Solved: [24.7.4] Some UDP traffic causes packet loss

[hifol792]

Hello everyone

This mostly comes from 'mtr --udp 8.8.8.8' (the same situation happens when downloading torrents). After the launch, 10 seconds pass and all devices on the network cannot reach via UDP (for example, dns requests) or if ping is started over again. TCP continues to work.

If the ping was started before, then there is no packet loss.

I also ran mtr (with the udp flag) directly on the router and this does not happen

OPNsense 24.7.4_1-amd64

[meyergru]

Try a tcpdump on your WAN interface and see if there is any traffic that should occur, like RFC1918 IPs leaking out because of NAT misconfiguration. There is also an obscure bug with the traffic shaper - if you use that, disable it.

[hifol792]

Hello, thanks for the reply.

I did the checks and couldn't find the IP leak. I also disabled traffic shaper, but it didn't help

I checked again that the problem is not with my provider. The problem is reproduced only with the router

Code Select Expand


root@opnsense:/tmp # cat dump | wc -l
    7317
root@opnsense:/tmp # cat dump | grep "MY PPPOEE IP" | wc -l
    7317


[meyergru]

If it is only UDP traffic that is causing this, it could be a wrong MTU setting.

[hifol792]

I checked the MTU via ping with don't fragment. The same value as was set before (1492) is suitable. I also tried to lower it, it didn't help.

Maybe it has something to do with the firewall? At the time of the test, if I run and do not disable ping, then there is no packet loss in it and it works fine. But at the same time, if I launch a new ping, it doesn't work.

Also, during the test, it affects other devices on the network

[meyergru]

I genuinely have no idea.

[Seimus]

What is your OPNsense uptime?
Did you try to reboot after disabling the shaper and retest?

Regards,
S.

[hifol792]

Hello.

I've rebooted it many times. By the way, I tried restarting the router right now. Nothing has changed.

I also deleted almost all custom tunables (also with restart). Now I have only these:

hw.ibrs_disable = 1
net.inet.rss.bits = 2
net.inet.rss.enabled = 1
net.isr.bindthreads = 1
net.isr.dispatch = deferred
net.isr.maxthreads = -1
vm.pmap.pti = 0

Also tried to switch NAT without manual rules, it also did not give anything.

UPD: Traffic shaper was disabled a few days ago. It also didn't help solve the problem.

[iMx]

I'd be disabling RSS and re-testing :)

... i.e defaults, for everything, no custom stuff at all. Re-test.

[newsense]

Don't disable RSS.

This is something that Crowdsec might be responsible for...is it running ?

[hifol792]

Hello. Thanks for trying to help

I have just done the following:
- Disabled all LAN rules, leaving only one that allows all traffic (I don't have rules on the WAN)
- Turned off hardware acceleration
- Turned off all gateways leaving only pppoe
- Removed all non-standard tunables
- Switched NAT to automatic

In each step, I restarted the router and checked how it behaves with mtr --udp.

None of this helped

[hifol792]

@newsense You mean https://www.crowdsec.net / ? I don't use it.

[newsense]

OK, no crowdsec.

What else is running there, what is your setup ? You're triggering something with mtr, the question is what exactly.

[iMx]

Don't disable RSS.

This is something that Crowdsec might be responsible for...is it running ?

This makes zero sense.

The default install, is with RSS disabled.  If you have problems, the absolute first thing anyone should do, is go back to stock/default.

[hifol792]

Here is a video with the problem: https://www.youtube.com/watch?v=17CJXPKaLWo

> What else is running there
I had Wireguard running. During the test below, I disabled it.
I attached a screenshot
I don't use anything custom anymore.

> what is your setup ?
What do you mean by that?