-
-
Notifications
You must be signed in to change notification settings - Fork 10.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Firewall: Significang packet loss on WAN when using default rule "wan Forward reject", solution: "wan Forward drop" #13340
Comments
Please make tcpdump on 'wan' interface and examine with wireshark. |
Please try: This is limiting ICMP generation roughly guided by kernel defaults: EDIT: fix formatting to alow copypasta commands. |
Basically test: While at it you can have all linux bridges with virtio-net adapters, even trunking VLAN-s in physical adapters to stuff more isolated networks if switch can support it. |
Thank you for the fast response. I now suspect this to be routing issue at my provider. With logging enabled on the wan zone (with the default fw rules) I see a lot of random packages. The reject packages have DST not only of the IP range of my modems current network, but also of other ranges of my provider. OpenWrt default setting of reject do apparently just seem to reach the rate limit under this packet spam conditions. |
Does rate limiting your ICMP output rate solve the connection quality issue? (DROP in 2 places is also completely valid solution, im just assessing if "common case" can be stabilised) |
That looks like a IPv6 only rule, I use IPv4. |
If you look at that chain you see it does reset of tcp and default icmp4/icmp6 action for all other types.
|
Understand. I mixed it up with the already existing rule set that also uses the same limits. I used a fresh OpenWrt image to test this to prevent any other of my changes influencing it. Using this extra rule makes no difference. Also its counter stays at 0.
Edit: Same with this rules. With wan Forward reject I have package loss, with wan Forward drop it works fine. But this lower limits cause some package drop now.
|
burst 5 is default, one of 3 '1000' sysctl settings is millisecs between generated packets i.e 1/second burst 5 packets |
Ping @jow- |
@PixelOfDeath it will apply only to new clean installations, keep your DROP rule as you figured out to transfer it via config backups. |
I think I now have a working hypothesis what happens. A simple test where each 20 second one reject package causes my connection to drop:
Note that the default settings with wan Input reject + wan Forward drop work perfectly fine and my connection never stops working. Even when sending reject responses for the traditional port scanners/viruses/whatever that is hammering my IP. |
VM sends rejects on packets that switches leak to your connection wire and probably your provider has some punisher script for OOB resets sent... |
(leave at "DROP", the global limit on nft-generated packets is other discipline, ill do an independed try on that, some places have limit some none) |
Summary - when something enabled promiscuous mode (eg |
Dropping packets with no clear forward destination is nicer than rejecting them. Especially when some providers punish users for spoofing caused by their noisy infra. Fixes: openwrt/openwrt#13340
Dropping packets with no clear forward destination is nicer than rejecting them. Especially when some providers punish users for spoofing caused by their noisy infra. Fixes: openwrt/openwrt#13340
Dropping packets with no clear forward destination is nicer than rejecting them. Especially when some providers punish users for spoofing caused by their noisy infra. Fixes: openwrt/openwrt#13340
Dropping packets with no clear forward destination is nicer than rejecting them. Especially when some providers punish users for spoofing caused by their noisy infra. Fixes: openwrt/openwrt#13340
Dropping packets with no clear forward destination is nicer than rejecting them. Especially when some providers punish users for spoofing caused by their noisy infra. Fixes: openwrt/openwrt#13340
Dropping packets with no clear forward destination is nicer than rejecting them. Especially when some providers punish users for spoofing caused by their noisy infra. Fixes: openwrt/openwrt#13340
Dropping packets with no clear forward destination is nicer than rejecting them. Especially when some providers punish users for spoofing caused by their noisy infra. Fixes: openwrt/openwrt#13340
Describe the bug
I hat issues with significant WAN package loss on my setup. It ranged from 10% to 40% pings not getting a reply.
First of all I found the solution/workaround to this:
Switching the default wan forward rule from reject to drop solves all my issues!
I also could stop the firewall under System > Startup and hat no more package loss when pinging.
So far I could exclude issues with
DCHP client v4 or v6 (Tested WAN on static IP)
my Cable Modem (Tested two different models)
the physical eth ports (Tested all 4 ports for wan)
My Setup:
Chinese Intel n5105 NUC with 4x I225-V (rev 03) as a Proxmox hypervisor
The OpenWrt VM network setup:
LAN = virtio bridge to the first I255-V
WAN = PCI pass-thru to a second I225-V
I also tested a setup with only PCI pass-thru, same issue.
I also tested OpenWrt 23.05.0-rc3/targets/x86/64/generic-squashfs-combined-efi.img.gz, same issue
OpenWrt version
r20134-5f15225c1e
OpenWrt target/subtarget
x86/64
Device
QEMU Standard PC (i440FX + PIIX, 1996)
Image kind
Official downloaded image
Steps to reproduce
Using the default image with default settings.
Actual behaviour
Significant package loss on WAN with the default firewall configuration
Expected behaviour
No package loss
Additional info
No response
Diffconfig
No response
Terms
The text was updated successfully, but these errors were encountered: