OPNsense Forum
English Forums => General Discussion => Topic started by: pfiatde on May 11, 2023, 01:56:46 pm
-
I have the following setup.
- Rootserver in a datacenter
- single Public IP, single NIC
- Proxmox as Hypervisor
- Opnsense running as VM
On the Proxmox host a DNAT is configured:
source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback
iface lo inet6 loopback

# Physical NIC carrying the single public IP
auto enp0s31f6
iface enp0s31f6 inet static
    address 168.119.39.103/26
    gateway 168.119.39.65
    up route add -net <<publicIP>> netmask 255.255.255.192 gw <<GATEWAY>> dev enp0s31f6
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    # DNAT all inbound TCP except SSH (22) and the Proxmox GUI (8006), plus all UDP,
    # to the OPNsense WAN address. Note: these rules match on -i ens33, which is not
    # the physical interface enp0s31f6 declared above, and they have no post-down
    # -D counterparts, so each ifup appends them again.
    post-up iptables -t nat -A PREROUTING -i ens33 -p tcp -m multiport ! --dport 22,8006 -j DNAT --to 10.10.10.12
    post-up iptables -t nat -A PREROUTING -i ens33 -p udp -j DNAT --to 10.10.10.12

# LAN bridge (OPNsense LAN side), VLAN-aware, no physical ports
auto vmbr1
iface vmbr1 inet static
    address 192.168.100.253/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094

# WAN bridge (OPNsense WAN side), masqueraded behind the public IP on enp0s31f6
auto vmbr99
iface vmbr99 inet static
    address 10.10.10.10/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o enp0s31f6 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o enp0s31f6 -j MASQUERADE
On the OPNsense, vmbr99 is used for the WAN and vmbr1 for the LAN.
On the LAN side several VMs are hosted and configured via DHCP.
No additional (blocking) firewall rules are configured.
My problem is, that TCP connections are not stable and get interruptions.
If I make several curls to a hostname or IP (DNS is working), every 3rd or so times out (75 s). There seems to be no pattern.
Things I already found out:
- Ping (ICMP) is stable
- Behaviour is the same directly on a shell on the firewall
- If I disable the FW in the settings, connections get stable
- adding a firewall rule allowing everything in and out does not change the behaviour.
--> Therefore I assume that it is something with NAT, and especially with the double NAT?
At the moment I am a little bit lost where to look at. Any ideas?
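As an added example for this thread (not the poster's code, and not a fix for the reported timeouts), here is a small Python checker for the host side of the double-NAT setup above. It parses interfaces(5) text, pulls out the iptables commands that up/down hooks run against the nat table, and reports rules whose -i/-o interface is neither declared in the file nor present on the host, and -A rules in an up hook that have no matching -D in a down hook (those get appended again on every ifup). The INTERFACES_TEXT below is a constructed copy of the configuration quoted in the post; the function and variable names are my own.

```python
"""Sanity-check the iptables NAT rules embedded in /etc/network/interfaces.

Added example for this thread (not the poster's code). It parses interfaces(5)
text, collects the iptables commands run from up/down hooks that touch the nat
table, and reports two things a host-side double-NAT setup commonly gets wrong:
  (a) a rule whose -i/-o interface is neither declared in the file nor present
      on the live host, and
  (b) an -A rule in an up hook with no matching -D in a down hook
      (every ifup/ifdown cycle then appends a duplicate).
INTERFACES_TEXT is a constructed copy of the configuration quoted in the post.
"""
import re
import shlex

# Constructed from the post's configuration; placeholders are kept as they appeared.
INTERFACES_TEXT = """\
auto lo
iface lo inet loopback
iface lo inet6 loopback
auto enp0s31f6
iface enp0s31f6 inet static
    address 168.119.39.103/26
    gateway 168.119.39.65
    up route add -net <<publicIP>> netmask 255.255.255.192 gw <<GATEWAY>> dev enp0s31f6
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A PREROUTING -i ens33 -p tcp -m multiport ! --dport 22,8006 -j DNAT --to 10.10.10.12
    post-up iptables -t nat -A PREROUTING -i ens33 -p udp -j DNAT --to 10.10.10.12
auto vmbr1
iface vmbr1 inet static
    address 192.168.100.253/24
    bridge-ports none
auto vmbr99
iface vmbr99 inet static
    address 10.10.10.10/24
    bridge-ports none
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o enp0s31f6 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o enp0s31f6 -j MASQUERADE
"""

# Hook lines that run iptables; other hooks (echo, route) are ignored.
HOOK_RE = re.compile(r"^\s*(pre-up|up|post-up|pre-down|down|post-down)\s+(iptables\b.*)$")
IFACE_RE = re.compile(r"^\s*iface\s+(\S+)")


def declared_interfaces(text):
    """Names that have an 'iface' stanza in the file."""
    names = set()
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            names.add(m.group(1))
    return names


def nat_rules(text):
    """List of (hook, argv) for every iptables command in a hook that targets '-t nat'."""
    rules = []
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if not m:
            continue
        argv = shlex.split(m.group(2))  # shlex handles the quoted '10.10.10.0/24'
        if "-t" in argv:
            i = argv.index("-t")
            if i + 1 < len(argv) and argv[i + 1] == "nat":
                rules.append((m.group(1), argv))
    return rules


def referenced_interfaces(argv):
    """Interface names passed to -i/--in-interface or -o/--out-interface."""
    names = set()
    for i, tok in enumerate(argv):
        if tok in ("-i", "--in-interface", "-o", "--out-interface") and i + 1 < len(argv):
            names.add(argv[i + 1])
    return names


def rule_key(argv):
    """Normalise -A/-D so an append and its delete counterpart compare equal."""
    return tuple("-A" if tok == "-D" else tok for tok in argv)


def check(text, live_interfaces=None):
    """Return human-readable findings for the NAT rules in `text`; an empty list means clean.

    `live_interfaces` is an optional iterable of names present on the host (e.g. taken
    from `ip -o link`), so an interface created outside this file is not reported.
    """
    known = declared_interfaces(text) | set(live_interfaces or ())
    rules = nat_rules(text)
    down_keys = {rule_key(argv) for hook, argv in rules if hook.endswith("down") and "-D" in argv}
    findings = []
    for hook, argv in rules:
        rule = " ".join(argv)
        for name in sorted(referenced_interfaces(argv)):
            if name not in known:
                findings.append(f"{hook}: interface {name!r} is not declared in the file or present on the host: {rule}")
        if hook.endswith("up") and "-A" in argv and rule_key(argv) not in down_keys:
            findings.append(f"{hook}: no matching -D in a down hook, ifup/ifdown will duplicate it: {rule}")
    return findings


if __name__ == "__main__":
    for finding in check(INTERFACES_TEXT):
        print(finding)
```

Run against the quoted configuration it reports the two PREROUTING rules twice each: once because ens33 is not a declared interface (enp0s31f6 is), and once because they have no post-down -D counterpart; the MASQUERADE pair is clean. To compare against the live host instead of only the file, pass the names from `ip -o link` as `live_interfaces`.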
-
Does nobody have an idea, or is any information missing?
On the OPNsense side no special settings are made. And in the live log I cannot see any blocks or rules triggering other than the normal/default ones.
Attached there is a shell session on the firewall showing the problem. If I set "disable Packet filtering" in the firewall every request gets a response.
(attachment: 2023-05-15_14-07.png)
Ideas are still appreciated :)
Thanks!