[pfSense] pfSense 2.4 Sporadic Routing Issues
Hi List-

I'm having some issues with a pfSense 2.4.2 installed on a VM in Proxmox VE. I've kinda run into a stumper for me, and I'm not really sure where to start looking.

Basically, the router will stop routing traffic at times and requires a restart. The node is still "up," I think, because VPN clients are able to connect (although they can't reach anything) and CARP doesn't fail over to the second router. The Zabbix agent on the node becomes unresponsive along with pings on all interfaces though. I don't think it's an issue with CARP, since CARP fails over correctly in all other instances and once the node is powered off, failover occurs immediately.

This has occurred a number of times, all around 12:50 - 1:15 in the morning local time. Nodes do not run Snort and backups scheduled for that time complete well before the node goes offline. Dates seem random, no rhyme or reason on which days it actually occurs. I've also changed which physical node the router runs on and how the disk is stored, to try and isolate if it's an issue with PVE, but the issue remains.

I have all the logs from the machine, and have local monitoring that records various network / service errors on applications running on the network during the failures, I'm happy to send along whatever would be helpful, I'm just not sure where to start looking :/

--
Thanks,
Andrew Kester
The Storehouse
https://sthse.co

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?
In System/Update/Update Settings I think you can choose a 2.3 branch...?

I haven't had any issues with installing the upgrade, but in two cases after the GUI updated the repository for 2.4 it wouldn't proceed with the upgrade, and I had to connect via SSH and run the update at the console/shell, where it installed fine.

--
Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
Sent: Friday, December 1, 2017 2:08 PM
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?

in-place upgrade from 2.3 to 2.4 looks fragile. is there a way to upgrade system to latest 2.3.* series without reinstalling? online upgrade wants to update 2.4.2..

Eero

1.12.2017 16.27 "Alberto Moreno" wrote:

> The last version from 2.3.x is 2.3.5 u can stick with latter u can test
> 2.4.2 upgrade.
>
> On Sun, Nov 26, 2017 at 4:04 AM, Eero Volotinen wrote:
>
> > just planning to upgrade my sg-8860 from pfsense 2.3 to 2.4. is there any
> > known issues?
> >
> > it's not so complex setup, but running as our hq main firewall. so, some
> > ipsec and openvpn connections are running against it.
Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?
in-place upgrade from 2.3 to 2.4 looks fragile. is there a way to upgrade system to latest 2.3.* series without reinstalling? online upgrade wants to update 2.4.2..

Eero

1.12.2017 16.27 "Alberto Moreno" wrote:

> The last version from 2.3.x is 2.3.5 u can stick with latter u can test
> 2.4.2 upgrade.
>
> On Sun, Nov 26, 2017 at 4:04 AM, Eero Volotinen wrote:
>
> > just planning to upgrade my sg-8860 from pfsense 2.3 to 2.4. is there any
> > known issues?
> >
> > it's not so complex setup, but running as our hq main firewall. so, some
> > ipsec and openvpn connections are running against it.
> >
> > Eero
>
> --
> Living the dream...
Re: [pfSense] Using LAGG interfaces with CARP to allow future router replacements
Thanks for the assist/validation. It is a bit awkward to set up because one can’t put an active NIC into a LAGG so there’s a bit of round robin to get igb0 into a LAGG and assigned to WAN again. But it does work as long as one has a spare interface. I think it’d be difficult if not impossible to configure remotely but we can config a replacement router and take it to the data center.

Once I did it here and could export the config, it was much easier to just edit the to-be-replaced router’s config file and paste in the LAGG section and update the interface names, and it gets set up all at once upon restore.

--
Steve Yates
ITS, Inc.

From: Adam Thompson [mailto:athom...@athompso.net]
Sent: Wednesday, November 29, 2017 3:03 PM
To: Steve Yates
Subject: RE: [pfSense] Using LAGG interfaces with CARP to allow future router replacements

Yeah, in theory that should work. I've never needed to care *that* much about downtime, so haven't tested it.

-Adam

On November 29, 2017 1:42:29 PM CST, Steve Yates wrote:

OK thanks for the observations. Fortunately the 4860 has a bunch of ports but dedicating one to a management port would seem to require 4 in our case, instead of 3.

My thought would be that in the future we could edit a saved config file to change interface names and just restore it to the new hardware, and have it sync states with the LAGGs. Hopefully that’s not going to happen for many years, but…

--
Steve Yates
ITS, Inc.

From: Adam Thompson [mailto:athom...@athompso.net]
Sent: Tuesday, November 28, 2017 5:29 PM
To: pfSense Support and Discussion Mailing List; Steve Yates
Subject: Re: [pfSense] Using LAGG interfaces with CARP to allow future router replacements

Yes, there's downtime to set up LAGs. So this won't help avoid all downtime.

Since the SG-2440 just went EOL, I would expect the SG-4860 will also go EOL soon, perhaps next quarter (Q1’18).

There is a small performance hit. It's not large - certainly not large enough that I ever cared to measure it. Unless you are pinning the CPU regularly, I expect it would be undetectable.

There is a much bigger hit in complexity, since you still can't set up LAGs during initial setup, necessitating a dedicated mgmt interface to avoid certain types of "oops, oh shit" problems.

-Adam

On November 28, 2017 5:08:48 PM CST, Steve Yates wrote:

We had two routers set up using CARP and unfortunately had some issues with them, and currently have a temporary router in place. We will be replacing the temp router with a SG-4860 1U HA however that unfortunately has different interface names, so state sync won't work, and the cutover won't be transparent. I understand from https://doc.pfsense.org/index.php/Redundant_Firewalls_Upgrade_Guide#pfSense_2.2.x_and_pfsync that using LAGGs can work around this.

My question is, is it worth setting up LAGGs just to allow for future proofing to have the state sync working on disparate devices if we ever replace a router down the road? Is there any sort of performance penalty or significant complexity?

Note we have five CARP interfaces, IPv4 and IPv6 for WAN and LAN, and a LAN IPv4 on a second subnet. So as a first run-through on LAGGs, it seems like we would need at least four LAGGs for the WAN and LAN interfaces (we can ignore the secondary LAN for this purpose)? So we would set up four LAGG interfaces using Failover (?) with one interface each, and have WAN and LAN use those?

Avoiding downtime would be really nice, but I don't think we can get around that at this point (for this router replacement) since LAGGs apparently can't be set on an interface that is in use already and thus there would be downtime to set up LAGGs on our temp router anyway.

--
Steve Yates
ITS, Inc.

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?
The last version from 2.3.x is 2.3.5 u can stick with latter u can test 2.4.2 upgrade.

On Sun, Nov 26, 2017 at 4:04 AM, Eero Volotinen wrote:

> just planning to upgrade my sg-8860 from pfsense 2.3 to 2.4. is there any
> known issues?
>
> it's not so complex setup, but running as our hq main firewall. so, some
> ipsec and openvpn connections are running against it.
>
> Eero

--
Living the dream...