left for me to do is re-install and start from scratch... AGAIN.

But before I do that, I figured I'd post on here to see if someone had a suggestion to diagnose this shit and hopefully stop others from running into the same problem  AND hopefully prevent me from running through it all over again a third time.

I figured if there truly is a horribad bug somewhere in the code, someone would want to know about it and get it fixed.

[soteriologist]

ok,  so I turned on accessing the web configurator from the wan side.  One of my internet connections is DSL which uses a wired/wireless router/modem combo.  So I've plugged my laptop into one of the other wired ports on the little DSL router and can access my pfSense box through the WAN port there.  So at least SOME traffic is flowing through that connection.    But it's not showing up in the states/firewall logs.

Still no pings, webpages, email, etc are going through it though.   
Can't get a connection to the internet through the pfSense.   

[wallabybob]

The only thing left for me to do is re-install and start from scratch... AGAIN.

There are still a number of alternatives, including plugging your laptop into the DSL router and attempting to access the pfSense WAN port.

One of my internet connections is DSL

What are the others?

So I've plugged my laptop into one of the other wired ports on the little DSL router and can access my pfSense box through the WAN port there. 

Can you also access the management interface on the DSL router? What does it tell you about the WAN interface of the DSL router?

What is the interface type of your pfSense WAN interface? (Static? DHCP? PPP?)

Please post the output of of the pfSense shell command

Code:

# netstat -rn -f inet;  traceroute -n 8.8.8.8

[soteriologist]

Tried pinging with pfSense's web configurator (under Diagnostics >> Ping) to both 4.2.2.2 and google.com (along with a handful of other sites) and get no response.   Tried  pinging the DSL router, and get a response.  Tried pinging my laptop that is also plugged into the same router and get a response form my laptop's ip address.

Still nothing shows in states/firewall logs though?

I'll try that traceroute command.

[soteriologist]

Here are the results:



netstat -rn -f inet ; traceroute -n 8.8.8.8
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
127.0.0.1          link#12            UH          0     3412    lo0
192.168.2.0/24     link#7             U           0    10355    em2
192.168.2.2        link#7             UHS         0        0    lo0
192.168.168.0/24   link#5             U           0      341    em0
192.168.168.1      link#5             UHS         0        0    lo0
traceroute: findsaddr: failed to connect to peer for src addr selection.

[wallabybob]

You don't have a default route hence most of the traffic that would normally go out the WAN interface doesn't go out the WAN interface because there isn't a route saying that is where it should go.

Your pfSense WAN interface type is? (Depending on that I might be able to give you a pfSense shell command to add a default route.) But that won't help if the upstream link from your DSL router is broken. Can you get status of the upstream (to the Internet) link on the DSL router?

What version of pfSense are you running? Please post the version information from the home page of your pfSense box.