Hello Patrick,
> I’ve found that fast networking is actually CPU & memory intensive.
In my case it is 40/4 Mbps at both ends. Not so fast.
> Pentium 4 and Xeon's are increasingly a necessity for stable firewalls in my
> opinion.
I will run the same VPN confs on apu1d and PC with Pentium D 820 and check if
it works more stable.
> Keep in mind OpenBSD is a monolithic kernel & isn’t a one to one ratio with a
> commercial router.
Could you explain it in other way?
> What are your context switches & interrupts doing while the VPN is up &
> traffic is flowing?
>
> vmstat -w 4
>
> What is your memory high water mark during a peak traffic?
>
> vmstat -m
My testing 6.5 setup looks like this:
net5501-70 - no LAN clients
ALIX2d3 - my home router - two laptops connected directly to ALIX
There is no a significant traffic over VPN, just 3 ping packets every 32 sec,
generated by monitoring script.
What is more, in the middle of the night (when home laptops were turned off) my
script also restarted iked.
Date: Fri, 23 Aug 2019 03:43:58 +0200 (CEST)
01. if traffic is not flowing
ALIX$ ifstat -i vr0 -i enc0
vr0 enc0
KB/s in KB/s out KB/s in KB/s out
0.13 0.27 0.00 0.00
0.06 0.14 0.00 0.00
0.63 0.14 0.00 0.00
0.42 0.14 0.00 0.00
ALIX$ vmstat -w 4
procs memory page disk traps cpu
r s avm fre flt re pi po fr sr wd0 int sys cs us sy id
1 57 192M 20M 8 0 0 0 0 117 1 258 31 71 0 1 99
0 58 192M 20M 4 0 0 0 0 0 0 230 24 31 0 0 100
1 57 192M 20M 2 0 0 0 0 0 0 230 23 32 0 0 100
0 58 192M 20M 2 0 0 0 0 0 0 230 21 31 0 0 100
0 58 192M 20M 2 0 0 0 0 0 0 230 25 33 0 0 100
0 58 192M 20M 2 0 0 0 0 0 0 229 19 29 0 0 100
0 58 192M 20M 2 0 0 0 0 0 0 230 24 33 0 1 99
net5501$ vmstat -w 4
procs memory page disk traps cpu
r s avm fre flt re pi po fr sr wd0 int sys cs us sy id
1 58 19M 218M 24 0 0 0 0 0 0 229 148 28 0 1 99
0 59 19M 218M 4 0 0 0 0 0 0 230 156 28 0 0 100
0 59 19M 218M 2 0 0 0 0 0 0 230 154 28 0 0 100
0 59 19M 218M 2 0 0 0 0 0 0 229 154 25 0 0 100
0 59 19M 218M 2 0 0 0 0 0 0 229 154 25 0 0 100
0 59 19M 218M 171 0 0 0 0 0 0 232 158 42 0 2 98
0 59 19M 218M 2 0 0 0 0 0 0 230 154 27 0 0 100
0 59 19M 218M 2 0 0 0 0 0 0 231 157 28 0 0 100
0 59 19M 218M 2 0 0 0 0 0 0 229 154 26 0 0 100
02. if traffic is flowing from ALIX to net5501
ALIX$ nc -N -s 172.16.1.254 10.0.17.254 1234 < 100MB.test
net5501$ nc -l 1234 > /dev/null
ALIX$ ifstat -i vr0 -i enc0
vr0 enc0
KB/s in KB/s out KB/s in KB/s out
29.59 579.75 17.39 549.12
30.15 580.07 17.19 549.56
29.43 578.51 17.40 548.09
32.87 535.13 19.61 506.97
30.23 581.61 17.47 551.02
29.90 581.63 17.61 551.04
30.08 580.03 17.40 549.53
ALIX$ vmstat -w 4
procs memory page disk traps cpu
r s avm fre flt re pi po fr sr wd0 int sys cs us sy id
1 58 192M 19M 8 0 0 0 0 117 1 258 31 71 0 1 99
0 59 192M 19M 4 0 0 0 0 0 0 573 519 950 1 23 77
0 59 192M 19M 2 0 0 0 0 0 0 573 532 953 0 22 78
0 59 192M 19M 2 0 0 0 0 0 0 574 521 955 2 19 79
0 59 192M 19M 2 0 0 0 0 0 0 574 517 951 0 25 75
