Random blocking UDP packets when playing multiplayer games

Started by vlnc, October 11, 2025, 03:33:35 PM

Hi everyone,

I'm running this version of OPNsense in a VM hosted on ESXi:
OPNsense 25.7.5-amd64
FreeBSD 14.3-RELEASE-p4
OpenSSL 3.0.18

I don't really know since when this has been happening (I mean since which OPNsense update), but I get this side effect:
While playing online on a server in my favorite game (Squad on PC, as an example), I get huge lags for a limited time (a dozen seconds) with effects like no more VoIP, everyone running into walls etc... because UDP packets are blocked/not processed by OPNsense. The result is that sometimes, after the lag, when UDP packets are transmitted again, I'm disconnected from the server, and sometimes I'm not.

My network setup is pretty simple:

My PC: 192.168.2.2/24 using 192.168.2.1/24 (OPNsense) as default gateway
OPNsense: using my ISP router as main and only gateway / DNS server (I need to SNAT traffic from/to 192.168.2.0/24 by 192.168.2.1 to my ISP router to access the Internet because I can't set up a static route on my ISP router (which is in 192.168.1.0/24) like "ip route 192.168.2.0/24 via 192.168.2.1/32").

Firewall rule on the User interface is: 192.168.2.0/24 any any allow

As a drawing is better than writing:



For your understanding of my current OPNsense configuration, the list of services (enabled/disabled):

  • Captive portal -> Disabled
  • DHCRelay -> Disabled
  • Dnsmasq DNS & DHCP -> Disabled
  • Intrusion Detection -> Disabled
  • ISC DHCPv4 -> Enabled
  • ISC DHCPv6 -> Disabled
  • Kea DHCP -> Disabled
  • Monit -> Enabled
  • Network Time -> Enabled
  • OpenDNS -> Disabled
  • Unbound DNS -> Enabled

I started asking ChatGPT, which redirected me to:
-> bug in OPNsense since switching to pf (XD)
-> flush state table (pfctl -F states)
-> UDP state timeout too short
-> Service IDS/IPS Suricata (disabled, as you've seen)
-> Update Bogons / GeoIP (weird, because I shouldn't be able to connect to the game server in the first place, no?)
-> Normalization rules on WAN interface (timeout parameter is missing in GUI)
-> System > Settings > Tunables, then add these parameters: net.pf.udp_first to 120, net.pf.udp_single to 120 and net.pf.udp_multiple to 180

I don't really know where to look right now, and I don't want to change parameters without knowing whether they will have a good or bad effect, so I'd like your advice first.

Does anyone have an idea? I'm only using the GUI; I haven't made any changes via CLI/SSH.

I will investigate whether this impacts TCP traffic too.

Thanks for your help.

Regards,
vlnc

While I don't have similar problems, my first thoughts are that it's one of the following:
- Bad/marginal cable. Replace some cables to see if it helps.
- Loss of ICMP / ICMPv6 packets at the WAN interface, similar to what is discussed in this topic: https://forum.opnsense.org/index.php?topic=46990.0
You could try the suggested solutions.
Deciso dec3840: EPYC 3101, 16GB RAM, 512GB SSD
Deciso dec3850: EPYC 3201, 16GB RAM, 256GB SSD

I am experiencing a similar (possibly the same) issue. The following is my behaviour. I have not been able to find a clear pattern to the outages, but they are usually in the 10s of seconds, and the following is affected:

- same lags at online gaming. Basically the game hangs and eventually disconnects
- discord calls are broken during that period of time. People can still hear me but I am unable to hear them
- streaming on TVs in the house seems to be affected in the same way, although I cannot be certain that it's the same issue

My guess is that incoming UDP traffic is affected, as e.g. I can still run a speedtest on my mobile phone, which seems to work just fine, so I guess TCP is working. I have already set the firewall optimization to conservative, but that did not solve the issue. Will update if I find the cause. Would be great if someone has an idea, as I am a little lost at the moment.
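A check for the symptom both posts above describe, added here as an example (not code from the thread): a small UDP probe that sends one numbered packet every 250 ms from a single source port to an echo reflector you run on a host you control beyond the firewall (reflector address, port and probe count are assumed command-line arguments), then reports reply gaps of at least five seconds. Timing those gaps against the in-game lag windows, and against a TCP session running alongside, shows whether UDP alone is being dropped and for how long.

```python
"""UDP gap probe (constructed example): one numbered UDP packet every 250 ms from a
single source port, the way a game session looks to pf; reports long runs of lost replies."""
import select, socket, sys, time

PROBE_INTERVAL, OUTAGE_THRESHOLD = 0.25, 5.0  # seconds between probes; min gap to report

def find_outages(sent, received, threshold):
    """sent: send times in order (index == sequence number); received: set of echoed
    sequence numbers. Returns [(start_time, duration), ...] for lost runs >= threshold."""
    outages, run_start = [], None
    for seq, t in enumerate(sent):
        if seq in received:
            if run_start is not None and t - sent[run_start] >= threshold:
                outages.append((sent[run_start], t - sent[run_start]))
            run_start = None
        elif run_start is None:
            run_start = seq
    if run_start is not None and sent[-1] - sent[run_start] >= threshold:
        outages.append((sent[run_start], sent[-1] - sent[run_start]))  # still open at end
    return outages

def echo_server(port):  # reflector for a host you control on the far side of the firewall
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("", port))
    while True:
        data, peer = s.recvfrom(64)
        s.sendto(data, peer)

def probe(host, port, count):  # send `count` probes; collect the echoed sequence numbers
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setblocking(False)
    sent, received = [], set()
    for seq in range(count):
        sent.append(time.monotonic())
        s.sendto(b"%d" % seq, (host, port))
        wait = PROBE_INTERVAL
        while wait > 0:  # hold the cadence while draining any replies that arrive
            if select.select([s], [], [], wait)[0]:
                received.add(int(s.recvfrom(64)[0]))
            wait = sent[-1] + PROBE_INTERVAL - time.monotonic()
    return sent, received

if __name__ == "__main__":
    if sys.argv[1] == "server":  # python3 udpgap.py server 4000
        echo_server(int(sys.argv[2]))
    else:  # python3 udpgap.py <reflector-ip> 4000 2400  (2400 probes = 10 minutes)
        sent, received = probe(sys.argv[1], int(sys.argv[2]), int(sys.argv[3]))
        for start, dur in find_outages(sent, received, OUTAGE_THRESHOLD):
            print("UDP outage of %.1fs, %.1fs into the run" % (dur, start - sent[0]))
```

Run the server side first on the remote host, then the probe from the PC behind OPNsense during a game session; because the probe keeps one source port for the whole run, it exercises a single pf UDP state just as the game client does.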

Quote from: vlnc on October 11, 2025, 03:33:35 PM
It sounds like a frustrating issue! Try flushing the state table with pfctl -F states and adjusting your UDP timeout settings in the Tunables (set net.pf.udp_first and net.pf.udp_single to 120, and net.pf.udp_multiple to 180). Also, make sure your firewall rules are allowing all necessary UDP traffic for your game. Good luck!

Quote from: relief-melone on November 28, 2025, 11:16:21 AM
Sounds like UDP packet loss or routing instability; try testing another network, checking ISP logs, or temporarily disabling QoS/firewall rules.

For all those annoying P2P-based games, all you need to do is set up the following:
- Enable Hybrid NAT rules.
- Add a NAT rule which makes sure that all traffic from one IP address or a whole subnet uses Static Port, so that your LAN and WAN ports are the same and not randomized.

You can see all the options here: https://docs.opnsense.org/manual/nat.html#outbound
This is the one you are looking for:
Quote
Static-port

Prevents pf(4) from modifying the source port on TCP and UDP packets.

When dealing with PlayStation/Xbox consoles this will make sure your NAT goes from Strict NAT to Moderate NAT, but of course it works just as well for PC games that are P2P-based or have NAT issues :)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)