Port 1024 - 1025 Flood = Connection Loss?

General pfSense Questions
• Soarin

Hello, I just recently installed pfSense in an ESXi VM and I noticed that every 5-10 minutes there would be a bad hiccup in the connection. My friends who are connected through SSH working on their servers would get disconnected, people on my game servers would have a lag spike, and even I'd have connection issues when joining my servers through my public IP.

This only happens on my public IP; it works fine connecting through my own network, and I don't think any of my friends are doing something, since this happened on a fresh install of pfSense and before they were even connected to my network.

I tried everything from:

• TCP Segment Offload (tried on and off)
• Hardware Checksum Offloading (tried that on and off too)
• I slapped in a brand new Intel NIC that I used for my previous pfSense build
• Reinstalled pfSense
• Tried stock pfSense
• Changed network interfaces and different ethernet cables
• Tried setting MTU to 1492, but left it at 1500 because that's how it always worked before.

Nothing worked, but I decided to look at my firewall logs and I noticed something that I had ignored since day 1: my firewall gets spammed with port 1024 connections, and coincidentally my network cuts out too.

This is double-NAT'd to my MoCA, which only has 3 phones connected to it; I opened all the ports from my MoCA to my pfSense box. This is to explain the 192.168.1.3 IP. The IP I blocked out was my IP.

What could be causing this? The only computers on the network are my dad's laptop (it happened before he ever even connected) and my desktop. I am thinking it could be some trojan, and I will try to leave my computer off for a couple of hours and see if this problem persists even after that; if it does, then hopefully there will be some suggestions. Thanks in advance!

I hardly understand pfSense but it was love at first sight.
• Soarin

I don't think unplugging my computer from my network will fix it, seeing as the traffic isn't coming from my computer at all. I'll keep trying, but I'll check in for a post. bump

EDIT: I read my game server's console and I saw this pop up when this happened.

71.163.34.91:1024:corrupted packet 12830 at 15663
107.215.206.27:27005:corrupted packet 15219 at 5546
98.163.121.68:27005:corrupted packet 70043 at 13410
73.8.218.122:27005:corrupted packet 13542 at 15472
73.0.226.46:27005:corrupted packet 57130 at 7079
107.215.206.27:27005:corrupted packet 7293 at 6084
71.163.34.91:27005:corrupted packet 17184 at 22563
71.163.34.91:27005:corrupted packet 6921 at 22873
• Harvy66

It's possible the logging of the event is overloading your firewall. Create a rule to block that port but not log it, and see if the issue goes away.
• Soarin

I did that and the port spam is gone, but the connectivity issue is still there. Is there another way to log and find out what's happening, to get a better understanding of this issue?
• Soarin

Still not solved.
• Derelict (LAYER 8, Netgate)

Why are you obfuscating the source address?

If you control that host, go there and figure out what is doing it and make it stop.

Nothing about what you are seeing should cause any connectivity problems, especially with logging off.

Unless that is just a representation of what is actually thousands of connection attempts per second.

Chattanooga, Tennessee, USA
The pfSense Book is free of charge!
DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)
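Derelict's question above is whether the log is showing a handful of entries or thousands of attempts per second, which a screenshot of the GUI log cannot answer. The script below is an added example (not code from the thread or from pfSense) that answers it by parsing pfSense filterlog syslog lines and computing a per-second rate per source address and destination port. The CSV column positions are assumed from the documented raw filter log layout for IPv4 TCP/UDP rows and should be checked against your own log; the interface name em0, the timestamps, the documentation-range addresses and the sample lines are constructed, with 192.168.1.3 standing in for the pfSense WAN address from the thread.

```python
"""Per-source, per-second rate of blocked connection attempts in pfSense filter logs.

Added example, not part of the forum thread. The CSV layout is assumed from the
documented pfSense raw filter log format (verify column positions on your box).
"""
import re
from collections import Counter, defaultdict

# Syslog prefix: "<Mon> <day> <HH:MM:SS> <host> filterlog[<pid>]: <csv>"
# (the [pid] part is optional on older releases).
_PREFIX = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+filterlog(?:\[\d+\])?:\s+(?P<csv>.*)$"
)

# Indices into the CSV part for IPv4 rows (assumed layout, see module docstring).
IDX_IFACE, IDX_ACTION, IDX_DIR, IDX_IPVER = 4, 6, 7, 8
IDX_PROTO_TEXT, IDX_SRC, IDX_DST, IDX_SPORT, IDX_DPORT = 16, 18, 19, 20, 21


def parse_line(line):
    """Return a dict with time, action, proto, src, dst, ports, or None if not parseable."""
    m = _PREFIX.match(line)
    if not m:
        return None
    fields = m.group("csv").split(",")
    if len(fields) <= IDX_DPORT or fields[IDX_IPVER] != "4":
        return None
    proto = fields[IDX_PROTO_TEXT]
    if proto not in ("tcp", "udp"):
        return None  # icmp and others carry no port columns
    return {
        "time": m.group("time"),  # one-second granularity is enough for rate counting
        "iface": fields[IDX_IFACE],
        "action": fields[IDX_ACTION],
        "direction": fields[IDX_DIR],
        "proto": proto,
        "src": fields[IDX_SRC],
        "dst": fields[IDX_DST],
        "sport": int(fields[IDX_SPORT]),
        "dport": int(fields[IDX_DPORT]),
    }


def attempts_per_second(lines, action="block"):
    """Map (src, dport) -> Counter{second: hits} for entries with the given action."""
    buckets = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == action:
            buckets[(rec["src"], rec["dport"])][rec["time"]] += 1
    return buckets


def flood_sources(lines, threshold_per_second=100):
    """Return [(src, dport, peak_hits_per_second)] for flows at or above the threshold."""
    out = []
    for (src, dport), per_sec in attempts_per_second(lines).items():
        peak = max(per_sec.values())
        if peak >= threshold_per_second:
            out.append((src, dport, peak))
    return sorted(out, key=lambda t: -t[2])


# Constructed sample log: 200 blocked SYNs to port 1024 within one second from
# one source, two blocked SSH probes from another, and one allowed connection.
def _line(ts, src, dst, sport, dport, proto="tcp", action="block"):
    proto_id = "6" if proto == "tcp" else "17"
    tail = "0,S,1,,65535,,mss" if proto == "tcp" else "0"
    return (f"Mar 3 {ts} pfSense filterlog[12345]: 5,,,1000000103,em0,match,"
            f"{action},in,4,0x0,,64,0,0,DF,{proto_id},{proto},60,{src},{dst},"
            f"{sport},{dport},{tail}")


SAMPLE_LINES = (
    [_line("12:00:01", "203.0.113.10", "192.168.1.3", 40000 + i, 1024) for i in range(200)]
    + [_line("12:00:01", "198.51.100.7", "192.168.1.3", 51000 + i, 22) for i in range(2)]
    + [_line("12:00:02", "198.51.100.9", "192.168.1.3", 52000, 443, action="pass")]
)

if __name__ == "__main__":
    for src, dport, peak in flood_sources(SAMPLE_LINES, threshold_per_second=100):
        print(f"{src} -> port {dport}: peak {peak} blocked attempts/second")
```

On a real box the lines come from /var/log/filter.log (or the remote syslog collector); only entries whose action is "block" are counted, so a flood that is logged but passed would have to be checked with action="pass". A peak of a few hits per second is log noise; a peak in the hundreds or thousands is the case Derelict describes, and blocking without logging (as suggested earlier in the thread) stops the log load but not the traffic itself.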
• Soarin

@Derelict:

Why are you obfuscating the source address?

If you control that host, go there and figure out what is doing it and make it stop.

Nothing about what you are seeing should cause any connectivity problems, especially with logging off.

Unless that is just a representation of what is actually thousands of connection attempts per second.

The source address is my IP address, which is what makes it so weird; it looks like my pfSense is trying to connect to my MoCA? (My IP going into my pfSense WAN IP, which is 192.168.1.3.) I'm not sure what's causing it at all.

When I had my pfSense running on its own hardware a few months back it had no issue like this. I'm using the same NIC now and the same MoCA with the same configs. I'm not sure what it is at this point; I'll reinstall pfSense again later to see if that fixes it, though.
• Derelict (LAYER 8, Netgate)

Sounds like you might have some sort of loop.
• Soarin

You know what, I would believe that. I have all of my network interfaces on my ESXi set to VLAN ID 0, which I wondered about; I set LAN to 4095 like the wiki said. Would I set my Server Network to the same VLAN ID as LAN, or would it be something below it?

Thanks!
• johnpoz (LAYER 8, Global Moderator)

"I set LAN to 4095 like the wiki said."

What wiki? Yes, you would need/want to set your vswitch to that if you're going to be sending tagged traffic to the VMs connected to that switch.

How exactly are you all connected? I'm with Derelict here; it sure looks like you have a switching loop, or, if not actually a loop, a lack of isolation and/or running multiple layer 3 networks over the same layer 2.

A drawing of your actual connected hardware and how that is tied to your vswitches, and we can figure out what is not right. If you're doing VLANs, you have a smart switch, right? How is it configured?

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05
• Soarin

@johnpoz:

"I set LAN to 4095 like the wiki said."

What wiki? Yes, you would need/want to set your vswitch to that if you're going to be sending tagged traffic to the VMs connected to that switch.

How exactly are you all connected? I'm with Derelict here; it sure looks like you have a switching loop, or, if not actually a loop, a lack of isolation and/or running multiple layer 3 networks over the same layer 2.

A drawing of your actual connected hardware and how that is tied to your vswitches, and we can figure out what is not right. If you're doing VLANs, you have a smart switch, right? How is it configured?

I honestly have no idea where I saw the 4095 thing; I thought I clicked the wiki, but I guess I didn't. I was half awake while typing that.

I hardly understand VLANs; would this cause a loop? The vSwitches all have the same settings as each other too. Could this be the issue?

Thanks!
• johnpoz (LAYER 8, Global Moderator)

What about the real connections?

So are you running VLANs on your LAN vswitch1 on the VMs that are connected? Where does that go in the physical world?

Are you running a VLAN on your server with the ID of 4094? Why do you think you need to set that on the vswitch? Again, how is that connected to the real world? What switch(es) are connected, and how are they configured for VLANs? Running 4095 would tell me that is a trunk connection with all your other VLANs running on it.
• Soarin

It's hooked up in the real world like this:

MoCA (192.168.1.3) --> WAN port of my NIC --> LAN NIC --> my LAN switch for my computer

My server network (VLAN ID of 0 now) is virtual; it doesn't hook into any switch but is just there for my VMs to run on. It doesn't hook into anything physically.
The virtual switches are set up the same; all of them are set up like the default vswitch0.

I noticed that my internet speeds have also tanked. I used to get ~90 Mbps; now I get 3 Mbps, and in lucky moments 20 Mbps, on my download.
• Soarin

I noticed that the loop destroys even my MoCA that is giving it internet. It loops straight back into my MoCA and shuts it down, cutting everyone off the network, even those who aren't connected through pfSense.
• Soarin

It turns out it was neither pfSense nor ESXi; my MoCA was the problem. The NAT tables were too small or something, because it'd spit out a bunch of NAT errors and flush the state table. I'm bridging the MoCA to pfSense to try and fix this. Thanks for the help; this post could help somebody else in the future.