Recent updates
  • Daniel Luiz da Silva
    Daniel Luiz da Silva's reply was accepted as an answer

    Re: Multi-Wan and DNS issues!

    Thanks guys, never mind. The system was in a mission-critical environment, and a format and reinstall was the fastest way to solve it :(

  • Everything seems to be normal. The system stopped navigating again and I had to restart it; as soon as the reboot ended, the system surfed again.


    Wed Sep 26 07:44:30 2018 info: system - heartbeat...
    Wed Sep 26 07:54:30 2018 info: system - heartbeat...
    Wed Sep 26 08:04:30 2018 info: system - heartbeat...
    Wed Sep 26 08:14:31 2018 info: system - heartbeat...
    Wed Sep 26 08:23:29 2018 info: system - syswatch terminated
    Wed Sep 26 08:24:59 2018 info: system - syswatch started
    Wed Sep 26 08:24:59 2018 info: config - IP referrer tool is not installed
    Wed Sep 26 08:24:59 2018 info: config - debug level - 0
    Wed Sep 26 08:24:59 2018 info: config - retries - 5
    Wed Sep 26 08:24:59 2018 info: config - heartbeat - 10
    Wed Sep 26 08:24:59 2018 info: config - interval - 60 seconds
    Wed Sep 26 08:24:59 2018 info: config - offline interval - 10 seconds
    Wed Sep 26 08:24:59 2018 info: config - referrer IP detection - disabled
    Wed Sep 26 08:24:59 2018 info: config - ping server auto-detect - enabled
    Wed Sep 26 08:24:59 2018 info: config - try pinging gateway - yes
    Wed Sep 26 08:24:59 2018 info: config - number of external networks - 1
    Wed Sep 26 08:24:59 2018 info: config - monitoring external network - eno2
    Wed Sep 26 08:24:59 2018 info: config - number of standby networks - 0
    Wed Sep 26 08:24:59 2018 info: info - loading network configuration
    Wed Sep 26 08:24:59 2018 info: info - network configuration for eno2 - config: ifcfg-eno2
    Wed Sep 26 08:24:59 2018 info: info - network configuration for eno2 - onboot: enabled
    Wed Sep 26 08:24:59 2018 info: info - network configuration for eno2 - type: static
    Wed Sep 26 08:24:59 2018 info: info - network configuration for eno2 - wifi: disabled
    Wed Sep 26 08:24:59 2018 info: info - network configuration for eno2 - gateway: XXX.XX.XX.169
    Wed Sep 26 08:24:59 2018 info: eno2 - network - IP address - XXX.XX.XX.171
    Wed Sep 26 08:24:59 2018 info: eno2 - network - gateway - XXX.XX.XX.169
    Wed Sep 26 08:24:59 2018 info: eno2 - network - type - public IP range
    Wed Sep 26 08:24:59 2018 info: system - changing active WAN list - eno2 (was startup)
    Wed Sep 26 08:24:59 2018 info: system - current WANs in use - eno2
    Wed Sep 26 08:24:59 2018 info: system - restarting firewall
    Wed Sep 26 08:25:02 2018 info: system - updating intrusion prevention whitelist
    Wed Sep 26 08:25:02 2018 info: system - adding ping server 54.152.208.245
    Wed Sep 26 08:25:02 2018 info: system - adding ping server 8.8.8.8
    Wed Sep 26 08:25:02 2018 info: system - adding DNS server 8.8.8.8
    Wed Sep 26 08:25:02 2018 info: system - adding DNS server 8.8.4.4
    Wed Sep 26 08:25:02 2018 info: system - reloading intrusion prevention system

  • Daniel Luiz da Silva

    Multi-Wan and DNS issues!

    Good morning, ladies and gentlemen,

    I am facing a problem that began after the 21/09 updates. The Multi-WAN system blocked Internet use after a primary link failure. It had to be removed because it did not return to the main link, even when we restarted the system. However, after that, even with only 1 link, the system needs to be restarted every 30 min on average, because the internet stops working and the browsers present a DNS error message

  • Nick Howitt wrote:

    There does not look like there is anything in the script to cause any looping when creating the firewall rules. It could be the files /etc/netify-fwa.conf or /usr/clearos/apps/netify_fwa/deploy/netify-fwa.sed have duplicate data in them. Can you post them both?

    The firewall panic seems to be because of MultiWAN, perhaps where you have MultiWAN loaded but only a single WAN IP address showing or something like that. It would take me a while to understand what is going on. It would be better for the devs to look at it.



    Sorry for the delay, Nick.


    [nfa]
    disable_protocol_rules = false
    disable_service_rules = false
    file_pid = /run/netify-fwa/netify-fwa.pid
    file_reload_lock = /run/netify-fwa/netify-fwa.reload
    file_state = /var/lib/netify-fwa/state.dat
    rule_ttl = 600
    rule_mark_base = 0x900000
    syslog_facility = local0

    [netify]
    node = /var/lib/netifyd/netifyd.sock
    service = 0

    [service_whitelist]

    [protocol_whitelist]

    [service_rules]



    # Netify FWA rule parser for firewall scriptlet

    # Remove rule prefix
    s/^rule\[[0-9]*\][[:space:]]*=[[:space:]]*//g

    # Remove rule enabled flag from end of rule
    s/,1$//g
    s/,true$//g

    # Substitute commas with spaces
    s/,/ /g

  • Nick and Dave, I tried to boot with only the fastest internet link and it shows the UG flag with the gateway, but the IPv4 firewall starts in panic mode. I ran "firewall start -d" and got this error at the end of the log:

    firewall: Error: /usr/clearos/apps/firewall/deploy/firewall.lua:2232: bad argument #1 to 'pairs' (table expected, got nil)
    firewall: Running firewall panic mode...

    Any ideas?

  • Nick Howitt wrote:

    @Dave,
    Are you able to spot the error with the netify script which is loading the firewall rules too often? Is there a race somewhere caused by the -w flag in iptables? Is NFA_RELOAD_TIMEOUT big enough?


    How can I do this, Nick?

  • Dave Loper wrote:

    Do the following to troubleshoot...

    Stop the netify services (Protocol Filter and Application Filter)

    Next, pull the connection on the slower ISP while monitoring the syswatch logs.

    When the faster pipe is the only pipe, does the internet work? If not, see if you can ping using the following command

    ping -I eno1 8.8.8.8

    This will specifically send the ping down the eno1 interface.

    You can also see if you can ping the gateway interface for your eno1.

    Also, check your routing tables:

    netstat -rn

    Lastly, try rebooting your server with ONLY the faster connection attached.


    Dave, it looks like the faster connection is not getting the UG flag.

    [root@gateway ~]# netstat -rn
    Kernel IP routing table
    Destination      Gateway          Genmask          Flags  MSS Window irtt Iface
    0.0.0.0          XXX.XXX.XXX.XXX  0.0.0.0          UG       0 0         0 eno2
    10.26.13.0       0.0.0.0          255.255.255.0    U        0 0         0 ens2f1
    YYY.YY.YY.YYY    0.0.0.0          255.255.255.248  U        0 0         0 eno1
    XXX.XXX.XXX.XXX  0.0.0.0          255.255.255.240  U        0 0         0 eno2
    [root@gateway ~]#
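
The routing-table check from the troubleshooting steps above (does each WAN interface have a row with the UG flag?) can be scripted. This is an added example, not part of the original thread or of ClearOS; the function name `wan_without_default_route` and the sample addresses are assumptions, and the sample table is constructed with documentation address ranges.

```shell
#!/bin/sh
# Constructed sample of `netstat -rn` output, shaped like the table in the post.
# Addresses are documentation ranges, not the poster's real ones.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         203.0.113.1     0.0.0.0         UG        0 0          0 eno2
10.26.13.0      0.0.0.0         255.255.255.0   U         0 0          0 ens2f1
198.51.100.8    0.0.0.0         255.255.255.248 U         0 0          0 eno1
203.0.113.0     0.0.0.0         255.255.255.240 U         0 0          0 eno2'

# Print each named WAN interface that has no default route in the table,
# i.e. no row with destination 0.0.0.0, genmask 0.0.0.0 and both the
# U (up) and G (gateway) flags on that interface.
# $1 = routing table text; remaining arguments = WAN interface names.
wan_without_default_route() {
    table=$1
    shift
    for ifn in "$@"; do
        printf '%s\n' "$table" | awk -v ifn="$ifn" '
            $1 == "0.0.0.0" && $3 == "0.0.0.0" && $4 ~ /U/ && $4 ~ /G/ && $NF == ifn {
                found = 1
            }
            END { exit !found }
        ' || printf '%s\n' "$ifn"
    done
}

# Stand-alone run against the sample; on a live gateway pass "$(netstat -rn)".
wan_without_default_route "$SAMPLE_ROUTES" eno1 eno2
```

Run against the sample, it reports `eno1`, matching what the post observes by eye.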