pfSense: Ethernet Errors while running as KVM guest

Note: this article is more than a year old. Its content may no longer be current!

Since pfSense version 2.3 I have been seeing "Network In" errors on three virtual NICs. The error counters climbed quickly whenever more than about 600 Mbit/s of traffic flowed through them. This caused no problems in day-to-day operation, but a known error is not something to leave alone.

Problem description

I extracted the error counters of each interface with netstat on the pfSense shell:

[2.3.1-RELEASE][admin@firewall.veloc1ty.lan]/root: netstat -i
Name    Mtu Network       Address              Ipkts Ierrs Idrop    Opkts Oerrs  Coll
em0  1500 <Link#1>      52:54:00:22:c1:4e  6382653     0     0  3615536     0     0
em0     - fe80::5054:ff fe80::5054:ff:fe2        0     -     -        0     -     -
em0     - 192.168.0.0   192.168.0.2         130795     -     -   130793     -     -
em1  1500 <Link#2>      52:54:00:4b:db:65  3565098  1764     0  6262855     0     0
em1     - fe80::5054:ff fe80::5054:ff:fe4        0     -     -        0     -     -
em1     - 192.168.1.0   firewall             26136     -     -     5083     -     -
em2  1500 <Link#3>      52:54:00:0c:74:9a  1247489   866     0  1083952     0     0
em2     - fe80::5054:ff fe80::5054:ff:fe0        0     -     -        0     -     -
em2     - 192.168.2.4/3 gw-overwatch         32648     -     -    39455     -     -
em3  1500 <Link#4>      52:54:00:f3:52:7f        5     0     0       67     0     0
em3     - fe80::5054:ff fe80::5054:ff:fef        0     -     -        0     -     -
em3     - 192.168.2.0/3 gw-torrent               0     -     -        0     -     -
em4  1500 <Link#5>      52:54:00:3c:81:23   897703 14899     0  1025503     0     0
em4     - fe80::5054:ff fe80::5054:ff:fe3        0     -     -        0     -     -
em4     - 192.168.3.0/2 gw-servers            4408     -     -    14210     -     -

The Ierrs (input error) counts of em1, em2 and em4 are very high, while Idrop, Oerrs and Coll stay at zero everywhere. em4 is the worst: about 1.7 % of its input packets were counted as errors.
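As an added example (not part of the original post), here is a small shell helper that turns a netstat -i listing into a per-interface input error rate and flags everything above a threshold given in parts per million of input packets. The sample input is the listing above, embedded so the script runs offline; the function name and the 100 ppm threshold are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post: turn the `netstat -i` listing
# into a per-interface input error rate and flag anything over a threshold.
# Usage on the pfSense shell:   netstat -i | ierr_offenders 100
# The threshold is in parts per million of input packets (100 ppm = 0.01 %),
# an arbitrary choice for illustration.

# Sample input: the `netstat -i` listing from the post, embedded so the
# script runs offline (the prompt line has been left out).
NETSTAT_SAMPLE='Name    Mtu Network       Address              Ipkts Ierrs Idrop    Opkts Oerrs  Coll
em0  1500 <Link#1>      52:54:00:22:c1:4e  6382653     0     0  3615536     0     0
em0     - fe80::5054:ff fe80::5054:ff:fe2        0     -     -        0     -     -
em0     - 192.168.0.0   192.168.0.2         130795     -     -   130793     -     -
em1  1500 <Link#2>      52:54:00:4b:db:65  3565098  1764     0  6262855     0     0
em1     - fe80::5054:ff fe80::5054:ff:fe4        0     -     -        0     -     -
em1     - 192.168.1.0   firewall             26136     -     -     5083     -     -
em2  1500 <Link#3>      52:54:00:0c:74:9a  1247489   866     0  1083952     0     0
em2     - fe80::5054:ff fe80::5054:ff:fe0        0     -     -        0     -     -
em2     - 192.168.2.4/3 gw-overwatch         32648     -     -    39455     -     -
em3  1500 <Link#4>      52:54:00:f3:52:7f        5     0     0       67     0     0
em3     - fe80::5054:ff fe80::5054:ff:fef        0     -     -        0     -     -
em3     - 192.168.2.0/3 gw-torrent               0     -     -        0     -     -
em4  1500 <Link#5>      52:54:00:3c:81:23   897703 14899     0  1025503     0     0
em4     - fe80::5054:ff fe80::5054:ff:fe3        0     -     -        0     -     -
em4     - 192.168.3.0/2 gw-servers            4408     -     -    14210     -     -'

# Reads netstat -i output on stdin; prints "name ierrs ipkts ppm" for every
# interface whose input error rate is at or above the threshold ($1, in ppm).
ierr_offenders() {
    awk -v thr="${1:-100}" '
        # Only the <Link#N> line of each interface carries the counters; the
        # address lines below it print "-" for Ierrs/Oerrs/Coll.
        $3 ~ /^<Link#/ && $5 > 0 {
            ppm = ($6 * 1000000) / $5
            if (ppm >= thr)
                printf "%s %d %d %d\n", $1, $6, $5, ppm
        }'
}

# Demo on the embedded sample: em1, em2 and em4 are reported; em0 and em3 are not.
printf '%s\n' "$NETSTAT_SAMPLE" | ierr_offenders 100
```

The counters in netstat -i are totals since boot, so a single listing cannot tell you whether the errors are still happening. While generating load, `netstat -w 1 -I em4` prints per-second counters for one interface and shows immediately whether the Ierrs column is still moving.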

Ethernet errors can occur because of

A quick look at the error counters of the physical NIC and the bridge on the host (for example with ip -s link show) turned up nothing, so cables and network gear can be ruled out. My suspicion fell on the emulated e1000 NICs of the pfSense guest: every other guest on this host uses virtio NICs. I decided to migrate the e1000 ones to virtio as well. Note that FreeBSD names virtio interfaces vtnetX instead of emX, so pfSense asks for the interfaces to be reassigned after the change.

Breakdown

After changing the NICs everything broke. I could ping other hosts (across interfaces) but could not connect with any other protocol. My first thought was that my firewall rules were blocking the traffic, but a search through them turned up nothing. I even disabled packet filtering entirely, turning pfSense into a pure router, and still had the same problem. A packet capture on the firewall then showed the following:

[Screenshot: packet capture on the firewall (pfsense_virtio_case)]

The TCP SYN from my laptop reached the server, which answered with a SYN-ACK. That SYN-ACK never made it back to my laptop: it arrived at pfSense but got stuck on the LAN interface, and both sides then started retransmitting. The pattern (ICMP works, TCP does not) is typical of a checksum offload problem rather than a filtering one: ICMP checksums are computed in software, whereas TCP and UDP checksums are exactly the ones the NIC, here the virtio device, is asked to fill in.

The fix is a single checkbox: disable "Hardware Checksum Offloading" under System -> Advanced -> Networking -> Network Interfaces.

[Screenshot: the "Hardware Checksum Offloading" checkbox under System -> Advanced -> Networking (pfSense_hardware_checksum_offloading)]

After rebooting pfSense, traffic flowed again without any problems. I have been running virtio since yesterday and have not seen a single Ethernet error since. The price is that TCP and UDP checksums are now computed by the guest CPU instead of being offloaded to the virtio device, a small cost at these traffic rates.
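An added check, not from the original post: once the checkbox is set and the interfaces have been reconfigured, the checksum offload capability flags should be gone from the options line that ifconfig prints for the interface. The helper below extracts the remaining flags from ifconfig output. The two listings are constructed samples of a virtio interface (vtnet0) before and after the change, with MAC, address and option bits made up for illustration; the function name is my own.

```shell
#!/bin/sh
# Added example, not from the original post: verify on the pfSense shell that
# checksum offloading really is off for a virtio (vtnetX) interface by reading
# the capability flags in the options=...<...> line of ifconfig output.
# Usage:   ifconfig vtnet0 | csum_offload_flags
# Prints the remaining checksum offload flags, or "none".

# Constructed samples of `ifconfig vtnet0` output (MAC, address and option
# bits made up for illustration): before and after disabling the offload.
IFCONFIG_OFFLOAD_ON='vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=c8000b<RXCSUM,TXCSUM,VLAN_MTU,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	ether 52:54:00:4b:db:65
	inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
	media: Ethernet 10Gbase-T <full-duplex>
	status: active'

IFCONFIG_OFFLOAD_OFF='vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=80008<VLAN_MTU,LINKSTATE>
	ether 52:54:00:4b:db:65
	inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
	media: Ethernet 10Gbase-T <full-duplex>
	status: active'

# Reads ifconfig output on stdin and prints the IPv4/IPv6 checksum offload
# flags that are still enabled, space separated, or "none" if there are none.
csum_offload_flags() {
    awk '
        /options=/ {
            line = $0
            sub(/.*options=[0-9a-fA-F]*</, "", line)   # drop everything up to "<"
            sub(/>.*/, "", line)                        # drop everything from ">"
            n = split(line, f, ",")
            for (i = 1; i <= n; i++)
                if (f[i] ~ /^(RX|TX)CSUM(_IPV6)?$/)
                    out = out (out == "" ? "" : " ") f[i]
        }
        END { print (out == "" ? "none" : out) }'
}

# Demo on the constructed samples.
printf '%s\n' "$IFCONFIG_OFFLOAD_ON"  | csum_offload_flags   # RXCSUM TXCSUM RXCSUM_IPV6 TXCSUM_IPV6
printf '%s\n' "$IFCONFIG_OFFLOAD_OFF" | csum_offload_flags   # none
```

For a one-off test on the running system, `ifconfig vtnet0 -rxcsum -txcsum` turns the IPv4 flags off immediately (the IPv6 equivalents are -rxcsum6 -txcsum6); only the checkbox in the GUI survives a reboot, because pfSense reapplies the interface settings from its configuration.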

