Errors Out on VLANs

Started by firewalled101, May 20, 2022, 07:33:46 PM

May 20, 2022, 07:33:46 PM Last Edit: May 20, 2022, 07:46:28 PM by firewalled101
I set up OPNsense virtualized on a Proxmox desktop machine. I use an Intel I350 Quad Port by CISCO (UCSC-PCIE-IRJ45) via a bridge in Proxmox. I have 1 port for WAN and 1 port for LAN (which carries all VLAN segments). I use a managed switch, a TP-Link TL-SG108E, between the LAN and my Wifi AP. I exclusively use VLANs on my network and preserved the LAN for management. I have over 1300 "errors out" in the firewall statistics.

How can I approach this issue? Thanks in advance.

Firewall errors may be a resource utilization issue.

Please post the stats that you are referring to.

May 24, 2022, 07:22:04 AM #2 Last Edit: May 24, 2022, 07:25:09 AM by firewalled101
Here is my stat page:

I'd say replace the cable on the LAN to see if this is fixed. If not then it may be due to the CPU/proxmox resource issue.

The LAN cable is one supplied by my NAS so I expect it to be decent but I will try.

Can you elaborate on the CPU/proxmox issue?

I am wondering whether this is related to my switch because it is a budget one. So I will set up another trunk port and route the LAN/VLANs through it.

The other thing is, I do not use my LAN at all; this is why it is at 0 errors (in part). I will connect to the LAN by wire over my switch and see if this generates errors. This way I skip my AP route.

Of note, I added a third NIC to the OPNsense VM and I lost connection to the OPNsense GUI and connectivity, although the post was showing on the Proxmox console but without a WAN IP address. Not sure if this has anything to do with the errors.

Thanks!

I am not sure now if I understand your issue clearly. Are you stating that all four interfaces from the quad NIC are part of the OPNsense VM? But your picture shows 6 interfaces. I am not clear which interface is what. Can you clarify, maybe with a diagram?

I was under the presumption that one NIC is for all the connections using VLANS.

You are right, and I do not know how to draw a network. I am not an engineer or IT person  ;D

My Proxmox host has 2 Ethernet ports from the motherboard and 4 others from the I-350 card. I use one on the motherboard to access the Proxmox interface, wired to my network switch. I assigned 2 ports on the I-350 to the OPNsense VM as a Linux bridge: one goes to my modem as WAN, and the other goes to my trunk port on my switch as LAN. The LAN carries all VLANs.

What I meant by adding a 3rd port to OPNsense is that I attempted to assign a 3rd physical port to OPNsense, but it stopped working for me as I detailed. I thought I would use this for DMZ or VPN.

I hope this clarifies the confusion.

If this is the case then I'd look at the Proxmox interface statistics to see if there are any errors. If there are any, then it would be a cable issue. If not, then the allotted CPU would need to increase so that the traffic would not drop.
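One way to do the check suggested above, as an added example that is not from the thread or from OPNsense/Proxmox themselves: snapshot the per-interface error and drop counters that Linux exposes under `/sys/class/net/<iface>/statistics/` on the Proxmox host, take a second snapshot later, and print only the interfaces whose counters grew. The `SYSFS_ROOT` parameter is an assumption that lets the functions run against a constructed directory tree instead of a live host.

```shell
#!/bin/sh
# Added example: diff Linux NIC error/drop counters between two snapshots.
# Run as: snapshot /sys/class/net > a; sleep 60; snapshot /sys/class/net > b;
#         report_deltas a b

read_counter() {
    # $1 = sysfs root, $2 = interface, $3 = counter name; a missing file counts as 0
    f="$1/$2/statistics/$3"
    if [ -r "$f" ]; then cat "$f"; else echo 0; fi
}

snapshot() {
    # $1 = sysfs root (normally /sys/class/net). Prints one sorted line per
    # interface: "iface rx_errors tx_errors rx_dropped tx_dropped".
    root="$1"
    for d in "$root"/*/; do
        [ -d "$d/statistics" ] || continue
        i=$(basename "$d")
        printf '%s %s %s %s %s\n' "$i" \
            "$(read_counter "$root" "$i" rx_errors)" \
            "$(read_counter "$root" "$i" tx_errors)" \
            "$(read_counter "$root" "$i" rx_dropped)" \
            "$(read_counter "$root" "$i" tx_dropped)"
    done | LC_ALL=C sort
}

report_deltas() {
    # $1 = earlier snapshot file, $2 = later snapshot file. Joins on the
    # interface name and prints only interfaces whose counters increased;
    # a rising tx_errors on the bridge member of the OPNsense LAN points at the
    # physical link, while rising drops on the VM side point at resources.
    LC_ALL=C join "$1" "$2" | awk '{
        de_rx = $6 - $2; de_tx = $7 - $3; dd_rx = $8 - $4; dd_tx = $9 - $5
        if (de_rx > 0 || de_tx > 0 || dd_rx > 0 || dd_tx > 0)
            printf "%s rx_err+%d tx_err+%d rx_drop+%d tx_drop+%d\n",
                   $1, de_rx, de_tx, dd_rx, dd_tx
    }'
}
```

Compare the output with the "errors out" column in the OPNsense interface statistics: counters that rise on the host side as well as in the VM indicate the problem is at or below the bridge, not inside OPNsense.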

I switched my LAN cable and it did not make a difference. Error counts slowed down after I changed my switch IP address to static, but it did not last for long. Why do you think it is a CPU issue? The CPU workload is barely 3% at all times. It seems like people have had this problem for a while now: https://github.com/opnsense/src/issues/74

I uninstalled Zenarmor (Sensei) because I found the Elasticsearch database was taking up so much disk space. And to my surprise, all interface errors disappeared. It has been 24 hours so far. You may close this post. Thank you.

As I stated originally, packets get dropped when resources are being depleted. So, in your case it would be Zenarmor, either due to too much data being written (CPU hog) or too much data inspection (CPU hog).

It's not ideal to place a virtual firewall in place, unless you are running Threadripper... LOL