
Topic: apinger running amok?


Klaws
apinger running amok?
« on: March 24, 2014, 04:40:53 am »
On March 22nd, with the then-current prerelease version, I experienced a significant number of connection losses for HTTP (or maybe HTTPS) downloads.

The system log mentioned:
Code:
Mar 22 20:00:55 php: rc.filter_configure_sync: Adding TFTP nat rules
Mar 22 20:00:53 php: rc.dyndns.update: phpDynDNS (yyyyyyyy): No change in my IP address and/or 25 days has not passed. Not updating dynamic DNS entry.
Mar 22 20:00:53 php: rc.dyndns.update: phpDynDNS (yyyyyyyy): No change in my IP address and/or 25 days has not passed. Not updating dynamic DNS entry.
Mar 22 20:00:53 php: rc.filter_configure_sync: Adding TFTP nat rules
Mar 22 20:00:52 php: rc.dyndns.update: phpDynDNS (xxxxxxxx): No change in my IP address and/or 25 days has not passed. Not updating dynamic DNS entry.
Mar 22 20:00:52 php: rc.dyndns.update: phpDynDNS (xxxxxxxx): No change in my IP address and/or 25 days has not passed. Not updating dynamic DNS entry.
Mar 22 20:00:48 check_reload_status: Reloading filter
Mar 22 20:00:48 check_reload_status: Restarting OpenVPN tunnels/interfaces
Mar 22 20:00:48 check_reload_status: Restarting ipsec tunnels
Mar 22 20:00:48 check_reload_status: updating dyndns WAN
Mar 22 20:00:48 check_reload_status: Reloading filter
Mar 22 20:00:48 check_reload_status: Restarting OpenVPN tunnels/interfaces
Mar 22 20:00:48 check_reload_status: Restarting ipsec tunnels
Mar 22 20:00:48 check_reload_status: updating dyndns WAN
(DNS names replaced by xes and ys to protect the innocent)

The gateway log shows:
Code:
Mar 22 20:00:38 apinger: alarm canceled: WAN(xx.xx.xx.xx) *** WANdown ***
Mar 22 20:00:38 apinger: ALARM: WAN(xx.xx.xx.xx) *** WANdown ***

Both sections repeat many times, correlating with the connection losses of the HTTP/HTTPS downloads. The modem's log showed nothing suspicious.

On the machine doing the HTTP/HTTPS downloads, a BitTorrent client was active. After shutting down this BT client, the log messages did not reappear any more, and the HTTP/HTTPS downloads ran stable again.

On pfSense, I have the traffic shaper (HFSC) configured to give BT traffic low priority (outbound traffic shaping only, the cable speed is 100/5, LAN is GBit). The LAN default rule has qACK/qDefault assigned. TBR size has been set to 65535.

To me it looks like apinger tries to ping the default gateway, the ping does not get through and apinger then kills the firewall states.

What makes the situation a bit "diffuse" is that I have never ever noticed this behavior before. However, I must admit that I don't use BT very often - every few weeks or months or so. So I am not totally sure that this is a new issue which has appeared in the 2.1.1 branch or if it has been present ever since.

doktornotor
Re: apinger running amok?
« Reply #1 on: March 24, 2014, 04:45:03 am »
So, you basically killed your line with BT traffic... how's this an apinger issue?
Do NOT PM for help!

phil.davis
Re: apinger running amok?
« Reply #2 on: March 24, 2014, 05:28:59 am »
If you really saturate your link, then the ping time from pfSense to the monitor IP eventually goes higher than the default parameters. That will cause apinger to declare the link down.
System->Gateways - edit WAN gateway/s, click Advanced and make the ping and packet loss parameters higher. Then do a few parallel downloads again and have a ping going on a client also - see how the ping time goes up, make sure the gateway status on the dashboard shows similar times, adjust those gateway parameters.
I always make mine a lot higher than any reasonable person would like - my organisation has offices in remote places with internet you would only dream of in a nightmare - because I don't want pfSense to failover until it really is desperation.
As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
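The mechanism phil.davis describes, as an added example that is not part of the thread and not pfSense or apinger source code: a small simulation of gateway-monitor alarm logic with hysteresis, run over a constructed series of ping samples in which a link goes from idle to saturated (rising RTT, a few lost probes) and back. The threshold values, the 10-sample averaging window and the "alarm clears only when both latency and loss fall below the low marks" rule are assumptions made for the example; the real numbers for a given box are the ones on its System -> Gateways -> Advanced page. The point it shows is the one in the reply above: with tight thresholds the saturated period trips a WANdown alarm (which in turn triggers the filter reload seen in the first post's system log), while raised thresholds ride through the same samples without declaring the gateway down.

```python
"""Simulated gateway-monitor (apinger-style) alarm evaluation.

Added example, not pfSense/apinger code. Thresholds and window are
assumptions for illustration; take the real values from your own
System -> Gateways -> Advanced settings.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Thresholds:
    latency_low_ms: float = 200.0   # assumed: alarm clears once avg RTT is below this
    latency_high_ms: float = 500.0  # assumed: alarm raised once avg RTT exceeds this
    loss_low_pct: float = 10.0      # assumed: alarm clears once loss is below this
    loss_high_pct: float = 20.0     # assumed: alarm raised once loss exceeds this
    window: int = 10                # assumed: number of probes averaged (1 probe/s)


# One probe per second; None marks a lost probe. Constructed data:
# 10 s idle, 12 s of a saturated upload (RTT climbs, two probes lost),
# then the link drains and RTT returns to idle values.
CONSTRUCTED_SAMPLES: List[Optional[float]] = (
    [15.0] * 10
    + [250.0, 400.0, 650.0, 800.0, None, 950.0, 1100.0, None, 900.0, 700.0, 500.0, 300.0]
    + [40.0, 20.0] + [15.0] * 11
)


def evaluate(samples: List[Optional[float]], th: Thresholds) -> List[Tuple[int, str, float, float]]:
    """Walk the probe series and emit (second, event, avg_rtt_ms, loss_pct).

    event is "ALARM" when the gateway is declared down and "canceled" when
    the alarm clears. Hysteresis: raise on the *high* marks, clear only when
    both latency and loss are under the *low* marks.
    """
    events: List[Tuple[int, str, float, float]] = []
    alarm = False
    for i in range(len(samples)):
        win = samples[max(0, i - th.window + 1): i + 1]
        replies = [s for s in win if s is not None]
        loss = 100.0 * (len(win) - len(replies)) / len(win)
        avg = sum(replies) / len(replies) if replies else float("inf")
        if not alarm and (avg > th.latency_high_ms or loss > th.loss_high_pct):
            alarm = True
            events.append((i, "ALARM", avg, loss))
        elif alarm and avg < th.latency_low_ms and loss < th.loss_low_pct:
            alarm = False
            events.append((i, "canceled", avg, loss))
    return events


def format_events(events: List[Tuple[int, str, float, float]]) -> List[str]:
    """Render events in the style of the gateway log lines quoted in the thread."""
    return [
        f"t={t:02d}s apinger: {'ALARM: WAN *** WANdown ***' if ev == 'ALARM' else 'alarm canceled: WAN *** WANdown ***'}"
        f" (avg {avg:.1f} ms, loss {loss:.0f}%)"
        for t, ev, avg, loss in events
    ]


if __name__ == "__main__":
    print("Default-style thresholds:")
    for line in format_events(evaluate(CONSTRUCTED_SAMPLES, Thresholds())):
        print("  " + line)
    relaxed = Thresholds(latency_low_ms=1000.0, latency_high_ms=2000.0,
                         loss_low_pct=25.0, loss_high_pct=50.0)
    print("Relaxed thresholds:")
    print("  events:", format_events(evaluate(CONSTRUCTED_SAMPLES, relaxed)) or "none")
```

With the tight thresholds the alarm fires in the 18th second, when the averaged RTT passes 500 ms while two probes are already missing, and only clears some ten seconds after the link drains, because the 10-sample average keeps the saturated RTTs in view for a while; the relaxed thresholds produce no events at all for the same trace. The same ride-through can be had on a real box by following the reply above: run a continuous ping from a LAN client while saturating the uplink, compare it with the dashboard gateway RTT, and set the Advanced gateway parameters above the latency and loss the link actually reaches when busy.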

Klaws
Re: apinger running amok?
« Reply #3 on: March 28, 2014, 10:13:10 am »
Sadly, I can confirm misconfiguration. My fault.

I don't know why or when, I don't remember having done this, but my apinger configuration was set up way too sensitive. Definitely not the default options.

Must definitely be my fault. Sorry for that!