Messages

1

20.7 Legacy Series / Re: http/https traffic problem

« on: February 08, 2021, 12:26:44 pm »

Hi Bart,

ipv6 I have at the moment just internal - no ipv6 routing to the outside (at least in my private network @home)

Unfortunately (of course) the MTU size is not the same on all interfaces...

A simple ping from a Windows Workstation (ping  -f -l 1432 8.8.8. showed me a MTU of 1432 for a not fragmented packet. Therefore I switched MTU to 1432 and MSS to 1392 on the WAN interface.

Robert

2

20.7 Legacy Series / Re: http/https traffic problem

« on: February 06, 2021, 11:35:21 am »

Hi Bart,

it took same time to get here a bit clearer view...
As it looks like - if the case happens - I can see a lot of retransmissions and incomplete/timoute requests in the tcpdump trace.

Even if the "state table size" and the "MBUF usage" is never > 5% a "States Reset" with both options checked instead of a reboot solves the problem always - for the next couple of hours.

regards
Robert

3

20.7 Legacy Series / Re: http/https traffic problem

« on: January 27, 2021, 08:37:27 am »

Hi Bart,

No proxy in charge  - neither OPNsense ist providing proxy services to the inside network nor OPNsense is using a proxy behind
ping to the google nameserver works always  - there is also no name resolution problem
Browser: firefox, opera, chrome, safari - if http(s) is dead everywhere the same situation

If I've some minutes I'll run a tcpdump on the outside interface from the proxmox side of view...

regards
Robert

4

20.7 Legacy Series / http/https traffic problem

« on: January 26, 2021, 09:09:39 am »

My OPNSense installation works without any problems - more or less...

The only issue I have is that I have no access to http/https targets after a certain uptime (from 4 - 24 hours). A rebbot solves always the problem.

Environment:
OPNsense 20.7.7_1-amd64 on KVM virtualization (proxmox)
Multiqueue set to 8 (as recommended)
virtio or ne1000 virtual nic's (no difference)
2 GB ram
no proxy server active

Sympthomes:

• Access to http/https sites are getting slow first, then slower and at the end you'll get a timeout
• Other traffic like vpn, voip, ssh to other (outside) systems seems to unaffeccted
• I could not find anything at the logfiles

any ideas..?

5

20.7 Legacy Series / Re: [solved]Routing Problem (?) in OPNSense

« on: September 07, 2020, 11:15:44 am »

Just to clarify: My issue was NOT a OPNsense problem.
After I have changed to the "new" routing address everithing worked like a charm.

I just switched back to the old vyos setup because of the lost time I couldn't transfer my openvpn tunnels to the new system. I'll see - may I can mange this in during the next weekend.

6

20.7 Legacy Series / Re: Routing Problem (?) in OPNSense

« on: September 06, 2020, 08:03:22 pm »

Incredible - a chain of stupid coincidences!
My provider had a core switch failure. Somehow the system had a different routing for my networks after the failover. Instead of routing the productive network to .2 of the border network, it was routed to .3 all at once.
Exactly at the moment when I configured my installation.

7

20.7 Legacy Series / Re: Routing Problem (?) in OPNSense

« on: September 06, 2020, 06:05:34 pm »

Thnak's for the hint but Suricata is not eanbled at all. I haven't changed anything at the service section.

8

20.7 Legacy Series / [solved]Routing Problem (?) in OPNSense

« on: September 06, 2020, 12:45:24 pm »

Hi,

I've tried to switch from my cli based Vyos Firewall to OPNSense this weekend.
Unfortunately without success.

I've installed a a current downloaded version which I updated emediately inside my Proxmox (KVM) Hypervisor box.

I've three (3) Networks. A small /29 border net, a /24 "production one" and a private /24 behind for internal use. Everything worked fine and I could create al the aliases for weberserver, mailserver, DNS-server etc.
One of my first rules was a icmp ping rule to be able to ping all hosts with an official ip-adresse from the outside during installation.
To make a long story short: I haver had a permanent ping from the outside to one address inside the official /24 net. and it responds like acharm. Also the webservices. mail and dns-services were already rechable from the oudside like it should be.
Suddenly the ping stopped (timeout) and also the access to all the other services were blocked.

Nothing helped until now - not even a reboot of the whloe virt-host.

Any idea where I could have a look?

regards
Robert