Bug #4086

closed

Gateway monitoring DoS

Added by Volker Kuhlmann over 9 years ago. Updated over 9 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Start date:
12/09/2014
% Done:

0%
Affected Version:
2.1.5
Affected Architecture:
amd64

Description

The default configuration is to monitor the WAN gateway once per second and to take action if it doesn't respond for 10 seconds. Taking action seems a little superfluous in a situation with a single WAN connection (e.g. SOHO Internet) because no alternative is available anyway. As part of the action it seems the WAN interface is brought up and down, and in particular, rules are reloaded.
In my case my ISP's cable gateway stopped responding to pings most of the time. Internet connectivity was not affected; however, pfSense starts playing yo-yo with interfaces, reloading rules, and burning 100% CPU on the check_reload_status process plus a whole lot of PHP processes.
As part of the rule reload, all pf tables are cleared of their FQDN entries. Because they have an (up to 5 minute?) delay before being re-established, they are effectively never there in the WAN yo-yo case.
Not rate-limiting the GW up/down effectively produces a DoS.
Observed on 2.1.5 amd64, but probably present on all architectures and other 2.1 versions.
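As an added illustration (not pfSense code, and not part of the original report), the simulation below replays a constructed probe history through a monitor that declares the gateway down after 10 consecutive missed one-per-second probes, counts a rule reload on every up/down transition, and models FQDN alias tables that are cleared by each reload and take minutes to repopulate. The `min_hold` hold-down timer (the rate limit the report asks for), the `up_after` threshold and the 3-replies-then-12-misses probe pattern are assumptions of the example.

```python
from dataclasses import dataclass

@dataclass
class MonitorResult:
    transitions: int          # up/down state changes; each one triggers a rule reload
    table_ready_seconds: int  # seconds during which the FQDN alias tables were populated

def flapping_probes(seconds=3600, answer=3, silent=12):
    """Constructed probe history (one probe per second): the ISP gateway answers
    `answer` pings, then ignores the next `silent`, and repeats."""
    cycle = [True] * answer + [False] * silent
    return [cycle[t % len(cycle)] for t in range(seconds)]

def simulate(probes, down_after=10, up_after=3, min_hold=0, refill_delay=300):
    """Replay a probe history through a gateway monitor.

    down_after:   consecutive misses before the gateway is declared down (10 s, per the report)
    up_after:     consecutive replies before it is declared up again (assumed value)
    min_hold:     hypothetical hold-down: minimum seconds between two state changes
    refill_delay: seconds until FQDN tables are repopulated after a reload clears them
    """
    state_up = True
    misses = oks = 0
    last_change = -min_hold      # lets the first change happen immediately
    table_ready_at = 0           # time at which the FQDN tables are populated again
    transitions = ready_seconds = 0
    for t, ok in enumerate(probes):
        if ok:
            oks, misses = oks + 1, 0
        else:
            misses, oks = misses + 1, 0
        want_up = state_up
        if state_up and misses >= down_after:
            want_up = False
        elif not state_up and oks >= up_after:
            want_up = True
        # Without a hold-down (min_hold=0) every threshold crossing is acted on at once.
        if want_up != state_up and t - last_change >= min_hold:
            state_up, last_change, transitions = want_up, t, transitions + 1
            table_ready_at = t + refill_delay   # the rule reload cleared the tables
        if t >= table_ready_at:
            ready_seconds += 1
    return MonitorResult(transitions, ready_seconds)

if __name__ == "__main__":
    for hold in (0, 600):
        r = simulate(flapping_probes(), min_hold=hold)
        print(f"hold-down {hold:>3}s: {r.transitions} reloads, "
              f"tables populated {r.table_ready_seconds}/3600 s")
```

With no hold-down the constructed hour of flapping yields 479 reloads and the tables are populated for only the first 12 seconds; a 600 s hold-down cuts that to 6 reloads with the tables populated half the time.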

#1

Updated by Chris Buechler over 9 years ago

  • Project changed from pfSense Packages to pfSense
  • Status changed from New to Rejected

Not true in general, though I'm sure there are unusual edge cases where that's possible. Even the described flapping scenario isn't uncommon, and I've been on many systems that legitimately had a WAN flapping that frequently without significant issue. There have been a number of improvements in those areas verified in 2.2. Please try your circumstance there, and if you can still replicate issues, post to the 2.2 board on the forum and we'll help investigate.

#2

Updated by Volker Kuhlmann over 9 years ago

It took me a long time to find the problem because there are few symptoms that immediately break things, other than as detailed in #4087. Because of the flip-flop and incomplete rule reload, pfSense effectively never runs with the rules as configured in the user interface. That's a DoS.
I'd like to test it in 2.2, but I've already spent so much time on pfSense problems this year that I can't do it immediately. Thanks Chris.
