Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
[SOLVED] Unable to update opnsense and frequent TCP failures (no route to host)
« previous
next »
Print
Pages: [
1
]
Author
Topic: [SOLVED] Unable to update opnsense and frequent TCP failures (no route to host) (Read 295 times)
gregyski
Newbie
Posts: 1
Karma: 0
[SOLVED] Unable to update opnsense and frequent TCP failures (no route to host)
«
on:
September 24, 2024, 03:20:30 am »
Conditions:
OPNsense running behind a Hetzner firewall (such as on their dedicated root servers)
Symptoms:
OPNsense update attempts were extremely slow and ultimately would fail, usually with a `No Route To Host` error. Further testing showed that any TCP connections out from OPNsense had an approximately 50% chance of failing with either `No Route To Host` or timing out.
Cause:
Hetzner's default firewall rules for established connections expect the ephemeral ports to be in the range of 32768–65535. OPNsense, by default, creates ephemeral ports in the range of 1024-65535. Therefore, ~50% of outbound TCP connections will fail at random as their return traffic is blocked.
Resolution (taken from
https://forum.proxmox.com/threads/strange-issues-with-proxmox-and-opnsense-on-hetzner-root-server.135609/#post-601879
by alh):
- change ephemeral port range in Hetzner stateless firewall to 1024-65535
- change the settings in OPNsense for the port range on the outbound nat ("Translation / port")
- change the settings in OPNsense globally by changing System > Settings > Tunables: net.inet.ip.portrange.first
«
Last Edit: September 25, 2024, 05:01:08 am by gregyski
»
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
[SOLVED] Unable to update opnsense and frequent TCP failures (no route to host)
