Date:      Thu, 26 Feb 2009 23:41:34 -0800
From:      Shawn Everett <shawn@tandac.com>
To:        Adrian Penisoara <ady@freebsd.ady.ro>
Cc:        freebsd-net@freebsd.org
Subject:   Re: FreeBSD Router Problem
Message-ID:  <200902262341.35069.shawn@tandac.com>
In-Reply-To: <78cb3d3f0902261619t71a054fet43779c37e2981603@mail.gmail.com>
References:  <3650.206.108.16.89.1235691792.squirrel@alder.hosix.com> <3853.206.108.16.89.1235693214.squirrel@alder.hosix.com> <78cb3d3f0902261619t71a054fet43779c37e2981603@mail.gmail.com>

>  Any error messages in dmesg output ?
>  Significant changes in "netstat -m" output before and after ?
>  The same for "pfctl -s all" output...

The box has been up for about 12 hours now.  As a point of discussion, here
is the output from netstat and pfctl in case anything obvious jumps out.

385/905/1290 mbufs in use (current/cache/total)
384/484/868/25600 mbuf clusters in use (current/cache/total/max)
256/384 mbuf+clusters out of packet secondary zone in use (current/cache)
0/44/44/12800 4k (page size) jumbo clusters in use (current/cache/total/max)
0/0/0/6400 9k jumbo clusters in use (current/cache/total/max)
0/0/0/3200 16k jumbo clusters in use (current/cache/total/max)
864K/1370K/2234K bytes allocated to network (current/cache/total)
0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
0/0/0 requests for jumbo clusters denied (4k/9k/16k)
0/5/6656 sfbufs in use (current/peak/max)
0 requests for sfbufs denied
0 requests for sfbufs delayed
0 requests for I/O initiated by sendfile
0 calls to protocol drain routines


# pfctl -s all
No ALTQ support in kernel
ALTQ related functions disabled
TRANSLATION RULES:
nat on ste0 inet from 172.16.3.0/24 to any -> (ste0) round-robin
nat on ste1 inet from 172.16.3.0/24 to any -> (ste1) round-robin

FILTER RULES:
pass out on em0 inet from any to 172.16.3.0/24 flags S/SA keep state
pass in quick on em0 inet from 172.16.3.0/24 to 172.16.3.253 flags S/SA keep state
pass in on em0 route-to { (ste0 204.244.159.254), (ste1 204.244.159.254) } round-robin inet proto tcp from 172.16.3.0/24 to any flags S/SA modulate state
pass in on em0 route-to { (ste0 204.244.159.254), (ste1 204.244.159.254) } round-robin inet proto udp from 172.16.3.0/24 to any keep state
pass in on em0 route-to { (ste0 204.244.159.254), (ste1 204.244.159.254) } round-robin inet proto icmp from 172.16.3.0/24 to any keep state
pass out on ste0 proto tcp all flags S/SA modulate state
pass out on ste0 proto udp all keep state
pass out on ste0 proto icmp all keep state
pass out on ste1 proto tcp all flags S/SA modulate state
pass out on ste1 proto udp all keep state
pass out on ste1 proto icmp all keep state
pass out on ste0 route-to (ste1 204.244.159.254) inet from 204.244.159.55 to any flags S/SA keep state
pass out on ste1 route-to (ste0 204.244.159.254) inet from 204.244.159.68 to any flags S/SA keep state

