From: Lorenz Helleis <lorenzhelleis@yahoo.com.br>
To: Chris Marlatt
Cc: freebsd-pf@freebsd.org
Date: Fri, 7 Mar 2008 08:39:32 -0800 (PST)
Subject: Res: Dropped Packets
Message-ID: <745345.9793.qm@web53704.mail.re2.yahoo.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

I don't think that it is a hardware problem; sometimes the "congestion" rate increases to 1500.0/s and the "state-mismatch" to 300.0/s. I don't know if it is normal...
I think that the connections are being dropped when the number of packets on the network increases a lot.

Can you tell me about your firewall? I will need to install a bigger one here, and I'm a little afraid to do it. Can you show me some configuration? The traffic of your network? Hardware? Connections?

Look at some configurations.... Do I need to increase something?

# pfctl -sm
states        hard limit   100000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000

# top
load averages:  0.20,  0.12,  0.09                                   13:29:40
35 processes:  34 idle, 1 on processor
CPU0 states:  0.6% user,  0.0% nice,  0.7% system,  0.0% interrupt, 98.7% idle
CPU1 states:  0.1% user,  0.0% nice,  0.2% system,  0.0% interrupt, 99.7% idle

# vmstat -i
interrupt                          total       rate
irq0/clock                     257506609        199
irq0/ipi                       183393879        142
irq81/em0                     8638587188       6706
irq83/skc0                    6011660768       4667
irq80/fxp0                    2292732543       1779
irq64/ahc0                       7012560          5
irq112/pckbc0                          8          0
Total                        17390893555      13501

# pfctl -si
State Table                          Total             Rate
  current entries                     5005
  searches                     30026832082       441000.4/s
  inserts                        406964726         5977.0/s
  removals                       406959721         5977.0/s
Counters
  match                          417436387         6130.8/s
  bad-offset                             0            0.0/s
  fragment                            1939            0.0/s
  short                                154            0.0/s
  normalize                          34858            0.5/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                        834349           12.3/s
  ip-option                             24            0.0/s
  proto-cksum                         5572            0.1/s
  state-mismatch                    491286            7.2/s

Proverbs 1:27

But God chose the foolish things of this world to confound the wise; and God chose the weak things of this world to confound the strong;

----- Original Message ----
From: Chris Marlatt
To: Lorenz Helleis
Cc: freebsd-pf@freebsd.org
Sent: Friday, 7 March 2008 12:26:03
Subject: Re: Dropped Packets

Lorenz Helleis wrote:
> hello.
> 
> I have a firewall with 75.000 simultaneous connections, and I set the limit to 100.000.
> 
> I think the hardware is OK, but when the traffic on the network increases, some connections are dropped. I did not increase the other values, like tables, src-nodes.... How do I know if everything is OK with the other values?
> 
> What happens if the number of connections touches the limit of 100.000? Will it drop the idle connections? Or what?
> 

From my experience new connections will appear to time out, as PF has no more sessions available for new connections. As sessions die off organically, new connections will be permitted, but there is nothing actively killing old / idle connections to make way for new sessions if the limit is reached.

Depending on how much memory you have, you should be fine increasing the max session limit. I've had some of my firewalls over 1,000,000 sessions without a problem.

You may want to check your switch for errors and watch your interface (netstat -I IFACE -nd 1) to see when/where your drops are. What kind of CPU usage are you seeing when you start dropping the packets?

Regards,

    Chris
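Chris's point is that pf does not evict idle states when the hard limit is reached, so the figures worth watching are the current entries against the "states" hard limit, plus counters such as congestion that Lorenz sees climbing. The POSIX sh script below is an added example, not code from either poster: it parses the pfctl -sm and pfctl -si output formats shown in the thread (the embedded samples are constructed from Lorenz's figures) and warns when the table is near its limit or the congestion rate exceeds a threshold; the two thresholds and the "pfctl -sm" / "pfctl -si" substitution are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): parse `pfctl -sm` / `pfctl -si` output and
# warn when the state table nears its hard limit (new states then time out, as
# Chris describes) or the congestion counter rate passes a threshold.
# Samples are constructed from Lorenz's figures; on a live firewall, pass
# "$(pfctl -sm)" and "$(pfctl -si)" instead (assumed usage).
PFCTL_SM_SAMPLE='states        hard limit   100000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000'
PFCTL_SI_SAMPLE='State Table                          Total             Rate
  current entries                     5005
  inserts                        406964726         5977.0/s
  removals                       406959721         5977.0/s
Counters
  congestion                        834349           12.3/s
  state-mismatch                    491286            7.2/s'
# state_limit <pfctl -sm output>: hard limit of the "states" row
state_limit() {
    printf '%s\n' "$1" | awk '$1 == "states" { print $NF }'
}
# state_entries <pfctl -si output>: current state-table entry count
state_entries() {
    printf '%s\n' "$1" | awk '$1 == "current" && $2 == "entries" { print $3 }'
}
# counter_rate <pfctl -si output> <counter name>: per-second rate without the "/s"
counter_rate() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n { sub("/s$", "", $NF); print $NF }'
}
# state_check <sm output> <si output> <warn percent> <max congestion rate>
# Prints one line per finding; exit status 1 when anything needs attention.
state_check() {
    limit=$(state_limit "$1"); cur=$(state_entries "$2"); cong=$(counter_rate "$2" congestion)
    pct=$(( cur * 100 / limit )); status=0
    if [ "$pct" -ge "$3" ]; then
        echo "WARN: state table at ${pct}% of hard limit ($cur/$limit); new connections time out at 100%"
        status=1
    fi
    # rates are fractional, so compare them in awk (sh arithmetic is integer only)
    if awk -v c="$cong" -v m="$4" 'BEGIN { exit !(c > m) }'; then
        echo "WARN: congestion rate ${cong}/s exceeds ${4}/s (packets dropped for interface queue congestion)"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: $cur/$limit states (${pct}%), congestion ${cong}/s"
    return "$status"
}
```

Run it from cron against the live pfctl output and alert on a non-zero exit; the same parser works for the state-mismatch counter by passing that name to counter_rate.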