Hello Stuart, thanks for your precisions. I have tried to download a big matlab.deb on our repositories and it works like a charm (3GB file). By removing 'in' i also notice a little more reactivity on the network and the latency. Now i'll wait tomorrow when my 500 users goes to work to see if router works well with this configuration, and then i deploy this new type of rule on all rules and firewalls. For the cable, i can't. I haven't any more RJ45 slot available (4/4 ports used, LACP trunks). Thanks for your tips. I the issue is coming when charge is increasing i'll try it !
Good evening. -- Best regards, Loïc BLOT, UNIX systems, security and network engineer http://www.unix-experience.fr Le lundi 07 octobre 2013 à 21:30 +0000, Stuart Henderson a écrit : > On 2013-10-07, Loïc BLOT <loic.b...@unix-experience.fr> wrote: > > Now with pfsync state are synchronized but late, then client must launch > > 2 or 3 TCP connections and when it works it's very slow. > > I also have tried defer mode and increasing maxupd but no changes > > appear. I also add Is there anything more to do ? > > defer helps, but if your typical scenario is to have a path split > between two routers (rather than just having this happen > occasionally) you may well be better off just using sloppy states. > > > On 2013-10-07, Lo\xc3\xafc BLOT <loic.b...@unix-experience.fr> wrote: > > Hmmm > > I solved it by removing 'in' from pass in quick <...> > > test that longer connections work ok (or verify that you get wscale > information in all states associated with a connection, pfctl -ss -v > shows this) > > > Here is a pfsync configuration example: > > up syncdev vlanXX5 syncpeer 10.XX.X.129 > > > > The latency between the two host is very light, because they are on the > > same switch, with a dedicated VLAN > > have you tried a direct cable? I find latency significantly lower > that way.. [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
