
    Linux clients with static IP have limited connectivity

    General pfSense Questions
    4 Posts 3 Posters 940 Views
    smithjoe1

      Thanks in advance for having a look at this issue. I've spent days trying to find out what's going wrong and I'm stumped. I'm having a strange connectivity issue for Linux clients connected via static IP using a pfSense firewall as a gateway.
      I have set the Linux system to use a static IP on the ADSL router's subnet and it works flawlessly.
      Windows systems, both static and DHCP, have perfect connectivity.
      Linux systems through DHCP work fine.

      The setup is a Debian KVM host running several virtual machines; the KVM host is experiencing this issue but the virtual Windows client is running without issue.

      Static IPs are assigned in the usual way through /etc/network/interfaces, with the /etc/resolv.conf file pointing to the correct nameserver. They all use the following:

      Address 10.0.100.2
      Netmask 255.255.255.0
      Gateway 10.0.100.1

      The LAN has the default firewall rule,
      IPv4 * LAN net * * * * none   Default allow LAN to any rule

      The WAN firewall has
      Block private networks
      Block bogon networks
      And a few port forwards.

      I have also tried changing the NAT reflection mode but it didn’t fix anything.

      I also have an OpenVPN server running on the firewall which works fine, except that I can't talk to any of the Linux systems either. I can browse the shares on the virtual Windows system, communicate with printers directly and use the pfSense web UI to configure the system, but I'm unable to SSH to any system or browse the Windows shares.

      On the clients, pings to a remote host work without any problems.

      $ ping 216.58.220.100
      PING 216.58.220.100 (216.58.220.100) 56(84) bytes of data.
      64 bytes from 216.58.220.100: icmp_seq=1 ttl=56 time=49.3 ms
      64 bytes from 216.58.220.100: icmp_seq=2 ttl=56 time=51.5 ms
      64 bytes from 216.58.220.100: icmp_seq=3 ttl=56 time=49.8 ms
      64 bytes from 216.58.220.100: icmp_seq=4 ttl=56 time=84.2 ms
      64 bytes from 216.58.220.100: icmp_seq=5 ttl=56 time=49.1 ms
      ^C
      --- 216.58.220.100 ping statistics ---
      5 packets transmitted, 5 received, 0% packet loss, time 4006ms
      rtt min/avg/max/mdev = 49.139/56.820/84.288/13.762 ms

      And can use nslookup against the firewall
      $ nslookup google.com
      Server:        10.0.100.1
      Address:        10.0.100.1#53

      Non-authoritative answer:
      Name:  google.com
      Address: 216.58.220.110

      I can telnet on port 80
      $ telnet google.com 80
      Trying 216.58.220.110...
      Connected to google.com.
      Escape character is '^]'.
      I have an internet connection issue with several computers on a KVM server, which is also having the same issue. The internet connection on Windows guests works fine. This is happening on multiple machines. The gateway is a pfSense firewall with all LAN side traffic allowed as per its default configuration; the 192.168.1.1 router uses its DMZ to push all traffic to the firewall.
      However, if I try to send a command such as GET / HTTP/1.0 to see if it would return the HTTP header, nothing happens.
      I ran a packet capture on the firewall against the server's IP as I was trying the HTTP GET command and came up with this, but I'm not too sure what to make of it.
      1  0.000000    IntelCor_93:8f:4b  Broadcast  ARP 60  Who has IP.IP.IP.10?  Tell IP.IP.IP.200
      2  2.130120    IP.IP.IP.10 216.58.220.100  TCP 66  55642→80 [FIN, ACK] Seq=1 Ack=1 Win=229 Len=0 TSval=19535544 TSecr=1347772624
      3  3.816772    IP.IP.IP.10 IP.IP.IP.1  DNS 74  Standard query 0x13ec  A www.google.com
      4  3.816839    IP.IP.IP.10 IP.IP.IP.1  DNS 74  Standard query 0xf326  AAAA www.google.com
      5  4.003369    IP.IP.IP.1  IP.IP.IP.10 DNS 102 Standard query response 0xf326  AAAA 2404:6800:4006:801::2004
      6  4.035623    IP.IP.IP.1  IP.IP.IP.10 DNS 90  Standard query response 0x13ec  A 216.58.220.100
      7  4.036683    IP.IP.IP.10 216.58.220.100  TCP 74  55643→80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=19536021 TSecr=0 WS=128
      8  4.086164    216.58.220.100  IP.IP.IP.10 TCP 74  80→55643 [SYN, ACK] Seq=0 Ack=1 Win=42540 Len=0 MSS=1402 SACK_PERM=1 TSval=1347876636 TSecr=19536021 WS=128
      9  4.086474    IP.IP.IP.10 216.58.220.100  TCP 66  55643→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=19536033 TSecr=1347876636
      10  4.548559    216.58.220.100  IP.IP.IP.10 TCP 74  [TCP Spurious Retransmission] 80→55643 [SYN, ACK] Seq=0 Ack=1 Win=42540 Len=0 MSS=1402 SACK_PERM=1 TSval=1347877098 TSecr=19536021 WS=128
      11  4.548808    IP.IP.IP.10 216.58.220.100  TCP 66  [TCP Dup ACK 9#1] 55643→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=19536149 TSecr=1347876636
      12  6.547488    216.58.220.100  IP.IP.IP.10 TCP 74  [TCP Spurious Retransmission] 80→55643 [SYN, ACK] Seq=0 Ack=1 Win=42540 Len=0 MSS=1402 SACK_PERM=1 TSval=1347879098 TSecr=19536021 WS=128
      13  6.547774    IP.IP.IP.10 216.58.220.100  TCP 66  [TCP Dup ACK 9#2] 55643→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=19536649 TSecr=1347876636
      14  8.532081    IP.IP.IP.10 216.58.220.100  TCP 82  [TCP segment of a reassembled PDU]
      15  8.781690    IP.IP.IP.10 216.58.220.100  TCP 82  [TCP Retransmission] 55643→80 [PSH, ACK] Seq=1 Ack=1 Win=29312 Len=16 TSval=19537208 TSecr=1347876636
      16  9.033636    IP.IP.IP.10 216.58.220.100  TCP 82  [TCP Retransmission] 55643→80 [PSH, ACK] Seq=1 Ack=1 Win=29312 Len=16 TSval=19537271 TSecr=1347876636
      17  9.453382    IP.IP.IP.10 216.58.220.100  TCP 82  [TCP Retransmission] [TCP segment of a reassembled PDU]
      18  9.537284    IP.IP.IP.10 216.58.220.100  TCP 82  [TCP Retransmission] 55643→80 [PSH, ACK] Seq=1 Ack=1 Win=29312 Len=16 TSval=19537397 TSecr=1347876636
      19  10.544897  IP.IP.IP.10 216.58.220.100  TCP 82  [TCP Retransmission] 55643→80 [PSH, ACK] Seq=1 Ack=1 Win=29312 Len=16 TSval=19537649 TSecr=1347876636
      20  10.545286  216.58.220.100  IP.IP.IP.10 TCP 74  [TCP Spurious Retransmission] 80→55643 [SYN, ACK] Seq=0 Ack=1 Win=42540 Len=0 MSS=1402 SACK_PERM=1 TSval=1347883098 TSecr=19536021 WS=128
      21  10.545542  IP.IP.IP.10 216.58.220.100  TCP 66  [TCP Dup ACK 19#1] 55643→80 [ACK] Seq=17 Ack=1 Win=29312 Len=0 TSval=19537649 TSecr=1347876636
      22  12.563760  IP.IP.IP.10 216.58.220.100  TCP 82  [TCP Retransmission] 55643→80 [PSH, ACK] Seq=1 Ack=1 Win=29312 Len=16 TSval=19538154 TSecr=1347876636
      23  16.601741  IP.IP.IP.10 216.58.220.100  TCP 82  [TCP Retransmission] 55643→80 [PSH, ACK] Seq=1 Ack=1 Win=29312 Len=16 TSval=19539164 TSecr=1347876636
      24  18.540457  216.58.220.100  IP.IP.IP.10 TCP 74  [TCP Spurious Retransmission] 80→55643 [SYN, ACK] Seq=0 Ack=1 Win=42540 Len=0 MSS=1402 SACK_PERM=1 TSval=1347891098 TSecr=19536021 WS=128
      But whenever I try to use something like wget, the request fails.
      $ wget -T60 google.com
      --2015-09-03 11:28:31--  http://google.com/
      Resolving google.com (google.com)... 216.58.220.110, 2404:6800:4006:801::200e
      Connecting to google.com (google.com)|216.58.220.110|:80... connected.
      HTTP request sent, awaiting response... Read error (Connection timed out) in headers.
      Retrying.
      I'm also getting a strange traceroute response
      $ traceroute google.com
      traceroute to google.com (216.58.220.110), 30 hops max, 60 byte packets
       1  Firewall.domain.lan (Removed)  1.002 ms  0.994 ms  0.973 ms
       2  192.168.1.1 (192.168.1.1)  2.018 ms  2.010 ms  1.991 ms
       3  * * *
       4  te1-1-6.sydgscore1.wireline.com.au (103.19.172.61)  103.634 ms  107.541 ms  109.968 ms
       5  ge1-1-2.sydgsbdr2.wireline.com.au (103.19.172.34)  111.886 ms  115.329 ms  117.046 ms
       6  as15169.nsw.ix.asn.au (218.100.52.3)  120.206 ms  121.862 ms  123.631 ms
       7  209.85.242.124 (209.85.242.124)  128.192 ms  147.385 ms  129.917 ms
       8  * * *
       9  * * *
      ...
      29  * * *
      30  * * *

      But it works fine from Windows
      $ tracert google.com
      Tracing route to google.com [216.58.220.110] over a maximum of 30 hops:

        1    1 ms    2 ms    2 ms  Firewall.domain.lan [Removed]
        2    2 ms    2 ms    2 ms  192.168.1.1
        3    63 ms    62 ms    67 ms  1.1.1.1
        4    99 ms    74 ms    55 ms  te1-1-6.sydgscore1.wireline.com.au [103.19.172.61]
        5    63 ms    51 ms    51 ms  ge1-1-2.sydgsbdr2.wireline.com.au [103.19.172.34]
        6    50 ms    55 ms    52 ms  as15169.nsw.ix.asn.au [218.100.52.3]
        7    51 ms    52 ms    62 ms  209.85.242.124
        8    51 ms    51 ms    52 ms  209.85.142.11
        9    52 ms    52 ms    64 ms  syd10s01-in-f14.1e100.net [216.58.220.110]

      Trace complete.

      export | grep -i proxy returns nothing, as I don't have a proxy configured.
      iptables configuration on the KVM host:
      $ iptables -L -n
      Chain INPUT (policy ACCEPT)
      target    prot opt source              destination
      ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0

      Chain FORWARD (policy ACCEPT)
      target    prot opt source              destination

      Chain OUTPUT (policy ACCEPT)
      target    prot opt source              destination
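      As an added example (my code, not anything posted in this thread), this is the check I would run over a Wireshark summary like the capture above to separate "the client's packets after its SYN are being lost" (the pattern in frames 8 to 24: the server keeps retransmitting SYN/ACK and never acknowledges the GET) from a healthy flow. The first sample copies frames from the posted capture; the healthy flow, including its server address 203.0.113.7, is constructed.

```python
"""Added example (not from the thread): classify a TCP flow in a Wireshark summary like the capture above."""
import re

# Constructed sample 1: frames 7-20 copied from the capture posted in the thread.
# Wireshark prints an arrow between the ports; pasted captures often mangle it to "?".
OFFLOAD_CAPTURE = """\
7  4.036683    IP.IP.IP.10 216.58.220.100  TCP 74  55643?80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=19536021 TSecr=0 WS=128
8  4.086164    216.58.220.100  IP.IP.IP.10 TCP 74  80?55643 [SYN, ACK] Seq=0 Ack=1 Win=42540 Len=0 MSS=1402 SACK_PERM=1 TSval=1347876636 TSecr=19536021 WS=128
9  4.086474    IP.IP.IP.10 216.58.220.100  TCP 66  55643?80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=19536033 TSecr=1347876636
10  4.548559    216.58.220.100  IP.IP.IP.10 TCP 74  [TCP Spurious Retransmission] 80?55643 [SYN, ACK] Seq=0 Ack=1 Win=42540 Len=0 MSS=1402 SACK_PERM=1 TSval=1347877098 TSecr=19536021 WS=128
14  8.532081    IP.IP.IP.10 216.58.220.100  TCP 82  [TCP segment of a reassembled PDU]
15  8.781690    IP.IP.IP.10 216.58.220.100  TCP 82  [TCP Retransmission] 55643?80 [PSH, ACK] Seq=1 Ack=1 Win=29312 Len=16 TSval=19537208 TSecr=1347876636
16  9.033636    IP.IP.IP.10 216.58.220.100  TCP 82  [TCP Retransmission] 55643?80 [PSH, ACK] Seq=1 Ack=1 Win=29312 Len=16 TSval=19537271 TSecr=1347876636
20  10.545286  216.58.220.100  IP.IP.IP.10 TCP 74  [TCP Spurious Retransmission] 80?55643 [SYN, ACK] Seq=0 Ack=1 Win=42540 Len=0 MSS=1402 SACK_PERM=1 TSval=1347883098 TSecr=19536021 WS=128
"""

# Constructed sample 2: what a working flow from the LAN host looks like
# (203.0.113.7 is a documentation address, not something from the thread).
HEALTHY_CAPTURE = """\
1  0.000000  10.0.100.2 203.0.113.7  TCP 74  40000→80 [SYN] Seq=0 Win=29200 Len=0
2  0.050000  203.0.113.7 10.0.100.2  TCP 74  80→40000 [SYN, ACK] Seq=0 Ack=1 Win=42540 Len=0
3  0.050200  10.0.100.2 203.0.113.7  TCP 66  40000→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0
4  0.051000  10.0.100.2 203.0.113.7  TCP 82  40000→80 [PSH, ACK] Seq=1 Ack=1 Win=29312 Len=16
5  0.101000  203.0.113.7 10.0.100.2  TCP 66  80→40000 [ACK] Seq=1 Ack=17 Win=42540 Len=0
"""

FRAME_RE = re.compile(r"^\s*\d+\s+[\d.]+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+\d+\s+(?P<info>.*)$")
PORTS_RE = re.compile(r"(?P<sport>\d+)\s*(?:\?|→|->)\s*(?P<dport>\d+)\s+\[(?P<flags>[A-Z]+(?:, [A-Z]+)*)\]")
FIELD_RE = re.compile(r"\b(Seq|Ack|Len)=(\d+)")

def parse_frames(text):
    """Parse summary lines; lines without 'port?port [FLAGS]' are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        p = PORTS_RE.search(m.group("info")) if m else None
        if not p:
            continue
        v = {k: int(n) for k, n in FIELD_RE.findall(m.group("info"))}
        frames.append({"src": (m.group("src"), int(p.group("sport"))),
                       "dst": (m.group("dst"), int(p.group("dport"))),
                       "flags": set(p.group("flags").split(", ")),
                       "seq": v.get("Seq", 0), "ack": v.get("Ack", 0), "len": v.get("Len", 0)})
    return frames

def analyse(frames):
    """Describe the first flow whose SYN is in the capture."""
    syn = next((f for f in frames if f["flags"] == {"SYN"}), None)
    if syn is None:
        return {"verdict": "inconclusive: no SYN in capture"}
    client, server = syn["src"], syn["dst"]
    flow = [f for f in frames if {f["src"], f["dst"]} == {client, server}]
    from_client = [f for f in flow if f["src"] == client]
    synacks = sum(f["src"] == server and f["flags"] == {"SYN", "ACK"} for f in flow)
    handshake_acks = sum(f["flags"] == {"ACK"} and f["ack"] == 1 for f in from_client)
    data = [f for f in from_client if f["len"] > 0]
    server_acked_data = any(f["src"] == server and f["ack"] > 1 for f in flow)
    result = {
        "synack_retransmits": max(synacks - 1, 0),
        "handshake_acks": handshake_acks,
        "data_segments": len(data),
        "data_retransmits": len(data) - len({f["seq"] for f in data}),
        "server_acked_data": server_acked_data,
    }
    if server_acked_data:
        result["verdict"] = "healthy: server acknowledged client data"
    elif handshake_acks and synacks > 1:
        # The client answered the SYN/ACK, yet the server keeps resending it and never
        # ACKs data: whatever the client sends after its SYN is lost beyond the capture
        # point. In this thread that turned out to be virtio TX offloading on the host.
        result["verdict"] = "client egress lost after SYN: server never saw the ACK or data"
    else:
        result["verdict"] = "inconclusive"
    return result
```

      A capture taken on the pfSense LAN interface (as in the thread) only shows what the firewall received; the verdict says the loss is on the far side of that point, which is why the hypervisor's NIC offload settings were the right place to look.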

    johnpoz (LAYER 8 Global Moderator)

        You have a problem with your KVM host if you ask me.. Your sniff is on your LAN interface of pfSense and you're seeing retrans..

        There are lots of known issues with KVM.. it's sticky all over the board
        https://forum.pfsense.org/index.php?topic=88467.0
        IMPORTANT: Xen/KVM networking will not work on 2.2 using default hypervisor settings!

    firewalluser

          Do you also use Snort? If so, it's worth checking the KVM guests/virtual machines haven't been blocked by Snort.

          Do you log your firewall rules, and if so, what do you see going on in there? Can you also post your fw rules?

    smithjoe1

            Thank you for that! It fixed the problem instantly. It was the TX offloading from the virtIO interface.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.