Подвисает Pfsense 2.2.1 в составе Proxmox 3.1.2

firewall, freebsd, nat, pfsense, proxmox

0

1

Всем, привет!

Конфигурация системы:

Pfsense 2.2.1-RELEASE (i386) 
built on Fri Mar 13 08:16:53 CDT 2015 
FreeBSD 10.1-RELEASE-p6
Proxmox 3.2-1 1933730b

2 Сетевых интерфейса: WAN и LAN, dhcp-сервер ISP раздаёт IP с привязкой к MAC-адресу WAN.

Конфигурация сет интерфейсов в Proxmox (/etc/network/interfaces):

# network interface settings
auto lo
iface lo inet loopback

iface eth0 inet manual

iface eth1 inet manual

auto vmbr0
iface vmbr0 inet manual
    bridge_ports eth0
    bridge_stp off
    bridge_fd 0

auto vmbr1
iface vmbr1 inet static
    address  192.168.0.7
    netmask  255.255.255.0
    # gateway  192.168.0.1
    bridge_ports eth1
    bridge_stp off
    bridge_fd 0

Конфигурация сет интерфейсов в Pfsense (ifconfig -a):

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
    ether 9e:32:a0:9c:7c:91
    inet6 fe80::9c32:a0ff:fe9c:7c91%em0 prefixlen 64 scopeid 0x1 
    inet 188.113.156.235 netmask 0xffffff00 broadcast 188.113.156.255 
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
em1: flags=88843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,STATICARP> metric 0 mtu 1500
    options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
    ether 0e:0e:5f:44:9c:a1
    inet6 fe80::c0e:5fff:fe44:9ca1%em1 prefixlen 64 scopeid 0x2 
    inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255 
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
pflog0: flags=100<PROMISC> metric 0 mtu 33172
pfsync0: flags=0<> metric 0 mtu 1500
    syncpeer: 224.0.0.240 maxupd: 128 defer: on
    syncok: 1
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    inet 127.0.0.1 netmask 0xff000000 
    inet6 ::1 prefixlen 128 
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5 
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
enc0: flags=0<> metric 0 mtu 1536
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pptpd0: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pptpd1: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pptpd2: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pptpd3: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pptpd4: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pptpd5: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pptpd6: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pptpd7: flags=8890<POINTOPOINT,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1500
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

Время от времени внутренний локальный сетевой интерфейс отваливается без явных ошибок в логах, при всём при это внешний сетевой интерфейс функционирует, как должное. Предполагаю, проблема в настройке правил файерволла либо в настройке сетевых интерфейсов, последние настраивал по ссылке http://forum.proxmox.com/threads/2020-Proxmox-Pfsense-working-setup-solved-2-NIC.

Привожу правила файервола (pfctl -sr):

