Topics - cyberganny

1
21.1 Legacy Series / Suddenly high packet loss rate between OPNsense and Fritzbox
« on: April 14, 2021, 10:39:09 pm »
Hello Community,

For 3 days I have had massive issues with the combination of my OPNSense cluster and two attached Fritzboxes.

I see massive packet loss rates of up to 50% on the connection between the different cluster nodes and the attached Fritzboxes. The Fritzboxes are directly connected via LAN cables, no switch involved. I already checked the cables, they are fine. Pings to the OPNSense nodes from inside the LAN get top rates. When I log into the OPNSense nodes and start pings to the Fritzboxes I get these results:

Code:
root@fw-master:~ # ping 192.168.188.1
PING 192.168.188.1 (192.168.188.1): 56 data bytes
64 bytes from 192.168.188.1: icmp_seq=0 ttl=64 time=78.418 ms
64 bytes from 192.168.188.1: icmp_seq=1 ttl=64 time=4.887 ms
64 bytes from 192.168.188.1: icmp_seq=2 ttl=64 time=0.585 ms
64 bytes from 192.168.188.1: icmp_seq=3 ttl=64 time=30.765 ms
64 bytes from 192.168.188.1: icmp_seq=4 ttl=64 time=99.968 ms
64 bytes from 192.168.188.1: icmp_seq=5 ttl=64 time=285.366 ms
64 bytes from 192.168.188.1: icmp_seq=6 ttl=64 time=0.715 ms
64 bytes from 192.168.188.1: icmp_seq=8 ttl=64 time=0.585 ms
64 bytes from 192.168.188.1: icmp_seq=9 ttl=64 time=227.395 ms
64 bytes from 192.168.188.1: icmp_seq=10 ttl=64 time=0.746 ms
64 bytes from 192.168.188.1: icmp_seq=11 ttl=64 time=3.116 ms
64 bytes from 192.168.188.1: icmp_seq=12 ttl=64 time=0.603 ms
64 bytes from 192.168.188.1: icmp_seq=13 ttl=64 time=0.787 ms
64 bytes from 192.168.188.1: icmp_seq=14 ttl=64 time=0.543 ms

A completely inconsistent result. The RTTd values are therefore in 3 digits.

The adapter configs:

Code:
root@fw-master:~ # ifconfig em1
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=852098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO>
ether 00:e0:67:09:5d:05
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

Code:
root@fw-master:~ # ifconfig lagg0
lagg0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=852098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO>
ether 00:e0:67:09:5d:04
inet6 fe80::2e0:67ff:fe09:5d04%lagg0 prefixlen 64 scopeid 0x9
inet 10.x.x.101 netmask 0xffffff00 broadcast 10.x.x.255
inet 10.x.x.1 netmask 0xffffff00 broadcast 10.x.x.255 vhid 1
laggproto failover lagghash l2,l3,l4
laggport: em0 flags=5<MASTER,ACTIVE>
groups: lagg
carp: MASTER vhid 1 advbase 1 advskew 0
media: Ethernet autoselect
status: active
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

Is it possible that the last updates of OPNSense delivered Ethernet driver updates or new adapter configs that result in these problems with Fritzboxes, maybe also with other devices?

Recently installed:

Code:
OPNsense 21.1.4-amd64
FreeBSD 12.1-RELEASE-p15-HBSD
OpenSSL 1.1.1k 25 Mar 2021

Am I the only one with that issue?
I am thankful for every helpful hint.

-Micha

2
German - Deutsch / Suddenly lots of packet loss between OPNsense and Fritzboxes
« on: April 14, 2021, 07:32:26 pm »
Hello Community,

For 3 days I have had massive problems in the interplay between my OPNSense cluster and the two Fritzboxes behind it.
I have massive packet loss rates of up to 50% on the connection between the individual cluster nodes and the Fritzboxes. The Fritzboxes are connected directly by cable, with no switch in between. The cables are OK; I have already swapped them, no difference. When I ping the OPNSense nodes from the LAN, the ping rates are top. When I log in to the OPNSense nodes and ping the Fritzboxes, it looks like this:

Code:
root@fw-master:~ # ping 192.168.188.1
PING 192.168.188.1 (192.168.188.1): 56 data bytes
64 bytes from 192.168.188.1: icmp_seq=0 ttl=64 time=78.418 ms
64 bytes from 192.168.188.1: icmp_seq=1 ttl=64 time=4.887 ms
64 bytes from 192.168.188.1: icmp_seq=2 ttl=64 time=0.585 ms
64 bytes from 192.168.188.1: icmp_seq=3 ttl=64 time=30.765 ms
64 bytes from 192.168.188.1: icmp_seq=4 ttl=64 time=99.968 ms
64 bytes from 192.168.188.1: icmp_seq=5 ttl=64 time=285.366 ms
64 bytes from 192.168.188.1: icmp_seq=6 ttl=64 time=0.715 ms
64 bytes from 192.168.188.1: icmp_seq=8 ttl=64 time=0.585 ms
64 bytes from 192.168.188.1: icmp_seq=9 ttl=64 time=227.395 ms
64 bytes from 192.168.188.1: icmp_seq=10 ttl=64 time=0.746 ms
64 bytes from 192.168.188.1: icmp_seq=11 ttl=64 time=3.116 ms
64 bytes from 192.168.188.1: icmp_seq=12 ttl=64 time=0.603 ms
64 bytes from 192.168.188.1: icmp_seq=13 ttl=64 time=0.787 ms
64 bytes from 192.168.188.1: icmp_seq=14 ttl=64 time=0.543 ms

A totally inconsistent ping picture. The RTTd values are correspondingly high, in the 3-digit range.

