1501 length packages - problem with MTU on virtual pfSense (Proxmox)

Virtualization
Log in to reply
  • T

    Hello all,

    I'm running into some strange problems with too large packets on our WAN interface.

    Setup:

    • pfSense 2.2 64Bit on Proxmox 3.4 host, 2 cores, 4GB RAM, CPU max 5%
    • HW NIC eth1 => WAN, MTU 1500
    • HW NIC eth4 = > LAN, MTU 9000
    • HW NIC eth2 => LAN, connected to same switch, but not active
    • vmbr0, OVS Bridge => eth4 => LAN
    • vmbr1, OVS Bridge => eth1 => WAN
    • Jumbo Frames on switches enabled
    • pfSense MTU WAN If.: 1500
    • Clear invalid DF bits instead of dropping the packets: Enabled
    • Disable hardware checksum offload: Enabled
    • Disable hardware TCP segmentation offload: Enabled
    • Disable hardware large receive offload: Enabled
    • All other local if's on 9000 MTU
    • Storage cluster (Synology): 9000 MTU
    • VMs on all proxmox hosts: Default MTU 1500

    Log on Proxmox hosts tells me:

    
...
Mar 24 18:40:46 vmhost1 kernel: __ratelimit: 6 callbacks suppressed
Mar 24 18:40:46 vmhost1 kernel: openvswitch: tap108i7: dropped over-mtu packet: 1501 > 1500
Mar 24 18:40:46 vmhost1 kernel: openvswitch: tap108i7: dropped over-mtu packet: 1501 > 1500
Mar 24 18:40:46 vmhost1 kernel: openvswitch: tap108i7: dropped over-mtu packet: 1501 > 1500
Mar 24 18:40:46 vmhost1 kernel: openvswitch: tap108i7: dropped over-mtu packet: 1501 > 1500
Mar 24 18:40:46 vmhost1 kernel: openvswitch: tap108i7: dropped over-mtu packet: 1501 > 1500
Mar 24 18:40:46 vmhost1 kernel: openvswitch: tap108i7: dropped over-mtu packet: 1501 > 1500
...

    tap108i7 is the OVS bridge on the Proxmox host for WAN If. (vtnet7).

    I did some package capturing showing that large packets on the WAN interface come from an virtual IP, i.e. inside the network:

    
Id = 12
Source = 217.76.xxx.xx
Destination = 7x.x.x.xxx
Captured Length = 1506
Packet Length = 1506
Protocol = TCP
Date Received = 2015-03-24 17:28:54 +0000
Time Delta = 0.00888514518737793
Information = HTTP -> 58826 ([ACK], Seq=4188548632, Ack=3381854676, Win=243)

    The source IP is a public IP from our public pool currently NATing to a VM on another proxmox host on the same network.
    Destination is some random public IP (not ours).

    Any ideas why these large packages are beeing generated? Where do they come from? How do I stop them?

    The VMs "behind" the pfSense are on multiple vlans, each having their own DHCP server. The VLANs are created on the switches and assigned to the pfSense's virtual NICs. Should I set the VMs MTU to 9000, too, as they are on the local networks (the public IP's are NATed on the pfSense and not directly connected to the VM)?

    Thanks
    Sebastian

    0

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy