OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of Just »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - Just

Pages: [1]
1
General Discussion / Re: TCP errors for some websites
« on: January 11, 2020, 10:50:05 pm »
I am not 100% sure if I solved this mystery, but I'll try to explain what I found out.

This issue seems to be an DNS problem in combination with Unbound and DNS-over-TLS using Quad 9 servers (I didn't test any other servers). I used the following guide (https://stafwag.github.io/blog/blog/2018/12/09/configure-dns-tls-on-opnsense/) for DNS over TLS and this worked fine (no DNS issues at all and there was TLS traffic on port 853).
But if I use these custom options, I have the loading problem I described in my original post. If I remove these, the problem is gone. Even when I send the queries directly to 9.9.9.9 instead to the firewall the issue is still there if I haven't removed the custom options for DNS-over-TLS .

My workaround is to use normal DNS for now, but maybe someone knows a different solution, since I would like to keep using DoT.

2
General Discussion / [Solved] TCP errors for some websites
« on: January 11, 2020, 06:27:16 pm »
Hello guys,

I hope this is the right thread for it. Anyway I recently switched from pfSense to opnSense and I face a kinda annoying problem.
For some websites I get alot of "TCP Dup ACK" and "Ignored Unknown Record" messages while tracing the traffic with wireshark. For some sites it makes no difference in performance, they just load fine but for some others they take like 40-60 seconds to finish loading.

For example reddit.com needs like 50 seconds until it finished loading. My wireshark trace looks most of the time like this.


My current setup is the following

ISP <-> FRITZBOX 7490 <-> OPNsense

FRITZ!Box 7490
  • wan0: DHCP provided by ISP
  • lan1: 10.255.0.1
OPNsense
  • wan0: 10.255.0.2
  • lan1: 192.168.0.1
Info about OPNsense
  • Hardware is an APU2C4 (Firwamre from Dec. 2019)
  • OPNsense version 19.7.9_1
  • Firewall rules allow anything from the subnet (log is clear)
  • using Hybrid NAT, this subnet has no extra NAT rules
  • using an OpenVPN client as an alternative gateway, but not for this subnet
  • using haproxy as a reverse proxy, but no other proxies
How do I know it must be an issue related to the firewall?
  • no TCP errors in wireshark when I'm directly connected to the router of my ISP (loading time is like 5seconds instead 50)
  • no TCP errors in wireshark when I use OpenVPN  (also just 5 seconds)
What did I already do?
  • changed MTU of WAN Interface (1492, 1300...)
  • disabled TCP offload engine
  • tried different DNS Servers, browsers and clients (pc, mobile
  • hours of googling...
I hope anybody can help me out, since I have absolutly no idea what I can do about it.

Best regards
Just

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2