[pfSense] pfSense 2.4 Sporadic Routing Issues

2017-12-01 Thread Andrew Kester

Hi List-

I'm having some issues with a pfSense 2.4.2 installed on a VM in Proxmox
VE.  I've kinda run into a stumper for me, and I'm not really sure where
to start looking.

Basically, the router will stop routing traffic at times and requires a
restart.  The node is still "up," I think, because VPN clients are able
to connect (although they can't reach anything) and CARP doesn't fail
over to the second router.  The Zabbix agent on the node becomes
unresponsive along with pings on all interfaces though.

I don't think it's an issue with CARP, since CARP fails over correctly
in all other instances and once the node is powered off, failover occurs
immediately.

This has occurred a number of times, all around 12:50 - 1:15 in the
morning local time.  Nodes do not run Snort and backups scheduled for
that time complete well before the node goes offline.  Dates seem
random, no rhyme or reason on which days it actually occurs.

I've also changed which physical node the router runs on and how the
disk is stored, to try and isolate if it's an issue with PVE, but the
issue remains.

I have all the logs from the machine, and have local monitoring that
records various network / service errors on applications running on the
network during the failures, I'm happy to send along whatever would be
helpful, I'm just not sure where to start looking :/

-- 
Thanks,

Andrew Kester
The Storehouse
https://sthse.co
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?

2017-12-01 Thread Steve Yates
In System/Update/Update Settings I think you can choose a 2.3 branch...?

I haven't had any issues with installing the upgrade, but in two cases after 
the GUI updated the repository for 2.4 it wouldn't proceed with the upgrade, 
and I had to connect via SSH and run the update at the console/shell, where it 
installed fine.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
Sent: Friday, December 1, 2017 2:08 PM
To: pfSense Support and Discussion Mailing List 
Subject: Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?

In-place upgrade from 2.3 to 2.4 looks fragile. Is there a way to upgrade the
system to the latest 2.3.* series without reinstalling? The online upgrade wants to
update to 2.4.2.

Eero

On 1.12.2017 16.27 "Alberto Moreno" wrote:

> The last version from 2.3.x is 2.3.5. You can stick with the latter, or you can test
> the 2.4.2 upgrade.
>
>
> On Sun, Nov 26, 2017 at 4:04 AM, Eero Volotinen 
> wrote:
>
> > just planning to upgrade my sg-8860 from pfsense 2.3 to 2.4. is there any
> > known issues?
> >
> > it's not so complex setup, but running as our hq main firewall. so, some
> > ipsec and openvpn connections are running against it.
> >
> >


Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?

2017-12-01 Thread Eero Volotinen
In-place upgrade from 2.3 to 2.4 looks fragile. Is there a way to upgrade the
system to the latest 2.3.* series without reinstalling? The online upgrade wants to
update to 2.4.2.

Eero

On 1.12.2017 16.27 "Alberto Moreno" wrote:

> The last version from 2.3.x is 2.3.5. You can stick with the latter, or you can test
> the 2.4.2 upgrade.
>
>
> On Sun, Nov 26, 2017 at 4:04 AM, Eero Volotinen 
> wrote:
>
> > just planning to upgrade my sg-8860 from pfsense 2.3 to 2.4. is there any
> > known issues?
> >
> > it's not so complex setup, but running as our hq main firewall. so, some
> > ipsec and openvpn connections are running against it.
> >
> >
> >
> > Eero
> >
>
>
>
> --
> Living the dream...
>


Re: [pfSense] Using LAGG interfaces with CARP to allow future router replacements

2017-12-01 Thread Steve Yates
Thanks for the assist/validation.  It is a bit awkward to set 
up because one can’t put an active NIC into a LAGG so there’s a bit of round 
robin to get igb0 into a LAGG and assigned to WAN again.  But it does work as 
long as one has a spare interface.  I think it’d be difficult if not impossible 
to configure remotely but we can config a replacement router and take it to the 
data center.

Once I did it here and could export the config, it was much 
easier to just edit the to-be-replaced router’s config file and paste in the 
LAGG section and update the interface names, and it gets set up all at once 
upon restore.

--

Steve Yates
ITS, Inc.

From: Adam Thompson [mailto:athom...@athompso.net]
Sent: Wednesday, November 29, 2017 3:03 PM
To: Steve Yates 
Subject: RE: [pfSense] Using LAGG interfaces with CARP to allow future router 
replacements

Yeah, in theory that should work. I've never need to care *that* much about 
downtime, so haven't tested it.
-Adam
On November 29, 2017 1:42:29 PM CST, Steve Yates wrote:
OK thanks for the observations.  Fortunately the 4860 has a bunch of ports but 
dedicating one to a management port would seem to require 4 in our case, 
instead of 3.  My thought would be that in the future we could edit a saved 
config file to change interface names and just restore it to the new hardware, 
and have it sync states with the LAGGs.  Hopefully that’s not going to happen 
for many years, but…


--


Steve Yates
ITS, Inc.


From: Adam Thompson [mailto:athom...@athompso.net]
Sent: Tuesday, November 28, 2017 5:29 PM
To: pfSense Support and Discussion Mailing List; Steve Yates
Subject: Re: [pfSense] Using LAGG interfaces with CARP to allow future router 
replacements


Yes, there's downtime to set up LAGs. So this won't help avoid all downtime.
Since the SG-2440 just went EOL, I would expect the SG-4860 will also go EOL 
soon, perhaps next quarter (Q1’18).
There is a small performance hit. It's not large - certainly not large enough 
that I ever cared to measure it. Unless you are pinning the CPU regularly, I 
expect it would be undetectable.
There is a much bigger hit in complexity, since you still can't set up LAGs 
during initial setup, necessitating a dedicated mgmt interface to avoid certain 
types of "oops, oh shit" problems.
-Adam
On November 28, 2017 5:08:48 PM CST, Steve Yates wrote:

We had two routers set up using CARP and unfortunately had some issues with 
them, and currently have a temporary router in place.  We will be replacing the 
temp router with a SG-4860 1U HA however that unfortunately has different 
interface names, so state sync won't work, and the cutover won't be transparent.

I understand from 
https://doc.pfsense.org/index.php/Redundant_Firewalls_Upgrade_Guide#pfSense_2.2.x_and_pfsync
that using LAGGs can work around this.  My question is, is it worth setting up 
LAGGs just to allow for future proofing to have the state sync working on 
disparate devices if we ever replace a router down the road?  Is there any sort 
of performance penalty or significant complexity?

Note we have five CARP interfaces, IPv4 and IPv6 for WAN and LAN, and a LAN 
IPv4 on a second subnet.  So as a first run-through on LAGGs, it seems like we 
would need at least four LAGGs for the WAN and LAN interfaces (we can ignore 
the secondary LAN for this purpose)?  So we would set up four LAGG interfaces 
using Failover (?) with one interface each, and have WAN and LAN use those?

Avoiding downtime would be really nice, but I don't think we can get around 
that at this point (for this router replacement) since LAGGs apparently can't 
be set on an interface that is in use already and thus there would be downtime 
to set up LAGGs on our temp router anyway.

--

Steve Yates
ITS, Inc.




--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
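Steve's approach of editing the exported config to paste in a LAGG section and update the interface names, as an added illustration that is not pfSense's or any poster's own code: it works on a constructed, simplified config.xml-style fragment (the `<interfaces>/<if>` and `<laggs>/<lagg>/<members>/<laggif>/<proto>` layout is an assumption about the real file), wraps each NIC in a one-member failover LAGG, re-points the assignments, and reports NICs that are both a LAGG member and still directly assigned, the conflict pfSense refuses to create.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a pfSense config.xml fragment; element names are an
# assumption about the real layout, and only what this script touches is included.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>igb0</if><descr>WAN</descr></wan>
    <lan><if>igb1</if><descr>LAN</descr></lan>
  </interfaces>
  <laggs></laggs>
</pfsense>"""

def lagg_members(root):
    """Physical NICs already claimed as a member of any LAGG."""
    members = set()
    for lagg in root.findall("laggs/lagg"):
        members.update(m for m in (lagg.findtext("members") or "").split(",") if m)
    return members

def assigned_lagg_members(config_xml):
    """NICs that are a LAGG member and still directly assigned to an interface:
    the state pfSense refuses to create, hence the spare-port shuffle in the thread."""
    root = ET.fromstring(config_xml)
    members = lagg_members(root)
    return sorted(i.findtext("if") for i in root.find("interfaces")
                  if i.findtext("if") in members)

def wrap_in_failover_laggs(config_xml, physical_to_lagg):
    """Add a one-member failover LAGG per NIC in physical_to_lagg and re-point
    each interface assignment from the NIC to the LAGG. Returns (new_xml,
    {interface tag: laggif}) so the caller can see what was remapped."""
    root = ET.fromstring(config_xml)
    laggs = root.find("laggs")
    if laggs is None:
        laggs = ET.SubElement(root, "laggs")
    used_laggifs = {l.findtext("laggif") for l in laggs.findall("lagg")}
    used_members = lagg_members(root)
    changed = {}
    for phys, laggif in physical_to_lagg.items():
        if laggif in used_laggifs or phys in used_members:
            raise ValueError(f"{laggif} or {phys} is already part of a LAGG")
        lagg = ET.SubElement(laggs, "lagg")
        ET.SubElement(lagg, "members").text = phys
        ET.SubElement(lagg, "laggif").text = laggif
        ET.SubElement(lagg, "proto").text = "failover"
        for iface in root.find("interfaces"):  # wan, lan, opt1, ...
            if iface.findtext("if") == phys:
                iface.find("if").text = laggif
                changed[iface.tag] = laggif
    return ET.tostring(root, encoding="unicode"), changed
```

Because every assignment now names laggN rather than the physical NIC, the same config restores onto replacement hardware with different NIC names by changing only the `<members>` values, which is what keeps pfsync state names matching across the pair.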

Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?

2017-12-01 Thread Alberto Moreno
The last version from 2.3.x is 2.3.5. You can stick with the latter, or you can test
the 2.4.2 upgrade.


On Sun, Nov 26, 2017 at 4:04 AM, Eero Volotinen 
wrote:

> just planning to upgrade my sg-8860 from pfsense 2.3 to 2.4. is there any
> known issues?
>
> it's not so complex setup, but running as our hq main firewall. so, some
> ipsec and openvpn connections are running against it.
>
>
>
> Eero
>



-- 
Living the dream...