    Port 1024 - 1025 Flood = Connection Loss?

    General pfSense Questions
    15 Posts 4 Posters 2.0k Views
    • Soarin

      Hello, I just recently installed pfSense in an ESXi VM and I noticed every 5-10 minutes there would be a bad hiccup in the connection. My friends who are connected through SSH working on their servers would get disconnected, people on my game servers would have a lag spike, and even I'd have connection issues when joining my servers through my public IP.

      This only happens on my public IP; it works fine connecting through my own network, and I don't think that any of my friends are doing something, since this happened on a fresh install of pfSense and before they were even connected to my network.

      I tried everything from:

      • TCP Segment Offload (tried on and off)
      • Hardware Checksum Offloading (tried that on and off too)
      • I slapped in a brand new Intel NIC that I used for my previous pfSense build
      • Reinstalled pfSense
      • Tried stock pfSense
      • Changed network interfaces and different ethernet cables
      • Tried setting MTU to 1492, but left it at 1500 because that's how it always worked before.

      Nothing worked, but I decided to look at my firewall logs and I noticed something that I had ignored since day 1: my firewall gets spammed with port 1024 connections, and coincidentally my network cuts out too.



      This is double-NAT'd to my MoCA, which only has 3 phones connected to it; I opened all the ports from my MoCA to my pfSense box. This is to explain the 192.168.1.3 IP. The IP I blocked out was my IP.

      What could be causing this? The only computers on the network are my dad's laptop (it happened before he ever even connected) and my desktop. I am thinking it could be some trojan, and I will try to leave my computer off for a couple of hours and see if this problem persists even after that; if it does, then hopefully there will be some suggestions. Thanks in advance!

      I hardly understand pfSense but it was love at first sight.

      • Soarin

        I don't think unplugging my computer from my network will fix it, seeing as the traffic isn't coming from my computer at all. I'll keep trying, but I'll check in for a post. bump

        EDIT: I read my game server's console and I saw this pop up when this happened.

        71.163.34.91:1024:corrupted packet 12830 at 15663
        107.215.206.27:27005:corrupted packet 15219 at 5546
        98.163.121.68:27005:corrupted packet 70043 at 13410
        73.8.218.122:27005:corrupted packet 13542 at 15472
        73.0.226.46:27005:corrupted packet 57130 at 7079
        107.215.206.27:27005:corrupted packet 7293 at 6084
        71.163.34.91:27005:corrupted packet 17184 at 22563
        71.163.34.91:27005:corrupted packet 6921 at 22873


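        As an added illustration (not part of the post above, and not code from pfSense or any game server), here is a small Python parser for the console lines quoted above. It tallies corrupted-packet events per source address and flags any source that shows up on a port other than the one the rest of the clients use, which is exactly the sort of outlier (the single 1024 entry) that the firewall log later pointed at. The labels for the two trailing numbers are assumptions; the thread does not say what they mean.

```python
import re
from collections import Counter, defaultdict

# Sample input: the console lines quoted in the post above, embedded verbatim.
SAMPLE_LOG = """\
71.163.34.91:1024:corrupted packet 12830 at 15663
107.215.206.27:27005:corrupted packet 15219 at 5546
98.163.121.68:27005:corrupted packet 70043 at 13410
73.8.218.122:27005:corrupted packet 13542 at 15472
73.0.226.46:27005:corrupted packet 57130 at 7079
107.215.206.27:27005:corrupted packet 7293 at 6084
71.163.34.91:27005:corrupted packet 17184 at 22563
71.163.34.91:27005:corrupted packet 6921 at 22873
"""

# Format "<ip>:<port>:corrupted packet <n1> at <n2>". The thread does not say
# what n1 and n2 are, so they are kept as opaque integers (assumed labels).
LINE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})"
    r":corrupted packet (?P<n1>\d+) at (?P<n2>\d+)$"
)


def parse_events(text):
    """Return one dict per well-formed line; skip anything that does not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ip": m["ip"], "port": int(m["port"]),
                           "n1": int(m["n1"]), "n2": int(m["n2"])})
    return events


def triage(events):
    """Count events per source and flag sources seen on a non-baseline port."""
    if not events:
        return Counter(), None, {}
    per_source = Counter(e["ip"] for e in events)
    ports_by_source = defaultdict(set)
    for e in events:
        ports_by_source[e["ip"]].add(e["port"])
    # Baseline = the port most clients use in this log, derived from the data
    # rather than hard-coded, so the check works for any client port.
    baseline = Counter(e["port"] for e in events).most_common(1)[0][0]
    outliers = {ip: sorted(p - {baseline})
                for ip, p in ports_by_source.items() if p - {baseline}}
    return per_source, baseline, outliers


if __name__ == "__main__":
    counts, base, odd = triage(parse_events(SAMPLE_LOG))
    print("baseline client port:", base)
    for ip, n in counts.most_common():
        print(f"{ip:16} {n} event(s)", f"off-port: {odd[ip]}" if ip in odd else "")
```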
        • Harvy66

          It's possible the logging of the event is overloading your firewall. Create a rule to block that port but not log and see if the issue goes away.

          • Soarin

            I did that and the port spam is gone, but the connectivity issue is still there. Is there another way to log and find out what's happening to get a better understanding of this issue?


            • Soarin

              Still not solved


              • Derelict (LAYER 8, Netgate)

                Why are you obfuscating the source address?

                If you control that host, go there and figure out what is doing it and make it stop.

                Nothing about what you are seeing should cause any connectivity problems. Especially with logging off.

                Unless that is just a representation of what is actually thousands of connection attempts per second.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                • Soarin

                  @Derelict:

                  Why are you obfuscating the source address?

                  If you control that host, go there and figure out what is doing it and make it stop.

                  Nothing about what you are seeing should cause any connectivity problems. Especially with logging off.

                  Unless that is just a representation of what is actually thousands of connection attempts per second.

                  The source address is my IP address which is what makes it so weird, it looks like my pfSense is trying to connect to my MoCA? (My IP going into my pfSense WAN IP being 192.168.1.3) I'm not sure what's causing it at all.

                  When I had my pfSense running on its own hardware a few months back it had no issue like this; I'm using the same NIC now and the same MoCA with the same configs. I'm not sure what it is at this point. I'll reinstall pfSense again later to see if that fixes it, though.


                  • Derelict (LAYER 8, Netgate)

                    Sounds like you might have some sort of loop.


                    • Soarin

                      You know what, I would believe that. I have all of my network interfaces on my ESXi set to VLAN ID 0, which I wondered about; I set LAN to 4095 like the wiki said. Would I set my server network to the same VLAN ID as LAN, or would it be something below it?

                      Thanks!


                      • johnpoz (LAYER 8, Global Moderator)

                        " I set LAN to 4095 like the wiki said."

                        What wiki? Yes, you would need/want to set your vswitch to that if you're going to be sending tagged traffic to the VMs connected to that switch.

                        How exactly are you all connected? I'm with Derelict here; it sure looks like you have a switching loop, or, if not actually a loop, a lack of isolation and/or running multiple layer 3 networks over the same layer 2.

                        A drawing of your actually connected hardware and how that is tied to your vswitches, and we can figure out what is not right. If you're doing VLANs, you have a smart switch, right? How is it configured?

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                        • Soarin

                          @johnpoz:

                          " I set LAN to 4095 like the wiki said."

                          What wiki? Yes, you would need/want to set your vswitch to that if you're going to be sending tagged traffic to the VMs connected to that switch.

                          How exactly are you all connected? I'm with Derelict here; it sure looks like you have a switching loop, or, if not actually a loop, a lack of isolation and/or running multiple layer 3 networks over the same layer 2.

                          A drawing of your actually connected hardware and how that is tied to your vswitches, and we can figure out what is not right. If you're doing VLANs, you have a smart switch, right? How is it configured?

                          I honestly have no idea where I saw the 4095 thing. I thought I clicked the wiki, but I guess I didn't. I was half awake while typing that.

                          I hardly understand VLANs; would this cause a loop? The vSwitches all have the same settings as each other too. Could this be the issue?

                          Thanks!


                          • johnpoz (LAYER 8, Global Moderator)

                            What about the real connections?

                            So are you running VLANs on your LAN vswitch1 on the VMs that are connected? Where does that go in the physical world?

                            Are you running a VLAN on your server with the ID of 4094? Why do you think you need to set that on the vswitch? Again, how is that connected to the real world? What switch(es) are connected, and how are they configured for VLANs? Running 4095 would tell me that is a trunk connection with all your other VLANs running on it.


                            • Soarin

                              It's hooked up in the real world like this:

                              MoCA (192.168.1.3) --> WAN port of my NIC --> LAN NIC --> my LAN switch for my computer

                              My server network (VLAN ID of 0 now) is virtual; it doesn't hook into any switch but is just there for my VMs to run on. It doesn't hook into anything physically.
                              The virtual switches are set up the same; all of them are set up like the default vswitch0.

                              I noticed that my internet speeds have also tanked. I used to get ~90 Mbps; now I get 3 Mbps, and in lucky moments 20 Mbps, on my download.


                              • Soarin

                                I noticed that the loop destroys even my MoCA that is giving it internet. It loops straight back into my MoCA and shuts it down, cutting everyone off the network, even those who aren't connected through pfSense.


                                • Soarin

                                  It turns out it was neither pfSense nor ESXi; my MoCA was the problem. The NAT tables were too small or something, because it'd spit out a bunch of NAT errors and flush the state table. I'm bridging the MoCA to pfSense to try and fix this. Thanks for the help; this post could help somebody else in the future.


                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.