Author Archives: Tim H

About Tim H

I am a Large Fluffy Chicken called Bob.

Vyos and the mystery conntrack counter


Router Go Fast!

For those that know me, it’s no secret I’m a huge Vyos fan.  I moved away from pfSense after they released a version that had issues with more than 1 vCPU, instead trying Vyos.  Once I’d seen how much better it performed under Proxmox I stayed on it and have never looked back.
I really feel the pfSense project lost its way when they fucked up Wireguard and then lashed out at everyone who was just trying to help get it into FreeBSD.  But I digress.

Flow Offload (Flowtable) Bug?

I recently upgraded from Vyos 1.3 to Vyos 1.4. 1.4 is a huge step forward for the project as it moves from iptables to nftables.  It also brings some great new features, like Flowtable (software/hardware flow offload).  This means that once a flow has created a conntrack entry, all future packets that match this flow are fastpath’d through the conntrack service, assuming you have a rule to allow this like so:

firewall {
    flowtable FastVyos {
        description "Vyos Fast Software Offload Table"
        interface eth1
        interface eth0
        offload software
    ipv4 {
        forward {
            filter {
                default-action accept
                description "Filter for packets being forwarded through the router"
                rule 10 {
                    action offload
                    description "Offload Established TCP and UDP Traffic"
                    offload-target FastVyos
                    protocol tcp_udp
                    state established
                    state related

This results in better performance and on older/slower hardware will increase the number of packets-per-second that a device can handle.  This is a very good thing!  You can see its working if you see [OFFLOAD] in your conntrack table:

conntrack -L -u offload
tcp      6 src=x.x.x.x dst=x.x.x.x sport=43392 dport=x packets=2317 bytes=192092 src= dst=x.x.x.x sport=x dport=43392 packets=2644 bytes=149748 [OFFLOAD] mark=0 use=2
tcp      6 src=x.x.x.x dst=x.x.x.x sport=55400 dport=x packets=1336 bytes=111233 src= dst=x.x.x.x sport=x dport=55400 packets=1535 bytes=88580 [OFFLOAD] mark=0 use=2
tcp      6 src=x.x.x.x dst=x.x.x.x sport=49836 dport=x packets=850 bytes=70559 src= dst=x.x.x.x sport=x dport=49836 packets=1060 bytes=58247 [OFFLOAD] mark=0 use=2
tcp      6 src=x.x.x.x dst=x.x.x.x sport=60797 dport=x packets=10014 bytes=827040 src= dst=x.x.x.x sport=x dport=60797 packets=10125 bytes=570347 [OFFLOAD] mark=0 use=2
conntrack v1.4.7 (conntrack-tools): 693 flow entries have been shown.


Once I’d turned on Flowtable though, I started to have issues with Firebase Cloud Messaging on my Android phones.  It’d keep timing out and I wouldn’t get push notifications until I woke up my phone.  I spent ages debugging, Wiresharking, testing with Flowtable on and off.  It always would work with Flowtable off, but would fail/disconnect with Flowtable enabled. In the end, convinced I had found a bunch in nftables (quite the accusation to make!) I logged a bug in the Netfilter BugTracker. Turns out I was actually correct, there was an issue with PPPoE encapsulation and Flowtable.  I’d actually switched ISPs to one that does DHCP (not because of the bug!) and I hadn’t noticed the problem with DHCP, it was good validation to see it was a PPPoE + Flowtable bug.
I should point out for any PPPoE users out there, the bug is fixed in Linux 6.6.30 onwards, which the latest Vyos 1.5 rolling images are using.

Conntrack Clashes?

So now my router was working perfectly, but for some reason at some stage I decided to look at the conntrack table statistics.  I just like to see how things work “under the hood” I guess.

Wait, what’s this? What the hell is clash_resolve in my conntrack statistics and why is it going up by ~300 a minute? That can’t be a good thing, can it?

tim@ferrari:~$ conntrack -S
cpu=0 found=13872 invalid=64978 insert=0 insert_failed=2130 drop=2130 early_drop=0 error=1966 search_restart=0 clash_resolve=1091611 chaintoolong=0 
cpu=1 found=13353 invalid=64876 insert=0 insert_failed=2164 drop=2164 early_drop=0 error=1760 search_restart=0 clash_resolve=1098408 chaintoolong=0

I spent a lot of time googling, but trying to find any real information about what it does was hard.  There were the main links I found that offered some insight.

