From: Shawn Everett
To: Adrian Penisoara
Cc: freebsd-net@freebsd.org
Date: Thu, 26 Feb 2009 23:41:34 -0800
Subject: Re: FreeBSD Router Problem
In-Reply-To: <78cb3d3f0902261619t71a054fet43779c37e2981603@mail.gmail.com>

> Any error messages in dmesg output ?
> Significant changes in "netstat -m" output before and after ?
> The same for "pfctl -s all" output...

The box has been up for about 12 hours now. As a point of discussion, here is the output from netstat and pfctl in case anything obvious jumps out.

385/905/1290 mbufs in use (current/cache/total)
384/484/868/25600 mbuf clusters in use (current/cache/total/max)
256/384 mbuf+clusters out of packet secondary zone in use (current/cache)
0/44/44/12800 4k (page size) jumbo clusters in use (current/cache/total/max)
0/0/0/6400 9k jumbo clusters in use (current/cache/total/max)
0/0/0/3200 16k jumbo clusters in use (current/cache/total/max)
864K/1370K/2234K bytes allocated to network (current/cache/total)
0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
0/0/0 requests for jumbo clusters denied (4k/9k/16k)
0/5/6656 sfbufs in use (current/peak/max)
0 requests for sfbufs denied
0 requests for sfbufs delayed
0 requests for I/O initiated by sendfile
0 calls to protocol drain routines

# pfctl -s all
No ALTQ support in kernel
ALTQ related functions disabled
TRANSLATION RULES:
nat on ste0 inet from 172.16.3.0/24 to any -> (ste0) round-robin
nat on ste1 inet from 172.16.3.0/24 to any -> (ste1) round-robin

FILTER RULES:
pass out on em0 inet from any to 172.16.3.0/24 flags S/SA keep state
pass in quick on em0 inet from 172.16.3.0/24 to 172.16.3.253 flags S/SA keep state
pass in on em0 route-to { (ste0 204.244.159.254), (ste1 204.244.159.254) } round-robin inet proto tcp from 172.16.3.0/24 to any flags S/SA modulate state
pass in on em0 route-to { (ste0 204.244.159.254), (ste1 204.244.159.254) } round-robin inet proto udp from 172.16.3.0/24 to any keep state
pass in on em0 route-to { (ste0 204.244.159.254), (ste1 204.244.159.254) } round-robin inet proto icmp from 172.16.3.0/24 to any keep state
pass out on ste0 proto tcp all flags S/SA modulate state
pass out on ste0 proto udp all keep state
pass out on ste0 proto icmp all keep state
pass out on ste1 proto tcp all flags S/SA modulate state
pass out on ste1 proto udp all keep state
pass out on ste1 proto icmp all keep state
pass out on ste0 route-to (ste1 204.244.159.254) inet from 204.244.159.55 to any flags S/SA keep state
pass out on ste1 route-to (ste0 204.244.159.254) inet from 204.244.159.68 to any flags S/SA keep state

STATES:
all udp 172.16.3.255:137 <- 172.16.3.17:137       NO_TRAFFIC:SINGLE
all udp 172.16.3.17:137 -> 204.244.159.68:57827 -> 172.16.3.255:137       SINGLE:NO_TRAFFIC
all tcp 10.170.54.1:81 <- 172.16.3.71:3064       CLOSED:SYN_SENT
all tcp 172.16.3.71:3064 -> 204.244.159.55:56563 -> 10.170.54.1:81       SYN_SENT:CLOSED
all tcp 10.170.54.1:81 <- 172.16.3.30:2021       CLOSED:SYN_SENT
all tcp 172.16.3.30:2021 -> 204.244.159.68:54557 -> 10.170.54.1:81       SYN_SENT:CLOSED
all tcp 10.170.54.1:81 <- 172.16.3.72:1414       CLOSED:SYN_SENT
all tcp 172.16.3.72:1414 -> 204.244.159.55:52567 -> 10.170.54.1:81       SYN_SENT:CLOSED
all tcp 10.170.54.1:81 <- 172.16.3.31:2865       CLOSED:SYN_SENT
all tcp 172.16.3.31:2865 -> 204.244.159.68:59429 -> 10.170.54.1:81       SYN_SENT:CLOSED
all tcp 10.170.54.1:81 <- 172.16.3.72:1415       CLOSED:SYN_SENT
all tcp 172.16.3.72:1415 -> 204.244.159.55:61425 -> 10.170.54.1:81       SYN_SENT:CLOSED
all tcp 10.170.54.1:81 <- 172.16.3.49:1914       CLOSED:SYN_SENT
all tcp 172.16.3.49:1914 -> 204.244.159.68:58532 -> 10.170.54.1:81       SYN_SENT:CLOSED
all udp 172.16.3.255:138 <- 172.16.3.39:138       NO_TRAFFIC:SINGLE
all udp 172.16.3.39:138 -> 204.244.159.68:62224 -> 172.16.3.255:138       SINGLE:NO_TRAFFIC
all tcp 64.56.145.72:110 <- 172.16.3.48:1494       FIN_WAIT_2:FIN_WAIT_2
all tcp 172.16.3.48:1494 -> 204.244.159.55:62928 -> 64.56.145.72:110       FIN_WAIT_2:FIN_WAIT_2
all udp 172.16.3.255:137 <- 172.16.3.49:137       NO_TRAFFIC:SINGLE
all udp 172.16.3.49:137 -> 204.244.159.55:61053 -> 172.16.3.255:137       SINGLE:NO_TRAFFIC
all tcp 10.170.54.1:81 <- 172.16.3.37:1508       CLOSED:SYN_SENT
all tcp 172.16.3.37:1508 -> 204.244.159.68:54656 -> 10.170.54.1:81       SYN_SENT:CLOSED
all tcp 10.170.54.1:81 <- 172.16.3.74:3126       CLOSED:SYN_SENT
all tcp 172.16.3.74:3126 -> 204.244.159.55:61282 -> 10.170.54.1:81       SYN_SENT:CLOSED
all tcp 10.170.54.1:81 <- 172.16.3.18:2446       CLOSED:SYN_SENT
all tcp 172.16.3.18:2446 -> 204.244.159.68:58385 -> 10.170.54.1:81       SYN_SENT:CLOSED
all tcp 10.170.54.1:81 <- 172.16.3.73:2057       CLOSED:SYN_SENT
all tcp 172.16.3.73:2057 -> 204.244.159.55:61692 -> 10.170.54.1:81       SYN_SENT:CLOSED
all udp 198.208.22.27:53 <- 172.16.3.74:58071       SINGLE:MULTIPLE
all udp 172.16.3.74:58071 -> 204.244.159.68:54669 -> 198.208.22.27:53       MULTIPLE:SINGLE
all udp 198.208.22.27:53 <- 172.16.3.74:57503       SINGLE:MULTIPLE
all udp 172.16.3.74:57503 -> 204.244.159.55:64923 -> 198.208.22.27:53       MULTIPLE:SINGLE
all udp 198.208.22.27:53 <- 172.16.3.74:51153       SINGLE:MULTIPLE
all udp 172.16.3.74:51153 -> 204.244.159.68:61637 -> 198.208.22.27:53       MULTIPLE:SINGLE
all udp 172.16.3.255:137 <- 172.16.3.74:137       NO_TRAFFIC:SINGLE
all udp 172.16.3.74:137 -> 204.244.159.55:53474 -> 172.16.3.255:137       SINGLE:NO_TRAFFIC
all tcp 10.170.54.1:81 <- 172.16.3.71:3065       CLOSED:SYN_SENT
all tcp 172.16.3.71:3065 -> 204.244.159.68:63354 -> 10.170.54.1:81       SYN_SENT:CLOSED
all tcp 10.170.54.1:81 <- 172.16.3.29:4434       CLOSED:SYN_SENT
all tcp 172.16.3.29:4434 -> 204.244.159.55:62977 -> 10.170.54.1:81       SYN_SENT:CLOSED
all udp 172.16.3.255:137 <- 172.16.3.30:137       NO_TRAFFIC:SINGLE
all udp 172.16.3.30:137 -> 204.244.159.68:61298 -> 172.16.3.255:137       SINGLE:NO_TRAFFIC
all tcp 63.241.234.60:443 <- 172.16.3.37:1509       ESTABLISHED:ESTABLISHED
all tcp 172.16.3.37:1509 -> 204.244.159.68:61873 -> 63.241.234.60:443       ESTABLISHED:ESTABLISHED
all udp 198.208.22.27:53 <- 172.16.3.72:59314       SINGLE:MULTIPLE
all udp 172.16.3.72:59314 -> 204.244.159.55:62186 -> 198.208.22.27:53       MULTIPLE:SINGLE
all udp 198.208.22.27:53 <- 172.16.3.72:55934       SINGLE:MULTIPLE
all udp 172.16.3.72:55934 -> 204.244.159.68:51479 -> 198.208.22.27:53       MULTIPLE:SINGLE
all udp 198.208.22.27:53 <- 172.16.3.72:52983       SINGLE:MULTIPLE
all udp 172.16.3.72:52983 -> 204.244.159.55:55523 -> 198.208.22.27:53       MULTIPLE:SINGLE
all udp 172.16.3.255:137 <- 172.16.3.72:137       NO_TRAFFIC:SINGLE
all udp 172.16.3.72:137 -> 204.244.159.68:58218 -> 172.16.3.255:137       SINGLE:NO_TRAFFIC
all tcp 10.170.54.1:81 <- 172.16.3.31:2868       CLOSED:SYN_SENT
all tcp 172.16.3.31:2868 -> 204.244.159.55:60911 -> 10.170.54.1:81       SYN_SENT:CLOSED
all udp 172.16.3.255:137 <- 172.16.3.77:137       NO_TRAFFIC:SINGLE
all udp 172.16.3.77:137 -> 204.244.159.55:59287 -> 172.16.3.255:137       SINGLE:NO_TRAFFIC
all tcp 10.170.54.1:81 <- 172.16.3.72:1416       CLOSED:SYN_SENT
all tcp 172.16.3.72:1416 -> 204.244.159.68:59828 -> 10.170.54.1:81       SYN_SENT:CLOSED
all tcp 10.170.54.1:81 <- 172.16.3.49:1915       CLOSED:SYN_SENT
all tcp 172.16.3.49:1915 -> 204.244.159.55:64580 -> 10.170.54.1:81       SYN_SENT:CLOSED
all tcp 10.170.54.1:81 <- 172.16.3.29:4435       CLOSED:SYN_SENT
all tcp 172.16.3.29:4435 -> 204.244.159.68:60089 -> 10.170.54.1:81       SYN_SENT:CLOSED
all udp 172.16.3.255:137 <- 172.16.3.8:137       NO_TRAFFIC:SINGLE
all udp 172.16.3.8:137 -> 204.244.159.68:60176 -> 172.16.3.255:137       SINGLE:NO_TRAFFIC
all tcp 10.170.54.1:81 <- 172.16.3.51:3433       CLOSED:SYN_SENT
all tcp 172.16.3.51:3433 -> 204.244.159.55:63158 -> 10.170.54.1:81       SYN_SENT:CLOSED
all tcp 10.170.54.1:81 <- 172.16.3.37:1510       CLOSED:SYN_SENT
all tcp 172.16.3.37:1510 -> 204.244.159.68:63197 -> 10.170.54.1:81       SYN_SENT:CLOSED
all tcp 10.170.54.1:81 <- 172.16.3.74:3127       CLOSED:SYN_SENT
all tcp 172.16.3.74:3127 -> 204.244.159.55:61760 -> 10.170.54.1:81       SYN_SENT:CLOSED
all tcp 10.170.54.1:81 <- 172.16.3.18:2447       CLOSED:SYN_SENT
all tcp 172.16.3.18:2447 -> 204.244.159.68:61951 -> 10.170.54.1:81       SYN_SENT:CLOSED
all tcp 10.170.54.1:81 <- 172.16.3.73:2058       CLOSED:SYN_SENT
all tcp 172.16.3.73:2058 -> 204.244.159.55:53396 -> 10.170.54.1:81       SYN_SENT:CLOSED
all udp 198.208.22.27:53 <- 172.16.3.74:62024       SINGLE:MULTIPLE
all udp 172.16.3.74:62024 -> 204.244.159.55:63136 -> 198.208.22.27:53       MULTIPLE:SINGLE
all tcp 72.14.162.41:80 <- 172.16.3.74:3128       TIME_WAIT:TIME_WAIT
all tcp 172.16.3.74:3128 -> 204.244.159.68:58088 -> 72.14.162.41:80       TIME_WAIT:TIME_WAIT
all tcp 72.14.162.41:80 <- 172.16.3.74:3129       FIN_WAIT_2:FIN_WAIT_2
all tcp 172.16.3.74:3129 -> 204.244.159.55:62718 -> 72.14.162.41:80       FIN_WAIT_2:FIN_WAIT_2
all udp 172.16.3.255:138 <- 172.16.3.71:138       NO_TRAFFIC:SINGLE
all udp 172.16.3.71:138 -> 204.244.159.68:52993 -> 172.16.3.255:138       SINGLE:NO_TRAFFIC
all tcp 10.170.54.1:81 <- 172.16.3.71:3066       CLOSED:SYN_SENT
all tcp 172.16.3.71:3066 -> 204.244.159.68:50898 -> 10.170.54.1:81       SYN_SENT:CLOSED

INFO:
Status: Enabled for 0 days 11:42:09           Debug: Urgent

State Table                          Total             Rate
  current entries                       84
  searches                         4907040          116.5/s
  inserts                           131271            3.1/s
  removals                          131187            3.1/s
Counters
  match                             157214            3.7/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                 40            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            2            0.0/s
  state-mismatch                       215            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start             6000 states
adaptive.end              12000 states
src.track                     0s

LIMITS:
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000

TABLES:

OS FINGERPRINTS:
696 fingerprints loaded
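An added helper, not part of the post or of pf itself: it parses state lines in the format shown above (the "A <- B" inbound entry and the "A -> NAT -> B" outbound entry that pf keeps for each flow) and tallies half-open TCP flows per destination and TCP flows per NAT source address, which is what a reader checks first when a table like this is full of SYN_SENT entries behind a round-robin NAT. The sample entries are copied from the post; the function names are my own.

```python
import re
from collections import Counter

# One `pfctl -s state` line as printed in the post: "<if> <proto> A <- B STATE" for
# the inbound side, "<if> <proto> A -> NAT -> B STATE" for the outbound side after
# NAT (the middle hop is absent when no translation applies to the flow).
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<a>\S+)\s+(?P<dir><-|->)\s+(?P<b>\S+)"
    r"(?:\s+->\s+(?P<c>\S+))?\s+(?P<state>\S+:\S+)$"
)

def parse_state_line(line):
    """Return {proto, src, dst, nat, dir, state} for one line, or None if unparsable."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    if d["dir"] == "->":
        src, nat, dst = d["a"], (d["b"] if d["c"] else None), (d["c"] or d["b"])
    else:  # "<-": the left-hand endpoint is the server the client was reaching
        src, nat, dst = d["b"], None, d["a"]
    return {"proto": d["proto"], "src": src, "dst": dst, "nat": nat,
            "dir": d["dir"], "state": d["state"]}

def summarize(lines):
    """Half-open TCP flows per destination, and TCP flows per NAT address.
    Only the outbound ('->') entry is counted, so each flow is counted once."""
    half_open, nat_use = Counter(), Counter()
    for line in lines:
        s = parse_state_line(line)
        if s is None or s["proto"] != "tcp" or s["dir"] != "->":
            continue
        if s["nat"]:
            nat_use[s["nat"].rsplit(":", 1)[0]] += 1   # strip the NAT source port
        if "SYN_SENT" in s["state"]:
            half_open[s["dst"]] += 1
    return dict(half_open), dict(nat_use)

# Constructed sample: a few entries copied from the state table in the post.
SAMPLE = """\
all tcp 10.170.54.1:81 <- 172.16.3.71:3064 CLOSED:SYN_SENT
all tcp 172.16.3.71:3064 -> 204.244.159.55:56563 -> 10.170.54.1:81 SYN_SENT:CLOSED
all tcp 10.170.54.1:81 <- 172.16.3.30:2021 CLOSED:SYN_SENT
all tcp 172.16.3.30:2021 -> 204.244.159.68:54557 -> 10.170.54.1:81 SYN_SENT:CLOSED
all udp 198.208.22.27:53 <- 172.16.3.74:58071 SINGLE:MULTIPLE
all udp 172.16.3.74:58071 -> 204.244.159.68:54669 -> 198.208.22.27:53 MULTIPLE:SINGLE
all tcp 63.241.234.60:443 <- 172.16.3.37:1509 ESTABLISHED:ESTABLISHED
all tcp 172.16.3.37:1509 -> 204.244.159.68:61873 -> 63.241.234.60:443 ESTABLISHED:ESTABLISHED
"""
```

Feed it the full STATES section (for example `summarize(open("states.txt").read().splitlines())`) to see which destination the half-open flows pile up on and whether both NAT addresses are being used.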