@0(0) scrub on em0 all fragment reassemble
  [ Evaluations: 21543761  Packets: 11208135  Bytes: 4133611838  States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366888296]
@1(0) scrub on em1 all fragment reassemble
  [ Evaluations: 10347084  Packets: 10302007  Bytes: 5002554367  States: 0     ]
  [ Inserted: pid 8272 State Creations: 3368153344]
@0(0) anchor "relayd/*" all
  [ Evaluations: 164231    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449392]
@1(0) anchor "openvpn/*" all
  [ Evaluations: 164232    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449416]
@2(0) anchor "ipsec/*" all
  [ Evaluations: 164229    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449440]
@3(1000000101) block drop in log quick inet from 169.254.0.0/16 to any label "Block IPv4 link-local"
  [ Evaluations: 451398    Packets: 6         Bytes: 408         States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449464]
@4(1000000102) block drop in log quick inet from any to 169.254.0.0/16 label "Block IPv4 link-local"
  [ Evaluations: 243167    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449488]
@5(1000000103) block drop in log inet all label "Default deny rule IPv4"
  [ Evaluations: 243167    Packets: 534       Bytes: 90920       States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449512]
@6(1000000104) block drop out log inet all label "Default deny rule IPv4"
  [ Evaluations: 451221    Packets: 82        Bytes: 4200        States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449536]
@7(1000000105) block drop in log inet6 all label "Default deny rule IPv6"
  [ Evaluations: 451403    Packets: 179       Bytes: 12888       States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449560]
@8(1000000106) block drop out log inet6 all label "Default deny rule IPv6"
  [ Evaluations: 208194    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449584]
@9(1000000107) pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
  [ Evaluations: 194       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449608]
@10(1000000107) pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
  [ Evaluations: 194       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449632]
@11(1000000107) pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
  [ Evaluations: 194       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449656]
@12(1000000107) pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
  [ Evaluations: 194       Packets: 3         Bytes: 216         States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449680]
@13(1000000108) pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
  [ Evaluations: 179       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449704]
@14(1000000108) pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
  [ Evaluations: 120       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449728]
@15(1000000108) pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
  [ Evaluations: 120       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449752]
@16(1000000108) pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
  [ Evaluations: 120       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449776]
@17(1000000108) pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
  [ Evaluations: 120       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449800]
@18(1000000109) pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3362874040]
@19(1000000109) pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449816]
@20(1000000109) pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449840]
@21(1000000109) pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449864]
@22(1000000109) pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449888]
@23(1000000110) pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
  [ Evaluations: 179       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449912]
@24(1000000110) pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
  [ Evaluations: 120       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449936]
@25(1000000110) pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
  [ Evaluations: 120       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449960]
@26(1000000110) pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
  [ Evaluations: 120       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449984]
@27(1000000110) pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
  [ Evaluations: 120       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366450008]
@28(1000000111) pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
  [ Evaluations: 179       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366450032]
@29(1000000111) pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
  [ Evaluations: 120       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366450056]
@30(1000000111) pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
  [ Evaluations: 120       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366450080]
@31(1000000111) pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state
  [ Evaluations: 120       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366450104]
@32(1000000111) pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state
  [ Evaluations: 120       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366450128]
@33(1000000112) pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
  [ Evaluations: 179       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366450152]
@34(1000000112) pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
  [ Evaluations: 120       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453248]
@35(1000000112) pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
  [ Evaluations: 120       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453272]
@36(1000000112) pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
  [ Evaluations: 120       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453296]
@37(1000000112) pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
  [ Evaluations: 120       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453320]
@38(1000000113) block drop log quick inet proto tcp from any port = 0 to any
  [ Evaluations: 451391    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453344]
@39(1000000113) block drop log quick inet proto udp from any port = 0 to any
  [ Evaluations: 374697    Packets: 1         Bytes: 131         States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453368]
@40(1000000114) block drop log quick inet proto tcp from any to any port = 0
  [ Evaluations: 451225    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453392]
@41(1000000114) block drop log quick inet proto udp from any to any port = 0
  [ Evaluations: 374583    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453416]
@42(1000000115) block drop log quick inet6 proto tcp from any port = 0 to any
  [ Evaluations: 451361    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453440]
@43(1000000115) block drop log quick inet6 proto udp from any port = 0 to any
  [ Evaluations: 287187    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453464]
@44(1000000116) block drop log quick inet6 proto tcp from any to any port = 0
  [ Evaluations: 179       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453488]
@45(1000000116) block drop log quick inet6 proto udp from any to any port = 0
  [ Evaluations: 179       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453512]
@46(1000000117) block drop log quick from <snort2c:0> to any label "Block snort2c hosts"
  [ Evaluations: 451381    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453536]
@47(1000000118) block drop log quick from any to <snort2c:0> label "Block snort2c hosts"
  [ Evaluations: 451403    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453560]
@48(1000000301) block drop in log quick proto tcp from <sshlockout:0> to (self:7) port = 8122 label "sshlockout"
  [ Evaluations: 451411    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453584]
@49(1000000351) block drop in log quick proto tcp from <webConfiguratorlockout:0> to (self:7) port = https label "webConfiguratorlockout"
  [ Evaluations: 104738    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3358028592]
@50(1000000400) block drop in log quick from <virusprot:0> to any label "virusprot overload table"
  [ Evaluations: 243819    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3358028616]
@51(1000001570) block drop in log on ! em0 inet from 188.113.156.0/24 to any
  [ Evaluations: 243350    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453608]
@52(1000001570) block drop in log inet from 188.113.156.235 to any
  [ Evaluations: 243350    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453632]
@53(1000001570) block drop in log on em0 inet6 from fe80::9c32:a0ff:fe9c:7c91 to any
  [ Evaluations: 243350    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453680]
@54(1000001591) pass in on em0 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
  [ Evaluations: 12232     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453704]
@55(1000001592) pass out on em0 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN"
  [ Evaluations: 216710    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453728]
@56(1000002620) block drop in log on ! em1 inet from 192.168.0.0/24 to any
  [ Evaluations: 451424    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453752]
@57(1000002620) block drop in log inet from 192.168.0.1 to any
  [ Evaluations: 376816    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453800]
@58(1000002620) block drop in log on em1 inet6 from fe80::c0e:5fff:fe44:9ca1 to any
  [ Evaluations: 375955    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366453824]
@59(1000002641) pass in quick on em1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
  [ Evaluations: 228856    Packets: 488       Bytes: 160560      States: 3     ]
  [ Inserted: pid 8272 State Creations: 3358028544]
@60(1000002642) pass in quick on em1 inet proto udp from any port = bootpc to 192.168.0.1 port = bootps keep state label "allow access to DHCP server"
  [ Evaluations: 90        Packets: 188       Bytes: 65723       States: 0     ]
  [ Inserted: pid 8272 State Creations: 3358028568]
@61(1000002643) pass out quick on em1 inet proto udp from 192.168.0.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
  [ Evaluations: 336192    Packets: 344       Bytes: 112866      States: 2     ]
  [ Inserted: pid 8272 State Creations: 3358023680]
@62(1000004761) pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
  [ Evaluations: 450678    Packets: 29594     Bytes: 12089497    States: 12    ]
  [ Inserted: pid 8272 State Creations: 3352470504]
@63(1000004762) pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
  [ Evaluations: 4528      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3352470480]
@64(1000004763) pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
  [ Evaluations: 4528      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3352470456]
@65(1000004764) pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
  [ Evaluations: 2264      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3352470432]
@66(1000004765) pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
  [ Evaluations: 450689    Packets: 109305    Bytes: 40329647    States: 24    ]
  [ Inserted: pid 8272 State Creations: 3352470408]
@67(1000004766) pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
  [ Evaluations: 207735    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3352470384]
@68(1000004861) pass out route-to (em0 188.113.156.1) inet from 188.113.156.235 to ! 188.113.156.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
  [ Evaluations: 207757    Packets: 11832834  Bytes: 8639875635  States: 755   ]
  [ Inserted: pid 8272 State Creations: 3352470360]
@69(1000005171) pass in quick on em1 proto tcp from any to (em1:2) port = https flags S/SA keep state label "anti-lockout rule"
  [ Evaluations: 450687    Packets: 44846     Bytes: 16446027    States: 0     ]
  [ Inserted: pid 8272 State Creations: 3352470336]
@70(1000005171) pass in quick on em1 proto tcp from any to (em1:2) port = http flags S/SA keep state label "anti-lockout rule"
  [ Evaluations: 287654    Packets: 3307      Bytes: 1929023     States: 1     ]
  [ Inserted: pid 8272 State Creations: 3352470312]
@71(1000005171) pass in quick on em1 proto tcp from any to (em1:2) port = 8122 flags S/SA keep state label "anti-lockout rule"
  [ Evaluations: 287647    Packets: 4835      Bytes: 2271299     States: 1     ]
  [ Inserted: pid 8272 State Creations: 3352470288]
@72(1000005181) pass in on em0 inet proto tcp from any to 188.113.156.235 port = pptp flags S/SA modulate state label "allow pptpd 188.113.156.235"
  [ Evaluations: 318817    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3364127584]
@73(1000005182) pass in on em0 proto gre all keep state label "allow gre pptpd"
  [ Evaluations: 140971    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366888152]
@74(0) anchor "userrules/*" all
  [ Evaluations: 163451    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366887736]
@75(1430369056) pass on em0 inet proto tcp from any to any port = 8006 flags S/SA keep state label "USER_RULE"
  [ Evaluations: 451775    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3358266272]
@76(1430369056) pass on em1 inet proto tcp from any to any port = 8006 flags S/SA keep state label "USER_RULE"
  [ Evaluations: 371657    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366887592]
@77(0) pass in quick on openvpn all flags S/SA keep state label "USER_RULE: OpenVPN pfsense_openVPN_server wizard"
  [ Evaluations: 163466    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366884280]
@78(1430891835) pass in quick on pptp inet all flags S/SA keep state label "USER_RULE"
  [ Evaluations: 451818    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366884304]
@79(1427951034) pass in quick on em0 reply-to (em0 188.113.156.1) inet all flags S/SA keep state label "USER_RULE"
  [ Evaluations: 451803    Packets: 66462     Bytes: 23026288    States: 89    ]
  [ Inserted: pid 8272 State Creations: 3366884328]
@80(1431672987) pass in quick on em0 reply-to (em0 188.113.156.1) inet from 89.188.243.66 to 188.113.156.235 flags S/SA keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
  [ Evaluations: 46        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366887424]
@81(0) pass in quick on em0 reply-to (em0 188.113.156.1) inet proto udp from any to 188.113.156.235 port = 8123 keep state label "USER_RULE: OpenVPN pfsense_openVPN_server wizard"
  [ Evaluations: 30        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366887448]
@82(1427954019) pass in quick on em1 inet proto tcp from <Yes:30> to 188.113.156.0/24 flags S/SA keep state label "USER_RULE: Group3 - speed unlimited"
  [ Evaluations: 235259    Packets: 7625      Bytes: 1935773     States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366887472]
@83(1427954019) pass in quick on em1 inet proto udp from <Yes:30> to 188.113.156.0/24 keep state label "USER_RULE: Group3 - speed unlimited"
  [ Evaluations: 196737    Packets: 7625      Bytes: 1934341     States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366887520]
@84(1429490599) block drop in quick on em1 inet from <NO:38> to 192.168.0.1 label "USER_RULE: Group2 - speed 0mb"
  [ Evaluations: 227162    Packets: 37871     Bytes: 2566598     States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366887544]
@85(1429661390) pass in quick on em1 inet from <NO:38> to any flags S/SA keep state label "USER_RULE" dnpipe(4, 3)
  [ Evaluations: 9383      Packets: 40        Bytes: 3043        States: 18    ]
  [ Inserted: pid 8272 State Creations: 3366887616]
@86(1429844695) pass in quick on em1 inet from <1MB:34> to ! (self:3) flags S/SA keep state label "USER_RULE: 1 mb" dnpipe(1, 2)
  [ Evaluations: 179908    Packets: 3049301   Bytes: 2535177197  States: 389   ]
  [ Inserted: pid 8272 State Creations: 3366887640]
@87(1434495594) pass in quick on em1 inet proto tcp from <1MB:34> to ! (self:3) flags S/SA keep state label "USER_RULE: 1mb" dnpipe(1, 2)
  [ Evaluations: 45        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366887664]
@88(1434495594) pass in quick on em1 inet proto udp from <1MB:34> to ! (self:3) keep state label "USER_RULE: 1mb" dnpipe(1, 2)
  [ Evaluations: 45        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366887688]
@89(1429845913) pass in quick on em1 inet all flags S/SA keep state label "USER_RULE"
  [ Evaluations: 140445    Packets: 7383347   Bytes: 5935825548  States: 499   ]
  [ Inserted: pid 8272 State Creations: 3366887712]
@90(100000101) pass in quick on em1 inet from 192.168.0.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
  [ Evaluations: 488       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366887760]
@91(0) anchor "tftp-proxy/*" all
  [ Evaluations: 76302     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366887784]
@92(0) anchor "miniupnpd" all
  [ Evaluations: 76307     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366887808]
@93(0) pass in quick on em1 proto tcp from any to ! (em1:2) port = http flags S/SA keep state
  [ Evaluations: 76303     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366887832]
@94(0) pass in quick on em1 proto tcp from any to ! (em1:2) port = 3128 flags S/SA keep state
  [ Evaluations: 98        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366887856]
@95(0) pass in quick on pptp inet proto tcp from any to ! 127.0.0.1 port = 3128 flags S/SA keep state
  [ Evaluations: 75399     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366887880]

