几周前,我在其中一个板上安装了pfSense,它一直运行良好,但今天开始发生奇怪的事情。
网页未正确加载,但只有特定元素失败(例如此处的日期选择器不起作用)。我一直无法准确指出失败的原因,只是某些页面无法正常工作。
将我的笔记本电脑连接到防火墙外会使奇怪的行为消失。现在,在 nuke-and-paving 之后,大多数 pfSense 配置似乎都运行良好,但我仍然看到防火墙本身存在一些问题。
在进行故障排除时,我开始查看 pfSense Web UI,并且某些页面加载速度非常慢,最一致的是更新页面,它的加载速度慢到 nginx 大部分时间都会超时:
我重新安装了 pfSense,从 nanobsd 切换到正常安装,但行为是一样的。
如果我重新加载页面足够多次,它将最终成功加载:
仪表板上的旋转齿轮也有同样的问题:
我也完成了 pfSense 出厂默认重置,但它的行为仍然很奇怪。
编辑:
即使从昨天开始精简配置,今晚的互联网再次表现得很奇怪。
例如前两个连接工作,第三个失败:
➜ ~ curl-trace https://redmine.pfsense.org/issues/5434
Request Details:
url: https://redmine.pfsense.org/issues/5434
num_redirects: 0
content_type: text/html; charset=utf-8
response_code: 200
remote_ip: 208.123.73.75
Timing Analysis:
time_namelookup: 0.005
time_connect: 0.197
time_appconnect: 0.963
time_pretransfer: 0.963
time_redirect: 0.000
time_starttransfer: 1.422
----------
time_total: 1.578
➜ ~ curl-trace https://redmine.pfsense.org/issues/5434
Request Details:
url: https://redmine.pfsense.org/issues/5434
num_redirects: 0
content_type: text/html; charset=utf-8
response_code: 200
remote_ip: 208.123.73.75
Timing Analysis:
time_namelookup: 0.005
time_connect: 0.161
time_appconnect: 0.948
time_pretransfer: 0.948
time_redirect: 0.000
time_starttransfer: 1.486
----------
time_total: 1.643
➜ ~ curl-trace https://redmine.pfsense.org/issues/5434
Request Details:
url: https://redmine.pfsense.org/issues/5434
num_redirects: 0
content_type:
response_code: 000
remote_ip:
Timing Analysis:
time_namelookup: 0.004
time_connect: 0.000
time_appconnect: 0.000
time_pretransfer: 0.000
time_redirect: 0.000
time_starttransfer: 0.000
----------
time_total: 74.512
➜ ~ alias | grep curl-trace
curl-trace='curl -L -w "@/Users/user/.curl-format" -o /dev/null -s'
➜ ~ cat .curl-format
\n
Request Details:\n
url: %{url_effective}\n
num_redirects: %{num_redirects}\n
content_type: %{content_type}\n
response_code: %{response_code}\n
remote_ip: %{remote_ip}\n
\n
Timing Analysis:\n
time_namelookup: %{time_namelookup}\n
time_connect: %{time_connect}\n
time_appconnect: %{time_appconnect}\n
time_pretransfer: %{time_pretransfer}\n
time_redirect: %{time_redirect}\n
time_starttransfer: %{time_starttransfer}\n
----------\n
time_total: %{time_total}\n
\n
直接从防火墙运行时的行为是相同的:
[2.3-RELEASE][root@pfSense]/root: curl -L -w "@/root/.curl-format" -o /dev/null -s https://redmine.pfsense.org/issues/5434
Request Details:
url: https://redmine.pfsense.org/issues/5434
num_redirects: 0
content_type: text/html; charset=utf-8
response_code: 200
remote_ip: 208.123.73.75
Timing Analysis:
time_namelookup: 0.268
time_connect: 0.422
time_appconnect: 1.700
time_pretransfer: 1.700
time_redirect: 0.000
time_starttransfer: 2.137
----------
time_total: 2.904
[2.3-RELEASE][root@pfSense]/root: curl -L -w "@/root/.curl-format" -o /dev/null -s https://redmine.pfsense.org/issues/5434
Request Details:
url: https://redmine.pfsense.org/issues/5434
num_redirects: 0
content_type:
response_code: 000
remote_ip:
Timing Analysis:
time_namelookup: 0.005
time_connect: 0.000
time_appconnect: 0.000
time_pretransfer: 0.000
time_redirect: 0.000
time_starttransfer: 0.000
----------
time_total: 74.128
