My OPNsense installation works without any problems - more or less...
The only issue I have is that I have no access to http/https targets after a certain uptime (from 4 - 24 hours). A reboot always solves the problem.
Environment:
OPNsense 20.7.7_1-amd64 on KVM virtualization (proxmox)
Multiqueue set to 8 (as recommended)
virtio or ne1000 virtual NICs (no difference)
2 GB ram
no proxy server active
Symptoms:
- Access to http/https sites gets slow first, then slower, and in the end you get a timeout
- Other traffic like vpn, voip, ssh to other (outside) systems seems to be unaffected
- I could not find anything in the log files
any ideas..?
Hi Robert,
Are you running a proxy?
Does ping work to 8.8.8.8 and google.com?
What browser error do you get?
Bart...
Hi Bart,
No proxy in charge - neither is OPNsense providing proxy services to the inside network nor is OPNsense using a proxy behind it
ping to the google nameserver always works - there is also no name resolution problem
Browser: firefox, opera, chrome, safari - if http(s) is dead everywhere the same situation
If I've some minutes I'll run a tcpdump on the outside interface from the proxmox side of view...
regards
Robert
Quote from: robert.schuster on January 27, 2021, 08:37:27 AM
If I've some minutes I'll run a tcpdump on the outside interface from the proxmox side of view...
That was my next suggestion ;) You can also capture packets within OPNsense
Hi Bart,
it took some time to get a slightly clearer view here...
As it looks like - if the case happens - I can see a lot of retransmissions and incomplete/timed-out requests in the tcpdump trace.
Even if the "state table size" and the "MBUF usage" are never > 5%, a "States Reset" with both options checked instead of a reboot always solves the problem - for the next couple of hours.
regards
Robert
Hi Robert,
Quote from: robert.schuster on February 06, 2021, 11:35:21 AM
As it looks like - if the case happens - I can see a lot of retransmissions and incomplete/timed-out requests in the tcpdump trace.
Interesting, do you have the same MTU along the path? Does the same issue happen with IPv6 sites?
Bart...
Hi Bart,
IPv6 I have at the moment just internally - no IPv6 routing to the outside (at least in my private network @home)
Unfortunately (of course) the MTU size is not the same on all interfaces...
A simple ping from a Windows workstation (ping -f -l 1432 8.8.8.8) showed me an MTU of 1432 for an unfragmented packet. Therefore I switched MTU to 1432 and MSS to 1392 on the WAN interface.
Robert
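
The don't-fragment ping probing discussed in this thread, as an added example that is not part of any post: it searches for the largest ICMP payload that passes with DF set and derives the IPv4 path MTU and TCP MSS from it. `simulated_path` is a constructed stand-in for a real `ping -f -l <size>` call, and the header sizes assume IPv4 and TCP without options.

```python
from typing import Callable

IPV4_HEADER = 20  # bytes, IPv4 header without options
ICMP_HEADER = 8   # bytes, ICMP echo request header
TCP_HEADER = 20   # bytes, TCP header without options


def largest_unfragmented_payload(probe: Callable[[int], bool],
                                 low: int = 0, high: int = 1472) -> int:
    """Binary-search the largest ICMP data size that gets a reply with DF set.

    probe(size) returns True when an echo carrying `size` data bytes passes
    unfragmented (for example a wrapper around `ping -f -l size` on Windows).
    """
    if not probe(low):
        raise ValueError("smallest probe failed; the path itself is down")
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid          # mid fits, look for something larger
        else:
            high = mid - 1     # mid needs fragmentation, go smaller
    return low


def path_mtu(icmp_payload: int) -> int:
    """The ping size counts ICMP data only; the IP packet is 28 bytes larger."""
    return icmp_payload + IPV4_HEADER + ICMP_HEADER


def tcp_mss(mtu: int) -> int:
    """Largest TCP segment payload that fits into one packet of size `mtu`."""
    return mtu - IPV4_HEADER - TCP_HEADER


def simulated_path(mtu: int) -> Callable[[int], bool]:
    """Constructed probe: a path that drops DF packets larger than `mtu`."""
    return lambda size: size + IPV4_HEADER + ICMP_HEADER <= mtu


if __name__ == "__main__":
    payload = largest_unfragmented_payload(simulated_path(1460))
    mtu = path_mtu(payload)
    print(f"payload={payload} mtu={mtu} mss={tcp_mss(mtu)}")
```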