STATES:
all udp 172.16.3.255:137 <- 172.16.3.17:137       NO_TRAFFIC:SINGLE
all udp 172.16.3.17:137 -> 204.244.159.68:57827 -> 172.16.3.255:137       SINGLE:NO_TRAFFIC
all tcp 10.170.54.1:81 <- 172.16.3.71:3064       CLOSED:SYN_SENT
all tcp 172.16.3.71:3064 -> 204.244.159.55:56563 -> 10.170.54.1:81       SYN_SENT:CLOSED
all tcp 10.170.54.1:81 <- 172.16.3.30:2021       CLOSED:SYN_SENT
all tcp 172.16.3.30:2021 -> 204.244.159.68:54557 -> 10.170.54.1:81       SYN_SENT:CLOSED
all tcp 10.170.54.1:81 <- 172.16.3.72:1414       CLOSED:SYN_SENT
all tcp 172.16.3.72:1414 -> 204.244.159.55:52567 -> 10.170.54.1:81       SYN_SENT:CLOSED
all tcp 10.170.54.1:81 <- 172.16.3.31:2865       CLOSED:SYN_SENT
all tcp 172.16.3.31:2865 -> 204.244.159.68:59429 -> 10.170.54.1:81       SYN_SENT:CLOSED
all tcp 10.170.54.1:81 <- 172.16.3.72:1415       CLOSED:SYN_SENT
all tcp 172.16.3.72:1415 -> 204.244.159.55:61425 -> 10.170.54.1:81       SYN_SENT:CLOSED
all tcp 10.170.54.1:81 <- 172.16.3.49:1914       CLOSED:SYN_SENT
all tcp 172.16.3.49:1914 -> 204.244.159.68:58532 -> 10.170.54.1:81       SYN_SENT:CLOSED
all udp 172.16.3.255:138 <- 172.16.3.39:138       NO_TRAFFIC:SINGLE
all udp 172.16.3.39:138 -> 204.244.159.68:62224 -> 172.16.3.255:138       SINGLE:NO_TRAFFIC
all tcp 64.56.145.72:110 <- 172.16.3.48:1494       FIN_WAIT_2:FIN_WAIT_2
all tcp 172.16.3.48:1494 -> 204.244.159.55:62928 -> 64.56.145.72:110       FIN_WAIT_2:FIN_WAIT_2
all udp 172.16.3.255:137 <- 172.16.3.49:137       NO_TRAFFIC:SINGLE
all udp 172.16.3.49:137 -> 204.244.159.55:61053 -> 172.16.3.255:137       SINGLE:NO_TRAFFIC
all tcp 10.170.54.1:81 <- 172.16.3.37:1508       CLOSED:SYN_SENT
all tcp 172.16.3.37:1508 -> 204.244.159.68:54656 -> 10.170.54.1:81       SYN_SENT:CLOSED
all tcp 10.170.54.1:81 <- 172.16.3.74:3126       CLOSED:SYN_SENT
all tcp 172.16.3.74:3126 -> 204.244.159.55:61282 -> 10.170.54.1:81       SYN_SENT:CLOSED
all tcp 10.170.54.1:81 <- 172.16.3.18:2446       CLOSED:SYN_SENT
all tcp 172.16.3.18:2446 -> 204.244.159.68:58385 -> 10.170.54.1:81       SYN_SENT:CLOSED
all tcp 10.170.54.1:81 <- 172.16.3.73:2057       CLOSED:SYN_SENT
all tcp 172.16.3.73:2057 -> 204.244.159.55:61692 -> 10.170.54.1:81       SYN_SENT:CLOSED
all udp 198.208.22.27:53 <- 172.16.3.74:58071       SINGLE:MULTIPLE
all udp 172.16.3.74:58071 -> 204.244.159.68:54669 -> 198.208.22.27:53       MULTIPLE:SINGLE
all udp 198.208.22.27:53 <- 172.16.3.74:57503       SINGLE:MULTIPLE
all udp 172.16.3.74:57503 -> 204.244.159.55:64923 -> 198.208.22.27:53       MULTIPLE:SINGLE
all udp 198.208.22.27:53 <- 172.16.3.74:51153       SINGLE:MULTIPLE
all udp 172.16.3.74:51153 -> 204.244.159.68:61637 -> 198.208.22.27:53       MULTIPLE:SINGLE
all udp 172.16.3.255:137 <- 172.16.3.74:137       NO_TRAFFIC:SINGLE
all udp 172.16.3.74:137 -> 204.244.159.55:53474 -> 172.16.3.255:137       SINGLE:NO_TRAFFIC
all tcp 10.170.54.1:81 <- 172.16.3.71:3065       CLOSED:SYN_SENT
all tcp 172.16.3.71:3065 -> 204.244.159.68:63354 -> 10.170.54.1:81       SYN_SENT:CLOSED
all tcp 10.170.54.1:81 <- 172.16.3.29:4434       CLOSED:SYN_SENT
all tcp 172.16.3.29:4434 -> 204.244.159.55:62977 -> 10.170.54.1:81       SYN_SENT:CLOSED
all udp 172.16.3.255:137 <- 172.16.3.30:137       NO_TRAFFIC:SINGLE
all udp 172.16.3.30:137 -> 204.244.159.68:61298 -> 172.16.3.255:137       SINGLE:NO_TRAFFIC
all tcp 63.241.234.60:443 <- 172.16.3.37:1509       ESTABLISHED:ESTABLISHED
all tcp 172.16.3.37:1509 -> 204.244.159.68:61873 -> 63.241.234.60:443       ESTABLISHED:ESTABLISHED
all udp 198.208.22.27:53 <- 172.16.3.72:59314       SINGLE:MULTIPLE
all udp 172.16.3.72:59314 -> 204.244.159.55:62186 -> 198.208.22.27:53       MULTIPLE:SINGLE
all udp 198.208.22.27:53 <- 172.16.3.72:55934       SINGLE:MULTIPLE
all udp 172.16.3.72:55934 -> 204.244.159.68:51479 -> 198.208.22.27:53       MULTIPLE:SINGLE
