Date: Tue, 27 Sep 2011 19:57:45 +0200
From: Rémy Sanchez <remy.sanchez@hyperthese.net>
To: freebsd-ipfw@freebsd.org
Subject: Random freezes
Message-ID: <201109271958.29919.remy.sanchez@hyperthese.net>
Hi,

Well, I'm not sure that it's the kind of message you'd expect on this mailing list, but I couldn't really find a users mailing list, so here I am.

In short, we (= http://maiznet.fr/) use ipfw for our network, mainly because of dummynet's capabilities, which clearly outperform any other solution for our needs. The network in question is inside a dormitory, to provide Internet to some 150 people. We have:

- 3 WANs (2 ADSL and 1 SDSL). I know, it is quite insufficient, but we can't get more. [re1, re2, re3]
- 1 students network [re0]
- 1 DMZ [re4]
- 1 office network [re5]

Both are on different subnets, and NAT is used a bit everywhere, along with load-balancing. Here is a recent ipfw show: http://pastebin.com/ma3h9FUU

Now everything works fine, except that sometimes, for no reason, it looks like there is a rule that just stops working: sometimes the DNS gets blocked, or some users complain about not having internet at all (including internal routing not working for them)...

Take yesterday's example: packets that were routed through ADSL2 were NATed correctly outgoing, were correctly reverse-NATed incoming, but were not routed to the client. If I added a custom "allow" just after the NAT, it started working again (but the allow should be automatic due to state checking).

The only solution we have so far: we just reload the rules, and everything gets back to normal. Which is a bit unpleasant, I must say...

So, I've fallen short of ideas; does anyone see why some rules just block like that? Maybe we should move to the in-kernel NAT?

Help is much appreciated,

--
Rémy Sanchez
http://hyperthese.net/