It turns out what a clash_resolve is, at least to my understanding, is that when conntrack tries to create an entry, if there’s already an entry for that tuple [source IP, source port, dest port]:[destination ip, source port, dest port] that it will instead shift the source port of the incoming packet so that it’s unique, and create a conntrack entry based on that.  I haven’t explained that very well because I never could quite find exactly what was going on myself to a level I felt I understood.  Probably I’m too stupid really, so if you have a better plain english explanation I’d welcome it!

But I did find the cause of the problem.  My Vyos router runs a caching nameserver, it’s my home router so it makes sense for it to cache most DNS lookups.  I have a Zabbix Server at home too and it generates A LOT of DNS requests.  I found as soon as I turned off my Zabbix server that the clash_resolve stopped incrementing.  After looking at the conntrack table I realised there were hundreds of conntrack entries between the DNS Server on the router and my Zabbix server:

<snip snip>
udp      17 19 src= dst= sport=48288 dport=53 packets=2 bytes=124 src= dst= sport=53 dport=48288 packets=2 bytes=189 mark=0 use=1
udp      17 12 src= dst= sport=56102 dport=53 packets=1 bytes=68 src= dst= sport=53 dport=56102 packets=1 bytes=84 mark=0 use=1
udp      17 12 src= dst= sport=56240 dport=53 packets=2 bytes=136 src= dst= sport=53 dport=56240 packets=2 bytes=201 mark=0 use=1
udp      17 28 src= dst= sport=38695 dport=53 packets=2 bytes=124 src= dst= sport=53 dport=38695 packets=2 bytes=189 mark=0 use=1
udp      17 10 src= dst= sport=33689 dport=53 packets=2 bytes=128 src= dst= sport=53 dport=33689 packets=2 bytes=193 mark=0 use=1
udp      17 13 src= dst= sport=36236 dport=53 packets=2 bytes=128 src= dst= sport=53 dport=36236 packets=2 bytes=193 mark=0 use=1
udp      17 10 src= dst= sport=49932 dport=53 packets=2 bytes=116 src= dst= sport=53 dport=49932 packets=2 bytes=181 mark=0 use=1
udp      17 3 src= dst= sport=54581 dport=53 packets=2 bytes=126 src= dst= sport=53 dport=54581 packets=2 bytes=191 mark=0 use=1
udp      17 1 src= dst= sport=40209 dport=53 packets=2 bytes=126 src= dst= sport=53 dport=40209 packets=2 bytes=191 mark=0 use=2
udp      17 12 src= dst= sport=48388 dport=53 packets=2 bytes=136 src= dst= sport=53 dport=48388 packets=2 bytes=201 mark=0 use=1
udp      17 4 src= dst= sport=51367 dport=53 packets=2 bytes=128 src= dst= sport=53 dport=51367 packets=2 bytes=193 mark=0 use=1
conntrack v1.4.7 (conntrack-tools): 167 flow entries have been shown.

Fixing Conntrack

And here’s the fix: Those connections don’t need to be in conntrack! There’s no NAT going on and I’m not doing any firewalling.  It’s local LAN traffic.  So the fix is to put in an exception rule, so that all traffic from my LAN, talking to my DNS Server on the router, bypasses conntrack.  Meaning there’s no state at all, it’s just a normal routed packet.
Note that you have to create a rule in both directions, otherwise the router sending back replies generates a conntrack entry.

The configuration looks like this, placed under the “system conntrack” stanza:

show system conntrack
 ignore {
     ipv4 {
         rule 10 {
             description "Ignore Conntrack for LAN DNS Requests to Router"
             destination {
                 port 53
             inbound-interface eth1
             protocol udp
             source {
         rule 200 {
             description "Ignore Conntrack for LAN DNS Replies from Router"
             destination {
             protocol udp
             source {
                 port 53

With this in place, the conntrack table statistics for clash_resolve have stopped going up rapidly.  I still see some increasing, but that’s expected.  In fact clash_resolve isn’t even a problem as such, it’s just saying a clash was noticed and resolved.

I’ve also saved myself 650+ entries in the conntrack table that I didn’t need:

[Before the change above was made]
tim@ferrari# conntrack -L -s -d
conntrack v1.4.7 (conntrack-tools): 665 flow entries have been shown.

And my Vyos router is as performant as ever!


Spam This Post – It’s Protected By Cleantalk

Spam is one of those things on the web that no matter what, you can’t really escape from it.  I’ve been posting stuff on the web for years, helped moderate a number of forums etc and always Spam is a problem.

