pfSense: Ethernet Errors while running as KVM guest
Wednesday, May 25 2016 · Tags: pfSense
Since pfSense version 2.3 I’ve experienced “Network In” errors on three virtual NICs. The error counters went up fast when traffic greater than 600 MBit/s was flowing through them. This didn’t cause problems in the daily business but a known error isn’t nice.
I extracted the error counters of each interface with the help of netstat:
The “Ierrs” values of em1, em2 and em4 are very high.
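One way to turn those counters into a repeatable check, as an added example that is not part of the original post: a shell function that reads `netstat -i` output and lists interfaces whose input-error ratio exceeds a threshold. The `netstat -i` column layout, the function names, the threshold and the sample counters are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not the author's code. Assumes FreeBSD-style `netstat -i`
# output whose last six columns are: Ipkts Ierrs Idrop Opkts Oerrs Coll.

# Print "name ierrs ppm" for every link-layer row above the threshold.
# $1 = threshold in input errors per million received packets (default 100).
ierrs_report() {
    awk -v limit="${1:-100}" '
        NR == 1 || NF < 9 { next }      # skip the header and short lines
        $3 !~ /^<Link#/   { next }      # address rows show "-" instead of counters
        {
            # Count columns from the right: the Address column can be
            # empty (for example on lo0), which shifts the left-hand fields.
            ipkts = $(NF-5); ierrs = $(NF-4)
            if (ipkts !~ /^[0-9]+$/ || ierrs !~ /^[0-9]+$/) next
            if (ipkts > 0)      ppm = int(ierrs * 1000000 / ipkts)
            else if (ierrs > 0) ppm = 1000000
            else                ppm = 0
            if (ppm > limit) printf "%s %d %d\n", $1, ierrs, ppm
        }'
}

# Constructed sample input (not the counters from the post).
sample_netstat() {
cat <<'EOF'
Name    Mtu Network       Address              Ipkts Ierrs Idrop    Opkts Oerrs  Coll
em0    1500 <Link#1>      52:54:00:00:00:01  4000000     0     0  3900000     0     0
em0       - 192.0.2.0/24  192.0.2.1            12000     -     -    11000     -     -
em1    1500 <Link#2>      52:54:00:00:00:02  2000000  5000     0  1800000     0     0
lo0   16384 <Link#3>                             900     0     0      900     0     0
em2    1500 <Link#4>      52:54:00:00:00:03  1000000    50     0   900000     0     0
EOF
}

# Demo run on the constructed sample; on the firewall itself the input
# would come from: netstat -i | ierrs_report 100
sample_netstat | ierrs_report 100
```

Running it before and after a change such as the NIC model swap gives a comparable number instead of eyeballing raw counters.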
Ethernet errors can occur because of
- broken cables
- damaged network equipment
- collisions on bridges (if present)
- the NIC running out of available buffers
A quick look at the physical network interface and the bridge on the host system showed no errors. My cables and network gear aren’t the cause of this. My guess is the emulated e1000 NICs of pfSense. Every other guest in my network has virtio NICs. I decided to migrate the e1000 ones to virtio.
After changing NICs everything broke. I was able to ping other hosts (across NICs) but wasn’t able to connect with any other protocol. My first thought was that my rules would block traffic, but after a search nothing was revealed. I even disabled filtering, thereby turning pfSense into a routing-only platform. I then did a trace on the firewall which reported the following:
The TCP SYN packet from my laptop got to the server, which responded with an ACK. That ACK packet was never returned to my laptop but got stuck on the LAN interface of my pfSense. Then both sides started to retransmit the packets.
The resolution is pretty easy. It’s a simple checkbox called “Hardware Checksum Offloading” which is located under System -> Advanced -> Networking -> Network Interfaces.
After rebooting pfSense traffic was flowing again without any problems. I’ve been using virtio since yesterday and haven’t had any Ethernet errors since.