CRC-Offload on KVM-Host

Open JochenKorge opened this issue 2 years ago • 3 comments

Hi, TL;DR: you have to enable CRC-Checksum offload in new(er) versions of KVM-Virtualized OpnSenses.

Our setup consists of a 3 node Proxmox cluster hosting 2 OpnSense in HA. We do use the qemu-guest-agent plugin and virtio NICs for the OpnSense-VMs.

After updating from 21.xx to 22.xx we got strange connectivity issues. Connections that were routed by the OpnSense to and from the host and all VMs on that node that hosted the active OpnSense were broken. All other nodes and VMs did work flawlessly. As did connections that weren't routed by the OpnSense (e.g. connections within the same subnet). Migrating the FW or "Carp-Failover" to the backup did move the unreachable hosts/VMs to the other node instantly. Wireshark told me that there were CRC-Checksum errors on TCP and UDP.

The following setting fixed it: [screenshot: grafik]

This is contrary to the docs. (https://docs.opnsense.org/manual/virtuals.html)

Unfortunately my Lab-Environment is out of order, so I don't want to post logs publicly (mail is ok though). If I can be of any assistance let me know.

Cheers Jochen

JochenKorge, May 11 '22 12:05

Thank you for creating an issue. Since the ticket doesn't seem to be using one of our templates, we're marking this issue as low priority until further notice.

For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

The easiest option to gain traction is to close this ticket and open a new one using one of our templates.

OPNsense-bot, May 11 '22 13:05

Un-checking that box (and various combinations of all 3) did not help matters on our end, nor did any of the vtnet-specific sysctl settings in various flavors: [screenshot: image]

22.1 and 22.7 cannot ping or otherwise communicate with any hosts in their local subnet until running service of onestop at which point connectivity resumes... odd. Seems that there is some interaction between vtnet and pf which allows the device to route traffic but not communicate with hosts in its own local subnets.

sempervictus, Aug 04 '22 23:08

Sounds like you have an upstream gateway set in the interface

mimugmail, Aug 05 '22 03:08

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.

OPNsense-bot, Nov 07 '22 12:11