И правила NAT:

@0(0) no nat proto carp all
  [ Evaluations: 75638     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3368153368]
@1(0) nat-anchor "natearly/*" all
  [ Evaluations: 75642     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3368153416]
@2(0) nat-anchor "natrules/*" all
  [ Evaluations: 75651     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3363353528]
@3(0) nat on em0 inet from <tonatsubnets:7> to any port = isakmp -> 188.113.156.235 static-port
  [ Evaluations: 75644     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3363353552]
@4(0) nat on em0 inet from <tonatsubnets:7> to any -> 188.113.156.235 port 1024:65535
  [ Evaluations: 28544     Packets: 905784    Bytes: 589093960   States: 479   ]
  [ Inserted: pid 8272 State Creations: 3363353576]
@0(0) no rdr proto carp all
  [ Evaluations: 88978     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3363397632]
@1(0) rdr-anchor "relayd/*" all
  [ Evaluations: 88978     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3363397656]
@2(0) rdr-anchor "tftp-proxy/*" all
  [ Evaluations: 88978     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449272]
@3(0) rdr on em0 inet proto tcp from any to 188.113.156.235 port = 8006 -> 192.168.0.7
  [ Evaluations: 88978     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449296]
@4(0) rdr on em1 inet proto tcp from any to ! (em1:1) port = http -> 127.0.0.1 port 3128
  [ Evaluations: 84111     Packets: 2954780   Bytes: 2644077049  States: 237   ]
  [ Inserted: pid 8272 State Creations: 3366449320]
@5(0) rdr on pptp inet proto tcp from any to ! 127.0.0.1 port = http -> 127.0.0.1 port 3128
  [ Evaluations: 3792      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449344]
@6(0) rdr-anchor "miniupnpd" all
  [ Evaluations: 70325     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 8272 State Creations: 3366449368]

