Traffic forwarding issue after upgrading from 1.4-rolling to 1.5-stream-2025-Q1

Hello everyone,

I’ve encountered a traffic forwarding issue after upgrading from 1.4-rolling-202312140922 to 1.5-stream-2025-Q1.

The issue appears to affect certain types of traffic — most likely asymmetric flows within my distributed VPN setup. Even ICMP traffic is impacted: I can see it arriving on the inbound interface via tcpdump, but it doesn’t leave through the outbound interface, despite being correctly routed according to the routing table.

I found a related discussion here: Have to delete firewall global-options state-policy invalid after upgrading to 1.5-stream-2025-Q1 - #8 by Viacheslav, but modifying line 89 didn’t resolve the issue. I also verified that rp_filter is set to 0 on all interfaces.

Could someone please advise what else I should check? What might have changed or broken during the migration to 1.5?

I also noticed that the counter in nftables for my icmp echo-reply rule did not increase, which suggests that the traffic is being dropped earlier:

icmp type echo-reply counter packets 1 bytes 84 accept comment "ipv4-NAM-main-900"

Thank you in advance!
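
Added example, not part of the original post and not VyOS code: one way to follow up on the counter observation above is to save `nft list ruleset` before and after sending a few test pings, then list every rule whose packet counter moved, which shows where in the ruleset the packets are actually being matched. The two snapshots, the table and chain names, and the `ct state invalid` rule are constructed sample input; only the echo-reply rule is taken from the post.

```python
import re

# Counter portion of a rule line as printed by `nft list ruleset`.
COUNTER = re.compile(r"\bcounter packets (\d+) bytes (\d+)\b")
CHAIN = re.compile(r"^\s*chain (\S+) \{")

def parse_counters(ruleset_text):
    """Map (chain, rule text with counter values stripped) -> packet count."""
    counters, chain = {}, None
    for line in ruleset_text.splitlines():
        m = CHAIN.match(line)
        if m:
            chain = m.group(1)
            continue
        c = COUNTER.search(line)
        if c:
            # Strip the numbers so the same rule has the same key in both snapshots.
            rule = COUNTER.sub("counter", line).strip()
            counters[(chain, rule)] = int(c.group(1))
    return counters

def moved_rules(before_text, after_text):
    """Return sorted [(chain, rule, delta)] for rules whose packet counter increased."""
    before, after = parse_counters(before_text), parse_counters(after_text)
    return sorted(
        (chain, rule, pkts - before.get((chain, rule), 0))
        for (chain, rule), pkts in after.items()
        if pkts > before.get((chain, rule), 0)
    )

# Constructed snapshots; table and chain names are placeholders, not VyOS's own.
BEFORE = '''
table ip example_filter {
    chain EXAMPLE_FORWARD {
        ct state invalid counter packets 10 bytes 840 drop
        icmp type echo-reply counter packets 1 bytes 84 accept comment "ipv4-NAM-main-900"
    }
}
'''
# Same ruleset after five test packets hit the first rule (constructed).
AFTER = BEFORE.replace("packets 10 bytes 840", "packets 15 bytes 1260")

if __name__ == "__main__":
    for chain, rule, delta in moved_rules(BEFORE, AFTER):
        print(f"+{delta:<4} {chain}: {rule}")
```

On a live system the two inputs would be the saved output of `nft list ruleset` taken around the test; rules with identical text in same-named chains of different tables share a key here.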

You don’t state what hardware you’re using it on, or if you’re virtualised. If hardware, I would try turning OFF all ethernet offloads and see if that resolves your issue.

I’m using virtualization on Proxmox with network interfaces based on the VirtIO driver. However, I don’t think this issue is hardware-related, because otherwise I wouldn’t see incoming packets on the inbound interface in tcpdump — or I would see outgoing packets on the outbound interface that never reach their destination.