From owner-freebsd-ipfw@FreeBSD.ORG Fri Dec 1 00:44:58 2006 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 7C8D416A407 for ; Fri, 1 Dec 2006 00:44:58 +0000 (UTC) (envelope-from donald.teed@gmail.com) Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.170]) by mx1.FreeBSD.org (Postfix) with ESMTP id D650043CA2 for ; Fri, 1 Dec 2006 00:44:46 +0000 (GMT) (envelope-from donald.teed@gmail.com) Received: by ug-out-1314.google.com with SMTP id o2so2067540uge for ; Thu, 30 Nov 2006 16:44:56 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:mime-version:content-type; b=lCY+CcqgfdE1axT+7BMCS6SjhNLdsi5bDL3v8J5lzjS0clfszfzCucW2RyUPfYt4Ak+VJn+cOvgKs1NeML7wb9zrDWQBRCpUwDnGDyAQp9+6faDReBOLqYycOaCn6oK6jylWD0G2sOyjgHMUb2NevDrdPxT60UuHK72Cs2kT4XM= Received: by 10.78.127.3 with SMTP id z3mr4251947huc.1164933896210; Thu, 30 Nov 2006 16:44:56 -0800 (PST) Received: by 10.78.161.15 with HTTP; Thu, 30 Nov 2006 16:44:56 -0800 (PST) Message-ID: Date: Thu, 30 Nov 2006 20:44:56 -0400 From: "D G Teed" To: "Ian FREISLICH" MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: freebsd-ipfw@freebsd.org, AT Matik Subject: RESOLVED: how to go about diagnosing cause of packet loss X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Dec 2006 00:44:58 -0000 OK, today we resolved the problems with the freebsd firewall. First there was more packet loss than normal. I killed the running ipaudit which usually helped. Packet loss continued. Watching the bandwidth with nload comparing the in of em0 (70 Mbps) with the out of em1 (28Mbps), it was clear there were packets not getting processed. Then I did a 'ipfw disable firewall', and the bandwidth outbound doubled in nload. It exceeded our Internet pipe by 2x. For the first time packet loss was also noticed by the outside of the firewall. Then the network guys put a packet sniffer on our internal traffic and found one notebook which was shooting out the majority of our traffic - mostly mangled packets which did not even register in the bandwidth noted by ipaudit. Only about .5 Gbytes per 30 minutes on udp port 7000 was showing up in ipaudit from this notebook as legit traffic. We blocked that notebook in the router, and ran ipfw and ipaudit as normal. Bandwidth returned to normal levels, input on internal equalled output on external and packet loss went to .5% from 40 to 50%. The fire is out. Thanks for the help here... Regards, --Donald On 11/29/06, D G Teed wrote: > > Hi, > > With some further experimentation, I've concluded > that the real problem is ipaudit. It cannot keep up > with the bandwidth we have. When it is off, there > is next to no packet loss. Thanks for the reply... > > --Donald > > On 11/29/06, Ian FREISLICH wrote: > > > > "D G Teed" wrote: > > > Hi, > > > > > > OK, I think you've helped us prove that ipfw isn't the issue. > > > The packet loss remained with rule 01 of allow ip from any > > > to any. We'll need to measure our bandwidth > > > processed on the box. Thanks for the help. > > > > What version of FreeBSD are you running. I've been experiencing > > wierd packet loss recently, which I suspect is a result of arp > > wierdness or routing table largness. It's a CURRENT box, ~1000 > > hosts behind it, ~1900 routes - not large by any stretch of the > > imagination. Packet loss doesn't seem related to bandwidth. > > > > Ian > > > > -- > > Ian Freislich > > > >