В чем может быть проблема? Срочно нужны хоть какие-то осмысленные советы, куда копать, так как уже давно длится проблема, диагностика и танцы с бубном уже не помогают: сервер может некорректно функционировать и после перезагрузки, а может заработать как положено. :)

Ссылка

←	Анонимность в интернете черет Tor - шлюз. Как правильно реализовать в Gentoo?

Ломают по сети. Помогите)

→

Кто ж такую портянку будет чилать? :)

- если свичи управляемые, посмотри логи, вдруг там есть какие-нить матюки по поводу порт статуса.

- покажи вывод dmesg, забрось куда-нить на pastebin

- попробуй поотключать все аппаратные фичи сетевух. К примеру: ifconfig_em0="inet netmask -vlanmtu -vlanhwtag -vlanhwfilter -vlanhwtso -rxcsum -txcsum" в /etc/rc.conf

iron ★★★★★
(06.07.15 19:32:07 MSK)

Ответ на: комментарий от iron 06.07.15 19:32:07 MSK

Отключил hardware checksum offload - пока работает (там на веб-интерфейсе такое можно или через ethtool). Вот схожая проблема: https://forum.pfsense.org/index.php?topic=88467.0, только у меня обычные дрова от Intel на Proxmox, а не Virtue. Пока работает, но иногда пинг на внешний ISP gateway провисает до 20-30 ms. dmesg ничего хорошего и плохого не кажет