并且可以复制更多的家庭目标:
[2.3-RELEASE][root@pfSense]/root: curl -L -w "@/root/.curl-format" -o /dev/null -s https://facebook.com
Request Details:
url: https://facebook.com/
num_redirects: 0
content_type:
response_code: 000
remote_ip:
Timing Analysis:
time_namelookup: 0.032
time_connect: 0.000
time_appconnect: 0.000
time_pretransfer: 0.000
time_redirect: 0.000
time_starttransfer: 0.000
----------
time_total: 74.707
当 https 不支持时,Ping 有效:
--- 208.123.73.75 ping statistics ---
128 packets transmitted, 127 packets received, 0.8% packet loss
round-trip min/avg/max/stddev = 153.258/154.631/156.355/0.897 ms
当连接失败时,pfsense 面向 Internet 的接口上的 tcpdump 如下所示:
20:05:38.825739 IP c83-249-212-155.bredband.comhem.se.35177 > redmine.pfsense.org.https: Flags [S], seq 2899311544, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 24901876 ecr 0], length 0
20:05:41.825422 IP c83-249-212-155.bredband.comhem.se.35177 > redmine.pfsense.org.https: Flags [S], seq 2899311544, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 24904876 ecr 0], length 0
20:05:45.025395 IP c83-249-212-155.bredband.comhem.se.35177 > redmine.pfsense.org.https: Flags [S], seq 2899311544, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 24908076 ecr 0], length 0
20:05:48.225507 IP c83-249-212-155.bredband.comhem.se.35177 > redmine.pfsense.org.https: Flags [S], seq 2899311544, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 24911276 ecr 0], length 0
20:05:51.425435 IP c83-249-212-155.bredband.comhem.se.35177 > redmine.pfsense.org.https: Flags [S], seq 2899311544, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 24914476 ecr 0], length 0
20:05:54.625394 IP c83-249-212-155.bredband.comhem.se.35177 > redmine.pfsense.org.https: Flags [S], seq 2899311544, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 24917676 ecr 0], length 0
20:06:00.825409 IP c83-249-212-155.bredband.comhem.se.35177 > redmine.pfsense.org.https: Flags [S], seq 2899311544, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 24923876 ecr 0], length 0
20:06:13.025405 IP c83-249-212-155.bredband.comhem.se.35177 > redmine.pfsense.org.https: Flags [S], seq 2899311544, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 24936076 ecr 0], length 0
20:06:37.225431 IP c83-249-212-155.bredband.comhem.se.35177 > redmine.pfsense.org.https: Flags [S], seq 2899311544, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 24960276 ecr 0], length 0
MTU 让我有点困惑,但 ping 显示 1500 的限制可能一直在 iirc 中磨练出来(如果我读错了请纠正我):
[2.3-RELEASE][root@pfSense]/root: ping -s 1471 -n -c 1 redmine.pfsense.org
PING redmine.pfsense.org (208.123.73.75): 1471 data bytes
1479 bytes from 208.123.73.75: icmp_seq=0 ttl=48 time=155.314 ms
--- redmine.pfsense.org ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 155.314/155.314/155.314/0.000 ms
[2.3-RELEASE][root@pfSense]/root: ping -s 1472 -n -c 1 redmine.pfsense.org
PING redmine.pfsense.org (208.123.73.75): 1472 data bytes
--- redmine.pfsense.org ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
我似乎能够在 pfsense 中设置 MTU 和 MSS:
但不幸的是(?)我目前无法重现该问题。这使我进一步相信问题出在上游。
我如何证明/确定罪魁祸首是我的盒子还是 ISP?当我开始更改配置(移动电缆等)时,问题往往会在一段时间内“迅速恢复”到工作状态。