0 59 192M 19M 2 0 0 0 0 0 0 571 535 956 1 22 77
0 59 192M 19M 2 0 0 0 0 0 0 576 522 960 0 22 77
net5501$ vmstat -w 4
procs memory page disk traps cpu
r s avm fre flt re pi po fr sr wd0 int sys cs us sy id
1 59 20M 218M 24 0 0 0 0 0 0 229 147 28 0 1 99
0 60 20M 218M 4 0 0 0 0 0 0 651 1433 1575 1 28 72
0 62 21M 216M 143 0 0 0 0 0 0 647 1404 1567 0 28 72
0 60 20M 218M 31 0 0 0 0 0 0 648 1476 1593 0 25 75
2 58 20M 218M 2 0 0 0 0 0 0 647 1429 1571 0 25 75
0 60 20M 218M 2 0 0 0 0 0 0 651 1492 1602 0 25 75
0 60 20M 218M 2 0 0 0 0 0 0 648 1442 1579 0 25 74
0 60 20M 218M 2 0 0 0 0 0 0 646 1312 1587 1 27 73
ALIX$ vmstat -m
Memory statistics by bucket size
Size In Use Free Requests HighWater Couldfree
16 492 532 13071 1280 0
32 1418 118 20867 640 14
64 595 45 160071 320 0
128 205 19 16906 160 0
256 434 14 9956 80 0
512 82 6 22142 40 1
1024 40 4 3327 20 0
2048 13 3 209 10 0
4096 14 2 8062 5 0
8192 23 0 42 5 0
16384 6 0 587 5 0
32768 8 0 9 5 0
65536 2 0 9786 5 0
524288 1 0 1 5 0
Memory usage type by bucket size
Size Type(s)
16 devbuf, pcb, rtable, ifaddr, UFS mount, dirhash, proc, in_multi, exec,
pfkey data, VM swap, UVM amap, UVM aobj, USB, USB device, temp
32 devbuf, pcb, rtable, ifaddr, sysctl, vnodes, sem, dirhash, proc,
ether_multi, pfkey data, VM swap, UVM amap, USB, USB device,
crypto data, IPsec creds, NDP, temp
64 devbuf, pcb, rtable, ifaddr, counters, sem, dirhash, NFS srvsock,
in_multi, pfkey data, xform_data, UVM amap, USB, memdesc, temp
128 devbuf, pcb, rtable, ifaddr, sysctl, counters, iov, vnodes, VM map,
dirhash, pfkey data, tdb, UVM amap, USB, USB device, crypto data,
IPsec creds, temp
256 devbuf, rtable, ifaddr, counters, ioctlops, UFS mount, shm, file desc,
exec, pfkey data, newblk, UVM amap, crypto data, temp
512 devbuf, pcb, ioctlops, shm, dirhash, proc, ttys, pfkey data, temp
1024 devbuf, counters, ioctlops, mount, ttys, exec, pfkey data, tdb,
UVM aobj, USB, crypto data, temp
2048 devbuf, ioctlops, UFS mount, proc, VM swap, temp
4096 devbuf, ifaddr, counters, ioctlops, proc, pagedep, USB, temp,
SYN cache
8192 devbuf, counters, NFS daemon, MSDOSFS mount, ttys, VM swap, UVM amap,
temp
16384 devbuf, UFS quota, UFS mount, ISOFS mount, inodedep, VM swap, temp
32768 devbuf
65536 devbuf, temp
524288 temp
Memory statistics by type Type Kern
Type InUse MemUse HighUse Limit Requests Limit Limit Size(s)
devbuf 1018 525K 525K 39248K 1862 0 0
16,32,64,128,256,512,1024,2048,4096,8192,16384,32768,65536
pcb 94 14K 15K 39248K 750 0 0 16,32,64,128,512
rtable 123 8K 9K 39248K 494 0 0 16,32,64,128,256
ifaddr 53 10K 10K 39248K 54 0 0
16,32,64,128,256,4096
sysctl 2 1K 1K 39248K 2 0 0 32,128
counters 19 17K 17K 39248K 19 0 0
64,128,256,1024,4096,8192
ioctlops 0 0K 4K 39248K 5353 0 0
256,512,1024,2048,4096
iov 0 0K 1K 39248K 208 0 0 128
mount 3 3K 3K 39248K 3 0 0 1024
vnodes 1229 40K 40K 39248K 4834 0 0 32,128
UFS quota 1 16K 16K 39248K 1 0 0 16384
UFS mount 13 29K 29K 39248K 13 0 0
16,256,2048,16384
