Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
22.7 Legacy Series
»
Anti DDOS enable syncookies causes timeouts for specific VPNs and Dilbert
« previous
next »
Print
Pages: [
1
]
Author
Topic: Anti DDOS enable syncookies causes timeouts for specific VPNs and Dilbert (Read 1268 times)
Frostbite8289
Newbie
Posts: 7
Karma: 0
Anti DDOS enable syncookies causes timeouts for specific VPNs and Dilbert
«
on:
January 04, 2023, 05:31:12 pm »
I am running the latest production release as of 2022-01-04 i.e. 22.7.10_2.
I am trying to understand what OPNSense is doing with syncookies. They seem to appear both as a tunable under System -> Settings -> Tunables:
"net.inet.tcp.syncookies Generate SYN cookies for outbound SYN-ACK packets " (which is 1 or on by default)
and under Firewall -> Settings -> Advanced
the Anti DDOS enable syncookies (which is never by default).
Can someone explain what the 2nd option is doing and how is it related to the 1st tunable? I do want Anti DDOS. The help is sparse and when I turn it on I get some very strange specific issues. To be clear other web traffic and VPNs work fine from the LAN out to the Internet ex. AnyConnect etc.
It is not clear to me how to use the adaptive option. When that 2nd option is set to always that is when the weird timeout problems appear but only for two very specific instances:
1. Palo Alto Global Protect VPN connections from LAN to Internet cannot connect. HTTPS connections from LAN to Palo Alto firewall get 6KB of a login 12KB page and timeout. The same connection works using curl directly on the OPNSense firewall.
2. Parts of the Dilbert web comic cannot complete loading.
Can anyone shed some light on this?
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
22.7 Legacy Series
»
Anti DDOS enable syncookies causes timeouts for specific VPNs and Dilbert