pfSense randomly drops internet


#1

Hi all! I’m really new to pfSense and I’ve run into a bit of a problem. I’m running pfSense as a VM within proxmox. I set up everything last night and made the switch. Everything was working great… And then it wasn’t. Internet dropped but I had no problem with my internal Network. The dashboard was veeeeery slow to load, but when it did it still showed that it was receiving a WAN IP address. When I reboot the VM, it would show that it is not receiving a WAN IP address. If I reboot the cable modem, it will get a WAN IP address and will connect to the internet. Also, the dashboard will load much faster. Its done it three times now and I can’t figure out what seems to be causing this. I have no rules or extra servives…yet.

Thanks in advance for the help.


#2

Hi,

I will do my best to help as i have been using psense for a while now, small disclaimer mine is running on bare-metal so you may be running into quirks of running it in a vm.

That said i have also noticed that the front end on pfsense becomes lethargic when a DHCP interface is down, i think it has something to do with the fact that everything running pfsense is going on php for the most part so when its trying to bring up the interface again the webui takes a backseat.

as for the random droping of the internet since this in a vm and if you have not passed thru a pci-e nic for it to use you may need to go in and disable the hardware offloading


#3

I saw the tip about disabling hardware offloading when I initially set it up. The webGUI was fast before and after disabling it. I don’t believe I passed it through, just assigned the network interfaces per Netgates own documentation.
https://www.netgate.com/docs/pfsense/virtualization/virtualizing-pfsense-with-proxmox.html

I feel like it’s some kind of DHCP issue as it only happens after about 4-5 hours and will resolve after resetting the cable modem.


#4

I also had my pfSense firewall running in a XCP-ng VM for a time and experienced the same problem. My connection would intermittently disconnect, and then reconnect after a 1-5 mins.

I came to realize my problem was Suricata. Something about the way it analyzes packets didn’t agree with the VM setup. I ran into a number of other VM related problems, plus I read a few forum posts about the extra risk associated with running an edge router in a VM, so I ended up returning to a dedicated hardware firewall.


#5

Mine won’t resolve itself. It’s very odd. It’ll take a while to load the login screen. Whenever I log in it will take forever to load the dashboard. Once in the dashboard I can see it’s getting the correct WAN IP address. If I navigate to other tabs its quick but if I go back to the dashboard it takes a few minutes to load. I’m not running any packages or anything right now. It’s just the DHCP server. My modem is a SB8200 that will hand out DHCP addresses if a device is plugged in so I’m wondering if it’s causing issues. I’m not sure how to resolve it. I have an ER-X that I have configured to use until I can figure out what’s breaking it in pfSense. It’s annoying to troubleshoot though because I don’t know if I’ve fixed the issue until hours later (when I’m asleep or at work and can’t do anything about it.)

I like the idea of virtualization. I thought it would save more headaches in the long run but I may need to go baremetal. Feels like it will be a waste of the i7 and 16GB of RAM though…


#6

Oh that reminds me, one of the other issues I alluded to was whenever I would load the dashboard, it would crash pfSense. I would have to quickly click to another page every time I logged into the web interface to avoid loading the dash. Since the dashboard would cause a crash after loading certain widgets, I didn’t have time to remove the widgets through the UI. I ended up removing any widgets that showed hardware stats (like the System Information widget, the SMART Status, and Thermal Sensor widgets) manually from an exported XML config file, then reloaded the modified version.


#7

It doesn’t sound like your crashing though. Have you gotten pfSense working in a baremetal config prior to putting it in a VM? If your modem isn’t in bridge mode you may be complicating matters by double NATing

Edit: Also, you can verify if DHCP is what’s failing by connecting a device after you start experiencing this problem and see if it still gets assigned a local IP address. If it does, then DHCP is working normally and the problem may instead be regarding the DNS resolver or your firewall / NAT settings. What does your network setup look like? Meaning does your modem go directly to your VM server, and then directly to other devices, is there a switch in the mix, etc.


#8

If it’s working fine (after a modem reboot) then everything loads just fine.

I’ve not tried it in a bare metal configuration.

The SB8200 defaults to bridge i believe.

