Linux clients with static IP have limited connectivity
-
Thanks in advance for having a look at this issue. I've spent days trying to find out what's going wrong and I'm stumped. I'm having a strange connectivity issue for Linux clients connected via static IP using a pfSense firewall as a gateway.
I have set the Linux system to use a static IP on the ADSL router's subnet and it works flawlessly.
Windows systems, both static and DHCP, have perfect connectivity.
Linux systems through DHCP work fine. The setup is a Debian KVM host running several virtual machines; the KVM host is experiencing this issue but the virtual Windows client is running without issue.
Static IPs are assigned in the usual way through /etc/network/interfaces, with the /etc/resolv.conf file pointing to the correct nameserver. They all use the following:
Address 10.0.100.2
Netmask 255.255.255.0
Gateway 10.0.100.1
The LAN has the default firewall rule:
IPv4 * LAN net * * * * none Default allow LAN to any rule
The WAN firewall has:
Block private networks
Block bogon networks
And a few port forwards. I have also tried changing the NAT reflection mode but it didn't fix anything.
I also have an OpenVPN server running on the firewall which works fine, except that I can't talk to any of the Linux systems either. I can browse the shares on the virtual Windows system, communicate with printers directly, and use the pfSense web UI to configure the system, but I'm unable to ssh to any system or browse the Windows shares.
On the clients they ping without any problems to a remote host.
$ ping 216.58.220.100
PING 216.58.220.100 (216.58.220.100) 56(84) bytes of data.
64 bytes from 216.58.220.100: icmp_seq=1 ttl=56 time=49.3 ms
64 bytes from 216.58.220.100: icmp_seq=2 ttl=56 time=51.5 ms
64 bytes from 216.58.220.100: icmp_seq=3 ttl=56 time=49.8 ms
64 bytes from 216.58.220.100: icmp_seq=4 ttl=56 time=84.2 ms
64 bytes from 216.58.220.100: icmp_seq=5 ttl=56 time=49.1 ms
^C
--- 216.58.220.100 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 49.139/56.820/84.288/13.762 ms
And can use nslookup against the firewall
$ nslookup google.com
Server: 10.0.100.1
Address: 10.0.100.1#53

Non-authoritative answer:
Name: google.com
Address: 216.58.220.110
I can telnet on port 80
$ telnet google.com 80
Trying 216.58.220.110...
Connected to google.com.
Escape character is '^]'.
I have an internet connection issue with several computers on a KVM server, which is also having the same issue. The internet connection on Windows guests works fine. This is happening on multiple machines. The gateway is a pfSense firewall with all LAN-side traffic allowed as per its default configuration; the 192.168.1.1 router uses its DMZ to push all traffic to the firewall.
However, if I try to send a command such as GET / HTTP/1.0 to see if it would return the HTTP header, nothing happens.
I ran a packet capture on the firewall against the server's IP as I was trying the HTTP GET command and came up with this, but I'm not too sure what to make of it.
1 0.000000 IntelCor_93:8f:4b Broadcast ARP 60 Who has IP.IP.IP.10? Tell IP.IP.IP.200
2 2.130120 IP.IP.IP.10 216.58.220.100 TCP 66 55642→80 [FIN, ACK] Seq=1 Ack=1 Win=229 Len=0 TSval=19535544 TSecr=1347772624
3 3.816772 IP.IP.IP.10 IP.IP.IP.1 DNS 74 Standard query 0x13ec A www.google.com
4 3.816839 IP.IP.IP.10 IP.IP.IP.1 DNS 74 Standard query 0xf326 AAAA www.google.com
5 4.003369 IP.IP.IP.1 IP.IP.IP.10 DNS 102 Standard query response 0xf326 AAAA 2404:6800:4006:801::2004
6 4.035623 IP.IP.IP.1 IP.IP.IP.10 DNS 90 Standard query response 0x13ec A 216.58.220.100
7 4.036683 IP.IP.IP.10 216.58.220.100 TCP 74 55643→80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=19536021 TSecr=0 WS=128
8 4.086164 216.58.220.100 IP.IP.IP.10 TCP 74 80→55643 [SYN, ACK] Seq=0 Ack=1 Win=42540 Len=0 MSS=1402 SACK_PERM=1 TSval=1347876636 TSecr=19536021 WS=128
9 4.086474 IP.IP.IP.10 216.58.220.100 TCP 66 55643→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=19536033 TSecr=1347876636
10 4.548559 216.58.220.100 IP.IP.IP.10 TCP 74 [TCP Spurious Retransmission] 80→55643 [SYN, ACK] Seq=0 Ack=1 Win=42540 Len=0 MSS=1402 SACK_PERM=1 TSval=1347877098 TSecr=19536021 WS=128
11 4.548808 IP.IP.IP.10 216.58.220.100 TCP 66 [TCP Dup ACK 9#1] 55643→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=19536149 TSecr=1347876636
12 6.547488 216.58.220.100 IP.IP.IP.10 TCP 74 [TCP Spurious Retransmission] 80→55643 [SYN, ACK] Seq=0 Ack=1 Win=42540 Len=0 MSS=1402 SACK_PERM=1 TSval=1347879098 TSecr=19536021 WS=128
13 6.547774 IP.IP.IP.10 216.58.220.100 TCP 66 [TCP Dup ACK 9#2] 55643→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=19536649 TSecr=1347876636
14 8.532081 IP.IP.IP.10 216.58.220.100 TCP 82 [TCP segment of a reassembled PDU]
15 8.781690 IP.IP.IP.10 216.58.220.100 TCP 82 [TCP Retransmission] 55643→80 [PSH, ACK] Seq=1 Ack=1 Win=29312 Len=16 TSval=19537208 TSecr=1347876636
16 9.033636 IP.IP.IP.10 216.58.220.100 TCP 82 [TCP Retransmission] 55643→80 [PSH, ACK] Seq=1 Ack=1 Win=29312 Len=16 TSval=19537271 TSecr=1347876636
17 9.453382 IP.IP.IP.10 216.58.220.100 TCP 82 [TCP Retransmission] [TCP segment of a reassembled PDU]
18 9.537284 IP.IP.IP.10 216.58.220.100 TCP 82 [TCP Retransmission] 55643→80 [PSH, ACK] Seq=1 Ack=1 Win=29312 Len=16 TSval=19537397 TSecr=1347876636
19 10.544897 IP.IP.IP.10 216.58.220.100 TCP 82 [TCP Retransmission] 55643→80 [PSH, ACK] Seq=1 Ack=1 Win=29312 Len=16 TSval=19537649 TSecr=1347876636
20 10.545286 216.58.220.100 IP.IP.IP.10 TCP 74 [TCP Spurious Retransmission] 80→55643 [SYN, ACK] Seq=0 Ack=1 Win=42540 Len=0 MSS=1402 SACK_PERM=1 TSval=1347883098 TSecr=19536021 WS=128
21 10.545542 IP.IP.IP.10 216.58.220.100 TCP 66 [TCP Dup ACK 19#1] 55643→80 [ACK] Seq=17 Ack=1 Win=29312 Len=0 TSval=19537649 TSecr=1347876636
22 12.563760 IP.IP.IP.10 216.58.220.100 TCP 82 [TCP Retransmission] 55643→80 [PSH, ACK] Seq=1 Ack=1 Win=29312 Len=16 TSval=19538154 TSecr=1347876636
23 16.601741 IP.IP.IP.10 216.58.220.100 TCP 82 [TCP Retransmission] 55643→80 [PSH, ACK] Seq=1 Ack=1 Win=29312 Len=16 TSval=19539164 TSecr=1347876636
24 18.540457 216.58.220.100 IP.IP.IP.10 TCP 74 [TCP Spurious Retransmission] 80→55643 [SYN, ACK] Seq=0 Ack=1 Win=42540 Len=0 MSS=1402 SACK_PERM=1 TSval=1347891098 TSecr=19536021 WS=128
but whenever I try to use something like wget the request fails.
$ wget -T60 google.com
--2015-09-03 11:28:31--  http://google.com/
Resolving google.com (google.com)... 216.58.220.110, 2404:6800:4006:801::200e
Connecting to google.com (google.com)|216.58.220.110|:80... connected.
HTTP request sent, awaiting response... Read error (Connection timed out) in headers.
Retrying.
I'm also getting a strange traceroute response
$ traceroute google.com
traceroute to google.com (216.58.220.110), 30 hops max, 60 byte packets
1 Firewall.domain.lan (Removed) 1.002 ms 0.994 ms 0.973 ms
2 192.168.1.1 (192.168.1.1) 2.018 ms 2.010 ms 1.991 ms
3 * * *
4 te1-1-6.sydgscore1.wireline.com.au (103.19.172.61) 103.634 ms 107.541 ms 109.968 ms
5 ge1-1-2.sydgsbdr2.wireline.com.au (103.19.172.34) 111.886 ms 115.329 ms 117.046 ms
6 as15169.nsw.ix.asn.au (218.100.52.3) 120.206 ms 121.862 ms 123.631 ms
7 209.85.242.124 (209.85.242.124) 128.192 ms 147.385 ms 129.917 ms
8 * * *
9 * * *
...
29 * * *
30 * * *
But it works fine from Windows
$ tracert google.com
Tracing route to google.com [216.58.220.110] over a maximum of 30 hops:

1 1 ms 2 ms 2 ms Firewall.domain.lan [Removed]
2 2 ms 2 ms 2 ms 192.168.1.1
3 63 ms 62 ms 67 ms 1.1.1.1
4 99 ms 74 ms 55 ms te1-1-6.sydgscore1.wireline.com.au [103.19.172.61]
5 63 ms 51 ms 51 ms ge1-1-2.sydgsbdr2.wireline.com.au [103.19.172.34]
6 50 ms 55 ms 52 ms as15169.nsw.ix.asn.au [218.100.52.3]
7 51 ms 52 ms 62 ms 209.85.242.124
8 51 ms 51 ms 52 ms 209.85.142.11
9 52 ms 52 ms 64 ms syd10s01-in-f14.1e100.net [216.58.220.110]

Trace complete.
export | grep -i proxy returns nothing, as I don't have a proxy configured.
IPTables configuration on KVM host.
$ iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
-
You have a problem with your KVM host if you ask me. Your sniff is on the LAN interface of pfSense and you're seeing retrans..
There are lots of known issues with KVM.. it's sticky all over the board
https://forum.pfsense.org/index.php?topic=88467.0
IMPORTANT: Xen/KVM networking will not work on 2.2 using default hypervisor settings!
-
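The capture in the question, read the way the reply above reads it, as an added example that is not part of the thread: the client's handshake ACK and its 16-byte GET are both visible on pfSense's LAN interface, yet the server keeps retransmitting its SYN/ACK (its TSecr stays at the original SYN's TSval of 19536021, so it never saw the ACK) and never sends a byte back. Ping and DNS succeed because they are single small packets, and telnet's "Connected" only proves the SYN/ACK arrived; nothing after the handshake gets through. The script below encodes that reading so it can be run over a summary listing. The tshark invocation in the note, the helper names and the second, healthy sample are assumptions, not something from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): triage a packet-summary listing for the pattern in the
# post's capture, where the TCP handshake completes but nothing after it gets through.
# Input lines use Wireshark's summary columns: No. Time Source Destination Protocol Length Info
# (what "Copy > Summary as Text" gives you, or the tshark -T fields command in the note).

# tcp_triage CLIENT_IP -- reads summary lines on stdin, prints counters and a one-word verdict.
tcp_triage() (
  set -f                         # no globbing: Info holds [SYN], [ACK], which are glob patterns
  client=$1
  synack_retx=0; client_acks=0; client_data=0; server_data=0
  while IFS= read -r line; do
    set -- $line                 # $3 = Source, $5 = Protocol
    [ "${5:-}" = TCP ] || continue
    if [ "$3" = "$client" ]; then
      case "$line" in
        *"[ACK]"*"Len=0"*) client_acks=$((client_acks + 1)) ;;   # handshake ACK and dup ACKs
        *"[PSH, ACK]"*)    client_data=$((client_data + 1)) ;;   # our request bytes (and retries)
      esac
    else
      case "$line" in
        *Retransmission*"[SYN, ACK]"*) synack_retx=$((synack_retx + 1)) ;;  # server never saw our ACK
        *"[SYN, ACK]"*|*"Len=0"*)      ;;                                   # first SYN/ACK, bare ACKs
        *)                             server_data=$((server_data + 1)) ;;  # payload coming back
      esac
    fi
  done
  # Our ACKs and data are present at the capture point, yet the server keeps retransmitting
  # SYN/ACK and never answers: the loss is downstream of where we captured (firewall forwarding
  # path, NAT, WAN), not on the LAN segment and not a blocked handshake.
  if [ "$synack_retx" -gt 0 ] && [ "$client_acks" -gt 0 ] && [ "$server_data" -eq 0 ]; then
    verdict=client_segments_lost_past_capture_point
  elif [ "$server_data" -gt 0 ]; then
    verdict=bidirectional_ok
  else
    verdict=inconclusive
  fi
  echo "synack_retx=$synack_retx client_acks=$client_acks client_data=$client_data server_data=$server_data verdict=$verdict"
)

# triage_verdict CLIENT_IP -- just the verdict word, for scripting.
triage_verdict() { out=$(tcp_triage "$1"); echo "${out##*verdict=}"; }

# Constructed sample 1: a trimmed copy of the capture from the post (client anonymised as IP.IP.IP.10).
BROKEN='7 4.036683 IP.IP.IP.10 216.58.220.100 TCP 74 55643→80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460
8 4.086164 216.58.220.100 IP.IP.IP.10 TCP 74 80→55643 [SYN, ACK] Seq=0 Ack=1 Win=42540 Len=0 MSS=1402
9 4.086474 IP.IP.IP.10 216.58.220.100 TCP 66 55643→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0
10 4.548559 216.58.220.100 IP.IP.IP.10 TCP 74 [TCP Spurious Retransmission] 80→55643 [SYN, ACK] Seq=0 Ack=1 Win=42540 Len=0
11 4.548808 IP.IP.IP.10 216.58.220.100 TCP 66 [TCP Dup ACK 9#1] 55643→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0
15 8.781690 IP.IP.IP.10 216.58.220.100 TCP 82 [TCP Retransmission] 55643→80 [PSH, ACK] Seq=1 Ack=1 Win=29312 Len=16
16 9.033636 IP.IP.IP.10 216.58.220.100 TCP 82 [TCP Retransmission] 55643→80 [PSH, ACK] Seq=1 Ack=1 Win=29312 Len=16
20 10.545286 216.58.220.100 IP.IP.IP.10 TCP 74 [TCP Spurious Retransmission] 80→55643 [SYN, ACK] Seq=0 Ack=1 Win=42540 Len=0'

# Constructed sample 2: what a healthy GET looks like in the same format (values made up).
HEALTHY='1 0.000000 10.0.100.2 216.58.220.100 TCP 74 40000→80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460
2 0.050000 216.58.220.100 10.0.100.2 TCP 74 80→40000 [SYN, ACK] Seq=0 Ack=1 Win=42540 Len=0 MSS=1402
3 0.050200 10.0.100.2 216.58.220.100 TCP 66 40000→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0
4 0.051000 10.0.100.2 216.58.220.100 TCP 82 40000→80 [PSH, ACK] Seq=1 Ack=1 Win=29312 Len=16
5 0.101000 216.58.220.100 10.0.100.2 TCP 583 80→40000 [PSH, ACK] Seq=1 Ack=17 Win=42624 Len=517'

printf '%s\n' "$BROKEN"  | tcp_triage IP.IP.IP.10
printf '%s\n' "$HEALTHY" | tcp_triage 10.0.100.2
```

To feed it a real capture (assumed invocation): `tshark -r lan.pcap -Y tcp -T fields -e frame.number -e frame.time_relative -e ip.src -e ip.dst -e _ws.col.Protocol -e frame.len -e _ws.col.Info | tcp_triage 10.0.100.2`. A verdict of client_segments_lost_past_capture_point means the drop is between the capture point and the server, so the next capture belongs on the firewall's WAN interface, not on the LAN. One caveat on the two traceroutes in the question: Linux traceroute sends UDP probes by default while Windows tracert sends ICMP echo, so they are not comparing the same traffic; `traceroute -I` is the like-for-like test.
-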
Do you also use Snort? If so, it's worth checking the KVM guests/virtual machines haven't been blocked by Snort.
Do you log your firewall rules, and if so what do you see going on in there? Can you also post your fw rules?
-
Thank you for that! It fixed the problem instantly. It was the TX offloading from the virtio interface.
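The fix the original poster reports, disabling TX offload on the virtio interface, as an added example that is not from the thread: a small script for the Debian host (or any Linux virtio guest) that audits `ethtool -k`, turns off TX checksumming together with the segmentation offloads that build on it, and prints the post-up line that makes the change survive a reboot in the same /etc/network/interfaces the question configures. The interface name eth0, the sample ethtool output and the helper names are assumptions; applying it needs the ethtool package and root.

```shell
#!/bin/sh
# Added example (not from the thread): audit and switch off TX checksum offload, and the
# segmentation offloads that rely on it, on a Linux virtio NIC, then persist it via ifupdown.
# Assumptions: the ethtool package is installed; the interface name (eth0) is made up.

# offloads_enabled: read `ethtool -k IFACE` output on stdin and print which of the three
# features we care about are currently on. Entries marked "[fixed]" cannot be changed, so only
# a bare "on" counts; sub-features are indented in the output and therefore never match.
offloads_enabled() {
  while IFS= read -r line; do
    case "$line" in
      "tx-checksumming: on")              echo tx  ;;
      "tcp-segmentation-offload: on")     echo tso ;;
      "generic-segmentation-offload: on") echo gso ;;
    esac
  done
}

# ethtool_args FEATURE...: "tx off tso off gso off", the argument list for `ethtool -K IFACE`.
ethtool_args() {
  args=
  for f in "$@"; do args="$args${args:+ }$f off"; done
  printf '%s\n' "$args"
}

# interfaces_postup IFACE FEATURE...: the stanza line that re-applies the setting at boot
# (ifupdown runs post-up commands once the interface is up).
interfaces_postup() {
  iface=$1; shift
  printf '    post-up /sbin/ethtool -K %s %s\n' "$iface" "$(ethtool_args "$@")"
}

# apply_offload_fix IFACE: audit, disable whatever is on, and show the persistent line (needs root).
apply_offload_fix() {
  iface=$1
  on=$(ethtool -k "$iface" | offloads_enabled)
  if [ -z "$on" ]; then
    echo "$iface: tx/tso/gso already off"
    return 0
  fi
  set -- $on
  echo "$iface: disabling $*"
  ethtool -K "$iface" $(ethtool_args "$@")
  echo "add to the 'iface $iface' stanza in /etc/network/interfaces:"
  interfaces_postup "$iface" "$@"
}

# Constructed sample of `ethtool -k eth0` on a virtio guest with default settings.
SAMPLE_ETHTOOL='Features for eth0:
rx-checksumming: on [fixed]
tx-checksumming: on
	tx-checksum-ipv4: off [fixed]
	tx-checksum-ip-generic: on
scatter-gather: on
	tx-scatter-gather: on
tcp-segmentation-offload: on
	tx-tcp-segmentation: on
	tx-tcp6-segmentation: on
generic-segmentation-offload: on
generic-receive-offload: on'

printf '%s\n' "$SAMPLE_ETHTOOL" | offloads_enabled       # tx, tso, gso, one per line
interfaces_postup eth0 $(printf '%s\n' "$SAMPLE_ETHTOOL" | offloads_enabled)
# On a real host, as root:  apply_offload_fix eth0
```

Run `apply_offload_fix eth0` as root on the Linux host or guest, then re-run the wget from the question. TSO and GSO are listed explicitly so the intent is visible in the config; the kernel drops TSO on its own once TX checksumming is off. For a pfSense VM on KVM the equivalent is the "Disable hardware checksum offload" setting under System > Advanced > Networking, which is what the 2.2 thread linked above is about.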