shm 2 1K 1K 39248K 2 0 0 256,512
VM map 2 1K 1K 39248K 2 0 0 128
sem 2 1K 1K 39248K 2 0 0 32,64
dirhash 189 35K 36K 39248K 486 0 0 16,32,64,128,512
file desc 2 1K 1K 39248K 2 0 0 256
proc 74 29K 37K 39248K 2359 0 0
16,32,512,2048,4096
NFS srvsock 1 1K 1K 39248K 1 0 0 64
NFS daemon 1 8K 8K 39248K 1 0 0 8192
in_multi 13 1K 1K 39248K 13 0 0 16,64
ether_multi 3 1K 1K 39248K 3 0 0 32
ISOFS mount 1 16K 16K 39248K 1 0 0 16384
MSDOSFS mount 1 8K 8K 39248K 1 0 0 8192
ttys 24 106K 106K 39248K 24 0 0 512,1024,8192
exec 0 0K 2K 39248K 3380 0 0 16,256,1024
pfkey data 8 1K 2K 39248K 22254 0 0
16,32,64,128,256,512,1024
tdb 5 3K 6K 39248K 118 0 0 128,1024
xform_data 4 1K 2K 39248K 148332 0 0 64
pagedep 1 4K 4K 39248K 1 0 0 4096
inodedep 1 16K 16K 39248K 1 0 0 16384
newblk 1 1K 1K 39248K 1 0 0 256
VM swap 7 23K 23K 39248K 7 0 0
16,32,2048,8192,16384
UVM amap 292 26K 28K 39248K 20153 0 0
16,32,64,128,256,8192
UVM aobj 2 2K 2K 39248K 2 0 0 16,1024
USB 32 8K 8K 39248K 36 0 0
16,32,64,128,1024,4096
USB device 7 1K 1K 39248K 7 0 0 16,32,128
memdesc 1 1K 1K 39248K 1 0 0 64
crypto data 12 3K 3K 39248K 372 0 0 32,128,256,1024
IPsec creds 3 1K 1K 39248K 486 0 0 32,128
NDP 6 1K 1K 39248K 6 0 0 32
temp 80 2359K 2486K 39248K 53390 0 0
16,32,64,128,256,512,1024,2048,4096,8192,16384,65536,524288
SYN cache 2 8K 8K 39248K 2 0 0 4096
Memory Totals: In Use Free Requests
3311K 42K 265039
Memory resource pool statistics
Name Size Requests Fail InUse Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
phpool 56 5693 0 708 11 0 11 11 0 8 0
extentpl 20 26376276 0 546 41 22 19 39 0 8 0
pmappl 160 4277 0 41 2 0 2 2 0 8 0
pvpl 16 3312549 0 6424 1498 1459 39 188 1 3 1
vmsppl 156 4277 0 41 2 0 2 2 0 8 0
vmmpepl 100 1215117 0 47971 4584 3378 1206 1411 0 205 0
vmmpekpl 100 238879 0 118 16 7 9 16 0 8 0
uaddr 12 4278 0 42 1 0 1 1 0 8 0
uaddrbest 16 2 0 2 1 0 1 1 0 8 0
uaddrrnd 12 4278 0 42 1 0 1 1 0 8 0
aobjpl 40 1 0 1 1 0 1 1 0 8 0
dma512 512 4 0 0 1 1 0 1 0 8 0
amappl 48 9874 0 137 11 9 2 9 0 49 0
amappl1 48 311183 0 4218 194 138 56 85 0 8 0
amappl2 52 219567 0 41954 1574 1029 545 564 0 8 0
amappl3 56 7857 0 71 24 23 1 4 0 8 0
amappl4 60 8810 0 172 32 29 3 20 0 8 0
amappl5 64 3688 0 46 2 1 1 2 0 8 0
amappl6 68 486 0 6 1 0 1 1 0 8 0
amappl7 72 103 0 0 26 26 0 1 0 8 0
amappl8 76 914 0 3 13 12 1 12 0 8 0
amappl9 80 3392 0 0 80 80 0 1 0 8 0
amappl10 84 1659 0 67 2 0 2 2 0 8 0
amappl11 88 3034 0 22 3 2 1 1 0 8 0
amappl12 92 375 0 0 313 313 0 1 0 8 0
amappl13 96 677 0 0 73 73 0 1 0 8 0
amappl14 100 2175 0 26 1 0 1 1 0 8 0
amappl15 104 4 0 0 3 3 0 1 0 8 0
amappl16 108 1602 0 33 21 20 1 14 0 8 0
amapchunkpl 80 16472 0 264 56 50 6 33 0 82 0
anonpl 12 691916 0 49975 552 401 151 267 0 12 0
bufpl 152 215443 0 3023 225 108 117 119 0 8 0
mbufpl 256 6742543 0 206 144 128 16 21 0 8 0
mtagpl 68 148233 0 1 3119 3118 1 1 0 8 0
mcl2k 2048 6123306 0 46 620 612 8 27 0 8 0
mcl2k2 2112 26 0 0 20 20 0 1 0 8 0
mcl4k 4096 5930 0 7 39 37 2 4 0 8 1
