Getting disconnected from a VM after a while


serverkim

New Member
Mar 12, 2022
8
0
1
Hi

I hope you can help me figure out a network issue. To be honest, I don't necessarily need to fix it, since almost all machines are running in a virtual HOME LAB (Proxmox) which I have been practicing with for a while to learn something new.

I installed OPNsense as a VM in Proxmox 8 to practice with this firewall. It gets an IP (its main WAN port) from my physical router which manages my home LAN. I set a WAN pass rule in OPNsense to allow my PC on my physical LAN to get access to the OPNsense GUI, VMs and physical machines on its internal LAN. Of course, I also set up a route on my home router to reach the OPNsense VM's LAN. From my physical PC on the HOME LAN, I can ping the laptop connected to a Proxmox NIC that is on the OPNsense LAN. So far so good.

However, when I connect to the laptop via Windows RDP, a problem occurs that I still can't manage to get my head around: after I log in, the connection gets closed after a while (from 10 to 20 secs), and sometimes I can't even connect to the machine.

remote desk warning.jpg


I get the same problem if I want to connect to the laptop via an SSH connection (PuTTY).
So, I ran Wireshark on my Windows machine to try to figure out this issue. I don't know if the screenshot below can be of any help:

malconn.jpg


I also ran tcpdump on Proxmox in the hope of catching something meaningful. Here are a couple of screenshots:

wires01.jpg


wires02.jpg


IP 192.168.9.10 is my laptop address on the OPNsense LAN. 192.168.3.100 is my physical PC IP. AFAIK, I don't think that the problem has anything to do with OPNsense. I have the same problem if I run a Mikrotik x86 VM with pretty much the same network setup in Proxmox.

Could you help me figure it out please? Thanks
 

minimos

New Member
Aug 23, 2023
19
4
3
Hi,

I am in no way an expert in network stacks, but it looks like you are losing packets at some point in your infrastructure, which requires a resend of a TCP packet that has exceeded the RTO.

You probably need to start eliminating potential causes. I would start by plugging your laptop into your existing LAN equipment (router or switch) nearest to your box that hosts the Windows VM you RDP into and see if you get the same issues (i.e. remove OpnSense out of the equation for now and any additional pieces of hardware, assuming you are not using the OpnSense VM on your existing LAN), then add in extra layers until the problem returns.

I think a diagram of your setup may help others understand how you are configured physically so they can assist.

Here are some links that may help you understand the retransmission:

TCP Retransmission Timeout (RTO): Causes & Performance (extrahop.com)

Wireshark Spurious Retransmissions - a Concern? (chappell-university.com)

Minimos
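
One way to look for the retransmissions described in the reply above in tcpdump's text output. This is an added example, not part of the thread: the sample lines are constructed in `tcpdump -n -tt -S` format using the two addresses from the thread, and `find_retransmissions` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Constructed sample in `tcpdump -n -tt -S` text format (not taken from the thread's screenshots).
SAMPLE = """\
1700000000.000000 IP 192.168.3.100.51000 > 192.168.9.10.3389: Flags [S], seq 1000, win 64240, length 0
1700000000.001000 IP 192.168.9.10.3389 > 192.168.3.100.51000: Flags [S.], seq 5000, ack 1001, win 65535, length 0
1700000000.002000 IP 192.168.3.100.51000 > 192.168.9.10.3389: Flags [.], ack 5001, win 512, length 0
1700000000.010000 IP 192.168.3.100.51000 > 192.168.9.10.3389: Flags [P.], seq 1001:1101, ack 5001, win 512, length 100
1700000000.310000 IP 192.168.3.100.51000 > 192.168.9.10.3389: Flags [P.], seq 1001:1101, ack 5001, win 512, length 100
1700000000.910000 IP 192.168.3.100.51000 > 192.168.9.10.3389: Flags [P.], seq 1001:1101, ack 5001, win 512, length 100
1700000001.000000 IP 192.168.9.10.3389 > 192.168.3.100.51000: Flags [P.], seq 5001:5051, ack 1001, win 65535, length 50
"""

LINE = re.compile(r"^(\d+\.\d+) IP (\S+) > (\S+): Flags \[([^\]]*)\],"
                  r"(?: seq (\d+)(?::(\d+))?,)?(?: ack (\d+),)?.* length (\d+)")

def find_retransmissions(text):
    """List segments seen more than once, and whether the peer ever ACKed them."""
    sent = defaultdict(list)   # (src, dst, seq, end) -> timestamp of every copy
    acked = defaultdict(int)   # (acker, peer) -> highest ack number seen
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, src, dst, flags, seq, end, ack, length = m.groups()
        if ack:
            acked[(src, dst)] = max(acked[(src, dst)], int(ack))
        # Pure ACKs carry no sequence space; only data segments and SYNs count.
        if seq and (int(length) > 0 or "S" in flags):
            last = int(end) if end else int(seq) + 1  # a SYN consumes one number
            sent[(src, dst, int(seq), last)].append(float(ts))
    report = []
    for (src, dst, seq, last), times in sent.items():
        if len(times) > 1:
            # Sequence wrap-around is ignored; fine for a short capture.
            gaps = [round(b - a, 3) for a, b in zip(times, times[1:])]
            report.append({"flow": f"{src} > {dst}", "seq": seq,
                           "copies": len(times), "gaps_s": gaps,
                           "ever_acked": acked[(dst, src)] >= last})
    return report

if __name__ == "__main__":
    for entry in find_retransmissions(SAMPLE):
        print(entry)
```

Running the same check on captures from each bridge or interface along the path shows on which side the repeated copies are seen and whether an ACK for them is seen there.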
 

serverkim

> You probably need to start eliminating potential causes. I would start by plugging your laptop into your existing LAN equipment (router or switch) nearest to your box that hosts the Windows VM you RDP into and see if you get the same issues (i.e. remove OpnSense out of the equation for now and any additional pieces of hardware, assuming you are not using the OpnSense VM on your existing LAN), then add in extra layers until the problem returns.

My second old laptop works perfectly on my HOME LAN (192.168.3.0/24), and of course I can connect to it via RDP and SSH. No problem whatsoever in this case.

> I think a diagram of your setup may help others understand how you are configured physically so they can assist.

prox-opnsense-lab.jpg
For the time being, I only use Proxmox as a home LAB to experiment with something new and learn new things about computer networking.
So, as a recap, I have that problem when I want to connect via RDP or SSH from PC 192.168.3.100 on my physical LAN to laptop 192.168.9.10 running on the network managed by OPNsense, as you can see in the image above.

Thanks
 

minimos

OK the picture helps understand your setup a little.

When you say your old laptop can connect I assume this is either using wireless via the home router or connected wired to that device?

How have you configured the interfaces in ProxMox? You mention using it as a home lab so I assume you are using VMBR0 as the management interface?

How are you assigning the WAN address in OpnSense: is it static or leased from the router?

A view of your current firewall rules in OpnSense for both WAN and LAN would also be helpful.

One final thing for now, do you have the firewall enabled on your virtual bridges in Proxmox?
 

serverkim

> When you say your old laptop can connect I assume this is either using wireless via the home router or connected wired to that device?

Both the PC and the laptop you see in the image above can connect to the internet and each other (via RDP, etc.) when they are on the HOME LAN (192.168.3.0/24).

> How have you configured the interfaces in ProxMox? You mention using it as a home lab so I assume you are using VMBR0 as the management interface?

proxwan-lan.jpg

> How are you assigning the WAN address in OpnSense is it static or leased from the router?

It gets the same IP leased from the home router every time I start it.

> A view of your current firewall rules in OpnSense for both WAN and LAN would also be helpful.

I don't think OPNsense has anything to do with the issue, since another VM, which runs a Mikrotik virtual router, goes through the same problem.
I think the issue is somewhere on the Proxmox side, WAN or LAN.

> One final thing for now, do you have the firewall enabled on your virtual bridges in Proxmox?

Disabled.

Thank you very much.
 

minimos

Looking at the config above in relation to your first diagram, your management interface appears to be the same as your OpnSense WAN address, unless your OpnSense WAN is pulling a different IP from the router and your first diagram does not show this? When testing my own config with different router VMs I always keep the IPs different, i.e. set OpnSense on the WAN interface to DHCP so it pulls its own address, and never had any issues (you would also need to check the option to not block private network addresses in such a scenario, but I imagine you already have this option set as you can ping).

Also, have you reserved the Management Interface in OpnSense (or assigned it outside of your DHCP leases) so that it cannot be assigned to another device?

> I don't think OPNsense has anything to do with the issue since another VM in which runs a Mikrotik virtual router goes through the same problem.
> I think the issue is somewhere on the Proxmox side, WAN or LAN.

As you are making your HOMELAN 192.168.3.0/24 in effect to OpnSense or Mikrotik appear as another network and the firewalls block by default incoming traffic. If you have a spare port on your ProxMox host add it to VMBR0 and plug your laptop with ethernet cable into the physical port and see if you still have the same issues. (If you have DHCP enabled on your laptop it should get a lease from your Home Router and be seen as essentially on the same network) It will be a way of understanding if there is an issue with your ProxMox setup. However I would look into the IP suggestion above first.
 

serverkim

The OPNsense WAN is on vmbr0 too, but it gets another IP from my physical home router. Never had problems with that before.
As for OPNsense firewall (or MK), I had already set an incoming pass rule from WAN for my pc (192.168.3.100).
 

minimos

> The OPNsense WAN is on vmr0 too, but it gets another IP from my physical Home router. Never had problems with that before.
> As for OPNsense firewall (or MK), I had already set an incoming pass rule from WAN for my pc (192.168.3.100).

Your initial diagram showed the Opnsense WAN address as .29, hence my point above which you have now confirmed is not the case.

The basic troubleshooting suggested so far you have dismissed quickly, so it indicates you are well versed in these matters.

Perhaps you could outline what you have done to troubleshoot other than ping to date and the results as well as providing as many logs / configs you feel may be relevant based on those steps.
 

serverkim

> Your initial diagram showed the Opnsense WAN address as .29, hence my point above which you have now confirmed is not the case.
>
> The basic troubleshooting suggested so far you have dismissed quickly, so it indicates you are well versed in these matters.
>
> Perhaps you could outline what you have done to troubleshoot other than ping to date and the results as well as providing as many logs / configs you feel may be relevant based on those steps.

Anything but well versed in these matters here. I have just narrowed it down to Proxmox, but I can't see what is wrong with it precisely.