From owner-freebsd-questions@FreeBSD.ORG Sat Oct 28 22:55:23 2006
From: Lane <lane@joeandlane.com>
To: freebsd-questions@freebsd.org
Date: Sat, 28 Oct 2006 17:58:05 -0500
Subject: Re: packet loss to firewall while Internet link is down
Message-Id: <200610281758.06233.lane@joeandlane.com>
User-Agent: KMail/1.9.3
Content-Type: text/plain; charset="iso-8859-1"
X-BeenThere: freebsd-questions@freebsd.org
List-Id: User questions

On Saturday 28 October 2006 17:41, D G Teed wrote:
> Hi all,
>
> When the Internet link goes down, ssh refuses to allow connection from
> within the LAN to our BSD firewall/gateway. An existing ssh connection
> might stay up, but be very sluggish. We run our own DNS, so that can't
> be the reason for timeouts.
>
> When the Internet is down, the CPU load factor on the FreeBSD firewall
> is low, but the number of TCP packets that can't get past the first hop
> is likely high, which might cause some sort of congestion on the machine.
>
> The console is very responsive. mtr to any point on the local LAN from
> the firewall sees 50 to 80% packet loss. However, there is no packet
> loss between other machines on the LAN, and our network guy says the
> router port and cable check out fine.
>
> There are no console error messages providing a clue. netstat -m shows
> the mb_map is about 26% in use while the Internet is down. The machine
> in question is FreeBSD 4.11, running ipfw and acting as a gateway (not
> NAT).
>
> Once the Internet comes back up, ssh in works, and ssh sessions are
> very responsive again.
>
> Is there some kernel variable I can tweak, or some tests I can try the
> next time the Internet goes down and the gateway/firewall drops packets
> on connections to our LAN?
>
> Our operations manager is a Windows guy, and every time he can't ssh
> in, he thinks the firewall needs a reboot, when the real problem is
> that the Internet is down and there is something we need to tweak to
> make it better able to survive local LAN traffic.
>
> --Donald
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

I have the same problem, but I just thought it was NAT somehow interfering.

I've set up a local web server on my router/gateway that lets me do things like check the status of ppp, or view /var/log/messages, and even reboot the server. When I can't get in via ssh (i.e. when the "public" Internet connection is down) the web server, Samba server, DHCP server, DNS server, ftp server, and everything else still responds normally.

It's no answer, but what I did was allow telnet connections via the internal NIC, because even telnet is unaffected. Only ssh causes me a problem.

I'm interested in the answer to this one.

lane
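The one hard number in the thread is the netstat -m reading, and the figure that actually tells you whether the kernel is out of mbufs is not the percentage but the "requests for memory denied" and "delayed" counters printed a few lines below it. The script below is an added example, not code from either poster: it parses FreeBSD 4.x-style netstat -m output (the layout that prints "(N% of mb_map in use)", which the quoted message echoes) and returns a verdict. The function names (mb_map_pct, cluster_peak_pct, denied_requests, mbuf_verdict) and the embedded sample output are mine; the sample is constructed to mirror the 26% reading, not captured from the poster's gateway. With the argument "live" it reads the real netstat -m instead. The tunable that bounds the cluster map on 4.x is kern.ipc.nmbclusters, set from /boot/loader.conf.

```shell
#!/bin/sh
# Added example: decide from FreeBSD 4.x "netstat -m" output whether the
# gateway is actually short of mbufs. Assumes the 4.x text layout shown in
# SAMPLE_NETSTAT_M; the sample itself is constructed for this example.

SAMPLE_NETSTAT_M='280/1024/17280 mbufs in use (current/peak/max):
        280 mbufs allocated to data
278/702/4320 mbuf clusters in use (current/peak/max)
1660 Kbytes allocated to network (26% of mb_map in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines'

# mb_map_pct OUTPUT: print the "% of mb_map in use" figure (e.g. 26).
mb_map_pct() {
    printf '%s\n' "$1" | awk '/of mb_map in use/ {
        sub(/.*\(/, ""); sub(/%.*/, ""); print; exit }'
}

# cluster_peak_pct OUTPUT: peak mbuf-cluster use as a whole percentage of the
# hard maximum (the third field of "current/peak/max"); a peak near 100 means
# the box has already brushed against kern.ipc.nmbclusters.
cluster_peak_pct() {
    printf '%s\n' "$1" | awk '/mbuf clusters in use/ {
        split($1, f, "/"); printf "%d\n", f[2] * 100 / f[3]; exit }'
}

# denied_requests OUTPUT: number of allocation requests the kernel refused.
# Any non-zero value here is genuine mbuf exhaustion, whatever the percentage.
denied_requests() {
    printf '%s\n' "$1" | awk '/requests for memory denied/ { print $1; exit }'
}

# mbuf_verdict OUTPUT [THRESHOLD]: exit status 0 = no sign of mbuf exhaustion,
# 1 = denied allocations seen, 2 = mb_map use at or above THRESHOLD (default
# 80%) but nothing denied yet. A one-line reason is printed in every case.
mbuf_verdict() {
    out=$1
    thresh=${2:-80}
    denied=$(denied_requests "$out")
    pct=$(mb_map_pct "$out")
    if [ "${denied:-0}" -gt 0 ]; then
        echo "mbuf exhaustion: $denied allocation requests denied"
        return 1
    elif [ "${pct:-0}" -ge "$thresh" ]; then
        echo "mb_map at ${pct}%: close to exhaustion, no denials yet"
        return 2
    fi
    echo "mb_map at ${pct}%, peak clusters $(cluster_peak_pct "$out")% of max, no denials"
    return 0
}

# With no argument analyse the constructed sample; with "live" read the kernel.
if [ "${1:-}" = live ]; then
    mbuf_verdict "$(netstat -m)"
else
    mbuf_verdict "$SAMPLE_NETSTAT_M"
fi
```

A reading like the sample (about a quarter of mb_map, zero denied and zero delayed requests) is not mbuf exhaustion, so raising kern.ipc.nmbclusters would not change it; the counters are worth recording at the moment the link is down, since the "peak" column survives the outage but the percentage does not.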