[SOLVED] Strange issues with Proxmox and OPNsense on Hetzner root-server

Jul 7, 2021
We have quite a few installations running OPNsense on Proxmox and they all run fine. For a couple of months we have also had one instance on a Hetzner root-server (EX101, Intel Core i9-13900) that causes me a lot of headaches, and I still cannot figure out the cause of these issues:

- getting the current system information on the firmware status page takes ages
- updating the system takes ages
- in general it seems that connections take very long to get established, e.g. when running speedtest.net it takes very, very long to find a suitable server and for the speedtest to start; however, once it runs the speeds are good. This leads to quite some problems with impatient software with short timeouts.

At first I spent hours trying to troubleshoot OPNsense, but even a re-install, installation in a new VM, and testing from the ISO image all showed the same issues. I then tried pfSense and again the same issue. So my conclusion by now is that it might be something related to Proxmox, FreeBSD (as the basis of the above-mentioned systems) and the server architecture. In Proxmox I tried the following adjustments:

- changed network cards from virtio to Intel E1000, no change
- changed OS type from Other to Linux, no change
- changed hardware machine type between q35 and i440fx, no change
- changed cpu type between host and kvm64, no change

The weirdest thing is that everything seems to work fine for about 30 seconds after a restart of the VM. There are no firewall rules blocking external connections, nor IDS/IPS. There is nothing in the firewall logs and nothing in a network capture that indicates any problems. All other VMs seem to run fine.

I was wondering if anyone else had similar problems and, if so, whether they could solve them. Maybe any other ideas what I could try and test? Thanks a lot.
 
The problem was caused by the wrong assumption that OPNsense uses the same ephemeral port range as FreeBSD. I should have detected that straight away with a packet capture and I really wonder why I didn't.

For anyone running into the same, you have the following options:
- change the ephemeral port range in the Hetzner stateless firewall to 1024-65535
- change the settings in OPNsense for the port range on the outbound NAT ("Translation / port")
- change the settings in OPNsense globally by changing System > Settings > Tunables: net.inet.ip.portrange.first
 
The same, I've been struggling for like a month now, without a clue.
My issue was here --> ephemeral port range in Hetzner stateless firewall.

Can you please provide more detail on the investigation and how did you discover the issue?
 
As written in my post... I simply ran a packet capture on the interface and noticed the source ports below the typical ephemeral port range of the Linux kernel (32768–60999), which is the default Hetzner suggests. The port range, however, differs depending on OS and version: https://en.wikipedia.org/wiki/Ephemeral_port
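To illustrate the check described in this thread, here is an added example (not code from the thread or from OPNsense) that parses a few constructed tcpdump-style lines, lists the source ports of outbound SYNs, and shows which replies a stateless return-traffic rule limited to 32768-60999 would silently drop. The addresses, capture lines and function names are assumptions made for the example.

```python
import re

# Range a stateless "allow return traffic" rule is commonly written for: the Linux
# default ephemeral range, which the thread says the Hetzner template assumes.
ASSUMED_EPHEMERAL = (32768, 60999)
WIDENED_RANGE = (1024, 65535)  # range the thread recommends configuring instead

# Constructed tcpdump-style lines (not a real capture). 203.0.113.10 stands in
# for the firewall's WAN address; both prefixes are RFC 5737 documentation ranges.
SAMPLE_CAPTURE = """\
12:00:01.000 IP 203.0.113.10.41523 > 198.51.100.5.443: Flags [S], seq 1
12:00:01.004 IP 198.51.100.5.443 > 203.0.113.10.41523: Flags [S.], seq 2
12:00:01.010 IP 203.0.113.10.12834 > 198.51.100.6.443: Flags [S], seq 3
12:00:01.014 IP 198.51.100.6.443 > 203.0.113.10.12834: Flags [S.], seq 4
12:00:01.020 IP 203.0.113.10.58011 > 198.51.100.7.80: Flags [S], seq 5
12:00:01.030 IP 203.0.113.10.2011 > 198.51.100.8.443: Flags [S], seq 6
"""

LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]"
)

def parse_capture(capture):
    """Yield (src, sport, dst, dport, flags) for every line the regex understands."""
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            yield src, int(sport), dst, int(dport), flags

def outbound_syn_ports(capture, wan_ip):
    """Source ports of TCP SYNs (flags exactly [S]) leaving the WAN address."""
    return [sp for src, sp, _, _, fl in parse_capture(capture)
            if src == wan_ip and fl == "S"]

def ports_outside_range(ports, allowed):
    """Sorted list of observed source ports that a rule limited to `allowed` misses."""
    lo, hi = allowed
    return sorted(p for p in ports if not lo <= p <= hi)

def dropped_returns(capture, wan_ip, allowed):
    """Destination ports of inbound SYN/ACK replies that a stateless return-traffic
    rule for `allowed` would drop, which is what stalls the connection setup."""
    lo, hi = allowed
    return sorted(dp for src, _, dst, dp, fl in parse_capture(capture)
                  if dst == wan_ip and fl == "S." and not lo <= dp <= hi)
```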
 