Bump sched buckets to 256 (was 0)
Bump sched buckets to 256 (was 0)
Bump sched buckets to 256 (was 0)
Bump sched buckets to 256 (was 0)
Bump sched buckets to 256 (was 0)
Bump sched buckets to 256 (was 0)
Bump sched buckets to 256 (was 0)
Bump sched buckets to 256 (was 0)
Bump sched buckets to 256 (was 0)
Bump sched buckets to 256 (was 0)
Bump sched buckets to 256 (was 0)
Bump sched buckets to 256 (was 0)
Bump sched buckets to 256 (was 0)
Bump sched buckets to 256 (was 0)
Bump sched buckets to 256 (was 0)
Bump sched buckets to 256 (was 0)
Bump sched buckets to 256 (was 0)
Bump sched buckets to 256 (was 0)
Bump sched buckets to 256 (was 0)
Bump sched buckets to 256 (was 0)
Bump sched buckets to 256 (was 0)
Bump sched buckets to 256 (was 0)
Bump sched buckets to 256 (was 0)
Bump sched buckets to 256 (was 0)
Bump sched buckets to 256 (was 0)
Bump sched buckets to 256 (was 0)
Bump sched buckets to 256 (was 0)
Bump sched buckets to 256 (was 0)
Bump sched buckets to 256 (was 0)
Bump sched buckets to 256 (was 0)

Гуглил эту ошибку, как я понял, это отладочное сообщение.

Портянку написал, чтобы более ясно проблема представлялась =)

rockitin
(07.07.15 07:02:22 MSK) автор топика

Ссылка

Ответ на: комментарий от iron 06.07.15 19:32:07 MSK

dmesg => http://pastebin.com/B7LimV9L

rockitin
(07.07.15 07:05:50 MSK) автор топика

Ссылка

Ответ на: комментарий от iron 06.07.15 19:32:07 MSK

И вот часть логов с самого pfsense (они дублируются, поэтому только часть=) http://pastebin.com/CDaLFeBm

rockitin
(07.07.15 07:12:11 MSK) автор топика

Ответ на: комментарий от rockitin 07.07.15 07:12:11 MSK

В логах ничего подозрительного не нашел. Попробуй пока что по очереди выключать аппаратные фичи сетевухи, должно помочь. Попробуй найти на каком именно интерфейсе траффик «подвисает» (попингуй разные интерфейсы, нужно найти закономерность).

iron ★★★★★
(07.07.15 23:43:18 MSK)

Ответ на: комментарий от iron 07.07.15 23:43:18 MSK

Очевидно, что проблема с сетевым интерфейсом в локальную сеть (LAN), так как если подвисает pfsense, я могу извне подключиться к нему по ssh или https через внешний сетевой интерфейс WAN, а оттуда я могу пинговаться на любую машинку в LAN: итого, LAN-интерфейс gateway работает частично - через него я могу отправить пинг на любую машинку локальной сети, а с любой локальной машинки сети он не виден, т.е. отправленный к нему пинг не возвращается, и сеть не получает интернет. Попробую ещё покрутить аппаратные настройки сетевухи. После отключения checksum offload, gateway проработал стабильно около 10 часов, потом внутренний интерфейс потерял сеть ровно в 21:00, логи: http://pastebin.com/VVPswdvZ.

rockitin
(08.07.15 02:06:43 MSK) автор топика

Ответ на: комментарий от rockitin 08.07.15 02:06:43 MSK

Сетевуха <Intel(R) PRO/1000 Legacy Network Connection 1.0.6>

rockitin
(08.07.15 02:09:03 MSK) автор топика

Ссылка

Вы не можете добавлять комментарии в эту тему. Тема перемещена в архив.

←	Анонимность в интернете черет Tor - шлюз. Как правильно реализовать в Gentoo?

Security

Ломают по сети. Помогите)

→

Похожие темы