[Resolved] Long connections dropping across VLANs

Started by apazzy, July 02, 2019, 01:56:44 AM

July 02, 2019, 01:56:44 AM Last Edit: July 03, 2019, 08:45:32 AM by apazzy
Hi all, I'm running into an issue that I don't believe I'm experienced enough to investigate on my own.

I'm running OPNsense 19.7.b (testing; the same issue occurred in 19.1), and whenever I am accessing something across VLANs that needs to stay established for a long period of time, it seems to drop.

For testing I've been using a video file on an SMB share; it will run for a few minutes and then error out with an 'end of file' in VLC.

I can see the connection establish, in Windows I'm seeing the connection is listed as ESTABLISHED in netstat:
   TCP    192.168.10.98:50235    192.168.1.99:445       ESTABLISHED     4

I check the same thing in the state dump table and I see:
   all   tcp   192.168.10.98:50235 -> 192.168.1.99:445   SYN_SENT:CLOSED

I initially thought this was firewall related; even though my rules were set to allow all traffic out, I was seeing default denies in the firewall log:

   LAN interface:
      Protocol   Source   Port   Destination   Port   Gateway   Schedule   Description
      IPv4+6 *   LAN net   *   *   *   *   *   Allow LAN to any
   LAN_UNTAGGED interface:
      Protocol   Source   Port   Destination   Port   Gateway   Schedule   Description
      IPv4+6 *   LAN_UNTAGGED net   *   *   *   *   *   Allow LAN_UNTAGGED to any

Because of this, I went and tried adding floating rules in:

   Protocol   Source   Port   Destination   Port   Gateway   Schedule   Description
   IPv4+6 *   LAN net   *   *   *   *   *   Allow LAN to any
   IPv4+6 *   LAN_UNTAGGED net   *   *   *   *   *   Allow LAN_UNTAGGED to any

Inter-VLAN drops seem to have disappeared, but I'm still seeing drops with a default deny in the firewall log live view.

Based on things I've found, I have:
- Set Firewall Optimization to 'conservative'
- Enabled 'Disable hardware checksum offload'
- Enabled 'Disable hardware TCP segmentation offload'
- Enabled 'Disable hardware large receive offload'
- Set VLAN Hardware Filtering to 'Disable VLAN Hardware Filtering'

None of these have done anything AFAIK.

EDIT: Prior to yesterday I was running a Ubiquiti firewall. I moved to more powerful hardware and OPNsense in order to run suricata and move some services I need running 24/7 to the router. Suricata is running in IDS mode, and I've tested with Suricata disabled.

EDIT2: Ugh. Of course, it's always the last place you look. Turns out it's an issue with Unraid having an IP on the same VLAN as my Windows VM. Linking here in case anyone has the same issue. https://forums.unraid.net/topic/72530-smb-and-vlan-issue/
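The state-table entry quoted above is the diagnostic clue in this thread: the Windows client shows the SMB connection as ESTABLISHED while pf shows it as SYN_SENT:CLOSED, meaning the firewall saw the client's SYN but never saw the server's SYN-ACK come back through it, so the reply leg is taking another path. Once that half-open state times out, later packets of the flow match no state and fall through to the default deny, which is exactly a mid-stream drop logged as a default deny. As an added example (not the poster's code and not an OPNsense tool), the following Python script correlates a Windows `netstat -ano` dump with a `pfctl -ss` dump and flags every flow the client still considers established but for which pf has never seen the server side of the handshake, or has no state at all. The sample inputs are constructed; the first netstat row and the first pf row mirror the ones quoted in the post, the rest are made up. The pf parser assumes the `src -> dst` form shown in the post (no NAT parentheses, no `<-` states).

```python
"""Correlate a Windows client's netstat view of its TCP connections with the pf
state table on an OPNsense firewall, and flag flows where the two disagree.

Added example: this is not the forum poster's code or an OPNsense tool.
"""
import re

# Constructed sample of `netstat -ano` output from the Windows client. The first
# data row mirrors the one quoted in the post; the others are made up.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.10.98:50235    192.168.1.99:445       ESTABLISHED     4
  TCP    192.168.10.98:50301    192.168.1.50:22        ESTABLISHED     1234
  TCP    192.168.10.98:50410    192.168.1.20:443       TIME_WAIT       0
  TCP    192.168.10.98:50520    192.168.1.99:139       ESTABLISHED     4
"""

# Constructed sample of `pfctl -ss` output from the OPNsense box. Only the
# `src -> dst` form shown in the post is handled (no NAT parentheses, no `<-`).
PF_STATES_SAMPLE = """\
all tcp 192.168.10.98:50235 -> 192.168.1.99:445       SYN_SENT:CLOSED
all tcp 192.168.10.98:50301 -> 192.168.1.50:22        ESTABLISHED:ESTABLISHED
"""

NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)")
PF_RE = re.compile(r"^\s*\S+\s+tcp\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)\s+(\S+):(\S+)")


def parse_netstat(text):
    """Map (src_ip, src_port, dst_ip, dst_port) -> client-side TCP state."""
    flows = {}
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            key = (m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))
            flows[key] = m.group(5)
    return flows


def parse_pf_states(text):
    """Map the same 4-tuple -> (src_state, dst_state) as pf tracks them."""
    states = {}
    for line in text.splitlines():
        m = PF_RE.match(line)
        if m:
            key = (m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))
            states[key] = (m.group(5), m.group(6))
    return states


def find_half_open(netstat_flows, pf_states):
    """Return flows the client considers ESTABLISHED but for which pf has never
    seen the server's side of the handshake.

    SYN_SENT:CLOSED means pf saw the client's SYN but no SYN-ACK came back
    through it, so the reply is taking another path. Such a state expires on
    the short first-packet timeout, and any later packet of the flow then
    matches no state and falls through to the default deny. A missing state
    for a connection the client still uses is the same symptom one step later.
    """
    suspects = []
    for key, client_state in netstat_flows.items():
        if client_state != "ESTABLISHED":
            continue
        src_state, dst_state = pf_states.get(key, ("MISSING", "MISSING"))
        if dst_state != "ESTABLISHED":
            suspects.append((key, f"{src_state}:{dst_state}"))
    return suspects


if __name__ == "__main__":
    for (sip, sport, dip, dport), pf_state in find_half_open(
        parse_netstat(NETSTAT_SAMPLE), parse_pf_states(PF_STATES_SAMPLE)
    ):
        print(f"{sip}:{sport} -> {dip}:{dport}  client=ESTABLISHED  pf={pf_state}")
```

Run on the constructed samples it reports the SMB flow on port 445 as SYN_SENT:CLOSED and the port 139 flow as having no pf state at all, while the SSH flow whose state is ESTABLISHED:ESTABLISHED on both sides is left alone. Any flow it flags is one where the firewall is not seeing both directions of the traffic, which is the thing to check before touching offload settings or rule ordering.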