Chicken Spam

I have this WordPress site you’re reading this post on, and two Drupal sites that I maintain.  One of those Drupal sites I do my very best to keep it out of Google, it’s just a personal blog with information only I and maybe my family care about.  So it’s got a robots.txt on it and a number of HTTP Headers that are designed to stop it getting any traffic.

Still it gets Spam.  I’ve been writing and posting in that Diary for over 20 years now, so it’s been around a while.  For ages I just deleted Spam as it came in, there was only one or two posts a month if even that.  Then just as it started to get really bad, along came Mollom.  Mollom was a great web service that you just plugged in your Drupal instance and it would flag any new content as either Good, Bad or “Maybe”.  Anything Maybe you had to manually review to ensure you weren’t hiding good content.  Mollom was an excellent free service, but after many years Acquia decided that it wasn’t a Core Product and terminated it.  There’s a great blog post by Dries talking about it and its eventual demise.

The sad, dead Mollom Drupal Plugin

Once it died, neither of my Drupal sites were Spam protected anymore and of course the Spam rolled in.  I tried a few different things in that timeframe, mostly either “Anti-Bot” type plugins, or Captchas.  Captcha seemed like the best solution, but I hated that on this very wordpress blog, whenever I went to login to the Admin panel I would be greeted with a picture where I had to click traffic lights and all that nonsense.  And so I moved to hCaptcha and it seemd to be a bit better, but then once again the Spam started rolling in.  Not really a surprise when you realise there’s plenty of Captcha Solving Services available.  I guess it’s profitable to pay the small fee to be able to post Spam.

Ugh! So again I was back to square one, and even for a time turned off comments on the popular posts on this site that were getting spam.  Then I got annoyed and went hunting for a solution and that’s when I discovered Cleantalk.

The first thing I was impressed with is there’s a plugin for both WordPress AND Drupal.  With WordPress being the primary blogging platform a lot of people use, I was glad to see Drupal (Which I think is superior myself, but they serve different audiences) hadn’t been forgotten about.

The WordPress Plugin is super easy:

Cleantalk WordPress Plugin

You install it, paste in your key provided by the cleantalk website and off you go.  You’re protected from Spam.  You can click on “advanced settings” if really need to tweak some settings when you’re using a WordPress Caching plugin, or some of the e-Commerce modules.  The Cleantalk WordPress module has settings to make sure all different types of WordPress sites are supported out of the box.

Drupal is a similar story:

Drupal Cleantalk Plugin

Again it’s very easy to setup, you put in your API key and tweak a few settings to how you need them for your setup, and away you go.  Your site is protected against Spam!

As I said, I’ve got 3 sites.  2 Drupal and 1 WordPress.  To see the status of your Spam Protection you just log into the Cleantalk Portal and you get a nice simple overview of your sites:

Cleantalk Admin Panel

From there you can see how many Spams were blocked before they were even attempted (SpamFirewall), for those spammers lucky enough to get through the SpamFirewall, how many Approved or Spam comments were processed and dealt with.

The SpamFirewall Logs

The SpamFirewall Logs

I’ve only been using Cleantalk for a couple of weeks thus far, so I don’t have a lot of Approved comments (my blogs aren’t that popular I guess!) but I sure have a lot of blocked spam.  Handbag sales, do I want a video etc.  All blocked.  No longer do I have to keep comments disabled, no longer do I have to delete comments as soon as they’re posted etc.  You can see here the content that Spammers tried to post being denied:

Spam being blocked by Cleantalk

Overall I’m very happy with Cleantalk.  It’s fitted in where Mollom left off – automated, hassle free Spam prevention.  I think the cost of the service is reasonable, even for a hobbiest like me.  I’ve asked a few support questions and both times the support people were very quick to help and offer solutions, and that’s always a good thing.

One final note: I signed up before my trial period (7 days) was over.  In doing so, I was granted an extra 6 months free, on top of the 3 years I purchased.  In writing this review, I will submit it to Cleantalk and they’ll give me a bonus 12 months of Spam protection.  So this post is, in a way, sponsored.  But the reason I’d like a bonus 12 months is because I’m very happy with the service they’re providing!  So much so I wrote this post.

Thanks for reading.  Now go and protect your website from Spam the easy way with Cleantalk!

Cleantalk Logo


Why Don’t They Write Back?

Hi Tim,

You earlier showed interest in video creation for Muppetz. Haven’t heard back from you in a while.

Me and You can discuss and also plan more affordable + effective Video Strategies.

If there is a more suitable Budget, I can share examples that can be created within the same OR If there is a type of video you liked on our website, I can discuss similar ideas and budgets.


