So I am currently first time testing Ipfire with a self-build firewall pc (x86_64 with a 4 port gbit Intel NIC on pcie port). I previously installed OPNsense on the exact same hardware and that was working fine in the exact same setup (but the UI felt too cluttered and FreeBSD was a pain to work with).
So I downloaded the latest iso image (IPFire 2.29 (x86_64) - Core-Update 184) and installed it on what seemed like very standard settings (Ext4, Red-Green, one port of the NIC used for red another one for green).
That a all seems to have gone well and I can log into the Webui fine. But that is where the issue start. Both from the firewall itself as well as PCs connected to it have an extremely flaky connection. Even the DNS servers seems to randomly time out and it is nearly impossible to install any addons on the firewall as there are download errors most of the time, but not always.
On the side of the PC connected directly to the green-zone port the internet works, but it is very slow and seems to have to retry connections a lot. The SSH connection to the firewall seems to work though.
On the firewall logs in the Webui I see a lot of “DROP_CTINVALID” errors and some “DROP_NEWNOTSYN”. But no idea what that means. Otherwise there are no easy to see errors in the logs.
The only thing that I can think of that might be uncommon on my current setup is that for testing purposes I have connected the WAN red zone to my ISP router as any normal PC would, but it gets an IP from the ISP router via DHCP etc fine. So there is some double NAT ongoing, but that didn’t seem to be any issue for OPNsense before (and I previously ran OpenWRT on different hardware but similar setup without problems like that).
Anyone has an idea what might be the problem here?
I like IPfire so far otherwise, so it would be really nice if I could fix this somehow. Thanks!
Yes that was also what I thought might be the issue, I tried disabling the ISP one, also switched between UDP and TCP. Also added some external DNS servers.
The odd thing is when I do the dns check these external DNS servers sometimes work and sometimes fail with a timeout, which lets me assume the issue is upstream of the DNS config as seems similar to the timeout issues of other connections.
Yes, with the check DNS providers it shows it randomly as working and sometimes as broken as I wrote above. And when it is broken the error message for the DNS servers is an timeout.
The hardware is a normal Intel CPU and Intel NIC I have in use with Linux for many years already.
When I try to download addons I get errors like this (but not always):
DOWNLOAD ERROR: The downloaded file (pub/ipfire/pakfire2/2.27-x86_64/meta/meta-apcupsd) wasn't verified by IPFire.org. Sorry - Exiting...
TIME INFO: Time Server 193.136.164.4 has +0.106725 sec offset to localtime.
(I tried down-grading to an older version, which is why it says 2.27. But the issue is exactly the same)
Or sometimes:
Mar 28 00:13:53 ipfire pakfire: DOWNLOAD INFO: HTTP-Status-Code: 500 - 500 Can't connect to mirror.vtti.vt.edu:443 (Connection timed out)
Mar 28 00:13:53 ipfire pakfire: DOWNLOAD ERROR: 500 Can't connect to mirror.vtti.vt.edu:443 (Connection timed out)
Maybe that is a hint somehow? During installation the NTP connection also made an error, but if I go to the time server setting it says that it recently syncronized ok.