Topics - mwp821

1
General Questions / System crash on gateway alarm?
« on: January 19, 2018, 12:28:25 am »
Hi folks,

My pfSense system (RCC-VE 2440) has gone offline three times in as many days. It's unpingable on the LAN interface, no services are reachable, and the serial console is blank and unresponsive. I have to power-cycle it to get it back online and everything is fine after that (until the next crash). Here are the last few lines in the system log before the reboot:

Jan 18 23:58:43 cerberus rc.gateway_alarm[71831]: >>> Gateway alarm: WAN_DHCP6 (Addr:REDACTED Alarm:1 RTT:12894ms RTTsd:3415ms Loss:21%)
Jan 18 23:58:43 cerberus check_reload_status: updating dyndns WAN_DHCP6
Jan 18 23:58:43 cerberus check_reload_status: Restarting ipsec tunnels
Jan 18 23:58:43 cerberus check_reload_status: Restarting OpenVPN tunnels/interfaces
Jan 18 23:58:43 cerberus check_reload_status: Reloading filter
Jan 18 23:58:44 cerberus rc.gateway_alarm[72628]: >>> Gateway alarm: WAN_DHCP (Addr:REDACTED Alarm:1 RTT:10710ms RTTsd:3043ms Loss:22%)
Jan 18 23:58:44 cerberus check_reload_status: updating dyndns WAN_DHCP
Jan 18 23:58:44 cerberus check_reload_status: Restarting ipsec tunnels
Jan 18 23:58:44 cerberus check_reload_status: Restarting OpenVPN tunnels/interfaces
Jan 18 23:58:44 cerberus check_reload_status: Reloading filter


I expect the WAN interface to go offline if there's a connectivity issue, but certainly not the whole system. And the internet connection seems to be fine after a power-cycle, so I'm not convinced there isn't something else going on here.

igb0 is connected to a SB6120 (Comcast). igb1 and igb2 are LAGGed (LACP) to a UniFi managed switch. 2.4.2-RELEASE-p1. Any suggestions?

EDIT: I may need to undo what I did here, or perhaps I need to set the net.inet.tcp.tso tunable to 0. I'll try those one at a time to see if one or the other prevents a fourth or fifth crash.

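The log excerpt above shows the pattern worth watching on a pfSense box: each rc.gateway_alarm line carries the RTT, jitter and loss that tripped the monitor, and is immediately followed by a burst of check_reload_status actions (dyndns update, IPsec restart, OpenVPN restart, filter reload). The following parser is an added example, not code from the post or from pfSense; it turns those syslog lines into structured events, flags gateways whose alarm values exceed a threshold, and pairs every alarm with the reload actions logged after it. The sample log is constructed from the post's format with the wrapped lines re-joined, the REDACTED addresses replaced by documentation-range addresses, and one extra "Alarm:0" clear line appended; the RTT and loss thresholds are assumptions, not pfSense defaults.

```python
import re
from dataclasses import dataclass

# One rc.gateway_alarm line from pfSense's gateway monitor. The field layout
# follows the lines quoted in the post; the address values are placeholders.
ALARM_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"rc\.gateway_alarm\[(?P<pid>\d+)\]: >>> Gateway alarm: (?P<gw>\S+) "
    r"\(Addr:(?P<addr>\S+) Alarm:(?P<alarm>\d) "
    r"RTT:(?P<rtt>[\d.]+)ms RTTsd:(?P<rttsd>[\d.]+)ms Loss:(?P<loss>[\d.]+)%\)$"
)
RELOAD_PREFIX = "check_reload_status: "


@dataclass(frozen=True)
class GatewayAlarm:
    timestamp: str
    host: str
    gateway: str
    addr: str
    alarm: bool      # Alarm:1 = gateway marked down/degraded, Alarm:0 = cleared
    rtt_ms: float
    rttsd_ms: float
    loss_pct: float


def parse_gateway_alarms(lines):
    """Return a GatewayAlarm for every rc.gateway_alarm line; other lines are skipped."""
    events = []
    for line in lines:
        m = ALARM_RE.match(line.strip())
        if m is None:
            continue
        events.append(GatewayAlarm(
            timestamp=m["ts"], host=m["host"], gateway=m["gw"], addr=m["addr"],
            alarm=m["alarm"] == "1", rtt_ms=float(m["rtt"]),
            rttsd_ms=float(m["rttsd"]), loss_pct=float(m["loss"]),
        ))
    return events


def degraded_gateways(events, max_rtt_ms=500.0, max_loss_pct=10.0):
    """Names of gateways whose alarm lines exceed the thresholds.
    The thresholds are assumptions for this example, not pfSense defaults."""
    return sorted({
        e.gateway for e in events
        if e.alarm and (e.rtt_ms > max_rtt_ms or e.loss_pct > max_loss_pct)
    })


def reload_actions(lines):
    """Pair each alarm with the check_reload_status actions logged after it,
    up to the next alarm. Returns [(gateway, [action, ...]), ...]."""
    paired = []
    for line in lines:
        line = line.strip()
        m = ALARM_RE.match(line)
        if m is not None:
            paired.append((m["gw"], []))
        elif paired and RELOAD_PREFIX in line:
            paired[-1][1].append(line.split(RELOAD_PREFIX, 1)[1])
    return paired


# Constructed sample modelled on the post's excerpt: wrapped lines re-joined,
# addresses replaced with documentation ranges, one "Alarm:0" clear line added.
SAMPLE_LOG = """\
Jan 18 23:58:43 cerberus rc.gateway_alarm[71831]: >>> Gateway alarm: WAN_DHCP6 (Addr:2001:db8::1 Alarm:1 RTT:12894ms RTTsd:3415ms Loss:21%)
Jan 18 23:58:43 cerberus check_reload_status: updating dyndns WAN_DHCP6
Jan 18 23:58:43 cerberus check_reload_status: Restarting ipsec tunnels
Jan 18 23:58:43 cerberus check_reload_status: Restarting OpenVPN tunnels/interfaces
Jan 18 23:58:43 cerberus check_reload_status: Reloading filter
Jan 18 23:58:44 cerberus rc.gateway_alarm[72628]: >>> Gateway alarm: WAN_DHCP (Addr:203.0.113.1 Alarm:1 RTT:10710ms RTTsd:3043ms Loss:22%)
Jan 18 23:58:44 cerberus check_reload_status: updating dyndns WAN_DHCP
Jan 18 23:58:44 cerberus check_reload_status: Restarting ipsec tunnels
Jan 18 23:58:44 cerberus check_reload_status: Restarting OpenVPN tunnels/interfaces
Jan 18 23:58:44 cerberus check_reload_status: Reloading filter
Jan 18 23:59:30 cerberus rc.gateway_alarm[72901]: >>> Gateway alarm: WAN_DHCP (Addr:203.0.113.1 Alarm:0 RTT:14ms RTTsd:2ms Loss:0%)
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for e in parse_gateway_alarms(lines):
        print(f"{e.timestamp} {e.gateway:<10} alarm={int(e.alarm)} rtt={e.rtt_ms}ms loss={e.loss_pct}%")
    print("degraded:", degraded_gateways(parse_gateway_alarms(lines)))
    for gw, actions in reload_actions(lines):
        print(f"{gw}: {len(actions)} reload action(s) logged after the alarm")
```

Feeding the real /var/log/system.log (or the output of clog on it) through parse_gateway_alarms and reload_actions shows how often the monitor is flapping and how many tunnel restarts and filter reloads each flap triggers, which is the first thing to quantify before blaming the WAN link alone.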
2
Official pfSense Hardware / 2440: Update Intel NIC firmware?
« on: January 16, 2018, 05:11:56 pm »
I recently updated the Intel NIC firmware in another FreeBSD machine so I thought I'd do my 2440 as well. So here I am a few hours later, still trying to figure out how to do it. As far as I can tell, there's no way to boot into an EFI shell to run the BootUtil program, which seems to be the only way to apply the firmware update. Thoughts?

3
General Questions / VLAN_HWTSO?
« on: January 15, 2018, 02:59:04 am »
I've disabled TSO per the network tuning recommendations, but I still see the VLAN_HWTSO option on my physical interfaces in the output of ifconfig. I guess that the "Disable hardware TCP segmentation offload" causes pfSense to do ifconfig -tso on each physical interface, but not ifconfig -vlanhwtso. I suppose I'm wondering why this part of TSO is left enabled and if it makes sense to disable it as well?

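The question above comes down to reading the options=<...> line that ifconfig prints per interface and checking which offload flags are still set. The script below is an added example, not code from the post or from pfSense: it parses ifconfig output into a per-interface set of option flags, reports the offload flags you would expect to be off (TSO4, TSO6, VLAN_HWTSO, LRO), and emits the ifconfig(8) keywords that clear them (-tso clears both TSO4 and TSO6; VLAN_HWTSO has its own -vlanhwtso). The sample output is constructed to mirror the post's situation, with an igb0 where TSO is off but VLAN_HWTSO remains and a lagg0 where nothing has been cleared; the hexadecimal option values in it are placeholders.

```python
import re

IFACE_RE = re.compile(r"^(?P<name>[a-z]+[0-9]+(?:\.[0-9]+)?): flags=")
OPTIONS_RE = re.compile(r"^\s+options=[0-9a-fA-F]+<(?P<opts>[^>]*)>")

# Capability flag -> the ifconfig(8) keyword that clears it. TSO4 and TSO6 are
# both cleared by "-tso"; VLAN_HWTSO needs its own "-vlanhwtso".
CLEAR_KEYWORD = {
    "TSO4": "-tso",
    "TSO6": "-tso",
    "VLAN_HWTSO": "-vlanhwtso",
    "LRO": "-lro",
}


def parse_ifconfig_options(text):
    """Return {interface: set(option flags)} from `ifconfig` output."""
    result = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m["name"]
            result[current] = set()
            continue
        m = OPTIONS_RE.match(line)
        if m and current is not None:
            result[current] = {o for o in m["opts"].split(",") if o}
    return result


def offload_report(text, unwanted=("TSO4", "TSO6", "VLAN_HWTSO", "LRO")):
    """Interfaces that still carry any of the unwanted offload flags, with the flags found."""
    report = {}
    for ifname, opts in parse_ifconfig_options(text).items():
        left = sorted(o for o in opts if o in unwanted)
        if left:
            report[ifname] = left
    return report


def disable_commands(report):
    """ifconfig commands that clear the reported flags, one keyword per command, deduplicated."""
    cmds = []
    for ifname in sorted(report):
        seen = []
        for flag in report[ifname]:
            kw = CLEAR_KEYWORD[flag]
            if kw not in seen:
                seen.append(kw)
                cmds.append(f"ifconfig {ifname} {kw}")
    return cmds


# Constructed sample of `ifconfig` output (option hex values are placeholders).
SAMPLE_IFCONFIG = """\
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4400bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:00:5e:00:53:01
lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4c00bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO>
        laggproto lacp lagghash l2,l3,l4
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
"""

if __name__ == "__main__":
    report = offload_report(SAMPLE_IFCONFIG)
    for ifname, flags in report.items():
        print(f"{ifname}: still enabled -> {', '.join(flags)}")
    for cmd in disable_commands(report):
        print(cmd)
```

On a live system, pipe `ifconfig` into parse_ifconfig_options instead of the sample; the commands it prints change the running interface only, so anything that should survive a reboot still has to go into the pfSense interface settings or a shellcmd.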
4
General Questions / Packet loss on RCC-VE 2440 after move and reflash?
« on: December 25, 2017, 02:43:43 pm »
Hi folks,

I have a RCC-VE 2440 that's been quietly humming along running pfSense for a couple years now. We recently moved and I decided to reflash pfSense and start our new home network fresh. I also applied the CoreBoot upgrade (through packages).

Unfortunately, I started experiencing some packet loss around the same time that essentially renders the internet unusable. Even when I ping the unit from the switch it's attached to (see the attached picture). I'm not sure if something got jostled during the move, or if the CoreBoot upgrade changed something, or what. I've tried two different switches and two different network cables.

Any suggestions? I might try seeing if the problem persists after a factory reset.

Mike

EDIT: I had been running pfSense 2.3 and I flashed 2.4, so that might have something to do with it as well.

5
IPsec / Trouble routing traffic for OS X 10.11 IKEv2 client
« on: November 13, 2015, 10:13:07 am »
Hi everyone,

I followed this guide to a "T" (including setting the local network to 0.0.0.0/0) and configured an OS X 10.11 client. I can connect and everything seems hunky dory but something is amiss with either my routing table or the firewall rules. I can't reach the internet, and connections to intranet hosts seem limited to ports 22 and 80, which leads me to believe that the anti-lockout rule is applying but not the pass-all IPSec rule.

Any suggestions? Thanks in advance. :)

6
The 2.2.5 firmware available at https://firmware.netgate.com/auto-update/ADI/amd64/ is the i386 version. Unfortunately, I found out the hard way:

[2.2.5-RELEASE][mwp@XXXXX]/home/mwp: uname -a
FreeBSD XXXXX 10.1-RELEASE-p24 FreeBSD 10.1-RELEASE-p24 #0 f27a67c(releng/10.1)-dirty: Thu Nov  5 10:59:55 CST 2015     root@factory22-i386-builder.pfmechanics.com:/usr/obj.RELENG_2_2.i386/usr/pfSensesrc/src.RELENG_2_2/sys/pfSense_SMP.10  i386


Taking a look at the sha256 sum:

mwp@YYYYY:~$ curl https://firmware.netgate.com/auto-update/ADI/amd64/latest.tgz | shasum -a 256
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 94.2M  100 94.2M    0     0   9.7M      0  0:00:09  0:00:09 --:--:-- 10.6M
0a3bf70851de81aa8fae3c91e5ec65884505d503847fe952784bace945902c4d  -
mwp@YYYYY:~$ curl https://firmware.netgate.com/auto-update/ADI/amd64/latest.tgz.sha256
SHA256 (netgate-2.2.5-RELEASE-Full-Update-i386.tgz) = 0a3bf70851de81aa8fae3c91e5ec65884505d503847fe952784bace945902c4d


I manually applied a full install from https://firmware.netgate.com/auto-update/full_install/amd64/ and it didn't seem to work, because it didn't auto-reboot and I couldn't run any commands on the command-line. I waited about 30 minutes before forcefully rebooting it, rationalizing that if the firmware upgrade got far enough, there would be a new kernel and userspace binaries and the system would hopefully come back up. Miracle of miracles, it did. I'm reapplying the full install again just to be sure everything is clean and then I'll see what state my config is in. I was able to recover config.xml and all the backups so worst case scenario I can restore to an earlier point in time. Whew!

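The .sha256 file quoted in the post is instructive: the digest matched the download, yet the filename recorded inside the checksum file was the i386 image, and the amd64 URL had delivered an i386 build. A checker that compares only the hash passes that file. The script below is an added example, not code from the post or from Netgate; it parses the BSD-style "SHA256 (file) = hex" line, compares the digest in constant time, and then refuses the image if the architecture named in the checksum file is not the one that was asked for. It also pulls the machine architecture out of a `uname -a` line so the same check can be repeated after the install. The image bytes and their digest are constructed here; the post's real digest is not reused, but its uname line is used as sample input.

```python
import hashlib
import hmac
import re

# One line in the BSD "SHA256 (file) = hex" style, as served in the .sha256 file quoted in the post.
SHA256_LINE_RE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<hex>[0-9a-fA-F]{64})\s*$")
# Architecture token at the end of the image name, e.g. "...-Full-Update-i386.tgz".
ARCH_RE = re.compile(r"-(?P<arch>amd64|i386)\.tgz$")


def parse_bsd_sha256(text):
    """Return (filename, lowercase hex digest) from a BSD-style SHA256 line, or None if malformed."""
    m = SHA256_LINE_RE.match(text.strip())
    if m is None:
        return None
    return m["name"], m["hex"].lower()


def image_arch(name):
    """Architecture the image name claims, or None if it does not say."""
    m = ARCH_RE.search(name)
    return m["arch"] if m else None


def check_download(image_bytes, sha256_text, expected_arch):
    """Return (ok, reason). ok is True only if the digest matches AND the filename
    recorded in the .sha256 file is for expected_arch."""
    parsed = parse_bsd_sha256(sha256_text)
    if parsed is None:
        return False, "unrecognised .sha256 line"
    name, published = parsed
    actual = hashlib.sha256(image_bytes).hexdigest()
    if not hmac.compare_digest(actual, published):
        return False, f"digest mismatch for {name}"
    arch = image_arch(name)
    if arch != expected_arch:
        return False, f"digest matches but checksum file names {name} ({arch}), expected {expected_arch}"
    return True, f"ok: {name}"


def running_arch(uname_a):
    """Machine architecture reported as the last field of `uname -a` on FreeBSD."""
    return uname_a.strip().split()[-1]


# Constructed sample: a placeholder image and its real digest (the post's digest is not reused).
SAMPLE_IMAGE = b"constructed placeholder for a full-update tarball\n"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_IMAGE).hexdigest()
SHA256_WRONG_ARCH = f"SHA256 (netgate-2.2.5-RELEASE-Full-Update-i386.tgz) = {SAMPLE_DIGEST}\n"
SHA256_RIGHT_ARCH = f"SHA256 (netgate-2.2.5-RELEASE-Full-Update-amd64.tgz) = {SAMPLE_DIGEST}\n"
# The uname -a line quoted in the post (hostname already masked there).
UNAME_FROM_POST = (
    "FreeBSD XXXXX 10.1-RELEASE-p24 FreeBSD 10.1-RELEASE-p24 #0 f27a67c(releng/10.1)-dirty: "
    "Thu Nov  5 10:59:55 CST 2015     root@factory22-i386-builder.pfmechanics.com:"
    "/usr/obj.RELENG_2_2.i386/usr/pfSensesrc/src.RELENG_2_2/sys/pfSense_SMP.10  i386"
)

if __name__ == "__main__":
    print(check_download(SAMPLE_IMAGE, SHA256_RIGHT_ARCH, "amd64"))
    print(check_download(SAMPLE_IMAGE, SHA256_WRONG_ARCH, "amd64"))
    print("running arch from post:", running_arch(UNAME_FROM_POST))
```

To use it for real, fetch latest.tgz and latest.tgz.sha256 from the same directory, pass the tarball bytes and the .sha256 text to check_download with the architecture of the box, and do not apply the image unless it returns True. A matching hash only proves the file arrived intact; the filename check is what would have caught the mix-up described above.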
7
IDS/IPS / L2TP/IPsec and Snort CPU utilization
« on: April 13, 2015, 02:09:15 am »
Snort goes off the charts (e.g. 90% CPU utilization) when I've got a throughput-heavy connection going (e.g. watching a YouTube movie at 720p) through a L2TP/IPsec VPN. I'm assuming it's slamming its head against the heavily-encrypted traffic going through the WAN connection on its way out to the client. Is there a safe/sane way to exclude this traffic from Snort monitoring?

UPDATE: I thought maybe Snort's default home net wasn't "smart enough" to include the L2TP IP address range. I created a pass list with that subnet and all the other defaults and set it as my home net. Unfortunately, this doesn't seem to have changed the situation.

8
DHCP and DNS / Static mapping with IP address from pool
« on: August 12, 2014, 11:20:30 am »
Hi everyone,

I'm a recent convert from a custom Debian+dnsmasq solution and absolutely loving pfSense so far. I have one nagging issue that I'd like to resolve more as a learning opportunity than because it's a serious problem. It looks like this forum is quite active with a lot of knowledgeable people so hopefully you can help me understand what's going on!

I have a client "foo" on my network that reports in with a junky, non-user-modifiable DHCP client ID, e.g. foo-oem-123456. I'd like to configure pfSense such that this client takes foo.mynetwork in the local DNS instead of foo-oem-123456.mynetwork. In the past, I would have modified my dnsmasq configuration to either take a --dhcp-host=<mac>,foo option, or I would have added "<mac> foo" to /etc/ethers.

It looks like pfSense has a way to address this as well. I added a static mapping for foo's MAC address with a hostname of "foo" and left the rest of the fields blank (to take the defaults), including the IP address. According to the inline documentation, "If no IPv4 address is given, one will be dynamically allocated from the pool."

Unfortunately, the client is still taking foo-oem-123456.mynetwork in the DNS, and it appears to be ignoring the static mapping. foo.mynetwork is not in the DNS. Here's what I see in my DHCP leases table:

IP address       MAC address   Hostname         Online   Lease Type
192.168.0.102    <mac>         foo-oem-123456   online   active
                 <mac>         foo              online   static

This is what I expect to see:

IP address       MAC address   Hostname         Online   Lease Type
192.168.0.102    <mac>         foo              online   static

I've gone through the rigmarole of restarting services, releasing and renewing the DHCP lease, etc. with no change in the results. I feel like I have a good handle on the DHCP Server and DNS Forwarder options but I can't seem to find the magic combination that makes this work how I'd like. In the meantime, I've given this host a static IP address outside the pool.

Thank you in advance for any suggestions,

Mike
