Strange behavoiur on vyos-2025.04.09-0018-rolling-generic-amd64 timeput

lepri13 · April 13, 2025, 12:30am

Hey Everyone.

Trying to get Vyos up and running as my main router to ISP. And having a strange issue. My connection comes up I get IP address. All is well, however shortly after I am starting to have a issues / timeouts.
Pings don’t interrupt and are continuos, pppoe stays connected, there are no errors, dropped packets or collisssions. Firewall looks ok as well. I have tried to play with MTU and there is no change that I can tell.
My ISP if optical fibre to premises with pppoe authentication. The same hardware works with OpnSense so I know at least the hardware is ok.
Any help would be appreciated.

Apachez · April 13, 2025, 12:50am

What does “shortly” mean?

Like a few minutes or a few hours?

Perhaps som DHCP-snooping at your ISP who is expecting your WAN-interface to reissue a DHCP-request which when not seen will block your traffic but at the same time you wrote that ping etc still works so what do you mean by timeouts?

lepri13 · April 13, 2025, 1:02am

Within a minute or so. I’ve been running my own firewall on that connection for last few years.

I would open a browser and it would render a page really fast or will time out/partially load the page.

Apachez · April 13, 2025, 1:12am

How is your settings?

Do you perhaps have some malware that is saturating the conntrack table?

tjh · April 13, 2025, 2:52am

Sounds like conntrack table exhaustion.

Also turn off all ethernet offload settings.

lepri13 · April 13, 2025, 7:13am

From the hardware sire it’s a Dell VEP 1445 with 24 Gigs of Ram. Lan is connected via SFP+ DAC and WAN is on copper going to ISP’s media converter.

