Try increasing PF's maximum number of states.
It is currently limited to 10000, so when you reach this no new
traffic (that would create a state) is permitted until some of the
old ones expire. The 10000 limit is OK for most machines, but
definitely not for a busy server / firewall. (Same goes for the
default httpd.conf, btw, which also requires tweaking for higher
performance.)
Use "pfctl -s info" and check the "memory" counter; it indicates the
number of states that could not be created due to the limit
(presumably other mem failures too). You want to see "0" (zero) here.
See pf.conf(5), try "set limit states 50000" or so.
/H
On 2 Aug 2005, at 00:07, Bc. Radek Krejca wrote:
Hi,
Thank you for the response. It was my idea too, but pfctl -ss shows about
10000 lines. Where can I get better information about ports over NAT?
Thank you
Radek
On 1 August 2005, 23:02:15, you wrote:
SKQ> On Mon, 2005-08-01 at 21:21 +0200, Bc. Radek Krejca wrote:
SKQ> > I have a problem with packet loss over NAT. I don't know where the
SKQ> > mistake could be. If I try stopping half of the IPs I have no problem.
SKQ> > What can I change to resolve the problem? About 1300 IPs run over this NAT.
SKQ> My gut instinct says that you're simply running out of ports on the one
SKQ> external address. That is definitely something you want to look into at
SKQ> some point.
--
Regards,
Bc. Radek Krejca
[EMAIL PROTECTED]
http://www.ceskedomeny.cz
http://www.skdomeny.com
http://www.starnet.cz
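A small check script for the state-limit advice at the top of the thread (an added example, not code from anyone in this thread): it reads text in the layout of "pfctl -s info", pulls out the "memory" counter and "current entries", and warns when state creations have failed or the table is near the hard limit given as the second argument. The sample output below is constructed in that layout, and the 90% threshold is an assumed choice.

```shell
#!/bin/sh
# Constructed sample in the layout of "pfctl -s info" (abridged): a box that
# has hit the default limit of 10000 states and has failed state insertions.
PF_INFO_SAMPLE='State Table                          Total             Rate
  current entries                     9987
  searches                        12345678           412.3/s
  inserts                           123456             4.1/s
  removals                          113469             3.8/s
Counters
  match                             123456             4.1/s
  memory                               317             0.1/s'

# Print the Total column of one row ($2) from pfctl -s info text ($1).
# Rows are matched by their leading name, e.g. "memory" or "current entries".
pf_counter() {
    printf '%s\n' "$1" | awk -v name="$2" '
        { row = $0; sub(/^[ \t]+/, "", row) }
        index(row, name " ") == 1 {
            n = split(row, f, /[ \t]+/)
            # the Total column is the first purely numeric field after the name
            for (i = 1; i <= n; i++) if (f[i] ~ /^[0-9]+$/) { print f[i]; exit }
        }'
}

# Returns 0 when the state table looks healthy, 1 when it needs attention.
# $1 = pfctl -s info text, $2 = hard state limit (pf default 10000; see
# "set limit states" in pf.conf(5) or "pfctl -s memory" for the active value).
pf_state_check() {
    info=$1; limit=${2:-10000}; status=0
    failed=$(pf_counter "$info" memory); failed=${failed:-0}
    current=$(pf_counter "$info" "current entries"); current=${current:-0}
    if [ "$failed" -gt 0 ]; then
        echo "WARNING: $failed state creations failed (memory counter); raise 'set limit states'"
        status=1
    fi
    # warn at 90% of the limit (assumed threshold; integer arithmetic, no bc needed)
    if [ "$current" -ge $(( limit * 9 / 10 )) ]; then
        echo "WARNING: $current of $limit states in use"
        status=1
    fi
    return $status
}

# Run against the sample; on a live box use: pf_state_check "$(pfctl -s info)" 10000
pf_state_check "$PF_INFO_SAMPLE" 10000 || echo "pf state table needs attention"
```

Both warnings fire on the sample; on a healthy box the memory counter is 0 and the exit status is 0, so the function can be dropped straight into a cron or monitoring check.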