Please help: inter-qube networking has become unstable and I don't know why

I posted a thread earlier blaming fedora-42 for this but now I have realized the problem persists with fedora-41 as the base for my networking qubes.

This problem is very strange. I don’t know why it started happening because everything worked smoothly for months and I haven’t made any changes other than maybe updating my templates.

The problem is that when I open a port in one qube to access from another qube, a connection is only made a small percentage of the time; the rest of the time I get either a timeout or a stuck connection attempt. What could possibly cause this behavior, and how can I even begin to debug it? It’s not like I’m using the wrong commands because (a) these are the commands I’ve always used and (b) a connection does get established every 10 attempts or so.

I’m pretty sure this is a problem with either sys-firewall or sys-net because I have reproduced the problem with all kinds of qubes, including fedoras and debians, and even different types of server software including minecraft. I’m at a point where I’m considering reinstalling Qubes and setting everything up from scratch, although I’m not convinced that will solve the problem… help me please :sob:

Here are the commands I use. For allowing the qubes to communicate I do this in sys-firewall:

sudo nft add rule ip qubes custom-forward ip saddr 10.137.0.48 daddr 10.137.0.29 ct state new,established,related counter accept

and to open the port I do this in the server qube:

sudo nft add rule qubes custom-input tcp dport 25500 ct state new,established,related counter accept

edit: no fxcking way I actually figured it out on my own :exploding_head: if anyone experiences this in the future, here’s the magic spell to fix it in sys-firewall:
sudo sysctl -w net.netfilter.nf_conntrack_max=1000000
the default was something puny like 3k pfft of course it was gonna fail… qubes devs think I only got 3k friends come on man :rofl:

—original message—

Ok I think I figured out what’s wrong but I have no idea how to fix it. journalctl on sys-firewall is being spammed with the following message:

nf_conntrack: nf_conntrack: table full, dropping packet

which sounds about right given the effects I’m experiencing. With a Google search I found these commands:

sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=54000
sysctl -w net.netfilter.nf_conntrack_generic_timeout=120
sysctl -w net.ipv4.netfilter.ip_conntrack_max=<more than currently set>

but /proc/sys/net/ipv4/netfilter doesn’t exist in sys-firewall so this potential fix doesn’t work. What else can I do? :sob:

wait a minute… the fact that I’m only experiencing this now, after months of flawless operation, probably means I’m getting DDoSed, doesn’t it :skull: :gun:
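As an added example (not part of the original post, and not Qubes project code), here is a small POSIX shell script that checks the conntrack symptoms described above the way one would in sys-firewall: it compares the live nf_conntrack_count against nf_conntrack_max under /proc/sys/net/netfilter (the modern paths; the /proc/sys/net/ipv4/netfilter/ip_conntrack_* names the Google hit used belong to much older kernels, which is why they are missing), counts "table full, dropping packet" lines in a journal excerpt, and prints the sysctl command for the fix. The 90% "HIGH" threshold is my own choice, and the journal lines are constructed sample input, not a real log.

```shell
#!/bin/sh
# Added example: diagnose a full netfilter connection-tracking table.
# Assumes a Linux qube with /proc/sys/net/netfilter readable (root not
# required for reading); everything degrades gracefully elsewhere.

# Constructed sample of what `journalctl -k` looks like when the table
# overflows (three drop messages, one unrelated line).
SAMPLE_JOURNAL='Jan 01 12:00:01 sys-firewall kernel: nf_conntrack: nf_conntrack: table full, dropping packet
Jan 01 12:00:01 sys-firewall kernel: nf_conntrack: nf_conntrack: table full, dropping packet
Jan 01 12:00:02 sys-firewall systemd[1]: Started qubes-firewall.service.
Jan 01 12:00:02 sys-firewall kernel: nf_conntrack: nf_conntrack: table full, dropping packet'

# Classify a count/max pair as FULL, HIGH (>= 90%, my threshold) or OK.
# At FULL the kernel drops every packet that would need a new entry,
# which is exactly the "connects one time in ten" behaviour.
conntrack_status() {
    count=$1
    max=$2
    if [ "$count" -ge "$max" ]; then
        echo FULL
    elif [ $((count * 100 / max)) -ge 90 ]; then
        echo HIGH
    else
        echo OK
    fi
}

# Count table-full drop messages in a journal excerpt read from stdin.
# grep -c exits 1 when the count is 0, so keep that from aborting callers.
count_table_full() {
    grep -c 'nf_conntrack: table full, dropping packet' || true
}

# Read the live counters; print "-1 -1" if the files are not available.
live_conntrack() {
    dir=/proc/sys/net/netfilter
    if [ -r "$dir/nf_conntrack_count" ] && [ -r "$dir/nf_conntrack_max" ]; then
        echo "$(cat "$dir/nf_conntrack_count") $(cat "$dir/nf_conntrack_max")"
    else
        echo "-1 -1"
    fi
}

# Print (do not run) the sysctl that raises the table size. In a Qubes
# service qube the root filesystem is reset on reboot, so to persist it put
# the same line in /rw/config/rc.local (or in the template's /etc/sysctl.d).
raise_conntrack_command() {
    echo "sysctl -w net.netfilter.nf_conntrack_max=$1"
}

# Human-readable report combining the live values and the sample journal.
report() {
    set -- $(live_conntrack)
    if [ "$2" -gt 0 ]; then
        echo "live conntrack: $1/$2 ($(conntrack_status "$1" "$2"))"
    else
        echo "live conntrack: counters not readable on this host"
    fi
    n=$(printf '%s\n' "$SAMPLE_JOURNAL" | count_table_full)
    echo "table-full messages in sample journal: $n"
    echo "fix: $(raise_conntrack_command 1000000)"
}

report
```

Before raising nf_conntrack_max by a large factor, it is worth looking at what is filling the table (`conntrack -L` from the conntrack-tools package, or `/proc/net/nf_conntrack`): a table that was adequate for months and is suddenly full points at either a new flood of short-lived flows or at entries that are not timing out, and a bigger table only hides the first of those.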