Be Awesome
Orko || Director & Producer
PH +18664483073

Is it ever the RIGHT time though?
Leaves fall from the sky this time of year, the hot air balloons come crashing down all around me while I scream internally “I NEED A VIDEO OF MY LIVER WEARING PYJAMAS”

Has anyone made a video of them eating a whole ream of A4 paper?

Now might be the time for us to shine!! I want to optimise my Search Engine Optimisation, are videos and sitemaps.xml meant to be deployed at the same time or should I work on my same origin policy?

Christ I love Videos,



Hi There!

I have some questions about Supermarket News, I am hoping someone there could answer them for me.

Firstly, the banner says “TRUSTED, RESPECTED, PREFERRED” – I have no issue with it being trusted, nor respected.  But preferred?  I mean I don’t think there’s anything else in the marketplace quite LIKE Supermarket News, is there?  I would say you can’t claim to be preferred if you’re the only game in town.  Or there is a RIVAL supermarket happenings publication I’m not aware of?

The content is important, no doubt.  But you don’t need to keep shouting at us, do you?  I mean it’s Supermarket News, not CoronaVirus updates.

Finally, your website isn’t https compatible.  It gives certificate errors.  You might want to contact your webhost about this.

Finally, my email is repeated in a format that the @NZSupermarket Twitter person will be able to understand, case they’re the person who gets this (HI!)






Fondest Regards,
Tim Harman

Thanks Tim.

I’ll look into the SHOUTING on twitter.

As regards magazines – there are two b2b in the market and about 45 overseas publications that are the same.

As for website ditto above, I’ll look into it.

Can I ask why you are getting in touch with us?

I haven’t heard of you, but then we’ve only been in business since 1923.


(Supermarket News Person)

Hi (Supermarket News Person)!

I only ask because I like to ask questions 😊

You wouldn’t have heard of me, I’ve only been in business since 1976 when I was born, but I didn’t even move to New Zealand until 2000.  Yes, I’m an annoying Australian. I work in computers and have nothing at all to do with supermarkets.  Well, I used to do nightfill at Purity (now Woolworths) in Sandy Bay, Tasmania back in ~1996 or so, but I don’t think that qualifies me to know much about supermarkets (except how dirty they are out the back, erk!)

I appreciate the reply, most people, strangely enough, never seem reply to my questions!

Much Love,


Not 2 hours after I sent this email, the Twitter feed stopped shouting at us:

Oppression at Goodman Fielder


Today I purchased a Tuckers Ridge Pie. Overall it was very tasty and I thoroughly enjoyed it, however I became alarmed when reading the back of the pie’s packaging.It states on the back of the pie packet that “We’re up before the sun perfecting our classic recipes” and I got a chill down my spine. Was this a thinly veiled cry for help? Is a product development team at Goodman Fielder being held against their will, forced to rise before the sun every morning, pressured to make what was, in my opinion, an already excellent pie even better?

It goes on to state that they are “continuing our worldwide search for new ingredients to storm the mouths of New Zealand pie-hards”. Wonderful prose indeed, but why do they have to get up so exhaustingly early to do this? Do they live a very long way away from the Goodman Fielder office and have an extensive commute time?

The more I think about it, the more questions I have!

1) Who’s the “We” in “We’re”. Is it the pastry chefs? The team making the fillings? The people who print the pie packets? Or is is ALL Goodman Fielder staff being forced awake pre-sunup? Did you, person who has to read (and unfortunately, probably respond to) this email, get up before the sun today? Was it of your own accord? Given it’s Summer at present, this means the sun is rising at approx 5:40am. Ouch.

2) Are they prised out of bed in the dark because they must catch the first plane of the day, made to scour distant locations for these prized exotic ingredients? (Are they given a decent travel budget if so?)

3) Finally and I think this is the most important question I have: Do they get to go to bed early?

Thank you for any reassurance you are able to give me.

Kind Regards,
Tim Harman

PS: If your emails are being monitored and you’re unable to respond in plain text about the oppressive conditions you’re working under, just capitalise every important letter in your reply and I’ll decode it and raise the alarm.

Jesus Water


I am writing to complain.

You have called your product “WaterDrops” when in fact you should have named them “JesusDrops” because they actually turn water into Wine.

Well OK maybe not Wine, but they give water some flavour and taste and that’s pretty much a miracle. The fact you have 12 flavours does, in my opinion, count as 12 different miracles and therefore I conclude that all of you should in fact be indoctrinated as Saints.

Writing to the Pope to express this opinion is in fact the next thing to do, after sending this email.

