From owner-freebsd-pf@FreeBSD.ORG Fri Mar 7 18:16:14 2008
Date: Fri, 7 Mar 2008 10:16:13 -0800 (PST)
From: Lorenz Helleis <lorenzhelleis@yahoo.com.br>
To: Max Laier, freebsd-pf@freebsd.org
Subject: Res: Res: Dropped Packets
Message-ID: <523685.2819.qm@web53701.mail.re2.yahoo.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Max..

The "current entries" value is not 5005; I got that value after "pfctl -d"...

The number of concurrent connections is 70,000.

At the moment my firewall is disabled until I find a solution to this problem. I think I will try to increase the number of states and change the NIC.

I use a Gigabit card; the traffic is 300 Mbps and there are 70,000 concurrent sessions.

And now I'm studying table entries, src-nodes...

Proverbs 1:27

But God chose the foolish things of this world to confound the wise; and God chose the weak things of this world to confound the strong;

----- Original Message ----
From: Max Laier
To: freebsd-pf@freebsd.org
Cc: Lorenz Helleis; Chris Marlatt
Sent: Friday, 7 March 2008 14:55:52
Subject: Re: Res: Dropped Packets

[ please don't top-post ]

On Friday 07 March 2008, Lorenz Helleis wrote:
> I don't think that it is a hardware problem; sometimes the "congestion"
> rate increases to 1500.0/s and the "state-mismatch" rate to 300.0/s. I
> don't know if it is normal...
>
> I think that the connections are being dropped when the number of
> packets on the network increases a lot.
>
> Can you tell me about your firewall? I will need to install a bigger
> one here, and I'm a little afraid to do it. Can you show me some
> configuration? The traffic of your network? Hardware? Connections?
>
> Look at some configurations.... Do I need to increase something?
>
> # pfctl -sm
> states        hard limit   100000
> src-nodes     hard limit    10000
> frags         hard limit     5000
> tables        hard limit     1000
> table-entries hard limit   200000
>
> # top
>
> load averages:  0.20,  0.12,  0.09                                   13:29:40
> 35 processes:  34 idle, 1 on processor
> CPU0 states:  0.6% user,  0.0% nice,  0.7% system,  0.0% interrupt, 98.7% idle
> CPU1 states:  0.1% user,  0.0% nice,  0.2% system,  0.0% interrupt, 99.7% idle
>
> # vmstat -i
>
> interrupt                          total       rate
> irq0/clock                     257506609        199
> irq0/ipi                       183393879        142
> irq81/em0                     8638587188       6706
> irq83/skc0                    6011660768       4667
> irq80/fxp0                    2292732543       1779

These interrupt numbers don't seem to match up with the above load
numbers. I'd expect a higher interrupt load. You could also try to
replace the sk(4) adapter with another em(4) or the like? I have had
trouble with sk(4) in the past.

> irq64/ahc0                       7012560          5
> irq112/pckbc0                          8          0
> Total                        17390893555      13501
>
> # pfctl -si
>
> State Table                     Total             Rate
>   current entries                     5005
>   searches                     30026832082       441000.4/s

441kpps are quite a load! And this is with only 5000 connections. While
FreeBSD can forward 1Mpps and more on commodity hardware, 500-700kpps is
probably the limit with (sensible) firewalling. I'd be surprised if you
could do significantly better with anything else. N.B. that this could
be improved by using fine grained locking for pf - this is on my TODO
list for quite some time, but I didn't yet get to it.

>   inserts                        406964726         5977.0/s
>   removals                       406959721         5977.0/s
> Counters
>   match                          417436387         6130.8/s
>   bad-offset                             0            0.0/s
>   fragment                            1939            0.0/s
>   short                                154            0.0/s
>   normalize                          34858            0.5/s
>   memory                                 0            0.0/s
>   bad-timestamp                          0            0.0/s
>   congestion                        834349           12.3/s
>   ip-option                             24            0.0/s
>   proto-cksum                         5572            0.1/s
>   state-mismatch                    491286            7.2/s
>
> ----- Original Message ----
> From: Chris Marlatt
> To: Lorenz Helleis
> Cc: freebsd-pf@freebsd.org
> Sent: Friday, 7 March 2008 12:26:03
> Subject: Re: Dropped Packets
>
> Lorenz Helleis wrote:
> > Hello.
> >
> > I have a firewall with 75,000 simultaneous connections, and I set the
> > limit to 100,000.
> >
> > I think the hardware is OK, but when the traffic on the network
> > increases, some connections are dropped. I did not increase other
> > values, like table, src-nodes.... How do I know if everything is OK
> > with the other values?
> >
> > What happens if the number of connections touches the limit of 100,000?
> > Will it drop the idle connections? Or what?
>
> From my experience new connections will appear to time out as PF has no
> more sessions available for new connections. As sessions die off
> organically, new connections will be permitted, but there is nothing
> actively killing old / idle connections to make way for new sessions if
> the limit is reached.
>
> Depending on how much memory you have you should be fine increasing the
> max session limit. I've had some of my firewalls over 1,000,000
> sessions without a problem.
>
> You may want to check your switch for errors and watch your interface
> (netstat -I IFACE -nd 1) to see when/where your drops are. What kind of
> CPU usage are you seeing when you start dropping the packets?
>
> Regards,
>
> Chris

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
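The thread's open question is how to tell whether the pf state table is near its hard limit and what the congestion and state-mismatch counters are doing. The script below is an added example, not code from the thread or from pf itself: it parses the text formats of `pfctl -sm` and `pfctl -si` shown above. The sample output is constructed from the figures quoted in the thread (current entries raised to the 75,000 sessions the poster reports) so that it runs offline; on a real firewall the same functions read live `pfctl` output.

```shell
#!/bin/sh
# Added example, not from the thread: parse `pfctl -sm` / `pfctl -si` output
# for state-table use vs. hard limit and the congestion/state-mismatch rates.
# Sample text is constructed from the thread's figures (current entries 75000).

PF_MEMORY='states        hard limit   100000
src-nodes     hard limit    10000'

PF_INFO='State Table                     Total             Rate
  current entries                    75000
  searches                     30026832082       441000.4/s
Counters
  congestion                        834349           12.3/s
  state-mismatch                    491286            7.2/s'

# pf_limit NAME: hard limit of NAME from `pfctl -sm` text on stdin
pf_limit() {
    awk -v n="$1" '$1 == n && $2 == "hard" && $3 == "limit" { print $4 }'
}

# pf_field NAME COL: column COL (1 = total, 2 = rate, "/s" stripped) of the
# `pfctl -si` line labelled NAME (labels may contain spaces), read from stdin
pf_field() {
    awk -v n="$1" -v c="$2" '
        { l = $0; sub(/^[ \t]+/, "", l) }
        index(l, n " ") == 1 {
            split(substr(l, length(n) + 1), f)   # fields after the label
            v = f[c]; sub(/\/s$/, "", v); print v
        }'
}

# pf_state_pct: integer percentage of the states hard limit currently in use
pf_state_pct() {
    cur=$(printf '%s\n' "$PF_INFO" | pf_field "current entries" 1)
    lim=$(printf '%s\n' "$PF_MEMORY" | pf_limit states)
    echo $(( cur * 100 / lim ))
}

# pf_state_status: verdict; per the thread, pf only refuses new states at 100%
pf_state_status() {
    pct=$(pf_state_pct)
    if [ "$pct" -ge 90 ]; then echo "CRITICAL: states at ${pct}% of hard limit"
    elif [ "$pct" -ge 70 ]; then echo "WARNING: states at ${pct}% of hard limit"
    else echo "OK: states at ${pct}% of hard limit"; fi
}

pf_state_status
for c in congestion state-mismatch; do
    printf '%-15s %s/s\n' "$c" "$(printf '%s\n' "$PF_INFO" | pf_field "$c" 2)"
done
```

To watch a live box, replace the two sample variables with `pfctl -sm` and `pfctl -si` output captured in a loop alongside `netstat -I IFACE -nd 1`, so a rise in the counters can be lined up with the interface drops.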