Unexpected packet loss on WAN after 16.7 update

[denmmx]

Hi,
today at 3 AM I updated my OPNSense machine to 16.7 from 16.1.20 v and encountered a problem with big packet loss on WAN interface (to H/W router), which has not previously been observed. Router and switch are working normally, users of LAN2 has no problem or packet loss to router; problem started after OPNSense update finished. Attached screenshots show this problem on graphs. Also attached network scheme. What could be the problem?

P.S. SSH connection from Internet to opnsense also very unstable, using of the terminal is very hard...

Thanks!

[denmmx]

Reading some topics in 16.7 prod. series, decided to kill Suricata IDS/IPS, then fully disabled that and reboot. I'm fine, no suspicious packet loss to router, SSH works smooth!  :)
And the question: will be Suricata package fixed in the next release?

[franco]

Are you using IPS mode? I've seen the same and a kernel fix is pending for 16.7.1.


Cheers,
Franco

[denmmx]

Yes, Suricata has worked in the IPS mode. Ok, waiting for a fix!

[franco]

Ok, you also have the Intel em(4) driver?

Current workaround is to disable IPS mode. 16.7.1 will be better, but still not what it was in FreeBSD 10.2. We're trying to pin it down further, but it will take a while given that FreeBSD 10.3 has been out for a bit and there were no real fixes in that kernel area.

It also opens questions about how many FreeBSD people really use netmap(4) in the field.


Cheers,
Franco

[denmmx]

Ok, you also have the Intel em(4) driver?

Yes, this is my both integrated NICs:

1-st

Code: [Select]

em0@pci0:0:25:0:        class=0x020000 card=0x35788086 chip=0x15028086 rev=0x05 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = '82579LM Gigabit Network Connection'
    class      = network
    subclass   = ethernet
2-nd

Code: [Select]

em1@pci0:2:0:0: class=0x020000 card=0x35788086 chip=0x10d38086 rev=0x00 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = '82574L Gigabit Network Connection'
    class      = network
    subclass   = ethernet
I'm fully disable Suricata service (no IDS/no IPS) just to be sure, IPS not so critical for me.
Nevertheless, can I apply this fix?

Code: [Select]

opnsense-update -khr 16.7-em
or it is better not to do until 16.7.1?

[franco]

It's essentially the same fix, it's ok to use it. Feedback welcome.