Summary: Water Drops are great, I love them. Bravo.


Dearest Tim,

It is true, in the beginning God made heaven and earth. And the earth was without flavour, and void; and darkness was upon the face of the drinks industry then the Spirit of God moved upon the face of the waters and God said, Let there be VitalZing WaterDrops: and there was VitalZing WaterDrops.

The true ingredients of VitalZing WaterDrops are forbidden fruits from the Garden of Eden, holy water (which can actually magically be turned into red wine by our man upstairs), and 3 hail Mary’s mixed by a Virgin Mary who is world renowned for creating something incredible from nothing

I’d like to leave you with this final thought.
John 3:16 (slightly altered) “For God so loved WaterDrops, that he gave them to his one and only Son, and whoever believes in them shall not perish but have eternal awesomeness.


PS Thank you so much for making my day with your email. It’s hilarious!

New ParkMate Options

From: ParkMate
Sent: Friday, 28 September 2018 12:20 PM
Subject: Host Park has launched and check out the newly added features in ParkMate. Be sure to update on 02/10/18

Have you ever paid for parking with the wrong rego….

perhaps selected the same product twice….

or had a transaction declined resulting in an invalid parking session?

If you’ve ever had to contact us for a refund request, we’ve felt your pain so have made some key changes to help reduce the need for refund requests.

Active Rego Change
If you have multiple vehicle registrations loaded to your ParkMate account and accidentally start a parking session with the wrong rego, you now have 15 minutes to change to the correct rego. You can change rego by selecting your current session and then adding your correct registration.

Duplicate Products
We have removed the possibility of purchasing duplicate parking sessions. No longer will you be able to accidentally purchase the same parking product, therefore only paying for the session you use!

Multiple Payment Options
You now have the ability to load multiple credit or debit cards against your ParkMate account. You can simply switch between payment options on the confirmation screen – just in case one of your cards is running a little low on funds.


Thank you for your email.

Some options I would like to see:

  1. The app hears when you get a parking ticket and automatically transcribes all the swear words into a nice email and sends it to the owner of the parking space.
  2. A sister app called “ParkEnemy” where you can buy someone else’s ticket off them in real time (at an inflated price to make it less likely to happen, and they don’t know it’s happened), thus ensuring that person gets a ticket.  Used when you see some idiot in their BMW taking up 2 spaces, or you just want to see your workmate crying at their desk.
  3. Upgrade of all parking metres to say things like “Hey you’re looking mighty fine today Tim” as you walk past them.  If you have just paid $20 or more for a park it’s even more complementary “Those glasses really suit you Tim, have you lost weight?” etc.
  4. The app detects when you’re riding a bicycle and sends abusive text messages to your friends “Look at me being all high and mighty riding a bike, I should be in a car like normal people, who am I, Lance Armstrong??”

I have more ideas if you’d like to hear them.

Kind Regards,

Tim Harman

ETA Thick Cut Peri-Peri Hot


I am just writing to express my appreciation for your Nandos Peri-Peri Hot Thick Cut chips.

As a 41 year old man, there are not many times I use the expression “These are bangin'” but I think in this case it is warranted that, upon tasting these chips I exclaimed to myself in the car “Damn, these are some bangin’ chips”

I don’t know what I enjoy more, the delicious spicy flavour they impart, or the fact that I know should my 3yo son try and sneak one of “Daddy’s Chips” when he knows I’m not looking, he’ll start screaming and never do it again.

Probably the flavour, now I think about it, but the “will-never-eat-my-chips-again” son is a close second.

Anyway I thought I should just write and let you know these chips are bangin’. Oh sorry there I go again.

Bang on,




Thank you for taking the time to contact us and providing us with feedback on our product.

We are delighted to hear that our products meet your expectations.

We will pass your comments on to our Quality and Marketing team for their review and we hope you continue to enjoy our fine products.

SubwayNZ’s Social Media Drought



Whilst I am aware the Freedom of Information Act does not apply to a corporate such as yourself, I feel this request is important enough to warrant an exception and I will ring up the Ombudsman if one isn’t granted.

My very reasonable request is as follows:

Why doesn’t the @subwaynz Twitter account tweet anymore?

I welcome a reply at your earliest convenience.

Yours in a love of random meat products slapped between two bits of bread then drowned in sauces and cheese,

Tim H


Hi Tim,

Thank you for getting in touch,

We are flattered to see you have missed us, we are currently reviewing all Social media platforms. We should be back soon.

Kind regards


Customer Service Team