mcl8k 8192 20698 0 15 15 12 3 3 0 8 1
mcl9k 9216 20 0 0 9 8 1 1 0 8 1
mcl12k 12288 17 0 0 9 8 1 1 0 8 1
mcl16k 16384 73 0 0 4 3 1 1 0 8 1
sockpl 224 413829 0 109 17 10 7 7 0 8 0
procpl 368 4301 0 59 6 0 6 6 0 8 0
processpl 520 4295 0 59 13 8 5 5 0 8 0
zombiepl 80 4236 0 0 409 409 0 1 0 8 0
ucredpl 96 1471 0 37 1 0 1 1 0 8 0
pgrppl 28 212 0 29 1 0 1 1 0 8 0
sessionpl 80 112 0 22 1 0 1 1 0 8 0
lockfspl 20 3479 0 0 79 78 1 1 0 8 1
lockfpl 64 77 0 0 19 19 0 1 0 8 0
filepl 92 460916 0 174 5 0 5 5 0 8 0
fdescpl 300 4278 0 42 4 0 4 4 0 8 0
pipepl 84 5618 0 4 76 75 1 1 0 8 0
kqueuepl 60 25 0 16 1 0 1 1 0 8 0
knotepl 72 9552 0 108 11 8 3 3 0 8 0
futexpl 32 6444 0 0 5 5 0 1 0 8 0
sigapl 296 4277 0 41 4 0 4 4 0 8 0
pfiaddrpl 100 48 0 9 1 0 1 1 0 8 0
wdcxfer 96 239894 0 0 7264 7263 1 1 0 8 1
ehcixfer 160 22 0 1 1 0 1 1 0 8 0
ohcixfer 136 22 0 1 1 0 1 1 0 8 0
namei 1024 196369 0 0 4069 4068 1 1 0 8 1
vnodes 124 5926 0 5926 180 0 180 180 0 8 0
uvmvnodes 48 5926 0 5926 71 0 71 71 0 8 0
rtmask 16 1090 0 165 3 1 2 2 0 8 0
nchpl 88 84206 0 4122 125 33 92 92 0 8 0
ffsino 184 80349 0 5915 338 69 269 269 0 8 0
dino1pl 128 80349 0 5915 232 47 185 185 0 8 0
dirhash 1024 568 0 216 35 7 28 28 0 8 0
art_node 8 82 0 30 1 0 1 1 0 8 0
art_table 24 171 0 114 1 0 1 1 0 8 0
art_heap4 128 170 0 113 4 0 4 4 0 8 0
art_heap8 2048 1 0 1 1 0 1 1 0 8 0
pfrule 1212 211 0 36 9 3 6 6 0 8 0
pfsrctr 124 2 0 1 2 1 1 1 0 8 0
pfsnitem 8 3 0 2 2 1 1 1 0 8 0
pfstate 236 31602 0 4 362 361 1 38 0 8 0
pfstkey 80 35771 0 4 102 101 1 17 0 8 0
pfstitem 12 35771 0 4 11 10 1 3 0 8 0
pfruleitem 8 52168 0 4 4 3 1 2 0 8 0
pfrktable 1288 34 0 6 1 0 1 1 0 8 0
pfrke_plain 96 196065 4 51260 1613 158 1455 1455 0 8 0
pfosfpen 108 4998 0 0 113 113 0 20 0 8 0
pfosfp 28 2961 0 0 18 18 0 3 0 8 0
cryptop 276 148204 0 0 3104 3103 1 2 0 8 1
rttmr 40 1 0 0 1 1 0 1 0 8 0
tcpcb 396 317 0 11 12 10 2 2 0 8 0
tcpqe 16 2 0 0 2 2 0 1 0 8 0
sackhl 20 88 0 0 5 4 1 1 0 8 1
syncache 196 4 0 0 4 4 0 1 0 8 0
rtentry 76 82 0 32 1 0 1 1 0 8 0
plimitpl 148 145 0 23 1 0 1 1 0 8 0
inpcbpl 200 413097 0 29 2 0 2 2 0 8 0
arp 36 55 0 4 1 0 1 1 0 8 0
ipsec policy 252 54 0 5 1 0 1 1 0 8 0
In use 16966K, total allocated 19208K; utilization 88.3%
net5501$ vmstat -m
Memory statistics by bucket size
Size In Use Free Requests HighWater Couldfree
16 506 518 104184 1280 0
32 1421 115 172599 640 6290
64 896 64 432777 320 0
128 183 297 100066 160 5809
256 435 45 98889 80 0
512 82 14 265694 40 16502
1024 43 21 58904709 20 214091
2048 14 2 550 10 0
4096 15 6 126463 5 874
8192 24 1 56 5 0
16384 6 0 773 5 0
32768 4 0 5 5 0
65536 2 0 41105 5 0
524288 1 0 1 5 0
Memory usage type by bucket size
Size Type(s)
16 devbuf, pcb, rtable, ifaddr, vnodes, UFS mount, dirhash, proc,
in_multi, exec, pfkey data, VM swap, UVM amap, UVM aobj, USB,
USB device, temp
32 devbuf, pcb, rtable, ifaddr, sysctl, vnodes, sem, dirhash, proc,
ether_multi, pfkey data, xform_data, VM swap, UVM amap, USB,