The adapter settings are as follows:
Code:
root@fw-master:~ # ifconfig em1
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=852098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO>
ether 00:e0:67:09:5d:05
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

Code:
root@fw-master:~ # ifconfig lagg0
lagg0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=852098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO>
ether 00:e0:67:09:5d:04
inet6 fe80::2e0:67ff:fe09:5d04%lagg0 prefixlen 64 scopeid 0x9
inet 10.x.x.101 netmask 0xffffff00 broadcast 10.x.x.255
inet 10.x.x.1 netmask 0xffffff00 broadcast 10.x.x.255 vhid 1
laggproto failover lagghash l2,l3,l4
laggport: em0 flags=5<MASTER,ACTIVE>
groups: lagg
carp: MASTER vhid 1 advbase 1 advskew 0
media: Ethernet autoselect
status: active
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

Could it be that the updates changed something in the Ethernet drivers or settings that leads to problems with Fritzboxes?

Currently installed:
Code:
OPNsense 21.1.4-amd64
FreeBSD 12.1-RELEASE-p15-HBSD
OpenSSL 1.1.1k 25 Mar 2021


Am I the only one with this phenomenon?
Grateful for any helpful tip.

-Micha


3
19.7 Legacy Series / Help needed: LAGG to homogenize interfaces
« on: November 23, 2019, 11:55:06 am »
Hi all,

I have the challenge that I want to build an HA cluster of two OPNSense firewalls that are similar but not equal. On one system the naming scheme of the interfaces is emX, on the other igbX. To make pfsync work I need two systems with equal interface names. In the documentation there is a hint to work around this by using LAGG on the interfaces:

"When using different network drivers on both machines, like running a HA setup with one physical machine as master and a virtual machine as slave, states can not be synced as interface names differ. The only workaround would be to set up a LAGG."

Now my concrete questions: How do I set up the interfaces so that it will work?

Which type of LAGG do I have to choose, given that I do not want any LAG features; I only want homogenous interface names on both machines. Choosing "none" seems not to be an option, because the interface will not deliver any traffic.

Which mode shall I use?
  • NONE
  • LACP
  • FAILOVER
  • FEC
  • LOADBALANCE
  • ROUNDROBIN

And how to configure it, if additional settings are necessary?

Thanks in advance for help
Micha

4
18.7 Legacy Series / Can not ping OPNSense LAN Interface
« on: November 29, 2018, 11:49:26 am »
Hi all,

OPNSense runs fine but I have the problem that I am not able to ping the FW LAN interface (10.1.1.1) from within the local network.

The ping is routed through the WAN interface! Why?
Logging in on the OPNSense admin interface at 10.1.1.1 works fine.

Here is the traceroute:

traceroute to 10.1.1.1 (10.1.1.1), 30 hops max, 60 byte packets
 1  10.1.1.1 (10.1.1.1)  0.672 ms  0.446 ms  0.490 ms
 2  192.168.0.1 (192.168.0.1)  0.855 ms  0.877 ms  0.790 ms
 3  213-146-234-185.skytron.de (213.146.234.185)  3.467 ms  2.431 ms  2.202 ms
 4  10.255.2.116 (10.255.2.116)  3.402 ms  3.312 ms  3.223 ms
 5  10.255.7.97 (10.255.7.97)  3.156 ms !H  4.818 ms !H  4.734 ms !H

Any ideas?

5
18.1 Legacy Series / [SOLVED] Routing trouble with MultiWAN failover
« on: March 24, 2018, 11:50:51 pm »
I set up my firewall as described in the documentation. I have 2 WAN gateways. My problem is that I am not able to access the "passive" gateway from inside the LAN. Access externally works via both gateways. When I try to access the passive gateway (192.168.5.1) from internal, the traffic is always routed through the active (192.168.0.1) gateway.

See traceroute:

traceroute to 192.168.5.1 (192.168.5.1), 64 hops max, 52 byte packets
 1  10.1.1.1 (10.1.1.1)  0.723 ms  0.384 ms  0.319 ms
 2  192.168.0.1 (192.168.0.1)  0.959 ms  0.858 ms  0.859 ms
 3  213-146-234-185.xxxx.de (213.146.234.185)  8.447 ms  4.396 ms  15.199 ms
 4  ...

The routes to the passive gateway exist in the active routing table:

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.5.1        UGS         em2
google-public-dns- 192.168.5.1        UGHS        em2
google-public-dns- 192.168.0.1        UGHS        em1
10.1.1.0/24        link#1             U           em0
OPNsense           link#1             UHS         lo0
localhost          link#5             UH          lo0
192.168.0.0/24     link#2             U           em1
OPNsense           link#2             UHS         lo0
192.168.5.0/24     link#3             U           em2
OPNsense           link#3             UHS         lo0


Any ideas what I have to do so that I can reach my gateway?

Thanks in advance
