pfSense(CE) completely freezes up with WireGuard
I encountered a strange issue with the WireGuard plugin installed (and in use).
I had a very difficult time with my firewall as it was completely freezing up. Nothing works anymore. No network services are working in my network (routing, DHCP, NAT, DNS), the system cannot be pinged either through the IP or the hostname, devices cannot obtain an IP address, and if I am on my console (VGA) with a keyboard (currently always plugged in to investigate the issue) nothing is responsive. The "choose a option" was there on top of some successful login sequences, but if I press Enter or any other key, nothing happens.
The only way to get around this was to perform a hardware reset through the reset key on my firewall (AMD Ryzen 3 1200, GA-A320M-S2H, a Broadcom 2-port network interface I salvaged from an old server, and an Nvidia NVS 295 for primitive graphics output).
I tried everything I could imagine:
- I checked the logs, but nothing noticeable
- observed and let it run, but it happened every day or more often, which is annoying
- performed multiple resets, after which I installed a backup file.
- I tried to uninstall the WireGuard Experimental Package.
The last one seemed to work as my Firewall is now running for a long period of time without freezing.
I used WireGuard to obtain a public IPv4 address through a cheap VPS server because I have CG-NAT, and although I prefer IPv6, it is mandatory to access my home (Nextcloud and stuff) even if I am in an IPv4-only network.
I believe this will be very difficult to recreate and I hope it was not because of a fatal misconfiguration on my part, and even if this behaviour should not be the result of it.
If anyone needs further information, I will provide it as soon as possible.
I wish everyone a nice day!
Updated by Christian McDonald about 1 month ago
- Assignee set to Christian McDonald
We haven't run into any deadlocks and/or crashes like this for quite some time. First thing I would check is to ensure that your WireGuard tunnel subnets are not overlapping with any local subnets. Remember, WireGuard only tunnels L3 packets and should be treated as a 'tun' and not a 'tap' mode tunnel (hence why we prefix wg interfaces with
Because this issue is still a bit nebulous and hard to replicate, it is probably better to at least begin the troubleshooting with a post on the Netgate Forum and/or Reddit and see what comes from that discussion. Though, it does sound like you've managed to hit some fatal misconfiguration. If that's the case, then a Redmine issue would then be appropriate to either a) update the docs to warn other users about this particular situation or b) build in the appropriate validation checks to protect users from unnecessary footgun... the latter being preferred, if possible.
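The subnet-overlap check suggested in the comment above, as an added example that is not part of the original thread or of pfSense's own code. The interface names and addresses are constructed, and the function names are hypothetical:

```python
"""Check that WireGuard tunnel subnets do not overlap local subnets.

Added example; interface names and addresses below are constructed.
"""
import ipaddress


def to_network(cidr):
    """Accept an interface address (10.0.0.1/24) or a network (10.0.0.0/24)."""
    return ipaddress.ip_interface(cidr).network


def find_overlaps(tunnel_subnets, local_subnets):
    """Return (tunnel_name, tunnel_net, local_name, local_net) for each clash."""
    clashes = []
    for t_name, t_cidr in tunnel_subnets.items():
        t_net = to_network(t_cidr)
        for l_name, l_cidr in local_subnets.items():
            l_net = to_network(l_cidr)
            # IPv4 and IPv6 ranges can never overlap each other.
            if t_net.version != l_net.version:
                continue
            # overlaps() is true for identical ranges and for containment
            # in either direction (a /24 inside a /16, or the reverse).
            if t_net.overlaps(l_net):
                clashes.append((t_name, str(t_net), l_name, str(l_net)))
    return clashes


# Constructed sample configuration (not taken from the report).
LOCAL = {
    "LAN": "192.168.1.1/24",
    "IOT": "10.20.0.1/16",
    "LAN6": "fd00:1::1/64",
}
TUNNELS_BAD = {"tunnel0": "10.20.30.2/24", "tunnel0_v6": "fd00:1::2/64"}
TUNNELS_OK = {"tunnel0": "10.99.0.2/24", "tunnel0_v6": "fd00:99::2/64"}

if __name__ == "__main__":
    for label, tunnels in (("bad", TUNNELS_BAD), ("ok", TUNNELS_OK)):
        hits = find_overlaps(tunnels, LOCAL)
        print(label, "->", hits or "no overlap")
```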
Updated by Christian McDonald 28 days ago
- Subject changed from pfsense (CE) compleatley freezes up with wireguard to pfSense(CE) completely freezes up with WireGuard
- Status changed from New to Rejected
Closing due to inactivity.
If this continues to be a problem, please reach out via our social media and/or forum communities and we can investigate further.