USB device, crypto data, IPsec creds, NDP, temp
64 devbuf, pcb, rtable, ifaddr, counters, sem, dirhash, NFS srvsock,
in_multi, pfkey data, xform_data, UVM amap, USB, memdesc, temp
128 devbuf, pcb, rtable, ifaddr, sysctl, counters, iov, vnodes, VM map,
dirhash, pfkey data, tdb, UVM amap, USB, USB device, crypto data,
IPsec creds, temp
256 devbuf, rtable, ifaddr, counters, ioctlops, iov, UFS mount, shm,
file desc, exec, pfkey data, tdb, newblk, UVM amap, crypto data, temp
512 devbuf, pcb, ioctlops, shm, dirhash, proc, ttys, pfkey data, tdb,
temp
1024 devbuf, counters, ioctlops, mount, ttys, exec, pfkey data, tdb,
UVM aobj, USB, crypto data, temp
2048 devbuf, ioctlops, UFS mount, proc, VM swap, temp
4096 devbuf, ifaddr, counters, ioctlops, proc, pagedep, USB, temp,
SYN cache
8192 devbuf, counters, NFS daemon, MSDOSFS mount, ttys, VM swap, UVM amap,
temp
16384 devbuf, UFS quota, UFS mount, ISOFS mount, inodedep, VM swap, temp
32768 devbuf
65536 devbuf, temp
524288 temp
Memory statistics by type Type Kern
Type InUse MemUse HighUse Limit Requests Limit Limit Size(s)
devbuf 1031 415K 415K 39322K 1878 0 0
16,32,64,128,256,512,1024,2048,4096,8192,16384,32768,65536
pcb 89 14K 15K 39322K 3392 0 0 16,32,64,128,512
rtable 95 5K 7K 39322K 991 0 0 16,32,64,128,256
ifaddr 60 10K 10K 39322K 61 0 0
16,32,64,128,256,4096
sysctl 2 1K 1K 39322K 2 0 0 32,128
counters 19 17K 17K 39322K 19 0 0
64,128,256,1024,4096,8192
ioctlops 0 0K 4K 39322K 58846185 0 0
256,512,1024,2048,4096
iov 0 0K 1K 39322K 6504 0 0 128,256
mount 3 3K 3K 39322K 3 0 0 1024
vnodes 1227 40K 40K 39322K 11182 0 0 16,32,128
UFS quota 1 16K 16K 39322K 1 0 0 16384
UFS mount 13 29K 29K 39322K 13 0 0
16,256,2048,16384
shm 2 1K 1K 39322K 2 0 0 256,512
VM map 2 1K 1K 39322K 2 0 0 128
sem 2 1K 1K 39322K 2 0 0 32,64
dirhash 189 35K 37K 39322K 1467 0 0 16,32,64,128,512
file desc 1 1K 1K 39322K 4 0 0 256
proc 63 24K 44K 39322K 6676 0 0
16,32,512,2048,4096
NFS srvsock 1 1K 1K 39322K 1 0 0 64
NFS daemon 1 8K 8K 39322K 1 0 0 8192
in_multi 13 1K 1K 39322K 13 0 0 16,64
ether_multi 3 1K 1K 39322K 3 0 0 32
ISOFS mount 1 16K 16K 39322K 1 0 0 16384
MSDOSFS mount 1 8K 8K 39322K 1 0 0 8192
ttys 24 106K 106K 39322K 24 0 0 512,1024,8192
exec 0 0K 2K 39322K 70239 0 0 16,256,1024
pfkey data 312 20K 21K 39322K 153835 0 0
16,32,64,128,256,512,1024
tdb 5 5K 25K 39322K 2209 0 0 128,256,512,1024
xform_data 4 1K 3K 39322K 227554 0 0 32,64
pagedep 1 4K 4K 39322K 1 0 0 4096
inodedep 1 16K 16K 39322K 1 0 0 16384
newblk 1 1K 1K 39322K 1 0 0 256
VM swap 7 23K 23K 39322K 7 0 0
16,32,2048,8192,16384
UVM amap 307 27K 62K 39322K 308929 0 0
16,32,64,128,256,8192
UVM aobj 2 2K 2K 39322K 2 0 0 16,1024
USB 32 8K 8K 39322K 36 0 0
16,32,64,128,1024,4096
USB device 7 1K 1K 39322K 7 0 0 16,32,128
memdesc 1 1K 1K 39322K 1 0 0 64
crypto data 12 3K 15K 39322K 7790 0 0 32,128,256,1024
IPsec creds 3 1K 1K 39322K 12240 0 0 32,128
NDP 7 1K 1K 39322K 7 0 0 32
temp 86 2361K 2430K 39322K 586586 0 0
