pfSense with CrowdSec - Reboot Hang - Waiting for Crowdsec

[daygle]

After installing CrowdSec on pfSense using:

fetch https://raw.githubusercontent.com/crowdsecurity/pfSense-pkg-crowdsec/refs/heads/main/install-crowdsec.sh
sh install-crowdsec.sh

I configured the service and attempted a reboot via the pfSense WebUI. The system hung indefinitely at:

Stopping package crowdsec...

This appears to be caused by the CrowdSec firewall bouncer retrying LAPI connections during shutdown, even after the LAPI has already terminated. The bouncer waits for a response that never arrives, and since pfSense (FreeBSD) does not enforce service timeouts or force-kill stalled processes, the reboot sequence stalls.

From crowdsec-firewall-bouncer.log:

level=error msg="auth-api: auth with api key failed return nil response, error: dial tcp 127.0.0.1:8088: connect: connection refused"
level=error msg="failed to connect to LAPI, retrying in 10s"
...
level=fatal msg="process terminated with error: received SIGTERM"

I previously encountered this exact issue on OPNsense, and I’m disappointed to see it persists on pfSense. The behavior is consistent across both platforms: GUI-triggered reboots hang, while shell-based reboot works because it bypasses graceful service shutdown.

CrowdSec and its bouncer should:

• Exit cleanly on SIGTERM
• Avoid retrying LAPI connections during shutdown
• Respect FreeBSD’s service lifecycle without blocking reboots

[daygle]

I believe I’ve resolved the shutdown hang. In /usr/local/etc/rc.d/crowdsec_firewall, I updated the crowdsec_firewall_stop() function with a more reliable termination strategy. Initial testing looks promising - no hangs so far. I’ll continue monitoring over the next few days to confirm stability

crowdsec_firewall_stop()
{
    if [ ! -f "$pidfile" ]; then
        echo "${name} is not running."
        return
    fi

    pid=$(cat "$pidfile")
    if kill -0 "$pid" >/dev/null 2>&1; then
        echo "Stopping ${name} (PID $pid)."
        kill -s TERM "$pid" >/dev/null 2>&1

        # Start a watchdog to enforce timeout
        (
            sleep 15
            if kill -0 "$pid" 2>/dev/null; then
                echo "Timeout reached. Force-killing ${name} (PID $pid)."
                kill -s KILL "$pid" >/dev/null 2>&1
            fi
        ) &

        # Wait for process to exit
        wait "$pid" 2>/dev/null
        rm -f "$pidfile"
        echo "${name} stopped."
    else
        echo "${name} is not running."
    fi
}

[daygle]

False alarm - unfortunately, the code change didn’t resolve the issue. I’ve performed a reboot, but it still hangs at Stopping package crowdsec....

[dgooijer]

Have the same issues. Retried with a fresh install but issue persists. Force reboot of the firewall resulted for me in a 50x error and certain packages not coming up. Crowdsec remains in zombie state with quite a few orphans. Only removing crowdsec brings pfsense back to stability.