I recently upgraded my VyOS router to VyOS 1.5-rolling-202403120022 (from a build around mid December) and started experiencing problems with what appeared to be DNS. I had a look at the logs and I’m seeing a lot of
Mar 17 18:18:29 kernel: nf_ct_RAS: dropping packet: cannot process RAS message IN= OUT= PHYSIN=eth3 SRC=192.168.1.20 DST=192.168.1.1 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=38518 DF PROTO=UDP SPT=49621 DPT=53 LEN=61
Mar 17 18:18:31 kernel: nf_ct_RAS: dropping packet: cannot process RAS message IN= OUT= PHYSIN=eth3 SRC=192.168.1.20 DST=192.168.1.1 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=38520 DF PROTO=UDP SPT=49621 DPT=53 LEN=61
Mar 17 18:18:43 kernel: nf_ct_RAS: dropping packet: cannot process RAS message IN= OUT= PHYSIN=eth1 SRC=192.168.1.100 DST=192.168.1.1 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=16148 DF PROTO=UDP SPT=48317 DPT=53 LEN=39
Mar 17 18:18:48 kernel: nf_ct_RAS: dropping packet: cannot process RAS message IN= OUT= PHYSIN=eth1 SRC=192.168.1.100 DST=192.168.1.1 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=16150 DF PROTO=UDP SPT=48317 DPT=53 LEN=39
Mar 17 18:18:53 kernel: nf_ct_RAS: dropping packet: cannot process RAS message IN= OUT= PHYSIN=eth1 SRC=192.168.1.100 DST=192.168.1.1 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=16151 DF PROTO=UDP SPT=48317 DPT=53 LEN=39
Mar 17 18:18:54 kernel: nf_ct_RAS: dropping packet: cannot process RAS message IN= OUT= PHYSIN=eth3 SRC=192.168.1.20 DST=192.168.1.1 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=38521 DF PROTO=UDP SPT=49621 DPT=53 LEN=61
and even some for the router's own replies (SRC=192.168.1.1 with SPT=53, so presumably the DNS forwarder answering a LAN client; the UID/GID fields show the packet was locally generated):
Mar 17 19:42:15 kernel: nf_ct_RAS: dropping packet: cannot process RAS message IN= OUT= SRC=192.168.1.1 DST=192.168.1.100 LEN=126 TOS=0x00 PREC=0x00 TTL=64 ID=3622 PROTO=UDP SPT=53 DPT=51790 LEN=106 UID=112 GID=119
This affects regular web browsing, but it becomes very apparent under bursts of lookups, e.g. downloading from registry.npmjs.org or crates.io. Note that every dropped packet is plain UDP/53 DNS: the H.323 RAS helper normally only handles UDP/1719, so the helper appears to be attached to flows it has no business inspecting, and once it fails to parse them as RAS it drops them outright.
The quick workaround was to disable the h323 conntrack helper. Bear in mind that every conntrack helper parses packet payloads inside the kernel and creates "related" expectations that the firewall then accepts, so it is worth leaving disabled any helper you do not actually need, not just the one that is misbehaving:
delete system conntrack modules h323
Here’s my partially redacted (<SNIP>ped) config:
firewall {
    ipv4 {
        /* LAN -> router: accept everything, no per-rule filtering */
        name LAN-LOCAL {
            default-action accept
        }
        /* LAN -> WAN: egress is unfiltered */
        name LAN-WAN {
            default-action accept
        }
        /* router -> LAN: accept everything */
        name LOCAL-LAN {
            default-action accept
        }
        /* router -> WAN: accept everything */
        name LOCAL-WAN {
            default-action accept
        }
        /* WAN -> LAN: default drop; only return traffic and ping are let in */
        name WAN-LAN {
            default-action drop
            /* 'related' also admits flows set up by the conntrack helpers listed under system conntrack modules */
            rule 5 {
                action accept
                state established
                state related
            }
            /* log then drop anything conntrack cannot classify */
            rule 10 {
                action drop
                log
                state invalid
            }
            /* allow inbound ping from WAN */
            rule 20 {
                action accept
                icmp {
                    type-name echo-request
                }
                protocol icmp
            }
            <SNIP>
        }
        /* WAN -> router: same shape as WAN-LAN; no service ports are opened here */
        name WAN-LOCAL {
            default-action drop
            rule 5 {
                action accept
                state established
                state related
            }
            rule 10 {
                action drop
                log
                state invalid