16,32,64,128,256,512,1024,2048,4096,8192,16384,65536,524288
SYN cache 2 8K 8K 39322K 2 0 0 4096
Memory Totals: In Use Free Requests
3216K 129K 60247875
Memory resource pool statistics
Name Size Requests Fail InUse Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
phpool 56 2052 0 735 11 0 11 11 0 8 0
extentpl 20 240 0 28 1 0 1 1 0 8 0
pmappl 160 72499 0 43 2 0 2 2 0 8 0
pvpl 16 25451502 0 14191 533 468 65 381 1 3 1
vmsppl 156 72499 0 43 2 0 2 2 0 8 0
vmmpepl 100 9276414 0 4434 1938 1823 115 280 0 205 4
vmmpekpl 100 1914852 0 107 4 1 3 3 0 8 0
uaddr 12 72500 0 44 1 0 1 1 0 8 0
uaddrbest 16 2 0 2 1 0 1 1 0 8 0
uaddrrnd 12 72500 0 44 1 0 1 1 0 8 0
aobjpl 40 1 0 1 1 0 1 1 0 8 0
dma512 512 4 0 0 1 1 0 1 0 8 0
amappl 48 162738 0 140 12 8 4 9 0 49 0
amappl1 48 4520727 0 2447 245 213 32 61 0 8 0
amappl2 52 72764 0 152 60 57 3 22 0 8 0
amappl3 56 129318 0 72 6 4 2 4 0 8 0
amappl4 60 155339 0 81 29 27 2 18 0 8 0
amappl5 64 43861 0 59 2 0 2 2 0 8 0
amappl6 68 3776 0 8 1 0 1 1 0 8 0
amappl7 72 468 0 0 135 135 0 1 0 8 0
amappl8 76 3784 0 24 13 12 1 12 0 8 0
amappl9 80 70211 0 2 56 55 1 1 0 8 0
amappl10 84 4948 0 55 3 1 2 2 0 8 0
amappl11 88 14888 0 0 25 25 0 1 0 8 0
amappl12 92 1248 0 0 866 865 1 1 0 8 1
amappl13 96 2111 0 2 1 0 1 1 0 8 0
amappl14 100 37012 0 27 2 1 1 1 0 8 0
amappl15 104 24 0 0 4 4 0 1 0 8 0
amappl16 108 3426 0 29 21 20 1 14 0 8 0
amapchunkpl 80 192796 0 257 47 39 8 34 0 82 0
anonpl 12 5672215 0 6002 181 155 26 131 0 24 0
bufpl 152 71084 0 6240 277 36 241 241 0 8 0
mbufpl 256 1550028 0 140 288 277 11 15 0 8 1
mtagpl 68 266320 0 0 13852 13850 2 2 0 8 2
mcl2k 2048 659862 0 14 122 113 9 11 0 8 6
mcl2k2 2112 220 0 0 91 91 0 1 0 8 0
mcl4k 4096 1648 0 1 437 436 1 1 0 8 0
mcl8k 8192 119 0 0 22 22 0 1 0 8 0
mcl12k 12288 3 0 0 3 3 0 1 0 8 0
sockpl 224 25949 0 100 7 1 6 7 0 8 0
procpl 368 72524 0 63 6 0 6 6 0 8 0
processpl 520 72516 0 61 19 14 5 5 0 8 0
zombiepl 80 72456 0 1 5 4 1 1 0 8 0
ucredpl 96 63569 0 38 1 0 1 1 0 8 0
pgrppl 28 991 0 29 1 0 1 1 0 8 0
sessionpl 80 312 0 22 1 0 1 1 0 8 0
lockfspl 20 241096 0 0 14249 14248 1 1 0 8 1
lockfpl 64 124 0 0 30 30 0 1 0 8 0
filepl 92 2227952 0 172 23 18 5 5 0 8 1
fdescpl 300 72500 0 44 11 7 4 4 0 8 0
pipepl 84 105228 0 12 4 3 1 1 0 8 0
kqueuepl 60 429 0 16 1 0 1 1 0 8 0
knotepl 72 38905 0 105 2 0 2 2 0 8 0
futexpl 32 9113 0 0 5 5 0 1 0 8 0
sigapl 296 72499 0 43 7 3 4 4 0 8 0
pfiaddrpl 100 167 0 9 1 0 1 1 0 8 0
wdcxfer 96 241979 0 0 16211 16211 0 1 0 8 0
ehcixfer 160 26 0 1 1 0 1 1 0 8 0
ohcixfer 136 26 0 1 1 0 1 1 0 8 0
namei 1024 2940928 0 0 1 0 1 1 0 8 1
vnodes 124 6240 0 6240 190 0 190 190 0 8 0
uvmvnodes 48 6240 0 6240 75 0 75 75 0 8 0
rtmask 16 248 0 3 1 0 1 1 0 8 0
nchpl 88 296992 0 3895 115 28 87 87 0 8 0
ffsino 184 280756 0 6231 346 62 284 284 0 8 0
dino1pl 128 280756 0 6231 236 41 195 195 0 8 0
dirhash 1024 1397 0 220 80 51 29 29 0 8 0
art_node 8 103 0 29 1 0 1 1 0 8 0
art_table 24 117 0 105 1 0 1 1 0 8 0
