Unexpected packet loss on WAN after 16.7 update

Started by denmmx, August 01, 2016, 02:28:14 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
August 01, 2016, 02:28:14 PM Last Edit: August 01, 2016, 02:37:03 PM by denmmx
Hi,
today at 3 AM I updated my OPNSense machine to 16.7 from 16.1.20 v and encountered a problem with big packet loss on WAN interface (to H/W router), which has not previously been observed. Router and switch are working normally, users of LAN2 has no problem or packet loss to router; problem started after OPNSense update finished. Attached screenshots show this problem on graphs. Also attached network scheme. What could be the problem?

P.S. SSH connection from Internet to opnsense also very unstable, using of the terminal is very hard...

Thanks!
August 01, 2016, 06:33:44 PM #1
Reading some topics in 16.7 prod. series, decided to kill Suricata IDS/IPS, then fully disabled that and reboot. I'm fine, no suspicious packet loss to router, SSH works smooth!  :)
And the question: will be Suricata package fixed in the next release?
August 02, 2016, 07:43:28 AM #2
Are you using IPS mode? I've seen the same and a kernel fix is pending for 16.7.1.


Cheers,
Franco
August 02, 2016, 03:19:51 PM #3 Last Edit: August 02, 2016, 03:21:45 PM by denmmx
Yes, Suricata has worked in the IPS mode. Ok, waiting for a fix!
August 02, 2016, 05:03:58 PM #4
Ok, you also have the Intel em(4) driver? ;)

Current workaround is to disable IPS mode. 16.7.1 will be better, but still not what it was in FreeBSD 10.2. We're trying to pin it down further, but it will take a while given that FreeBSD 10.3 has been out for a bit and there were no real fixes in that kernel area.

It also opens questions about how many FreeBSD people really use netmap(4) in the field.


Cheers,
Franco
August 02, 2016, 05:37:10 PM #5
Quote from: franco on August 02, 2016, 05:03:58 PM
Ok, you also have the Intel em(4) driver? ;)

Yes, this is my both integrated NICs:

1-st
Code Select
em0@pci0:0:25:0:        class=0x020000 card=0x35788086 chip=0x15028086 rev=0x05 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = '82579LM Gigabit Network Connection'
    class      = network
    subclass   = ethernet

2-nd
Code Select
em1@pci0:2:0:0: class=0x020000 card=0x35788086 chip=0x10d38086 rev=0x00 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = '82574L Gigabit Network Connection'
    class      = network
    subclass   = ethernet

I'm fully disable Suricata service (no IDS/no IPS) just to be sure, IPS not so critical for me.
Nevertheless, can I apply this fix?
Code Select

opnsense-update -khr 16.7-em

or it is better not to do until 16.7.1?


August 02, 2016, 09:13:13 PM #6
It's essentially the same fix, it's ok to use it. Feedback welcome. :)
Print
Go Up Pages1
User actions