            }
            rule 20 {
                action accept
                icmp {
                    type-name echo-request
                }
                protocol icmp
            }
            <SNIP>
        }
    }
    ipv6 {
        name LAN-LOCAL-6 {
            default-action accept
        }
        name LAN-WAN-6 {
            default-action accept
        }
        name LOCAL-LAN-6 {
            default-action accept
        }
        name LOCAL-WAN-6 {
            default-action accept
        }
        /* WAN -> LAN (delegated prefix): default drop; return traffic and ping only */
        name WAN-LAN-6 {
            default-action drop
            rule 5 {
                action accept
                state established
                state related
            }
            rule 10 {
                action drop
                log
                state invalid
            }
            rule 20 {
                action accept
                icmpv6 {
                    type-name echo-request
                }
                protocol ipv6-icmp
            }
        }
        /* WAN -> router: default drop plus the ND and DHCPv6 messages the uplink needs */
        name WAN-LOCAL-6 {
            default-action drop
            rule 5 {
                action accept
                state established
                state related
            }
            rule 10 {
                action drop
                log
                state invalid
            }
            rule 20 {
                action accept
                icmpv6 {
                    type-name echo-request
                }
                protocol ipv6-icmp
            }
            /* Router Advertisements only with hop-limit 255, i.e. only from on-link senders */
            rule 21 {
                action accept
                hop-limit {
                    eq 255
                }
                icmpv6 {
                    type-name nd-router-advert
                }
                protocol ipv6-icmp
            }
            /* NOTE(review): unlike rule 21 there is no hop-limit 255 match; RFC 4861 requires 255 for Neighbor Advertisements too, so consider adding hop-limit { eq 255 } to reject off-link NAs */
            rule 22 {
                action accept
                icmpv6 {
                    type-name nd-neighbor-advert
                }
                log
                protocol ipv6-icmp
            }
            /* DHCPv6 server/relay -> client replies; matches any source address, presumably only link-local senders are expected - consider restricting source to fe80::/10 once the ISP's behaviour is confirmed */
            rule 30 {
                action accept
                description "dhcpv6 agent messages"
                destination {
                    port 546
                }
                protocol udp
                source {
                    port 547
                }
            }
        }
    }
    /* zone policy: LAN is the br0 bridge, WAN is the eth0.10 uplink, LOCAL is the router itself */
    zone LAN {
        default-action drop
        from LOCAL {
            firewall {
                ipv6-name LOCAL-LAN-6
                name LOCAL-LAN
            }
        }
        from WAN {
            firewall {
                ipv6-name WAN-LAN-6
                name WAN-LAN
            }
        }
        interface br0
    }
    zone LOCAL {
        default-action drop
        from LAN {
            firewall {
                ipv6-name LAN-LOCAL-6
                name LAN-LOCAL
            }
        }
        from WAN {
            firewall {
                ipv6-name WAN-LOCAL-6
                name WAN-LOCAL
            }
        }
        local-zone
    }
    zone WAN {
        default-action drop
        from LAN {
            firewall {
                ipv6-name LAN-WAN-6
                name LAN-WAN
            }
        }
        from LOCAL {
            firewall {
                ipv6-name LOCAL-WAN-6
                name LOCAL-WAN
            }
        }
        interface eth0.10
    }
}
interfaces {
    /* LAN side: eth1-eth5 are bridged and the router answers on 192.168.1.1 */
    bridge br0 {
        address 192.168.1.1/24
        description LAN
        member {
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            interface eth5 {
            }
        }
    }
    /* WAN uplink is VLAN 10 on eth0, addressed by DHCP for both v4 and v6 */