art_heap4 128 116 0 104 4 0 4 4 0 8 0
art_heap8 2048 1 0 1 1 0 1 1 0 8 0
pfrule 1212 700 0 38 15 9 6 7 0 8 0
pfsrctr 124 20 0 2 12 11 1 1 0 8 0
pfsnitem 8 23 0 2 12 11 1 1 0 8 0
pfstate 236 14538 0 4 622 621 1 2 0 8 0
pfstkey 80 14849 0 4 611 610 1 1 0 8 0
pfstitem 12 14849 0 4 611 610 1 1 0 8 0
pfruleitem 8 48358 0 4 861 860 1 1 0 8 0
pftag 80 5 0 0 3 3 0 1 0 8 0
pfrktable 1288 73 0 5 1 0 1 1 0 8 0
pfrke_plain 96 222 0 12 1 0 1 1 0 8 0
pfosfpen 108 15708 0 0 414 414 0 20 0 8 0
pfosfp 28 9306 0 0 63 63 0 3 0 8 0
pffrent 24 167044 0 0 304 303 1 1 0 8 1
pffrnode 64 83522 0 0 304 303 1 1 0 8 1
pffrag 132 83522 0 0 304 303 1 1 0 34 1
cryptop 276 224713 0 0 13859 13858 1 3 0 8 1
rttmr 40 2 0 0 2 2 0 1 0 8 0
tcpcb 396 786 0 10 4 2 2 2 0 8 0
tcpqe 16 2749 0 0 19 18 1 1 0 8 1
syncache 196 29 0 0 29 28 1 1 0 8 1
rtentry 76 103 0 29 1 0 1 1 0 8 0
plimitpl 148 429 0 23 1 0 1 1 0 8 0
inpcbpl 200 22575 0 25 5 3 2 2 0 8 0
arp 36 77 0 5 1 0 1 1 0 8 0
ipsec policy 252 2110 0 5 280 279 1 2 0 8 0
In use 5679K, total allocated 6336K; utilization 89.6%
On Thu, 22 Aug 2019 19:12:55 -0500
Patrick Dohman <dohmanpatr...@gmail.com> wrote:
> Radek
>
> I’ve found that fast networking is actually CPU & memory intensive.
> Pentium 4 and Xeon's are increasingly a necessity for stable firewalls in my
> opinion.
> Keep in mind OpenBSD is a monolithic kernel & isn’t a one to one ratio with a
> commercial router.
>
> What are your context switches & interrupts doing while the VPN is up &
> traffic is flowing?
>
> vmstat -w 4
>
> What is your memory high water mark during a peak traffic?
>
> vmstat -m
>
> Regards
> Patrick
>
> > On Aug 21, 2019, at 12:34 AM, radek <r...@int.pl> wrote:
> >
> > Hello Patrick,
> > I am sorry for the late reply.
> >
> >> Do you consider memory an issue?
> > No, I do not. I have a bunch of old Soekris/net5501-70 and ALIX2d2/2d3,
> > that I use for VPN testing.
> > Current testing set (6.5/i386) is net5501-70 <-> ALIX2d3
> > Production set (6.3/i386) is net5501-70 <-> ALIX2d2
> > Also have tried net5501-70 <-> net5501-70 - the same VPN problem occurs
> > It is unlikely that every box has any hardware issue.
> >
> >> Unix load average can occasionally be deceiving.
> > I did not know.
> >
> > #### net5501-70 ####
> > $top -d1 | head -n 4
> > load averages: 0.05, 0.01, 0.00 RAC-fw65-test.PRAC 10:58:14
> > 38 processes: 1 running, 35 idle, 1 dead, 1 on processor up 3 days, 18:02
> > CPU states: 0.5% user, 0.0% nice, 0.4% sys, 0.0% spin, 0.2% intr,
> > 98.8% idle
> > Memory: Real: 18M/267M act/tot Free: 222M Cache: 97M Swap: 0K/256M
> >
> > #### ALIX2d3 ####
> > $top -d1 | head -n 4
> > load averages: 0.00, 0.00, 0.00 mon65.home 07:30:05
> > 37 processes: 1 running, 35 idle, 1 on processor up 13:46
> > CPU states: 0.3% user, 0.0% nice, 1.1% sys, 0.0% spin, 0.4% intr,
> > 98.3% idle
> > Memory: Real: 125M/223M act/tot Free: 14M Cache: 47M Swap: 73M/256M
> >
> >
> >
> >> What is the speed of your memory?
