From: Rémy Sanchez <remy.sanchez@hyperthese.net>
To: freebsd-ipfw@freebsd.org
Date: Tue, 27 Sep 2011 19:57:45 +0200
Subject: Random freezes
List-Id: IPFW Technical Discussions

Hi,

Well, I'm not sure that it's the kind of message you'd expect on this mailing list, but I couldn't really find a users mailing list, so here I am.

In short, we (= http://maiznet.fr/) use ipfw for our network, mainly because of dummynet's capabilities, which clearly outperform any other solution for our needs. The network in question is inside a dormitory, to provide Internet to some 150 people. We have:

- 3 WAN (2 ADSL and 1 SDSL). I know, it is quite insufficient, but we can't get more. [re1, re2, re3]
- 1 student network [re0]
- 1 DMZ [re4]
- 1 office network [re5]

All are on different subnets, and NAT is used a bit everywhere, along with load-balancing. Here is a recent ipfw show: http://pastebin.com/ma3h9FUU

Now everything works fine, except that sometimes, for no reason, it looks like there is a rule that just stops working: sometimes the DNS gets blocked, or some users complain about not having Internet at all (including internal routing not working for them)...

Take yesterday's example: packets that were routed through ADSL2 were NATed correctly outgoing, were correctly reverse-NATed incoming, but were not routed to the client. If I added a custom "allow" just after the NAT, it started working again (but the allow should be automatic due to state checking).

The only solution we have so far: we just reload the rules, and everything gets back to normal. Which is a bit unpleasant, I must say...

So, I've fallen short of ideas. Does anyone see why some rules just block like that? Maybe we should move to the in-kernel NAT?

Help is much appreciated,
-- 
Rémy Sanchez
http://hyperthese.net/
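A counter-diff check for the "rule that just stops working" symptom described above, added here as an example and not part of Rémy's post or of the ipfw tooling: it compares two `ipfw show` snapshots taken a few seconds apart and reports which rules stopped matching and which blocking rules picked up the traffic. The embedded snapshots are constructed to resemble the described setup (natd divert on re2, stateful rules, default deny); the divert port, the 10.0.0.0/24 prefix and every counter value are made up, not taken from the pastebin ruleset.

```shell
#!/bin/sh
# Added example, not from the original post: diff two `ipfw show` snapshots
# taken a few seconds apart and report how many packets each rule matched in
# between.  A rule whose counter stands still while its neighbours keep
# counting, or a deny that starts counting, shows where "stuck" traffic goes.
# Assumption: snapshots are unmodified `ipfw show` output (rule pkts bytes body).

# Print "rule delta body" for every rule present in both snapshots.
ipfw_delta() {
    awk '
        NR == FNR { if ($1 ~ /^[0-9]+$/) before[$1] = $2; next }
        $1 ~ /^[0-9]+$/ && ($1 in before) {
            body = $4; for (i = 5; i <= NF; i++) body = body " " $i
            printf "%s %d %s\n", $1, $2 - before[$1], body
        }' "$1" "$2"
}

# Rules that matched nothing between the snapshots: candidates for the "rule
# that just stops working" (idle rules appear too; read with the deltas).
stalled_rules() {
    ipfw_delta "$1" "$2" | awk '$2 == 0 { print $1 }'
}

# Blocking rules whose counter advanced: the packets that "disappeared"
# after NAT were most likely consumed here.
active_denies() {
    ipfw_delta "$1" "$2" | awk '$2 > 0 && $3 ~ /^(deny|drop|reject|reset|unreach)$/ { print $1 }'
}

# Constructed snapshots mimicking the reported situation: the divert/NAT
# rule on re2 keeps counting, the stateful rules stop matching, and the
# default deny at 65535 absorbs the difference.
BEFORE=$(mktemp); AFTER=$(mktemp); trap 'rm -f "$BEFORE" "$AFTER"' EXIT
cat > "$BEFORE" <<'EOF'
00100      5123     612000 allow ip from any to any via lo0
00200    480211  402110000 divert 8668 ip from any to any via re2
00300     61234   41200000 check-state
00400     22011   18000000 allow ip from 10.0.0.0/24 to any out via re2 keep-state
65535      2200     140000 deny ip from any to any
EOF
cat > "$AFTER" <<'EOF'
00100      5201     618000 allow ip from any to any via lo0
00200    486901  408000000 divert 8668 ip from any to any via re2
00300     61234   41200000 check-state
00400     22011   18000000 allow ip from 10.0.0.0/24 to any out via re2 keep-state
65535      9012     620000 deny ip from any to any
EOF
echo "deltas:";  ipfw_delta "$BEFORE" "$AFTER"
echo "stalled:"; stalled_rules "$BEFORE" "$AFTER"
echo "denying:"; active_denies "$BEFORE" "$AFTER"
```

On the real box the two files would be `ipfw show > before; sleep 10; ipfw show > after`; the pairing of a stalled check-state/keep-state rule with a growing deny counter is what to look for before reloading the rules.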