OPNsense Forum

English Forums => General Discussion => Topic started by: pfiatde on May 11, 2023, 01:56:46 pm

Title: WAN (TCP) get interrupts (Rootserver, single NIC, Proxmox)
Post by: pfiatde on May 11, 2023, 01:56:46 pm
I have the following setup.
- Rootserver in a datacenter
- single Public IP, single NIC
- Proxmox as Hypervisor
- Opnsense running as VM

On the Proxmox host a DNAT is configured.

Code:
source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

iface lo inet6 loopback

auto enp0s31f6
iface enp0s31f6 inet static
        address 168.119.39.103/26
        gateway 168.119.39.65
        up route add -net <<publicIP>> netmask 255.255.255.192 gw <<GATEWAY>> dev enp0s31f6
        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        # DNAT all inbound TCP except 22 (SSH) and 8006 (Proxmox web UI), and all inbound UDP,
        # to the OPNsense WAN address; note these rules match on ens33 while the NIC defined above is enp0s31f6
        post-up iptables -t nat -A PREROUTING -i ens33 -p tcp -m multiport ! --dport 22,8006 -j DNAT --to 10.10.10.12
        post-up iptables -t nat -A PREROUTING -i ens33 -p udp -j DNAT --to 10.10.10.12


auto vmbr1
iface vmbr1 inet static
        address 192.168.100.253/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

auto vmbr99
iface vmbr99 inet static
        address 10.10.10.10/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        # source NAT for the OPNsense WAN network (vmbr99) leaving via the physical NIC
        post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o enp0s31f6 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o enp0s31f6 -j MASQUERADE


On the OPNsense, vmbr99 is used for WAN and vmbr1 for LAN.

On the LAN side several VMs are hosted and configured via DHCP.

No additional firewall rules (with block) configured.

My problem is that TCP connections are not stable and get interrupted.
If I make several curls to a hostname or IP (DNS is working), every 3rd or so times out (75s). There seems to be no pattern.
Things I already found out:
- Ping (ICMP) is stable
- Behaviour is the same directly on a shell on the firewall
- If I disable the FW in the settings, connections get stable
- Adding a firewall rule allowing everything in and out does not change the behaviour.

--> Therefore I assume that it is something with NAT and especially with the double NAT?
At the moment I am a little bit lost as to where to look. Any ideas?
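As an added check (not from the original post, and not an OPNsense or Proxmox tool): the host config above binds its DNAT rules to ens33 while the NIC it defines is enp0s31f6, and a NAT rule bound to a name no interface carries silently matches nothing, so a script that cross-checks the interface names used by iptables rules against the iface stanzas in the same file is worth running before chasing state-table issues. The sample config is a constructed excerpt of the one posted.

```shell
#!/bin/sh
# Added example: cross-check interface names referenced by iptables -i/-o
# in an ifupdown config against the interfaces the file actually defines.

# Constructed excerpt modelled on the thread's /etc/network/interfaces.
SAMPLE_CONFIG='auto enp0s31f6
iface enp0s31f6 inet static
        post-up iptables -t nat -A PREROUTING -i ens33 -p tcp -m multiport ! --dport 22,8006 -j DNAT --to 10.10.10.12
        post-up iptables -t nat -A PREROUTING -i ens33 -p udp -j DNAT --to 10.10.10.12
auto vmbr99
iface vmbr99 inet static
        post-up   iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o enp0s31f6 -j MASQUERADE'

# defined_ifaces: one name per line, taken from "iface <name> ..." stanzas
defined_ifaces() {
    printf '%s\n' "$1" | awk '$1 == "iface" { print $2 }' | sort -u
}

# rule_ifaces: names given to -i/-o on iptables lines, one per line
rule_ifaces() {
    printf '%s\n' "$1" | awk '/iptables/ {
        for (i = 1; i < NF; i++) if ($i == "-i" || $i == "-o") print $(i + 1)
    }' | sort -u
}

# undefined_rule_ifaces: names used in rules but defined nowhere in the file,
# printed space-separated (empty output means every rule binds to a real iface)
undefined_rule_ifaces() {
    config="$1"
    defined=$(defined_ifaces "$config")
    result=""
    for name in $(rule_ifaces "$config"); do
        if ! printf '%s\n' "$defined" | grep -qx "$name"; then
            result="${result:+$result }$name"
        fi
    done
    printf '%s\n' "$result"
}

# On the sample this reports "ens33": the DNAT rules bind to an undefined NIC.
undefined_rule_ifaces "$SAMPLE_CONFIG"
```

Run it against a real file with `undefined_rule_ifaces "$(cat /etc/network/interfaces)"`; an empty line means every NAT rule is bound to an interface the file defines.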

Title: Re: WAN (TCP) get interrupts (Rootserver, single NIC, Proxmox)
Post by: pfiatde on May 15, 2023, 02:09:54 pm
Nobody has an idea, or is any information missing?

On the OPNsense side no special settings are made. And in the live log I cannot see any blocks or rules triggering other than the normal / default ones.

Attached there is a shell session on the firewall showing the problem. If I set "disable Packet filtering" in the firewall, every request gets a response.

Ideas are still appreciated :)
Thanks!