set firewall ipv4 forward filter default-action 'drop'
set firewall ipv4 forward filter rule 20 action 'accept'
set firewall ipv4 forward filter rule 20 description 'Allow Return traffic through the router'
set firewall ipv4 forward filter rule 20 inbound-interface name 'pppoe0'
set firewall ipv4 forward filter rule 20 state 'established'
set firewall ipv4 forward filter rule 20 state 'related'
set firewall ipv4 forward filter rule 1000 action 'accept'
set firewall ipv4 forward filter rule 1000 description 'Allow All from LAN interface'
set firewall ipv4 forward filter rule 1000 inbound-interface name 'eth6'
set firewall ipv4 input filter default-action 'drop'
set firewall ipv4 input filter rule 10 action 'accept'
set firewall ipv4 input filter rule 10 description 'Allow Return traffic destined to the router'
set firewall ipv4 input filter rule 10 inbound-interface name 'pppoe0'
set firewall ipv4 input filter rule 10 state 'established'
set firewall ipv4 input filter rule 10 state 'related'
set firewall ipv4 input filter rule 1000 action 'accept'
set firewall ipv4 input filter rule 1000 description 'Allow All from LAN interface'
set firewall ipv4 input filter rule 1000 inbound-interface name 'eth6'
set firewall ipv4 output filter default-action 'accept'
set interfaces dummy dum0 address '192.168.1.1/32'
set interfaces ethernet eth0 hw-id '18:5a:58:08:8d:62'
set interfaces ethernet eth0 offload gro
set interfaces ethernet eth0 offload gso
set interfaces ethernet eth0 offload sg
set interfaces ethernet eth0 offload tso
set interfaces ethernet eth1 hw-id '18:5a:58:08:8d:63'
set interfaces ethernet eth1 offload gro
set interfaces ethernet eth1 offload gso
set interfaces ethernet eth1 offload sg
set interfaces ethernet eth1 offload tso
set interfaces ethernet eth2 hw-id '18:5a:58:08:8d:60'
set interfaces ethernet eth2 offload gro
set interfaces ethernet eth2 offload gso
set interfaces ethernet eth2 offload sg
set interfaces ethernet eth2 offload tso
set interfaces ethernet eth3 hw-id '18:5a:58:08:8d:61'
set interfaces ethernet eth3 offload gro
set interfaces ethernet eth3 offload gso
set interfaces ethernet eth3 offload sg
set interfaces ethernet eth3 offload tso
set interfaces ethernet eth4 description 'WAN'
set interfaces ethernet eth4 hw-id '18:5a:58:08:8d:67'
set interfaces ethernet eth4 offload gro
set interfaces ethernet eth4 offload gso
set interfaces ethernet eth4 offload sg
set interfaces ethernet eth4 offload tso
set interfaces ethernet eth5 hw-id '18:5a:58:08:8d:66'
set interfaces ethernet eth5 offload gro
set interfaces ethernet eth5 offload gso
set interfaces ethernet eth5 offload sg
set interfaces ethernet eth5 offload tso
set interfaces ethernet eth6 address '192.168.1.1/24'
set interfaces ethernet eth6 description 'LAN'
set interfaces ethernet eth6 hw-id '18:5a:58:08:8d:65'
set interfaces ethernet eth6 offload gro
set interfaces ethernet eth6 offload gso
set interfaces ethernet eth6 offload sg
set interfaces ethernet eth6 offload tso
set interfaces ethernet eth7 hw-id '18:5a:58:08:8d:64'
set interfaces ethernet eth7 offload gro
set interfaces ethernet eth7 offload gso
set interfaces ethernet eth7 offload sg
set interfaces ethernet eth7 offload tso
set interfaces loopback lo
set interfaces pppoe pppoe0 authentication password '*'
set interfaces pppoe pppoe0 authentication username '*'
set interfaces pppoe pppoe0 mtu '1492'
set interfaces pppoe pppoe0 source-interface 'eth4'
set interfaces wireless wlan0 hw-id '04:f0:21:51:86:04'
set interfaces wireless wlan0 physical-device 'phy0'
set nat source rule 10 description 'NAT source address for all traffic leaving WAN'
set nat source rule 10 outbound-interface name 'pppoe0'
set nat source rule 10 translation address 'masquerade'
set service dhcp-server shared-network-name LAN option default-router '192.168.1.1'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 option name-server '8.8.8.8'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 range 0 start '192.168.1.50'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 range 0 stop '192.168.1.250'
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 subnet-id '1'
set service ntp allow-client address '127.0.0.0/8'
set service ntp allow-client address '169.254.0.0/16'
set service ntp allow-client address '10.0.0.0/8'
set service ntp allow-client address '172.16.0.0/12'
set service ntp allow-client address '192.168.0.0/16'
set service ntp allow-client address '::1/128'
set service ntp allow-client address 'fe80::/10'
set service ntp allow-client address 'fc00::/7'
set service ntp server time1.vyos.net
set service ntp server time2.vyos.net
set service ntp server time3.vyos.net
set service ssh listen-address '192.168.1.1'
set system config-management commit-revisions '100'
set system console device ttyS0 speed '115200'
set system host-name 'fw01'
set system login user 
set system name-server '8.8.8.8'
set system syslog local facility all level 'info'
set system syslog local facility local7 level 'debug'

pppoe interface
pppoe0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN group default qlen 3
link/ppp
inet 90.x.x.x peer 90.x.x.x/32 scope global pppoe0
valid_lft forever preferred_lft forever
inet6 x:x:x:x/64 scope link
valid_lft forever preferred_lft forever
Description: Vodafone

RX:    bytes  packets  errors  dropped  overrun       mcast
     1475144     3418       0        0        0           0
TX:    bytes  packets  errors  dropped  carrier  collisions
     1154589     3356       0        0        0           0

lepri13 · April 13, 2025, 7:16am

marvin · April 14, 2025, 1:30pm

@lepri13 In the handful of times I’ve needed to use PPPoE on VyOS, it was necessary to set the following on the PPPoE interface for TCP traffic to work correctly:

set interfaces pppoe pppoe0 ip adjust-mss clamp-mss-to-pmtu

lepri13 · April 15, 2025, 6:24pm

@marvin you are a legend. Looks like it’s working. I will keep testing and see if there are any issues.

lepri13 · April 15, 2025, 7:46pm

Let’s call it closed, unless the issues comes back. Thank you @marvin.

system · April 17, 2025, 7:47pm

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.