Bug #14659

open

vlan (add/modify/delete) with pfblockerNG installed - all interfaces flap

Added by Mike Moore 9 months ago. Updated 8 months ago.

Status: New
Priority: Normal
Assignee: -
Category: pfBlockerNG
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version: 23.05.1
Affected Architecture:

Description

Hard to say if this is a bug per se, but it's a reproducible problem.

1. Create a LAGG with VLANs on it, and assign those VLANs as interfaces.
2. Install pfBlockerNG and assign your incoming and outgoing interfaces as usual. Incoming will be WAN and outgoing will be the VLAN interfaces.
3. If you modify any part of the VLAN configuration (change the description or change the VLAN ID), this triggers a complete flap of all interfaces. If you have FRR routing neighbors, those neighbors will flap as well.

The workaround is to modify the LAGG during a maintenance window.
Changing a VLAN description shouldn't trigger this system-wide outage behavior.

I have found that if you disable the pfBlocker package, the LAGG doesn't bounce and the system operates normally. I traced this issue to pfBlocker by removing all packages, installing them one by one, and going through the process of VLAN modifications each time. pfBlocker is the only package that triggers this.

system.log excerpt from when the VLAN description was changed:

Aug 7 16:51:17 GAFW kernel: vlan5: changing name to 'lagg0.3'
Aug 7 16:51:17 GAFW php-fpm9054: /interfaces_vlan_edit.php: Gateway, NONE AVAILABLE
Aug 7 16:51:17 GAFW check_reload_status441: Restarting IPsec tunnels
Aug 7 16:51:17 GAFW check_reload_status441: updating dyndns opt4
Aug 7 16:51:17 GAFW php-fpm9054: /interfaces_vlan_edit.php: Configuration Change: (Local Database Fallback): VLAN interface added
Aug 7 16:51:17 GAFW check_reload_status441: Syncing firewall
Aug 7 16:51:17 GAFW php-fpm9054: /interfaces_vlan_edit.php: Beginning configuration backup to https://acb.netgate.com/save
Aug 7 16:51:21 GAFW arpwatch39747: bogon 0.0.0.0 da:e2:d7:9b:a5:bc
Aug 7 16:51:21 GAFW arpwatch39747: bogon 0.0.0.0 da:e2:d7:9b:a5:bc
Aug 7 16:51:21 GAFW arpwatch39747: bogon 0.0.0.0 da:e2:d7:9b:a5:bc
Aug 7 16:51:33 GAFW php-fpm1682: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Aug 7 16:51:33 GAFW check_reload_status441: Reloading filter
Aug 7 16:51:33 GAFW php-fpm1682: /rc.newipsecdns: Gateway, NONE AVAILABLE
Aug 7 16:51:33 GAFW php-fpm1682: /rc.newipsecdns: Gateway, NONE AVAILABLE
Aug 7 16:51:34 GAFW php-fpm1682: /rc.newipsecdns: Gateway, NONE AVAILABLE
Aug 7 16:51:34 GAFW php-fpm86524: /rc.filter_configure_sync: New alert found: Unresolvable source alias 'pfB_AllowedCountries_v4' for rule 'Allowed countries to VPN'
Aug 7 16:51:34 GAFW php-fpm86524: /rc.filter_configure_sync: New alert found: Unresolvable source alias 'pfB_AllowedCountries_v4' for rule 'NAT Redirct to Jitsi VCB'
Aug 7 16:51:34 GAFW php-fpm86524: /rc.filter_configure_sync: New alert found: Unresolvable destination alias 'pfB_DNS_4_v4' for rule 'Block DoH and External'
Aug 7 16:51:34 GAFW php-fpm86524: /rc.filter_configure_sync: New alert found: Unresolvable destination alias 'pfB_DNS_4_v4' for rule 'Block DoH and External'
Aug 7 16:51:40 GAFW vnstatd49111: Traffic rate for "ipsec4" higher than set maximum 1000 Mbit (20s->2673868800, r4294889635 t4294888716, 64bit:0), syncing.
Aug 7 16:51:40 GAFW vnstatd49111: Traffic rate for "ipsec3" higher than set maximum 1000 Mbit (20s->2673868800, r4294889368 t4294888849, 64bit:0), syncing.
Aug 7 16:51:40 GAFW vnstatd49111: Traffic rate for "ipsec2" higher than set maximum 1000 Mbit (20s->2673868800, r4294894185 t4294821515, 64bit:0), syncing.
Aug 7 16:51:49 GAFW php-cgi99958: notify_monitor.php: Message sent to , OK
Aug 7 16:52:00 GAFW newsyslog18417: logfile turned over due to size>500K
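The excerpt above is the only evidence in the report, so the useful practitioner step is to correlate it: tie the kernel rename of the VLAN interface to the gateway loss, IPsec restart, filter reload and unresolvable pfBlockerNG alias alerts that follow within a short window. The script below does that. It is an added example, not part of the bug report and not code from pfSense or pfBlockerNG; the sample log is constructed to match the shape of the excerpt (a subset of its lines, one extra rc.newipsecdns gateway line), and the 60-second correlation window is an assumption chosen here, not anything the project documents.

```python
"""Correlate a VLAN interface rename in pfSense's system.log with the
reconfiguration fallout that follows it (gateway loss, IPsec restart,
filter reload, unresolvable pfBlockerNG aliases).

Added example for triaging the report; not pfSense/pfBlockerNG code."""
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the excerpt in the report (not a live capture).
SAMPLE_LOG = """\
Aug 7 16:51:17 GAFW kernel: vlan5: changing name to 'lagg0.3'
Aug 7 16:51:17 GAFW php-fpm9054: /interfaces_vlan_edit.php: Gateway, NONE AVAILABLE
Aug 7 16:51:17 GAFW check_reload_status441: Restarting IPsec tunnels
Aug 7 16:51:33 GAFW php-fpm1682: /rc.newipsecdns: Gateway, NONE AVAILABLE
Aug 7 16:51:33 GAFW check_reload_status441: Reloading filter
Aug 7 16:51:34 GAFW php-fpm86524: /rc.filter_configure_sync: New alert found: Unresolvable source alias 'pfB_AllowedCountries_v4' for rule 'Allowed countries to VPN'
Aug 7 16:51:34 GAFW php-fpm86524: /rc.filter_configure_sync: New alert found: Unresolvable destination alias 'pfB_DNS_4_v4' for rule 'Block DoH and External'
Aug 7 17:30:02 GAFW check_reload_status441: Reloading filter
"""

# BSD syslog prefix: "Mon  D HH:MM:SS host proc: message" (day may be space-padded).
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^:]+): (.*)$")
RENAME_RE = re.compile(r"^(\S+): changing name to '([^']+)'$")
ALIAS_RE = re.compile(r"Unresolvable (?:source|destination) alias '([^']+)'")


def parse_ts(text):
    """Syslog timestamps carry no year; strptime defaults to 1900, which is
    fine for deltas within one log (Feb 29 would not parse; accepted here)."""
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S")


def parse_events(log_text):
    """Reduce raw lines to (timestamp, kind, detail) tuples we care about."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable or foreign line; skip rather than guess
        ts_text, _host, proc, msg = m.groups()
        ts = parse_ts(ts_text)
        if proc == "kernel" and (r := RENAME_RE.match(msg)):
            events.append((ts, "vlan_rename", f"{r.group(1)}->{r.group(2)}"))
        elif "Gateway, NONE AVAILABLE" in msg:
            events.append((ts, "gateway_none", proc))
        elif "Restarting IPsec tunnels" in msg:
            events.append((ts, "ipsec_restart", proc))
        elif "Reloading filter" in msg:
            events.append((ts, "filter_reload", proc))
        elif (a := ALIAS_RE.search(msg)):
            events.append((ts, "unresolvable_alias", a.group(1)))
    return events


def correlate(log_text, window_s=60):
    """One finding per VLAN rename: what happened in the next window_s seconds.
    The window (assumed, 60 s) keeps unrelated later filter reloads out."""
    events = parse_events(log_text)
    findings = []
    for ts, kind, detail in events:
        if kind != "vlan_rename":
            continue
        end = ts + timedelta(seconds=window_s)
        tail = [e for e in events if ts <= e[0] <= end]
        reloads = [e[0] for e in tail if e[1] == "filter_reload"]
        findings.append({
            "trigger": detail,
            "at": ts.strftime("%b %d %H:%M:%S"),
            "gateway_none": sum(e[1] == "gateway_none" for e in tail),
            "ipsec_restart": any(e[1] == "ipsec_restart" for e in tail),
            "filter_reload_after_s": int((min(reloads) - ts).total_seconds()) if reloads else None,
            "unresolvable_aliases": sorted({e[2] for e in tail if e[1] == "unresolvable_alias"}),
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(finding)
```

Run against a real /var/log/system.log, a finding with a non-empty `unresolvable_aliases` list is the signal the first comment asks about: the filter was reloaded while the pfB_* aliases had not yet been repopulated, so the rules referencing them could not resolve during the reconfiguration.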

Actions #1

Updated by Jordan G 8 months ago

Do you still see this flapping issue after removing or correcting the unresolvable source/destination alias messages you have?

Actions #2

Updated by Mike Moore 8 months ago

This is still an issue, but I have a feeling it's related to 14484.
Editing any interface leads to a reconfiguration of all interfaces, which disrupts any package that relies on an interface to work (IPsec or FRR).
It's a nasty bug, but I don't think it's related to pfBlocker.