I didn’t think about connecting a new device when having the issue. I’ll give that a shot this evening hopefully. Setup is:

SB8200 Modem> pfsense VM (i350T4 NIC) > US-8-60W Switch


#9

What I would recommend is to take the switch out of the equation to reduce the complexity. Connect the PC you’re testing with directly to the pfSense box. Make sure your default gateway is set (System->Routing). And disable any extraneous settings in pfSense (like DNS over TLS, IPv6, VLANs, unused interfaces, static routes, plugins, and LAN firewall rules other than ‘allow LAN -> Any’) That will help distill troubleshooting down to core functionality.

If it still fails, try connecting another device to test is DHCP is correctly assigning new addresses.

If it does work: The problem is elsewhere, DNS and Firewall / NAT are the usual suspects
If it doesn’t work: Go through all your DHCP settings, interface and pool IP assignments, looking for errors. Try assigning a static IP to your testing PC.

I mention this last cause I know it’s a pain, but if nothing else is working you should try installing pfSense baremetal to see if the problem persists. If it does, there may be a hardware or upstream issue.


#10

Hi. If you are using Proxmox, i highly recommend watching the YouTube channel learnlinux.tv He is the best resource i have found on using Proxmox. I also run PfSense in Bare-Metal. My guess is that you are having problems in the Virtualization department.
Please check learnlinux.tv i am sure it will be helpful!
Good Luck.


#11

I’m curious, why do you use Proxmox instead of KVM @pedracho ?


#12

No my friend. My production machine is XCP-NG. But, i have a test box with Proxmox to learn, and i watch learnlinux.tv to get better in proxmox, and make up my mind as to witch is better.
So far, i like XCP-NG better, if you have not tried it, i highly recommend it.


#13

I also use XCP-ng. I wish there was a better admin dashboard for Linux though. Eventually I plan to build XOA from source since the free pre-compiled version is pretty much just a demo. But for testing purposes I use KVM on my desktop. I was just wondering if there was a specific reason you choose Proxmox over KVM for a type 2 hypervisor.


#14

No particular reason. Just that i stumbled upon LearnLinux.tv on YouTube and I said…“Lets give it a shot” hehehe.
On my XCP-NG Server i got Xen Orchestra. For sure its much better. If you need to compile it from Source, do check this great video Tom did a while back.
There he shows what script he used to compile from source and he forked it also.
Do check it out. It really helped me.


#15

I’ve actually watched all of his videos regarding Proxmox! I feel like there is some configuration that I’m missing. I’m currently waiting for it to fail again so I can troubleshoot the issue.


#16

Thanks for your help. I’ll follow your steps and see if I can get it to work. DNS is always a headache to figure out.

My only gripe with bare-metal is that I’d be wasting resources of the machine I currently have. I am getting ready to migrate to new server to be my main VM host. Just waiting on a few more potential freebies from work…

On the other hand…I’d really like to buy a bunch of stuff and have a sweet miniature lab. Free > $$$ though.


#17

Yea the waste of resources is a little sad, but since it sits on the edge of my network i like keeping the virtual layer away from the edge, eliminating any possibility of a vm escape or any other exploit should a weakness be found in the hypervisor.


#18

I reverted to bare metal setup for the same reason. I didn’t see any known vulnerabilities, but the possibility of it made me nervous. Plus I had an old Dell SC1525 1U server that wasn’t good for much else. But if I was in your situation @Fortress it would be worth the trouble to avoid wasting the resources. Unless you’re a target and have reason to fear baddies actively working to break your network security, you should be fine using a virtualized edge router. Whatever type of hypervisor you go with, you should keep an eye out for any security vulnerabilities that are announced.

BTW, have you looked into type 1 hypervisors like XCP-ng or ESXi? The guest OS’es are a bit more secure since they don’t share a host OS.


#19

Good thinking. Did not think about that.


#20

Well I was unable to troubleshoot it yesterday. I did leave the VM up but not connected just to hopefully determine if it was an issue with the install. I reset the modem, plugged into the NIC and plugged my PC directly into the LAN NIC. I received a DHCP address and everything appears to be working fine. I plugged in the rest of my network and it appears to be working fine as well. Hopefully this will be the end of it.