Bug #11942

closed

Disconnecting WAN Interface Kills OpenVPN Servers on Other Interfaces

Added by Web Dawg almost 3 years ago. Updated almost 3 years ago.

Status: Not a Bug
Priority: Normal
Assignee: -
Category: OpenVPN
Target version: -
Start date: 05/20/2021
Due date:
% Done: 0%
Estimated time:
Release Notes: Default
Affected Plus Version: 21.02.2
Affected Architecture: SG-2100

Description

Netgate SG-2100
21.02.2-RELEASE (arm64)

I have a cable modem plugged into WAN getting a DHCP address from a provider.

I have the 4-port switch configured with each port on its own VLAN. I followed the SG-2100 guide for all ports except port 1. I left port 1 as an access port and LAN port, and left it alone.

Here is a copy and paste:

SG-2100 Switch 802.1Q VLANs
Enable 802.1q VLAN mode
If enabled, packets with unknown VLAN tags will be dropped.
VLAN table
VLAN group | VLAN tag | Members | Description
0 | 1 | 1,5 | Default System VLAN
1 | 4084 | 4,5t | LAN Switch Port 4
2 | 4083 | 3,5t | LAN Switch Port 3
3 | 4082 | 2,5t | LAN Switch Port 2

LAN1 - mvneta1

LAN4VZW - VLAN 4084 on mvneta1

WAN - mvneta0

When I pull the cable from the WAN, the TCP OpenVPN running over LAN4VZW stops instantly, and will not work again until I plug the cable back into the WAN.

I also tested just an internet failure while leaving the interface up: I had someone unscrew the coax from the back of the modem and let the gateway fail, and the VPN running over LAN4VZW did not stop working.

I also tested the reverse. If I unplug a cable from LAN4VZW, the VPN on WAN keeps on trucking.

VPN on WAN:
WAN UDP4 / 45465
(TUN)

VPN on LAN4VZW:
LAN4VZW TCP4 / 45465
(TUN)

Both have the same mode:

Mode: Remote Access ( SSL/TLS + User Auth )
Data Ciphers: AES-256-GCM, AES-128-GCM, CHACHA20-POLY1305, AES-256-CBC
Digest: SHA1
D-H Params: 4096 bits

Different users or the same users, it makes no difference.

TUN layer 3 VPN/TCP on IPv4 only, with the specific interface selected in each config respectively.

Subnet topology with different unused /24 subnets dedicated to each VPN.

Gateway creation IPv4 only.

Actions #1

Updated by Jim Pingle almost 3 years ago

  • Status changed from New to Not a Bug

Not enough information here to rule out a configuration problem. In certain cases the behavior you describe is expected, but that depends on more specific aspects of your configuration/environment. This site is not for support or diagnostic discussion, however, so it is not the proper place to go over that.

For assistance in solving problems, please post on the Netgate Forum or the pfSense Subreddit.

See Reporting Issues with pfSense Software for more information.

Actions #2

Updated by Web Dawg almost 3 years ago

Well,

I have 19 other netgate routers configured the same, and they do not do this. Same config.

Only this model of router.

Do you need the config?

It is pretty simple.

Actions #3

Updated by Viktor Gurov almost 3 years ago

Web Dawg wrote:

Well,

I have 19 other netgate routers configured the same, and they do not do this. Same config.

Only this model of router.

Do you need the config?

It is pretty simple.

What OpenVPN protocol are you using? UDP/TCP or UDP/TCP multihome?
Please pull the WAN cable and post the last ~30 lines of the `/var/log/system.log` here.

Actions #4

Updated by Web Dawg almost 3 years ago

UDP ipv4

It seems to work better if there is a static address assigned to WAN, but that was not a scientific test. Will test here soon; the ISP is having issues getting a static assigned.

Here is some info:

Jun 15 18:35:28 skpahi-defense kernel: mvneta0: link state changed to DOWN
Jun 15 18:35:28 skpahi-defense check_reload_status[381]: Linkup starting mvneta0
Jun 15 18:35:29 skpahi-defense php-fpm[30744]: /rc.linkup: DEVD Ethernet detached event for wan
Jun 15 18:35:30 skpahi-defense check_reload_status[381]: Reloading filter
Jun 15 18:36:12 skpahi-defense rc.gateway_alarm[75465]: >>> Gateway alarm: WAN_DHCP (Addr:301.256.278.958 Alarm:1 RTT:27.641ms RTTsd:3.037ms Loss:36%)
Jun 15 18:36:12 skpahi-defense check_reload_status[381]: updating dyndns WAN_DHCP
Jun 15 18:36:12 skpahi-defense check_reload_status[381]: Restarting ipsec tunnels
Jun 15 18:36:12 skpahi-defense check_reload_status[381]: Restarting OpenVPN tunnels/interfaces
Jun 15 18:36:12 skpahi-defense check_reload_status[381]: Reloading filter
Jun 15 18:36:13 skpahi-defense php-fpm[13151]: /rc.dyndns.update: MONITOR: WAN_DHCP has packet loss, omitting from routing group VZWFAILOVER
Jun 15 18:36:13 skpahi-defense php-fpm[13151]: 301.256.278.958|10.1.10.101|WAN_DHCP|27.651ms|3.049ms|37%|down|highloss
Jun 15 18:36:14 skpahi-defense php-fpm[45012]: /rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. ''
Jun 15 18:36:14 skpahi-defense php-fpm[45012]: /rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use WAN_DHCP.
Jun 15 18:36:14 skpahi-defense php-fpm[13151]: /rc.dyndns.update: Dynamic DNS (anonhost.ignorelist.com) There was an error trying to determine the public IP for interface - wan (mvneta0 ).
Jun 15 18:36:15 skpahi-defense php[3564]: notify_monitor.php: Could not send the message to alerts@support.coolbusiness.com -- Error: Failed to connect to ssl://sub5.mail.dreamhost.com:465 [SMTP: Failed to connect socket: php_network_getaddresses: getaddrinfo failed: Name does not resolve (code: -1, response: )]
Jun 15 18:36:52 skpahi-defense check_reload_status[381]: Linkup starting mvneta0
Jun 15 18:36:52 skpahi-defense kernel: mvneta0: link state changed to UP
Jun 15 18:36:53 skpahi-defense php-fpm[96996]: /rc.linkup: DEVD Ethernet attached event for wan
Jun 15 18:36:53 skpahi-defense php-fpm[96996]: /rc.linkup: HOTPLUG: Configuring interface wan
Jun 15 18:36:54 skpahi-defense check_reload_status[381]: rc.newwanip starting mvneta0
Jun 15 18:36:54 skpahi-defense php-fpm[96996]: /rc.linkup: Gateway, none 'available' for inet6, use the first one configured. ''
Jun 15 18:36:54 skpahi-defense check_reload_status[381]: Restarting ipsec tunnels
Jun 15 18:36:55 skpahi-defense php-fpm[13151]: /rc.newwanip: rc.newwanip: Info: starting on mvneta0.
Jun 15 18:36:55 skpahi-defense php-fpm[13151]: /rc.newwanip: rc.newwanip: on (IP address: 10.1.10.101) (interface: WAN[wan]) (real interface: mvneta0).
Jun 15 18:36:55 skpahi-defense check_reload_status[381]: Reloading filter
Jun 15 18:36:55 skpahi-defense dhcpleases[8128]: Could not deliver signal HUP to process 98819: No such process.
Jun 15 18:36:56 skpahi-defense dhcpleases[25648]: Could not deliver signal HUP to process 98819: No such process.
Jun 15 18:36:59 skpahi-defense check_reload_status[381]: updating dyndns wan
Jun 15 18:37:02 skpahi-defense dhcpleases[51977]: Could not deliver signal HUP to process 84088: No such process.
Jun 15 18:37:04 skpahi-defense check_reload_status[381]: Reloading filter
Jun 15 18:37:08 skpahi-defense php-fpm[53657]: /rc.dyndns.update: phpDynDNS (anonhost.ignorelist.com): No change in my IP address and/or 25 days has not passed. Not updating dynamic DNS entry.
Jun 15 18:38:21 skpahi-defense rc.gateway_alarm[81071]: >>> Gateway alarm: WAN_DHCP (Addr:301.256.278.958 Alarm:0 RTT:27.696ms RTTsd:2.828ms Loss:27%)
Jun 15 18:38:21 skpahi-defense check_reload_status[381]: updating dyndns WAN_DHCP
Jun 15 18:38:21 skpahi-defense check_reload_status[381]: Restarting ipsec tunnels
Jun 15 18:38:21 skpahi-defense check_reload_status[381]: Restarting OpenVPN tunnels/interfaces
Jun 15 18:38:21 skpahi-defense check_reload_status[381]: Reloading filter
Jun 15 18:38:23 skpahi-defense php-fpm[45012]: /rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. ''
Jun 15 18:38:23 skpahi-defense php-fpm[45012]: /rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use WAN_DHCP.
Jun 15 18:38:23 skpahi-defense php-fpm[81143]: /rc.dyndns.update: MONITOR: WAN_DHCP is available now, adding to routing group VZWFAILOVER
Jun 15 18:38:23 skpahi-defense php-fpm[81143]: 301.256.278.958|10.1.10.101|WAN_DHCP|27.71ms|2.79ms|26%|online|loss
Jun 15 18:38:26 skpahi-defense php[35425]: notify_monitor.php: Message sent to alerts@support.coolbusiness.com OK
Jun 15 18:38:26 skpahi-defense php-fpm[81143]: /rc.dyndns.update: phpDynDNS (anonhost.ignorelist.com): No change in my IP address and/or 25 days has not passed. Not updating dynamic DNS entry.
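
The log above shows the WAN link going down at 18:35:28, but check_reload_status only restarts the OpenVPN tunnels when the gateway alarm fires at 18:36:12 (and again on recovery at 18:38:21). The following Python script is added here as a triage example and is not part of the thread: it parses the posted lines and reports, for each gateway alarm, whether an OpenVPN restart followed within a few seconds. The syslog regex and the 5-second correlation window are assumptions.

```python
import re
from datetime import datetime

# pfSense syslog line: "Mon DD HH:MM:SS host process[pid]: message" (assumed format)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# Fields of the rc.gateway_alarm message we care about
ALARM_RE = re.compile(
    r"Gateway alarm: (?P<gw>\S+) \(.*?Alarm:(?P<alarm>\d).*?Loss:(?P<loss>\d+)%"
)

# Sample input: a subset of the log lines posted in comment #4 above.
SAMPLE_LOG = """\
Jun 15 18:35:28 skpahi-defense kernel: mvneta0: link state changed to DOWN
Jun 15 18:35:29 skpahi-defense php-fpm[30744]: /rc.linkup: DEVD Ethernet detached event for wan
Jun 15 18:36:12 skpahi-defense rc.gateway_alarm[75465]: >>> Gateway alarm: WAN_DHCP (Addr:301.256.278.958 Alarm:1 RTT:27.641ms RTTsd:3.037ms Loss:36%)
Jun 15 18:36:12 skpahi-defense check_reload_status[381]: Restarting OpenVPN tunnels/interfaces
Jun 15 18:36:14 skpahi-defense php-fpm[45012]: /rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use WAN_DHCP.
Jun 15 18:36:52 skpahi-defense kernel: mvneta0: link state changed to UP
Jun 15 18:38:21 skpahi-defense rc.gateway_alarm[81071]: >>> Gateway alarm: WAN_DHCP (Addr:301.256.278.958 Alarm:0 RTT:27.696ms RTTsd:2.828ms Loss:27%)
Jun 15 18:38:21 skpahi-defense check_reload_status[381]: Restarting OpenVPN tunnels/interfaces
"""

def parse(log, year=2021):
    """Return (timestamp, process, message) tuples; syslog has no year, so one is supplied."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["proc"], m["msg"]))
    return events

def openvpn_restarts_after_gateway_alarms(log, window_s=5):
    """For each gateway alarm (raise or clear), report gateway, loss and
    whether check_reload_status restarted OpenVPN within window_s seconds."""
    events = parse(log)
    findings = []
    for ts, proc, msg in events:
        a = ALARM_RE.search(msg) if proc == "rc.gateway_alarm" else None
        if not a:
            continue
        restarted = any(
            p == "check_reload_status" and "Restarting OpenVPN" in m
            and 0 <= (t - ts).total_seconds() <= window_s
            for t, p, m in events
        )
        findings.append({"time": ts.strftime("%H:%M:%S"), "gateway": a["gw"],
                         "alarm": a["alarm"] == "1", "loss_pct": int(a["loss"]),
                         "openvpn_restarted": restarted})
    return findings
```

Run against the sample, both the alarm at 18:36:12 (Loss 36%) and the clear at 18:38:21 (Loss 27%) are followed by an OpenVPN restart in the same second, while the link-down event itself at 18:35:28 is not.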

Actions #5

Updated by Web Dawg almost 3 years ago

I lied about the static. Still no dice.
