Date:      Fri, 7 Mar 2008 10:16:13 -0800 (PST)
From:      Lorenz Helleis <lorenzhelleis@yahoo.com.br>
To:        Max Laier <max@love2party.net>, freebsd-pf@freebsd.org
Subject:   Res: Res: Dropped Packets
Message-ID:  <523685.2819.qm@web53701.mail.re2.yahoo.com>

Max..

The current entry is not 5005. I got this value after "pfctl -d"...
The number of concurrent connections is 70.000.

At this moment my firewall is disabled until I find a solution to solve this problem. I think I will try to increase the number of states and change the NIC.

I use a Gigabit card and the traffic is 300Mbs and the concurrent sessions 70.000.

And now I'm studying about table entries, src-nodes...

Proverbs 1:27

    But God chose the foolish things of this world to confound the
wise; and God chose the weak things of this world to confound the
strong;

----- Original message ----
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org
Cc: Lorenz Helleis <lorenzhelleis@yahoo.com.br>; Chris Marlatt <cmarlatt@rxsec.com>
Sent: Friday, 7 March 2008 14:55:52
Subject: Re: Res: Dropped Packets

[ please don't top-post ]

On Friday 07 March 2008, Lorenz Helleis wrote:
> I don't think that is a hardware problem, sometimes the "congestion
> rate" increases to 1500.0/s and the "state-mismatch" to 300.0/s.. I
> don't know if it is normal...
>
> I think that the connections are being dropped when the number of
> packets on the network increases a lot.
>
> Can you tell me about your firewall? I will need to install a bigger
> one here, and I'm a little afraid to do it. Can you show me some
> configuration? The traffic of your network? Hardware? Connections?
>
> Look at some configurations.... Do I need to increase something?
>
> # pfctl -sm
> states        hard limit   100000
> src-nodes     hard limit    10000
> frags         hard limit     5000
> tables        hard limit     1000
> table-entries hard limit   200000
>
> # top
>
> load averages:  0.20,  0.12,  0.09
> 13:29:40 35 processes:  34 idle, 1 on processor
> CPU0 states:  0.6% user,  0.0% nice,  0.7% system,  0.0% interrupt,
> 98.7% idle CPU1 states:  0.1% user,  0.0% nice,  0.2% system,  0.0%
> interrupt, 99.7% idle
>
> # vmstat -i
>
> interrupt                       total     rate
> irq0/clock                  257506609      199
> irq0/ipi                    183393879      142
> irq81/em0                  8638587188     6706
> irq83/skc0                 6011660768     4667
> irq80/fxp0                 2292732543     1779

These interrupt numbers don't seem to match up with the above load
numbers.  I'd expect a higher interrupt load.  You could also try to
replace the sk(4) adapter with another em(4) or the like?  I have had
trouble with sk(4) in the past.

> irq64/ahc0                    7012560        5
> irq112/pckbc0                       8        0
> Total                     17390893555    13501
>
> # pfctl -si
>
> State Table                          Total             Rate
>   current entries                     5005
>   searches                     30026832082       441000.4/s

441kpps are quite a load!  And this is with only 5000 connections.  While
FreeBSD can forward 1Mpps and more on commodity hardware 500-700kpps is
probably the limit with (sensible) firewalling.  I'd be surprised if you
could do significantly better with anything else.  N.B. that this could
be improved by using fine grained locking for pf - this is on my TODO
list for quite some time, but I didn't yet get to it.

>   inserts                         406964726         5977.0/s
>   removals                        406959721         5977.0/s
> Counters
>   match                           417436387         6130.8/s
>   bad-offset                              0            0.0/s
>   fragment                            1939            0.0/s
>   short                                154            0.0/s
>   normalize                          34858            0.5/s
>   memory                                 0            0.0/s
>   bad-timestamp                          0            0.0/s
>   congestion                        834349           12.3/s
>   ip-option                             24            0.0/s
>   proto-cksum                         5572            0.1/s
>   state-mismatch                    491286            7.2/s
>
> Proverbs 1:27
>
>     But God chose the foolish things of this world to confound the
> wise; and God chose the weak things of this world to confound the
> strong;
>
> ----- Original message ----
> From: Chris Marlatt <cmarlatt@rxsec.com>
> To: Lorenz Helleis <lorenzhelleis@yahoo.com.br>
> Cc: freebsd-pf@freebsd.org
> Sent: Friday, 7 March 2008 12:26:03
> Subject: Re: Dropped Packets
>
> Lorenz Helleis wrote:
> > hello.
> >
> > I have a firewall with 75.000 simultaneous connections, and I set the
> > limit to 100.000.
> >
> > I think the hardware is OK, but when the traffic on the network
> > increases, some connections are dropped.  I did not increase other
> > values, like table, src-nodes.... How do I know if everything is ok
> > with the other values?
> >
> > What happens if the number of connections touches the limit of 100.000?
> > Will it drop the idle connections? Or what?
>
> From my experience new connections will appear to timeout as PF has no
> more sessions available for new connections. As sessions die off
> organically new connections will be permitted but there is nothing
> actively killing old / idle connections to make way for new sessions if
> the limit is reached.
>
> Depending on how much memory you have you should be fine increasing the
> max session limit. I've had some of my firewalls over 1,000,000
> sessions without a problem.
>
> You may want to check your switch for errors and watch your interface
> (netstat -I IFACE -nd 1) to see when/where your drops are. What kind of
> cpu usage are you seeing when you start dropping the packets?
>
> Regards,
>
>     Chris

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
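The thread's practical question is how to tell, from pfctl's own output, whether the state table is close to its hard limit and whether the counters that spiked (congestion, state-mismatch) are active. The following is an added example, not code from the thread or from the pf project: it parses "pfctl -sm" and "pfctl -si" text (the embedded sample is constructed from the output quoted above) and reports state-table headroom and the watched counters; the 80% warning threshold and the function names are my own choices.

```python
import re

# Constructed sample, trimmed from the pfctl output quoted in this thread.
PFCTL_SM = """\
states        hard limit   100000
src-nodes     hard limit    10000
table-entries hard limit   200000
"""

PFCTL_SI = """\
State Table                          Total             Rate
  current entries                     5005
  searches                     30026832082       441000.4/s
Counters
  memory                                 0            0.0/s
  congestion                        834349           12.3/s
  state-mismatch                    491286            7.2/s
"""

LIMIT_RE = re.compile(r"^(\S+)\s+hard limit\s+(\d+)$")
COUNTER_RE = re.compile(r"^\s+(.+?)\s{2,}(\d+)(?:\s+([\d.]+)/s)?\s*$")


def parse_limits(text):
    """Map each pool in 'pfctl -sm' output (states, src-nodes, ...) to its hard limit."""
    limits = {}
    for line in text.splitlines():
        m = LIMIT_RE.match(line.strip())
        if m:
            limits[m.group(1)] = int(m.group(2))
    return limits


def parse_info(text):
    """Return {counter: (total, rate or None)} for the indented rows of 'pfctl -si'."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = (int(m.group(2)), float(m.group(3)) if m.group(3) else None)
    return counters


def assess(limits, counters, warn_pct=80.0):
    """State-table headroom plus the counters this thread discusses: 'memory' is where
    pf accounts for states it could not allocate, the other two are the ones that spiked."""
    used_pct = 100.0 * counters["current entries"][0] / limits["states"]
    watched = {n: counters[n][1] for n in ("memory", "congestion", "state-mismatch")
               if n in counters and counters[n][0] > 0}
    return {"states_used_pct": round(used_pct, 2),
            "states_near_limit": used_pct >= warn_pct,
            "active_watch_counters": watched}
```

On a live box, feed it the output of the two pfctl commands instead of the constants; a rising "memory" total alongside "states_near_limit" is the signature of the timeouts Chris describes.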