Network interruptions (LAN & Internet)

NethServer Version: 7.9.2009

Hi all,

I am a former ClearOS user and started out with NS7 because that was the most familiar to me.
When I have it working like I want to, I plan to migrate to NS8.

I recently put my router in bridge mode, because it was advised to me but I never had a problem with port forwarding the ports that I wanted from my router.
I use my NS7 box as a gateway for my clients.

Interruptions

I encountered interruptions when streaming video, sometimes every few minutes.
According to my ISP support they were the result of NAT problems, but after setting my router to bridge mode nothing improved.
Could the problem be my firewall rules … ?!?

On my Win10 clients I use AVG Antivirus Free, but I also have the default antivirus do regular scans.
The default Win 10 firewall cannot be disabled without creating all sorts of problems and additionally I use FreeFirewall because I need some control over what programs I allow access to the Internet.

I also lose the LAN connection to my webinterface every once in a while during those interruptions.

Please assist

At what time is scheduled backup?

Do you mean this … ?!?

I exactly meant that…
So backup is ruled out as resource drainer.

You have your IPS module installed… this might be another resource drainer if configuration is not tweaked and optimized enough.

And might be CPU-dependent about efficacy.

Not sure what you mean with IPS not being tweaked and optimized enough and I doubt that efficacy is the problem.

Did you check streaming video on different devices?
Maybe a WiFi issue?

Should have enough grunt to deliver server and firewall role without any issue.

You are aware that close to 23:00 (11:00PM for old fashioned people) the connection somehow goes “hiccup”. You could verify if there’s any particular resource use at that time… being connected in real time to Cockpit for some investigation.

I know, it’s not an “answer”, however I currently have only timing, 8 cores, 32gb of ram. More than nothing, but not a detailed enough picture of your environment.

Feel free to consider savvy and prudent do not overshare any specific details of your setup, in this community privacy and confidentiality are respected. On the other hand, on this side of the network I know close to nothing about your setup, hardware configuration, roles/applications, size of the network behind and such.

Any detail is useful to provide precise hints :wink:

I can try to stream on a different device, but I doubt that will make any difference.
I also mentioned that during these interruptions I sometimes lose my LAN connection to the web interface.
WiFi is not mentioned or used … I only use cabled network.


I have only a limited amount of clients behind my NS7 gateway, but currently I am only using my workstation with Win10.
My NS7 box and workstation have the same hardware specs and are newly installed (so for now only the basic services are running):
Dell Inc. OptiPlex 9020
Intel(R) Core™ i7-4770 CPU @ 3.40GHz x 8
32Gb RAM

My network is Gigabit, but my Internet connection is not.

If there is any more specific info you require that would help in troubleshooting this issue, please ask.

PS.
I tested it with my additional firewall and antivirus on my workstation disabled, but the interruptions still happened.

Hi all,

I have confirmed that the problem is with my NS7 box, because I have the same disconnect and interrupt problems with my media center (HP Compaq dc7900 Ultra-slim Desktop) that also has a new installation of Win 10.
I also can report that from a 3rd client (my former workstation with 16Gb RAM) the same things happened.
With my ClearOS box as gateway and my former workstation I never had these problems.
It’s also not the network, because my UTP CAT 6 shielded cables and switches are new and installed by a specialist.

In the mean time I have experimented on my workstation with a non Dell NIC driver from Intel that is newer, but without success.

Please advise with your well thought through suggestions.

As a mere developer and complete ignorant suggestion, do you mind trying Nethsecurity 8?

Just to rule out any “older” driver issues (it might not be the case since ClearOS used the same CentOS base, but who knows :man_shrugging:)

Thanks for replying and your suggestion made me think, but NS8 (if that is what you mean) is too big of a leap for someone who is not a developer and new to NS7 like me.
I could just as well start over with a complete other distribution, because a.f.a.i.k. NS8 is not really an update of NS7.

Could a solution be to just find and update the NIC drivers of my NS7 box … ?!?

em1 (LAN)
Model: Intel Corporation Ethernet Connection I217-LM (rev 04) - (latest version: Release 29.2)
Speed: 1000
Driver: e1000e

ethtool -i em1

driver: e1000e
version: 3.2.6-k
firmware-version: 0.13-4
expansion-rom-version:
bus-info: 0000:00:19.0
supports-statistics: yes
supports-test: yes
supports-eeprom-access: yes
supports-register-dump: yes
supports-priv-flags: no

modinfo e1000e

filename: /lib/modules/3.10.0-1160.119.1.el7.x86_64/kernel/drivers/net/ethernet/intel/e1000e/e1000e.ko.xz
version: 3.2.6-k
license: GPL v2
description: Intel(R) PRO/1000 Network Driver
author: Intel Corporation, linux.nics@intel.com
retpoline: Y
rhelversion: 7.9
srcversion: 098ECE9B1EBA1A3C30EA7ED
alias …
depends: ptp
intree: Y
vermagic: 3.10.0-1160.119.1.el7.x86_64 SMP mod_unload modversions
signer: CentOS Linux kernel signing key
sig_key: 68:EA:10:3F:2C:90:A8:DC:0B:B0:44:6C:06:D1:45:61:F2:9E:11:72
sig_hashalgo: sha256
parm: …

p4p1 (External)
Model: D-Link System Inc DGE-528T Gigabit Ethernet Adapter (rev 10) - (latest version: 8.33)
Speed: 1000
Driver: r8169

ethtool -i p4p1

driver: r8169
version:
firmware-version:
expansion-rom-version:
bus-info: 0000:03:02.0
supports-statistics: yes
supports-test: no
supports-eeprom-access: no
supports-register-dump: yes
supports-priv-flags: no

modinfo r8169

filename: /lib/modules/3.10.0-1160.119.1.el7.x86_64/kernel/drivers/net/ethernet/realtek/r8169.ko.xz
firmware: …
license: GPL
softdep: pre: realtek
description: RealTek RTL-8169 Gigabit Ethernet driver
author: Realtek and the Linux r8169 crew netdev@vger.kernel.org
retpoline: Y
rhelversion: 7.9
srcversion: 886F7AAD6F5FCB3A32A400E
alias: …
depends:
intree: Y
vermagic: 3.10.0-1160.119.1.el7.x86_64 SMP mod_unload modversions
signer: CentOS Linux kernel signing key
sig_key: 68:EA:10:3F:2C:90:A8:DC:0B:B0:44:6C:06:D1:45:61:F2:9E:11:72
sig_hashalgo: sha256
parm: debug:Debug verbosity level (0=none, …, 16=all) (int)

I could use some assistance in doing this, because I never did it before and I am not so familiar with the CLI of NS7.
For me it’s sometimes already a challenge to implement changes with the web interface.

I still don’t know if and how I am supposed to find the driver version and -update it.

I think I solved it by adding the required domains and URL’s to a custom Whitelist.
This thread gave me the idea.

Create a custom template fragment:

mkdir -p /etc/e-smith/templates-custom/etc/c-icap/c-icap.conf

Create a custom fragment file:

nano /etc/e-smith/templates-custom/etc/c-icap/c-icap.conf/90custom_whitelist

Add your whitelist entries (without spaces):

####### Custom whitelist entries
WhitelistDomain \.example\.com

WhitelistURL http://100\.0\.0\.1
WhitelistURL https://100\.0\.0\.1

Expand the template:

signal-event nethserver-squidguard-update

Restart and enable the relevant services:

systemctl restart c-icap
systemctl enable c-icap
systemctl restart squid

Tomorrow I will test it some more.
Please advise and comment.

After some more testing I realized that it didn’t solve my problems.
Strangely enough the frequency of interruptions went down and they got less severe, but I still periodically lose my Internet- and sometimes LAN connection.
Since I am new to NS, can someone at least confirm or deny if I used the correct syntax please … ?!?

Thanks in advance.

Worry not, I’m talking about Nethsecurity the standalone firewall (since projects split up), you can just try it for now with a live install with the current configuration using the migration tool mentioned in the doc.

There’s no journalctl output during that downtime, yes? Checking just to make sure.

Got here after the new products, can’t help in this case I’m sorry, hope someone with the right knowledge can help you out

Although I think the card is supported by the kernel out of the box, I recall some negative comments about the card (users facing a plethora of problems, like disconnection, speed dropout and more: nethserver users, clearos users and general linux users), some of those users solved it by using drivers from manufacturer (or even from some github repo) or newer kernel versions, as far as I recall, or by changing the card, but don’t take my word for it. Not saying the card is useless or needs to be replaced (I think you told it was working right with clearos). I think @pike and possibly @ssabbath owned cards with the same chipset.

IPS (Intrusion Prevention System) and the proxy with antivirus also can have some penalty on the connection (mainly the IPS depending on enabled rules; the antivirus on the proxy had some problems with official signatures IIRC).

The steps are OK (I think the manual restart/enable with systemctl weren’t necessary as usually they are also run by signal-event xxxxxxxx-update event).

About the whitelist syntax, cannot say for sure for the specific icap conf file but you can check the resulting file (/etc/c-icap/c-icap.conf) . Maybe not needed but I think the \ doesn’t hurt.

Take a read on that

Before apply, consider a full backup.

Thank you all for taking the time to reflect on my issues.
I’m sorry I didn’t have time earlier to respond and after this I’ll probably only have time again next Sunday at the earliest.

In the mean time I have been testing different browsers (a new install of Chrome & -Tor).
I copied the profile folder of Firefox from my old workstation to the new one, because I have a lot of tabs that I need. With these other browsers I encounter the same issues, but everything else seems to work just fine.
And I still get interrupts simultaneous sometimes by the way, so that must point to the fact that it’s not simply a browser issue.

@Tbaile
Nethsecurity looks promising so maybe I’ll test it next Sunday, but it will take some time if I need to make a backup of my NS7 box.
Because there’s at least 1Tb of data on it and I am lacking experience how to make a proper system backup.

Log files have never been my strong point so I will have to figure out how to get info from the journalctl output that makes sense to me.
Any tips would be welcome, because it’s inevitable to start using log files to find the cause of the problems I am experiencing.

@dnutan
Thanks for informing me about the known issues with the r8169 NIC.
Updating its driver could be a path worth investigating, but I could use some help using a github repo, because I didn’t anticipate compiling a driver from source code.
My ClearOS box was running on another machine, so maybe the r8169 could just as well be causing these network drops, because it’s really old and just PCI.
No wonder it was this cheap so maybe I should take my loss and get me a NIC that is up-2-date.
Would any PCI-Express NIC do the job, or what am I supposed to look for that’s not too expensive … ?!?

IPS and antivirus are indispensable for obvious security reasons but I must admit that I would not know which parts could be responsible for the problems I encounter.
I use transparent proxy, but it’s only because it improves browsing, so that’s something I can experiment with by disabling it when it’s known to cause related problems.

c-icap was started but not enabled afterwards, so that’s why I needed to enable it.

@pike
I didn’t understand everything in the post from 2021 you mentioned, because the English used is not too clear to me and he made jokes that I didn’t really understand.
But I understood that he was talking about a problematic system.
Luckily I don’t have all sorts of stability issues.

Please advise.
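One way to pull NIC link drops and driver faults out of the kernel log for the two drivers shown in this thread (e1000e and r8169), so the timestamps can be compared with the interruptions. This is an added example, not part of the original posts: the function name `nic_events` and the sample log lines are constructed, and the matched message texts are the ones these in-tree drivers normally log, which can differ between kernel versions.

```shell
#!/usr/bin/env bash
# Summarise NIC link flaps and driver faults from kernel log text on stdin.
# On the gateway the real input would be, for example:
#   journalctl -k --since "-1 day" | nic_events
# Output columns: interface, event kind, count, timestamp of the last occurrence.

# Constructed sample in the default journalctl short format (not from the thread).
SAMPLE_LOG='Jun 02 22:58:41 ns7 kernel: r8169 0000:03:02.0 p4p1: link down
Jun 02 22:58:44 ns7 kernel: r8169 0000:03:02.0 p4p1: link up
Jun 02 23:01:10 ns7 kernel: NETDEV WATCHDOG: p4p1 (r8169): transmit queue 0 timed out
Jun 02 23:01:12 ns7 kernel: r8169 0000:03:02.0 p4p1: link down
Jun 02 23:01:15 ns7 kernel: r8169 0000:03:02.0 p4p1: link up
Jun 02 23:04:02 ns7 kernel: e1000e: em1 NIC Link is Down
Jun 02 23:04:05 ns7 kernel: e1000e: em1 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: Rx/Tx
Jun 02 23:05:00 ns7 kernel: e1000e 0000:00:19.0 em1: Detected Hardware Unit Hang:
Jun 02 23:06:00 ns7 squid[1234]: unrelated line'

nic_events() {
    awk '
    / kernel: / {
        ts = $1 " " $2 " " $3            # month, day, time of this entry
        sub(/^.* kernel: /, "")          # keep only the kernel message; fields are re-split
        iface = ""; kind = ""
        if      ($0 ~ /NETDEV WATCHDOG/)             { iface = $3; kind = "tx_timeout" }
        else if ($0 ~ /Detected Hardware Unit Hang/) { iface = $3; kind = "hw_hang" }
        else if ($0 ~ /NIC Link is Down/)            { iface = $2; kind = "link_down" }  # e1000e wording
        else if ($0 ~ /: link down/)                 { iface = $3; kind = "link_down" }  # r8169 wording
        if (kind == "") next
        sub(/:$/, "", iface)             # "p4p1:" -> "p4p1"
        count[iface " " kind]++
        last[iface " " kind] = ts
    }
    END { for (k in count) print k, count[k], last[k] }
    ' | LC_ALL=C sort
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | nic_events
```

An empty result for the time of an interruption means the kernel saw no link loss on either interface, which points away from the NIC and driver and toward the services in the traffic path.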

Ok, long story short: system was not “stable” as connectivity, I had issues on Realtek network adapters. Issues that I resolved with installing the “correct” kMod for 3.10 kernel that was available, at that time while CentOS 7/NS7 was supported.
Currently the system is an ESXi guest, so I’m not in the condition to show you rpm -qa kmod* output. More details about the NIC-kmod correlation was reported in some of the posts.

Thanks for sharing about my poor English, I’d try to be less stand-up comedian while posting and more comprehensible. English is not my native language.

@pike
Thanks for clearing that up and I didn’t mean to insult anyone.
English is also not my native language so maybe that played a role in it too.

After installing a new PCIe NIC (TP-Link TG-3468 V4) the problems only got worse.

Model: Realtek Semiconductor Co. Ltd. Device 8161 (rev 15)
Speed: 1000
Driver: r8169

ethtool -i p4p2

driver: r8169
version:
firmware-version: rtl8168h-2_0.0.2 02/26/15
expansion-rom-version:
bus-info: 0000:04:00.0
supports-statistics: yes
supports-test: no
supports-eeprom-access: no
supports-register-dump: yes
supports-priv-flags: no

Online I could only find old info about V2.
The ad said that it was made for Linux, but all the support I can find is for Windows.
So I suppose that I will have to return it and order me another one.
All I could find was instructions on how to compile a driver for kernel 2.4.

Which one is a better choice (both run on the same driver):

https://www.axagon.eu/en/produkty/pcee-grf

Any suggestions … ?!?