Linux clients with static IP have limited connectivity



  • Thanks in advance for having a look at this issue, I've spent days trying to find out what's going wrong and I'm stumped. I'm having a strange connectivity issue with Linux clients connected via static IP using a pfSense firewall as a gateway.
    I have set the Linux system to use a static IP on the ADSL router's subnet and it works flawlessly.
    Windows systems, both static and DHCP, have perfect connectivity.
    Linux systems through DHCP work fine.

    The setup is a Debian KVM host running several virtual machines; the KVM host is experiencing this issue but the virtual Windows client is running without issue.

    Static IPs are assigned in the usual way through /etc/network/interfaces, with the /etc/resolv.conf file pointing to the correct nameserver. They all use the following:

    Address 10.0.100.2
    Netmask 255.255.255.0
    Gateway 10.0.100.1

    The LAN has the default firewall rule,
    IPv4 * LAN net * * * * none   Default allow LAN to any rule

    The WAN firewall has
    Block private networks
    Block bogon networks
    And a few port forwards.

    I have also tried changing the NAT reflection mode but it didn't fix anything.

    I also have an OpenVPN server running on the firewall which works fine, except that I can't talk to any of the Linux systems either. I can browse the shares on the virtual Windows system, communicate with printers directly, use the pfSense web UI to configure the system, but I'm unable to ssh to any system or browse the Windows shares.

    On the clients they ping without any problems to a remote host.

    $ ping 216.58.220.100
    PING 216.58.220.100 (216.58.220.100) 56(84) bytes of data.
    64 bytes from 216.58.220.100: icmp_seq=1 ttl=56 time=49.3 ms
    64 bytes from 216.58.220.100: icmp_seq=2 ttl=56 time=51.5 ms
    64 bytes from 216.58.220.100: icmp_seq=3 ttl=56 time=49.8 ms
    64 bytes from 216.58.220.100: icmp_seq=4 ttl=56 time=84.2 ms
    64 bytes from 216.58.220.100: icmp_seq=5 ttl=56 time=49.1 ms
    ^C
    --- 216.58.220.100 ping statistics ---
    5 packets transmitted, 5 received, 0% packet loss, time 4006ms
    rtt min/avg/max/mdev = 49.139/56.820/84.288/13.762 ms

    And I can use nslookup against the firewall:
    $ nslookup google.com
    Server:        10.0.100.1
    Address:        10.0.100.1#53

    Non-authoritative answer:
    Name:  google.com
    Address: 216.58.220.110

    I can telnet on port 80
    $ telnet google.com 80
    Trying 216.58.220.110...
    Connected to google.com.
    Escape character is '^]'.
    I have an internet connection issue with several computers on a KVM server, which is also having the same issue. The internet connection on Windows guests works fine. This is happening on multiple machines. The gateway is a pfSense firewall with all LAN-side traffic allowed as per its default configuration; the 192.168.1.1 router uses its DMZ to push all traffic to the firewall.
    However, if I try to send a command such as GET / HTTP/1.0 to see if it returns the HTTP header, nothing happens.
    I ran a packet capture on the firewall against the server's IP as I was trying the HTTP GET command and came up with this, but I'm not too sure what to make of it.
    1  0.000000    IntelCor_93:8f:4b  Broadcast  ARP 60  Who has IP.IP.IP.10?  Tell IP.IP.IP.200
    2  2.130120    IP.IP.IP.10 216.58.220.100  TCP 66  55642 → 80 [FIN, ACK] Seq=1 Ack=1 Win=229 Len=0 TSval=19535544 TSecr=1347772624
    3  3.816772    IP.IP.IP.10 IP.IP.IP.1  DNS 74  Standard query 0x13ec  A www.google.com
    4  3.816839    IP.IP.IP.10 IP.IP.IP.1  DNS 74  Standard query 0xf326  AAAA www.google.com
    5  4.003369    IP.IP.IP.1  IP.IP.IP.10 DNS 102 Standard query response 0xf326  AAAA 2404:6800:4006:801::2004
    6  4.035623    IP.IP.IP.1  IP.IP.IP.10 DNS 90  Standard query response 0x13ec  A 216.58.220.100
    7  4.036683    IP.IP.IP.10 216.58.220.100  TCP 74  55643 → 80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=19536021 TSecr=0 WS=128
    8  4.086164    216.58.220.100  IP.IP.IP.10 TCP 74  80 → 55643 [SYN, ACK] Seq=0 Ack=1 Win=42540 Len=0 MSS=1402 SACK_PERM=1 TSval=1347876636 TSecr=19536021 WS=128
    9  4.086474    IP.IP.IP.10 216.58.220.100  TCP 66  55643 → 80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=19536033 TSecr=1347876636
    10  4.548559    216.58.220.100  IP.IP.IP.10 TCP 74  [TCP Spurious Retransmission] 80 → 55643 [SYN, ACK] Seq=0 Ack=1 Win=42540 Len=0 MSS=1402 SACK_PERM=1 TSval=1347877098 TSecr=19536021 WS=128
    11  4.548808    IP.IP.IP.10 216.58.220.100  TCP 66  [TCP Dup ACK 9#1] 55643 → 80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=19536149 TSecr=1347876636
    12  6.547488    216.58.220.100  IP.IP.IP.10 TCP 74  [TCP Spurious Retransmission] 80 → 55643 [SYN, ACK] Seq=0 Ack=1 Win=42540 Len=0 MSS=1402 SACK_PERM=1 TSval=1347879098 TSecr=19536021 WS=128
    13  6.547774    IP.IP.IP.10 216.58.220.100  TCP 66  [TCP Dup ACK 9#2] 55643 → 80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=19536649 TSecr=1347876636
    14  8.532081    IP.IP.IP.10 216.58.220.100  TCP 82  [TCP segment of a reassembled PDU]
    15  8.781690    IP.IP.IP.10 216.58.220.100  TCP 82  [TCP Retransmission] 55643 → 80 [PSH, ACK] Seq=1 Ack=1 Win=29312 Len=16 TSval=19537208 TSecr=1347876636
    16  9.033636    IP.IP.IP.10 216.58.220.100  TCP 82  [TCP Retransmission] 55643 → 80 [PSH, ACK] Seq=1 Ack=1 Win=29312 Len=16 TSval=19537271 TSecr=1347876636
    17  9.453382    IP.IP.IP.10 216.58.220.100  TCP 82  [TCP Retransmission] [TCP segment of a reassembled PDU]
    18  9.537284    IP.IP.IP.10 216.58.220.100  TCP 82  [TCP Retransmission] 55643 → 80 [PSH, ACK] Seq=1 Ack=1 Win=29312 Len=16 TSval=19537397 TSecr=1347876636
    19  10.544897  IP.IP.IP.10 216.58.220.100  TCP 82  [TCP Retransmission] 55643 → 80 [PSH, ACK] Seq=1 Ack=1 Win=29312 Len=16 TSval=19537649 TSecr=1347876636
    20  10.545286  216.58.220.100  IP.IP.IP.10 TCP 74  [TCP Spurious Retransmission] 80 → 55643 [SYN, ACK] Seq=0 Ack=1 Win=42540 Len=0 MSS=1402 SACK_PERM=1 TSval=1347883098 TSecr=19536021 WS=128
    21  10.545542  IP.IP.IP.10 216.58.220.100  TCP 66  [TCP Dup ACK 19#1] 55643 → 80 [ACK] Seq=17 Ack=1 Win=29312 Len=0 TSval=19537649 TSecr=1347876636
    22  12.563760  IP.IP.IP.10 216.58.220.100  TCP 82  [TCP Retransmission] 55643 → 80 [PSH, ACK] Seq=1 Ack=1 Win=29312 Len=16 TSval=19538154 TSecr=1347876636
    23  16.601741  IP.IP.IP.10 216.58.220.100  TCP 82  [TCP Retransmission] 55643 → 80 [PSH, ACK] Seq=1 Ack=1 Win=29312 Len=16 TSval=19539164 TSecr=1347876636
    24  18.540457  216.58.220.100  IP.IP.IP.10 TCP 74  [TCP Spurious Retransmission] 80 → 55643 [SYN, ACK] Seq=0 Ack=1 Win=42540 Len=0 MSS=1402 SACK_PERM=1 TSval=1347891098 TSecr=19536021 WS=128
    But whenever I try to use something like wget, the request fails.
    $ wget -T60 google.com
    --2015-09-03 11:28:31--  http://google.com/
    Resolving google.com (google.com)... 216.58.220.110, 2404:6800:4006:801::200e
    Connecting to google.com (google.com)|216.58.220.110|:80... connected.
    HTTP request sent, awaiting response... Read error (Connection timed out) in headers.
    Retrying.
    I'm also getting a strange traceroute response:
    $ traceroute google.com
    traceroute to google.com (216.58.220.110), 30 hops max, 60 byte packets
     1  Firewall.domain.lan (Removed)  1.002 ms  0.994 ms  0.973 ms
     2  192.168.1.1 (192.168.1.1)  2.018 ms  2.010 ms  1.991 ms
     3  * * *
     4  te1-1-6.sydgscore1.wireline.com.au (103.19.172.61)  103.634 ms  107.541 ms  109.968 ms
     5  ge1-1-2.sydgsbdr2.wireline.com.au (103.19.172.34)  111.886 ms  115.329 ms  117.046 ms
     6  as15169.nsw.ix.asn.au (218.100.52.3)  120.206 ms  121.862 ms  123.631 ms
     7  209.85.242.124 (209.85.242.124)  128.192 ms  147.385 ms  129.917 ms
     8  * * *
     9  * * *
    ...
    29  * * *
    30  * * *
    But it works fine from Windows:
    $ tracert google.com
    Tracing route to google.com [216.58.220.110] over a maximum of 30 hops:

      1    1 ms    2 ms    2 ms  Firewall.domain.lan [Removed]
      2    2 ms    2 ms    2 ms  192.168.1.1
      3   63 ms   62 ms   67 ms  1.1.1.1
      4   99 ms   74 ms   55 ms  te1-1-6.sydgscore1.wireline.com.au [103.19.172.61]
      5   63 ms   51 ms   51 ms  ge1-1-2.sydgsbdr2.wireline.com.au [103.19.172.34]
      6   50 ms   55 ms   52 ms  as15169.nsw.ix.asn.au [218.100.52.3]
      7   51 ms   52 ms   62 ms  209.85.242.124
      8   51 ms   51 ms   52 ms  209.85.142.11
      9   52 ms   52 ms   64 ms  syd10s01-in-f14.1e100.net [216.58.220.110]

    Trace complete.

    export | grep -i proxy returns nothing, as I don't have a proxy configured.
    iptables configuration on the KVM host:
    $ iptables -L -n
    Chain INPUT (policy ACCEPT)
    target    prot opt source              destination
    ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0

    Chain FORWARD (policy ACCEPT)
    target    prot opt source              destination

    Chain OUTPUT (policy ACCEPT)
    target    prot opt source              destination


  • Rebel Alliance Global Moderator

    You have a problem with your KVM host if you ask me..  Your sniff on your LAN interface of pfSense and you're seeing retrans..

    There are lots of known issues with KVM.. it's sticky all over the board
    https://forum.pfsense.org/index.php?topic=88467.0
    IMPORTANT: Xen/KVM networking will not work on 2.2 using default hypervisor settings!



  • Do you also use Snort? If so, it's worth checking the KVM guests/virtual machines haven't been blocked by Snort.

    Do you log your firewall rules and if so what do you see going on in there, can you also post your fw rules?



  • Thank you for that! It fixed the problem instantly. It was the TX offloading from the virtIO interface.
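As an added triage aid (my own code, not from this thread or from pfSense), the script below reads capture lines in the text layout the original post pasted and flags flows showing the pattern seen there: the client ACKs the SYN/ACK and pushes data, yet the server keeps retransmitting SYN/ACK and never acknowledges anything, meaning the client's packets after its SYN are being dropped somewhere, which is what broken TX checksum offload on a virtio NIC produces. The regexes, the "half-open"/"ok" labels and frames 31-35 (a healthy flow for contrast) are my assumptions and constructions; frames 7-24 are copied from the capture above.

```python
import re
from collections import defaultdict

# One Wireshark-style line: frame, time, src, dst, proto, length, info.
LINE = re.compile(r"^\s*\d+\s+[\d.]+\s+(\S+)\s+(\S+)\s+TCP\s+\d+\s+(.*)$")
# The "sport → dport [FLAGS] Seq=n Ack=m" part of the info column.
INFO = re.compile(r"(?P<sp>\d+)\s*(?:→|->)\s*(?P<dp>\d+)\s+\[(?P<fl>[^\]]*)\]"
                  r"\s+Seq=(?P<seq>\d+)(?:\s+Ack=(?P<ack>\d+))?")

# Constructed sample: frames 7-24 are from the capture in the thread (TS options
# trimmed), frames 31-35 are a made-up healthy flow on port 55700 for contrast.
SAMPLE = """\
7  4.036683    IP.IP.IP.10 216.58.220.100  TCP 74  55643 → 80 [SYN] Seq=0 Win=29200 Len=0
8  4.086164    216.58.220.100  IP.IP.IP.10 TCP 74  80 → 55643 [SYN, ACK] Seq=0 Ack=1 Win=42540 Len=0
9  4.086474    IP.IP.IP.10 216.58.220.100  TCP 66  55643 → 80 [ACK] Seq=1 Ack=1 Win=29312 Len=0
10  4.548559    216.58.220.100  IP.IP.IP.10 TCP 74  [TCP Spurious Retransmission] 80 → 55643 [SYN, ACK] Seq=0 Ack=1 Win=42540 Len=0
11  4.548808    IP.IP.IP.10 216.58.220.100  TCP 66  [TCP Dup ACK 9#1] 55643 → 80 [ACK] Seq=1 Ack=1 Win=29312 Len=0
12  6.547488    216.58.220.100  IP.IP.IP.10 TCP 74  [TCP Spurious Retransmission] 80 → 55643 [SYN, ACK] Seq=0 Ack=1 Win=42540 Len=0
14  8.532081    IP.IP.IP.10 216.58.220.100  TCP 82  [TCP segment of a reassembled PDU]
15  8.781690    IP.IP.IP.10 216.58.220.100  TCP 82  [TCP Retransmission] 55643 → 80 [PSH, ACK] Seq=1 Ack=1 Win=29312 Len=16
20  10.545286  216.58.220.100  IP.IP.IP.10 TCP 74  [TCP Spurious Retransmission] 80 → 55643 [SYN, ACK] Seq=0 Ack=1 Win=42540 Len=0
22  12.563760  IP.IP.IP.10 216.58.220.100  TCP 82  [TCP Retransmission] 55643 → 80 [PSH, ACK] Seq=1 Ack=1 Win=29312 Len=16
24  18.540457  216.58.220.100  IP.IP.IP.10 TCP 74  [TCP Spurious Retransmission] 80 → 55643 [SYN, ACK] Seq=0 Ack=1 Win=42540 Len=0
31  20.000000  IP.IP.IP.10 216.58.220.100  TCP 74  55700 → 80 [SYN] Seq=0 Win=29200 Len=0
32  20.050000  216.58.220.100  IP.IP.IP.10 TCP 74  80 → 55700 [SYN, ACK] Seq=0 Ack=1 Win=42540 Len=0
33  20.050300  IP.IP.IP.10 216.58.220.100  TCP 66  55700 → 80 [ACK] Seq=1 Ack=1 Win=29312 Len=0
34  20.051000  IP.IP.IP.10 216.58.220.100  TCP 82  55700 → 80 [PSH, ACK] Seq=1 Ack=1 Win=29312 Len=16
35  20.101000  216.58.220.100  IP.IP.IP.10 TCP 66  80 → 55700 [ACK] Seq=1 Ack=17 Win=42540 Len=0
"""


def parse(text):
    """Yield (src, dst, sport, dport, flags, seq, ack, notes) for each TCP line."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        n = INFO.search(m.group(3)) if m else None
        if not n:  # not TCP, or no port/flag info (e.g. "segment of a reassembled PDU")
            continue
        notes = re.findall(r"\[TCP ([^\]]*)\]", m.group(3))  # Wireshark analysis tags
        flags = {f.strip() for f in n["fl"].split(",")}
        ack = int(n["ack"]) if n["ack"] else None
        yield m[1], m[2], int(n["sp"]), int(n["dp"]), flags, int(n["seq"]), ack, notes


def diagnose(text):
    """Per flow (client, cport, server, sport): 'ok' when the server ACKs client
    data; 'half-open' when the client ACKed the SYN/ACK but the server keeps
    retransmitting SYN/ACK and never ACKs data, i.e. client->server packets
    after the SYN are lost (the TX-offload symptom in this thread)."""
    flows = defaultdict(lambda: {"status": "inconclusive", "synack": 0,
                                 "client_ack": False, "data_retx": 0, "acked": False})
    for src, dst, sp, dp, flags, seq, ack, notes in parse(text):
        fwd, rev = (src, sp, dst, dp), (dst, dp, src, sp)
        key = rev if rev in flows else fwd  # first packet seen is taken as client->server
        f = flows[key]
        if key == fwd:  # client -> server
            if "ACK" in flags and not flags & {"SYN", "PSH"} and seq == 1:
                f["client_ack"] = True
            if "PSH" in flags and any(n.startswith("Retransmission") for n in notes):
                f["data_retx"] += 1
        elif "SYN" in flags:  # server -> client: every SYN/ACK after the first is a retry
            f["synack"] += 1
        elif ack is not None and ack > 1:  # server acknowledged client payload
            f["acked"] = True
    for f in flows.values():
        if f["acked"]:
            f["status"] = "ok"
        elif f["client_ack"] and f["synack"] > 1:
            f["status"] = "half-open"
    return dict(flows)
```

A "half-open" verdict on a KVM guest is the cue to inspect offload features with `ethtool -k <iface>` on the host and guest and, as the fix in this thread did, disable TX checksum offload on the virtio interface (`ethtool -K <iface> tx off`), then re-run the capture to confirm the server starts acknowledging data.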