Thread: Res: Res: Dropped Packets




Res: Res: Dropped Packets
Lorenz Helleis
Brazil
2008-03-07 12:16:13
Max..

The current entries value is not 5005.  I got this value after
"pfctl -d"...
The number of concurrent connections is 70,000.


At this moment my firewall is disabled until I find a solution to
this problem.  I think I will try to increase the number of states and
change the NIC.

I use a Gigabit card, the traffic is 300 Mb/s and the concurrent
sessions 70,000.

And now I'm studying table entries, src-nodes...


Proverbs 1:27

    But God chose the foolish things of this world to confound the
wise; and God chose the weak things of this world to confound the
strong;

----- Original message ----
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org
Cc: Lorenz Helleis <lorenzhelleis@yahoo.com.br>; Chris Marlatt <cmarlatt@rxsec.com>
Sent: Friday, 7 March 2008 14:55:52
Subject: Re: Res: Dropped Packets
[ please don't top-post ]

On Friday 07 March 2008, Lorenz Helleis wrote:
> I don't think that is a hardware problem, sometimes the "congestion
> rate" increases to 1500.0/s and the "state-mismatch" to 300.0/s.. I
> don't know if it is normal...
>
> I think that the connections are being dropped when the number of
> packets on the network increases a lot.
>
>
>
> Can you tell me about your firewall?  I will need to install a bigger
> one here, and I'm a little afraid to.  Can you show me some
> configuration?  The traffic of your network?  Hardware?  Connections?
>
> Look at some configuration.... do I need to increase something?
>
>
> # pfctl -sm
> states        hard limit   100000
> src-nodes     hard limit    10000
> frags         hard limit     5000
> tables        hard limit     1000
> table-entries hard limit   200000
>
>
> # top
>
> load averages:  0.20,  0.12,  0.09                    13:29:40
> 35 processes:  34 idle, 1 on processor
> CPU0 states:  0.6% user,  0.0% nice,  0.7% system,  0.0% interrupt, 98.7% idle
> CPU1 states:  0.1% user,  0.0% nice,  0.2% system,  0.0% interrupt, 99.7% idle
>
> # vmstat -i
>
> interrupt                       total     rate
> irq0/clock                  257506609      199
> irq0/ipi                    183393879      142
> irq81/em0                  8638587188     6706
> irq83/skc0                 6011660768     4667
> irq80/fxp0                 2292732543     1779

These interrupt numbers don't seem to match up with the above load
numbers.  I'd expect a higher interrupt load.  You could also try to
replace the sk(4) adapter with another em(4) or the like?  I have had
trouble with sk(4) in the past.

> irq64/ahc0                    7012560        5
> irq112/pckbc0                       8        0
> Total                     17390893555    13501
>
> # pfctl -si
>
> State Table                          Total             Rate
>   current entries                     5005
>   searches                     30026832082       441000.4/s

441kpps are quite a load!  And this is with only 5000 connections.  While
FreeBSD can forward 1Mpps and more on commodity hardware 500-700kpps is
probably the limit with (sensible) firewalling.  I'd be surprised if you
could do significantly better with anything else.  N.B. that this could
be improved by using fine grained locking for pf - this is on my TODO
list for quite some time, but I didn't yet get to it.

>   inserts                        406964726         5977.0/s
>   removals                       406959721         5977.0/s
> Counters
>   match                          417436387         6130.8/s
>   bad-offset                             0            0.0/s
>   fragment                            1939            0.0/s
>   short                                154            0.0/s
>   normalize                          34858            0.5/s
>   memory                                 0            0.0/s
>   bad-timestamp                          0            0.0/s
>   congestion                        834349           12.3/s
>   ip-option                             24            0.0/s
>   proto-cksum                         5572            0.1/s
>   state-mismatch                    491286            7.2/s
>
>
>
>
>
> Proverbs 1:27
>
>     But God chose the foolish things of this world to confound the
> wise; and God chose the weak things of this world to confound the
> strong;
>
> ----- Original message ----
> From: Chris Marlatt <cmarlatt@rxsec.com>
> To: Lorenz Helleis <lorenzhelleis@yahoo.com.br>
> Cc: freebsd-pf@freebsd.org
> Sent: Friday, 7 March 2008 12:26:03
> Subject: Re: Dropped Packets
>
> Lorenz Helleis wrote:
> > Hello.
> >
> > I have a firewall with 75,000 simultaneous connections, and I set the
> > limit to 100,000.
> >
> > I think the hardware is OK, but when the traffic on the network
> > increases, some connections are dropped.  I did not increase other
> > values, like table, src-nodes.... How do I know if everything is OK
> > with the other values?
> >
> > What happens if the number of connections touches the limit of 100,000?
> >  Will it drop the idle connections?  Or what?
>
>  From my experience new connections will appear to timeout as PF has no
> more sessions available for new connections. As sessions die off
> organically new connections will be permitted but there is nothing
> actively killing old / idle connections to make way for new sessions if
> the limit is reached.
>
>
> Depending on how much memory you have you should be fine increasing the
> max session limit. I've had some of my firewalls over 1,000,000
> sessions without a problem.
>
> You may want to check your switch for errors and watch your interface
> (netstat -I IFACE -nd 1) to see when/where your drops are. What kind of
> cpu usage are you seeing when you start dropping the packets?
>
> Regards,
>
>     Chris
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"



-- 
/"  Best regards,                      | mlaier@freebsd.org
 /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/   ASCII Ribbon Campaign              | Against HTML Mail and News

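The `pfctl -sm` and `pfctl -si` figures pasted in this message, together with Chris's point that a full state table simply refuses new states, suggest the check a practitioner wants to automate: how close `current entries` sits to `set limit states`, and whether the drop counters are moving. The script below is an added example for this thread, not code from the list or from pf itself. It parses the two outputs exactly as posted (the second `pfctl -si` snapshot is constructed to show the counters climbing; no such sample appears in the thread) and reports table utilization, packets per second (pf performs roughly one state-table search per packet, which is why Max reads the `searches` rate as pps), the average number of packets per state, and per-second deltas of the drop counters between two samples. The 80% utilization threshold and the 100/s counter threshold are my own choices; `memory` counts new states pf could not allocate, which is what hitting the hard limit produces.

```python
"""Read `pfctl -sm` and `pfctl -si` output and report state-table health.

Added example for this thread; not code from the list or from pf.
SAMPLE_LIMITS and SAMPLE_INFO are the numbers posted in the thread,
SAMPLE_INFO_LATER is a constructed snapshot 60 s later.
"""
import re

SAMPLE_LIMITS = """\
states        hard limit   100000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000
"""

SAMPLE_INFO = """\
State Table                          Total             Rate
  current entries                     5005
  searches                     30026832082       441000.4/s
  inserts                        406964726         5977.0/s
  removals                       406959721         5977.0/s
Counters
  match                          417436387         6130.8/s
  bad-offset                             0            0.0/s
  fragment                            1939            0.0/s
  short                                154            0.0/s
  normalize                          34858            0.5/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                        834349           12.3/s
  ip-option                             24            0.0/s
  proto-cksum                         5572            0.1/s
  state-mismatch                    491286            7.2/s
"""

# Constructed: the same box 60 s later with the table nearly full and the
# drop counters climbing at the rates Lorenz mentioned seeing.
SAMPLE_INFO_LATER = """\
State Table                          Total             Rate
  current entries                    95200
  searches                     30052832082       441000.4/s
  inserts                        407324726         5977.0/s
  removals                       407229526         5977.0/s
Counters
  match                          417796387         6130.8/s
  memory                               180            3.0/s
  congestion                        924349         1500.0/s
  state-mismatch                    509286          300.0/s
"""

LIMIT_RE = re.compile(r"^\s*([\w-]+)\s+hard limit\s+(\d+)\s*$", re.M)
# "<name>  <total> [<rate>/s]"; headings like "State Table" / "Counters"
# start with a capital and carry no number, so they never match.
ROW_RE = re.compile(r"^\s*([a-z][a-z -]*?)\s{2,}(\d+)(?:\s+([\d.]+)/s)?\s*$")


def parse_limits(text):
    """`pfctl -sm` -> {'states': 100000, 'src-nodes': 10000, ...}"""
    return {m.group(1): int(m.group(2)) for m in LIMIT_RE.finditer(text)}


def parse_info(text):
    """`pfctl -si` -> {'searches': (total, rate_per_s), 'current entries': (n, None), ...}"""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            name, total, rate = m.groups()
            rows[name] = (int(total), None if rate is None else float(rate))
    return rows


def counter_deltas(before, after, seconds):
    """Per-second growth of every counter present in both snapshots."""
    return {name: (after[name][0] - before[name][0]) / seconds
            for name in after if name in before and name != "current entries"}


def state_table_report(limits_text, info_text, later_text=None, seconds=60, warn_at=0.8):
    limits = parse_limits(limits_text)
    info = parse_info(info_text)
    current = info["current entries"][0]
    limit = limits["states"]
    searches, searches_rate = info["searches"]
    inserts = info["inserts"][0]
    report = {
        "states_used": current,
        "states_limit": limit,
        "utilization": current / limit,
        "pps": searches_rate,                     # ~one state search per packet
        "packets_per_state": searches / inserts,  # average flow length so far
        "warnings": [],
    }
    if report["utilization"] >= warn_at:
        report["warnings"].append("state table at %.0f%% of 'set limit states'"
                                  % (100 * report["utilization"]))
    if info.get("memory", (0, None))[0] > 0:
        report["warnings"].append("memory > 0: pf failed to allocate new states")
    if later_text:
        rates = counter_deltas(info, parse_info(later_text), seconds)
        report["drop_rates"] = rates
        for name in ("congestion", "state-mismatch"):
            if rates.get(name, 0) > 100:
                report["warnings"].append("%s rising at %.0f/s" % (name, rates[name]))
    return report


if __name__ == "__main__":
    for key, value in state_table_report(SAMPLE_LIMITS, SAMPLE_INFO, SAMPLE_INFO_LATER).items():
        print(key, value)
```

Feed it `pfctl -sm` and `pfctl -si` captured a minute apart while pf is enabled; a snapshot read after `pfctl -d`, as Lorenz's was, is exactly the case Max calls useless. On the posted numbers the table is at 5% with about 74 packets per state and no warnings, which is why the drop counters, not the states limit, are the thing to watch next.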

Re: Res: Res: Dropped Packets
Max Laier
2008-03-07 14:56:22
AGAIN: PLEASE DON'T TOP-POST!

On Fri, 7 Mar 2008 at 19:16, Lorenz Helleis wrote:
> Max..
>
> The current entries value is not 5005.  I got this value after
> "pfctl -d"...

Then these numbers are completely useless!

> The number of concurrent connections is 70,000.

Okay, so let's say every connection just passes ~10pps (that's not even
7kB/s with standard TCP), then you have to forward 700kpps.  This is a
*huge* load, even without firewalling.  If you count in scrubbing and
"just" stateful lookups, this is about the maximum that you can hope to
push with commodity hardware.  Sure, PCIe has removed one of the worst
bottlenecks, but as I pointed out in my other reply - pf is still
"giant"-locked and thus poses a bottleneck of its own, but there are few
(if any) alternatives, if you are serious about wanting a *firewall* for
security.  Otherwise you can use IPFW w/o states!  Which will give some
concurrency and less per-packet overhead due to fewer sanity checks.

>
> At this moment my firewall is disabled until I find a solution to
> this problem.  I think I will try to increase the number of states and
> change the NIC.
>
> I use a Gigabit card, the traffic is 300 Mb/s and the concurrent
> sessions 70,000.
>
> And now I'm studying table entries, src-nodes...
>
>
> Proverbs 1:27
>
>     But God chose the foolish things of this world to confound the
> wise; and God chose the weak things of this world to confound the
> strong;
>
> ----- Original message ----
> From: Max Laier <max@love2party.net>
> To: freebsd-pf@freebsd.org
> Cc: Lorenz Helleis <lorenzhelleis@yahoo.com.br>; Chris Marlatt
> <cmarlatt@rxsec.com>
> Sent: Friday, 7 March 2008 14:55:52
> Subject: Re: Res: Dropped Packets
>
> [ please don't top-post ]
>
> On Friday 07 March 2008, Lorenz Helleis wrote:
>> I don't think that is a hardware problem, sometimes the "congestion
>> rate" increases to 1500.0/s and the "state-mismatch" to 300.0/s.. I
>> don't know if it is normal...
>>
>> I think that the connections are being dropped when the number of
>> packets on the network increases a lot.
>>
>>
>>
>> Can you tell me about your firewall?  I will need to install a bigger
>> one here, and I'm a little afraid to.  Can you show me some
>> configuration?  The traffic of your network?  Hardware?  Connections?
>>
>> Look at some configuration.... do I need to increase something?
>>
>>
>> # pfctl -sm
>> states        hard limit   100000
>> src-nodes     hard limit    10000
>> frags         hard limit     5000
>> tables        hard limit     1000
>> table-entries hard limit   200000
>>
>>
>> # top
>>
>> load averages:  0.20,  0.12,  0.09                    13:29:40
>> 35 processes:  34 idle, 1 on processor
>> CPU0 states:  0.6% user,  0.0% nice,  0.7% system,  0.0% interrupt, 98.7% idle
>> CPU1 states:  0.1% user,  0.0% nice,  0.2% system,  0.0% interrupt, 99.7% idle
>>
>> # vmstat -i
>>
>> interrupt                       total     rate
>> irq0/clock                  257506609      199
>> irq0/ipi                    183393879      142
>> irq81/em0                  8638587188     6706
>> irq83/skc0                 6011660768     4667
>> irq80/fxp0                 2292732543     1779
>
> These interrupt numbers don't seem to match up with the above load
> numbers.  I'd expect a higher interrupt load.  You could also try to
> replace the sk(4) adapter with another em(4) or the like?  I have had
> trouble with sk(4) in the past.
>
>> irq64/ahc0                    7012560        5
>> irq112/pckbc0                       8        0
>> Total                     17390893555    13501
>>
>> # pfctl -si
>>
>> State Table                          Total             Rate
>>   current entries                     5005
>>   searches                     30026832082       441000.4/s
>
> 441kpps are quite a load!  And this is with only 5000 connections.  While
> FreeBSD can forward 1Mpps and more on commodity hardware 500-700kpps is
> probably the limit with (sensible) firewalling.  I'd be surprised if you
> could do significantly better with anything else.  N.B. that this could
> be improved by using fine grained locking for pf - this is on my TODO
> list for quite some time, but I didn't yet get to it.
>
>>   inserts                        406964726         5977.0/s
>>   removals                       406959721         5977.0/s
>> Counters
>>   match                          417436387         6130.8/s
>>   bad-offset                             0            0.0/s
>>   fragment                            1939            0.0/s
>>   short                                154            0.0/s
>>   normalize                          34858            0.5/s
>>   memory                                 0            0.0/s
>>   bad-timestamp                          0            0.0/s
>>   congestion                        834349           12.3/s
>>   ip-option                             24            0.0/s
>>   proto-cksum                         5572            0.1/s
>>   state-mismatch                    491286            7.2/s
>>
>>
>>
>>
>>
>> Proverbs 1:27
>>
>>     But God chose the foolish things of this world to confound the
>> wise; and God chose the weak things of this world to confound the
>> strong;
>>
>> ----- Original message ----
>> From: Chris Marlatt <cmarlatt@rxsec.com>
>> To: Lorenz Helleis <lorenzhelleis@yahoo.com.br>
>> Cc: freebsd-pf@freebsd.org
>> Sent: Friday, 7 March 2008 12:26:03
>> Subject: Re: Dropped Packets
>>
>> Lorenz Helleis wrote:
>> > Hello.
>> >
>> > I have a firewall with 75,000 simultaneous connections, and I set the
>> > limit to 100,000.
>> >
>> > I think the hardware is OK, but when the traffic on the network
>> > increases, some connections are dropped.  I did not increase other
>> > values, like table, src-nodes.... How do I know if everything is OK
>> > with the other values?
>> >
>> > What happens if the number of connections touches the limit of 100,000?
>> >  Will it drop the idle connections?  Or what?
>>
>>  From my experience new connections will appear to timeout as PF has no
>> more sessions available for new connections. As sessions die off
>> organically new connections will be permitted but there is nothing
>> actively killing old / idle connections to make way for new sessions if
>> the limit is reached.
>>
>>
>> Depending on how much memory you have you should be fine increasing the
>> max session limit. I've had some of my firewalls over 1,000,000
>> sessions without a problem.
>>
>> You may want to check your switch for errors and watch your interface
>> (netstat -I IFACE -nd 1) to see when/where your drops are. What kind of
>> cpu usage are you seeing when you start dropping the packets?
>>
>> Regards,
>>
>>     Chris
>>
>
>
> --
> /"  Best regards,                      | mlaier@freebsd.org
>  /  Max Laier                          | ICQ #67774661
>  X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
> /   ASCII Ribbon Campaign              | Against HTML Mail and News
>


-- 
/"  Best regards,                      | mlaier@freebsd.org
 /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/   ASCII Ribbon Campaign              | Against HTML Mail and News
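Max's estimate above (70,000 connections at ~10 pps each is 700 kpps, against a 500-700 kpps budget for stateful firewalling on commodity hardware) is worth keeping as arithmetic to rerun with your own numbers, and it pairs with the other knob that decides what happens as the table fills: pf's adaptive state timeouts. The block below is an added example, not code from the thread or from pf. It assumes the rule pf.conf(5) gives for `adaptive.start` / `adaptive.end` (every timeout scaled linearly by (adaptive.end - states) / (adaptive.end - adaptive.start), reaching zero at adaptive.end) and that pfctl sets those two to 60% and 120% of `set limit states` when a limit is configured without explicit values; check the live values with `pfctl -st` before trusting the percentages on a given release. With the 100,000 limit from this thread and 75,000 states, timeouts would already be scaled to 75% of their base.

```python
"""Forwarding budget arithmetic and pf adaptive-timeout scaling.

Added example for this thread; not code from the list or from pf.
Assumed: pf.conf(5)'s linear adaptive scaling rule and pfctl's 60%/120%
defaults when `set limit states` is given without adaptive values.
"""


def forwarding_load(connections, pps_per_connection):
    """Packets per second the box must push: Max's 70,000 x ~10 pps."""
    return connections * pps_per_connection


def headroom(pps, budget_pps):
    """Fraction of the stateful-firewalling budget left; negative means over it."""
    return 1.0 - pps / budget_pps


def default_adaptive(states_limit):
    """Assumed pfctl defaults once `set limit states N` is given: 60% and 120% of N."""
    return int(round(states_limit * 0.6)), int(round(states_limit * 1.2))


def adaptive_factor(states, adaptive_start, adaptive_end):
    """Linear factor pf applies to every timeout between start and end.

    Below adaptive.start nothing changes; at adaptive.end every timeout is
    zero and states are purged immediately.
    """
    if states <= adaptive_start:
        return 1.0
    if states >= adaptive_end:
        return 0.0
    return (adaptive_end - states) / (adaptive_end - adaptive_start)


def effective_timeout(base_seconds, states, adaptive_start, adaptive_end):
    """A timeout (e.g. tcp.established, base 86400 s) after adaptive scaling."""
    return base_seconds * adaptive_factor(states, adaptive_start, adaptive_end)


def pf_conf_limits(states_limit, adaptive_start=None, adaptive_end=None):
    """pf.conf option lines that raise the limit and the adaptive points together."""
    if adaptive_start is None or adaptive_end is None:
        adaptive_start, adaptive_end = default_adaptive(states_limit)
    return "\n".join([
        "set limit states %d" % states_limit,
        "set timeout { adaptive.start %d, adaptive.end %d }" % (adaptive_start, adaptive_end),
    ])


if __name__ == "__main__":
    load = forwarding_load(70000, 10)
    print("load %d pps, headroom against 700 kpps: %.2f" % (load, headroom(load, 700000)))
    start, end = default_adaptive(100000)
    for states in (50000, 75000, 100000, 120000):
        print("%6d states -> tcp.established %.0f s"
              % (states, effective_timeout(86400, states, start, end)))
    print(pf_conf_limits(400000))
```

Raising `set limit states` alone moves the assumed 60%/120% points with it; if you want the table to fill before timeouts start shrinking, set `adaptive.start` and `adaptive.end` explicitly in the same `set timeout` line.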

Re: Res: Res: Dropped Packets
Chris Marlatt
United States
2008-03-07 15:20:26
Max Laier wrote:
> AGAIN: PLEASE DON'T TOP-POST!
> 
> Am Fr, 7.03.2008, 19:16, schrieb Lorenz Helleis:
>> Max..
>>
>> the Current entry is not 5005.  I got this value
after "pfctl -d"...
> 
> then these numbers are completely useless!
> 

Indeed, do you have any min & max number for bps and pps for this
firewall's internal and external interfaces? On which interface are you
dropping the packets?

Regards,

	Chris