    ethernet eth0 {
        hw-id 3c:ec:ef:46:91:d0
        vif 10 {
            address dhcp
            address dhcpv6
            description "<SNIP> VLAN"
            /* request a /56 delegation; the first /64 (sla-id 0) goes to br0 with the router as ::1 */
            dhcpv6-options {
                pd 0 {
                    interface br0 {
                        address 1
                        sla-id 0
                    }
                    length 56
                }
            }
            mtu 1500
        }
    }
    /* physical LAN ports, bridged via br0 above (hw-id MACs were left unredacted in the paste) */
    ethernet eth1 {
        hw-id 3c:ec:ef:46:91:d1
    }
    ethernet eth2 {
        hw-id 3c:ec:ef:46:91:d2
    }
    ethernet eth3 {
        hw-id 3c:ec:ef:46:91:d3
    }
    ethernet eth4 {
        hw-id 3c:ec:ef:46:91:d4
    }
    ethernet eth5 {
        hw-id 3c:ec:ef:46:91:d5
    }
    /* eth6 and eth7 carry no configuration */
    ethernet eth6 {
        hw-id 3c:ec:ef:46:97:c2
    }
    ethernet eth7 {
        hw-id 3c:ec:ef:46:97:c3
    }
    loopback lo {
    }
}
nat {
    destination {
        <SNIP>
    }
    source {
        /* masquerade 192.168.0.0/16 out of the WAN VLAN; wider than the 192.168.1.0/24 LAN, presumably to cover the <SNIP>ped subnets */
        rule 10 {
            outbound-interface {
                name eth0.10
            }
            source {
                address 192.168.0.0/16
            }
            translation {
                address masquerade
            }
        }
        <SNIP>
    }
}
service {
    /* LAN DHCP: clients are pointed at the router (192.168.1.1) for DNS, which is what the dropped UDP/53 packets above are */
    dhcp-server {
        hostfile-update
        shared-network-name LAN {
            subnet 192.168.1.0/24 {
                lease 86400
                option {
                    default-router 192.168.1.1
                    domain-name localdomain
                    name-server 192.168.1.1
                }
                range 0 {
                    start 192.168.1.100
                    stop 192.168.1.254
                }
                <SNIP>
                subnet-id 1
            }
        }
    }
    /* DNS forwarder: bound to the LAN address only, answers only the LAN prefix, validates DNSSEC */
    dns {
        forwarding {
            allow-from 192.168.1.0/24
            cache-size 1000000
            dnssec validate
            listen-address 192.168.1.1
        }
    }
    /* NTP: allow-client is wide open (0.0.0.0/0, ::/0); WAN-LOCAL drops UDP/123 anyway, but restricting this to the LAN prefix would be defence in depth */
    ntp {
        allow-client {
            address 0.0.0.0/0
            address ::/0
        }
        server time1.vyos.net {
        }
        server time2.vyos.net {
        }
        server time3.vyos.net {
        }
    }
    /* advertise the delegated /64 on the LAN bridge */
    router-advert {
        interface br0 {
            link-mtu 1500
            prefix ::/64 {
            }
        }
    }
    /* SNMP bound to the LAN address, v3 only */
    snmp {
        listen-address 192.168.1.1 {
        }
        location <SNIP>
        v3 {
            <SNIP>
        }
    }
    /* SSH has no listen-address, so it binds everywhere; WAN reachability is blocked by the WAN-LOCAL default drop */
    ssh {
        port 22
    }
}
system {
    config-management {
        commit-revisions 100
    }
    /* conntrack helpers left enabled after removing h323; each one parses payloads in the kernel, so keep only those actually needed */
    conntrack {
        modules {
            ftp
            nfs
            pptp
            sip
            sqlnet
            tftp
        }
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    domain-name localdomain
    host-name vyos
    /* encrypted-password redacted; the empty plaintext-password is how VyOS renders a hashed password, not an empty one */
    login {
        user vyos {
            authentication {
                encrypted-password <SNIP>
                plaintext-password ""
            }
        }
    }
    /* the router resolves against its own forwarder */
    name-server 192.168.1.1
    syslog {
        global {
            facility all {
                level info
            }
            facility local7 {
                level debug
            }
        }
    }
    time-zone Pacific/Auckland
}