all udp 198.208.22.27:53 <- 172.16.3.72:52983       SINGLE:MULTIPLE
all udp 172.16.3.72:52983 -> 204.244.159.55:55523 -> 198.208.22.27:53       MULTIPLE:SINGLE
all udp 172.16.3.255:137 <- 172.16.3.72:137       NO_TRAFFIC:SINGLE
all udp 172.16.3.72:137 -> 204.244.159.68:58218 -> 172.16.3.255:137       SINGLE:NO_TRAFFIC
all tcp 10.170.54.1:81 <- 172.16.3.31:2868       CLOSED:SYN_SENT
all tcp 172.16.3.31:2868 -> 204.244.159.55:60911 -> 10.170.54.1:81       SYN_SENT:CLOSED
all udp 172.16.3.255:137 <- 172.16.3.77:137       NO_TRAFFIC:SINGLE
all udp 172.16.3.77:137 -> 204.244.159.55:59287 -> 172.16.3.255:137       SINGLE:NO_TRAFFIC
all tcp 10.170.54.1:81 <- 172.16.3.72:1416       CLOSED:SYN_SENT
all tcp 172.16.3.72:1416 -> 204.244.159.68:59828 -> 10.170.54.1:81       SYN_SENT:CLOSED
all tcp 10.170.54.1:81 <- 172.16.3.49:1915       CLOSED:SYN_SENT
all tcp 172.16.3.49:1915 -> 204.244.159.55:64580 -> 10.170.54.1:81       SYN_SENT:CLOSED
all tcp 10.170.54.1:81 <- 172.16.3.29:4435       CLOSED:SYN_SENT
all tcp 172.16.3.29:4435 -> 204.244.159.68:60089 -> 10.170.54.1:81       SYN_SENT:CLOSED
all udp 172.16.3.255:137 <- 172.16.3.8:137       NO_TRAFFIC:SINGLE
all udp 172.16.3.8:137 -> 204.244.159.68:60176 -> 172.16.3.255:137       SINGLE:NO_TRAFFIC
all tcp 10.170.54.1:81 <- 172.16.3.51:3433       CLOSED:SYN_SENT
all tcp 172.16.3.51:3433 -> 204.244.159.55:63158 -> 10.170.54.1:81       SYN_SENT:CLOSED
all tcp 10.170.54.1:81 <- 172.16.3.37:1510       CLOSED:SYN_SENT
all tcp 172.16.3.37:1510 -> 204.244.159.68:63197 -> 10.170.54.1:81       SYN_SENT:CLOSED
all tcp 10.170.54.1:81 <- 172.16.3.74:3127       CLOSED:SYN_SENT
all tcp 172.16.3.74:3127 -> 204.244.159.55:61760 -> 10.170.54.1:81       SYN_SENT:CLOSED
all tcp 10.170.54.1:81 <- 172.16.3.18:2447       CLOSED:SYN_SENT
all tcp 172.16.3.18:2447 -> 204.244.159.68:61951 -> 10.170.54.1:81       SYN_SENT:CLOSED
all tcp 10.170.54.1:81 <- 172.16.3.73:2058       CLOSED:SYN_SENT
all tcp 172.16.3.73:2058 -> 204.244.159.55:53396 -> 10.170.54.1:81       SYN_SENT:CLOSED
all udp 198.208.22.27:53 <- 172.16.3.74:62024       SINGLE:MULTIPLE
all udp 172.16.3.74:62024 -> 204.244.159.55:63136 -> 198.208.22.27:53       MULTIPLE:SINGLE
all tcp 72.14.162.41:80 <- 172.16.3.74:3128       TIME_WAIT:TIME_WAIT
all tcp 172.16.3.74:3128 -> 204.244.159.68:58088 -> 72.14.162.41:80       TIME_WAIT:TIME_WAIT
all tcp 72.14.162.41:80 <- 172.16.3.74:3129       FIN_WAIT_2:FIN_WAIT_2
all tcp 172.16.3.74:3129 -> 204.244.159.55:62718 -> 72.14.162.41:80       FIN_WAIT_2:FIN_WAIT_2
all udp 172.16.3.255:138 <- 172.16.3.71:138       NO_TRAFFIC:SINGLE
all udp 172.16.3.71:138 -> 204.244.159.68:52993 -> 172.16.3.255:138       SINGLE:NO_TRAFFIC
all tcp 10.170.54.1:81 <- 172.16.3.71:3066       CLOSED:SYN_SENT
all tcp 172.16.3.71:3066 -> 204.244.159.68:50898 -> 10.170.54.1:81       SYN_SENT:CLOSED

INFO:
Status: Enabled for 0 days 11:42:09           Debug: Urgent

State Table                          Total             Rate
  current entries                       84               
  searches                         4907040          116.5/s
  inserts                           131271            3.1/s
  removals                          131187            3.1/s
Counters
  match                             157214            3.7/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                 40            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            2            0.0/s
  state-mismatch                       215            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start             6000 states
adaptive.end              12000 states
src.track                     0s

LIMITS:
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000

TABLES:

OS FINGERPRINTS:
696 fingerprints loaded