> >> What make of Ethernets are you running?
> > Dmesgs below
> >
> > #### net5501-70 ####
> > OpenBSD 6.5 (GENERIC) #2: Tue Jul 23 23:08:46 CEST 2019
> > r...@syspatch-65-i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
> > real mem = 536363008 (511MB)
> > avail mem = 511311872 (487MB)
> > mpath0 at root
> > scsibus0 at mpath0: 256 targets
> > mainbus0 at root
> > bios0 at mainbus0: date 20/80/26, BIOS32 rev. 0 @ 0xfac40
> > pcibios0 at bios0: rev 2.0 @ 0xf0000/0x10000
> > pcibios0: pcibios_get_intr_routing - function not supported
> > pcibios0: PCI IRQ Routing information unavailable.
> > pcibios0: PCI bus #0 is the last bus
> > bios0: ROM list: 0xc8000/0xa800
> > cpu0 at mainbus0: (uniprocessor)
> > cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class)
> > 500 MHz, 05-0a-02
> > cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW
> > mtrr: K6-family MTRR support (2 registers)
> > amdmsr0 at mainbus0
> > pci0 at mainbus0 bus 0: configuration mode 1 (bios)
> > 0:20:0: io address conflict 0x6100/0x100
> > 0:20:0: io address conflict 0x6200/0x200
> > pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x33
> > glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
> > vr0 at pci0 dev 6 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11,
> > address 00:00:24:cb:4f:cc
> > ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
> > 0x004063, model 0x0034
> > vr1 at pci0 dev 7 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 5,
> > address 00:00:24:cb:4f:cd
> > ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
> > 0x004063, model 0x0034
> > vr2 at pci0 dev 8 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 9,
> > address 00:00:24:cb:4f:ce
> > ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
> > 0x004063, model 0x0034
> > vr3 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 12,
> > address 00:00:24:cb:4f:cf
> > ukphy3 at vr3 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
> > 0x004063, model 0x0034
> > glxpcib0 at pci0 dev 20 function 0 "AMD CS5536 ISA" rev 0x03: rev 3, 32-bit
> > 3579545Hz timer, watchdog, gpio, i2c
> > gpio0 at glxpcib0: 32 pins
> > iic0 at glxpcib0
> > pciide0 at pci0 dev 20 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 0
> > wired to compatibility, channel 1 wired to compatibility
> > wd0 at pciide0 channel 0 drive 0: <SanDisk SDCFH-008G>
> > wd0: 1-sector PIO, LBA48, 7629MB, 15625216 sectors
> > wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
> > pciide0: channel 1 ignored (disabled)
> > ohci0 at pci0 dev 21 function 0 "AMD CS5536 USB" rev 0x02: irq 15, version
> > 1.0, legacy support
> > ehci0 at pci0 dev 21 function 1 "AMD CS5536 USB" rev 0x02: irq 15
> > usb0 at ehci0: USB revision 2.0
> > uhub0 at usb0 configuration 1 interface 0 "AMD EHCI root hub" rev 2.00/1.00
> > addr 1
> > isa0 at glxpcib0
> > isadma0 at isa0
> > com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
> > com0: console
> > com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
> > pckbc0 at isa0 port 0x60/5 irq 1 irq 12
> > pckbc0: unable to establish interrupt for irq 12
> > pckbd0 at pckbc0 (kbd slot)
> > wskbd0 at pckbd0: console keyboard
> > pcppi0 at isa0 port 0x61
> > spkr0 at pcppi0
> > nsclpcsio0 at isa0 port 0x2e/2: NSC PC87366 rev 9: GPIO VLM TMS
> > gpio1 at nsclpcsio0: 29 pins
> > npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
> > usb1 at ohci0: USB revision 1.0
> > uhub1 at usb1 configuration 1 interface 0 "AMD OHCI root hub" rev 1.00/1.00
> > addr 1
> > vscsi0 at root
> > scsibus1 at vscsi0: 256 targets
> > softraid0 at root
> > scsibus2 at softraid0: 256 targets
> > root on wd0a (2bf8b7abbbce37df.a) swap on wd0b dump on wd0b
> >
> >
> > #### ALIX2d3 ####
> > OpenBSD 6.5 (GENERIC) #2: Tue Jul 23 23:08:46 CEST 2019
> > r...@syspatch-65-i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
> > real mem = 267931648 (255MB)
> > avail mem = 247779328 (236MB)
> > mpath0 at root
> > scsibus0 at mpath0: 256 targets
> > mainbus0 at root
> > bios0 at mainbus0: date 11/05/08, BIOS32 rev. 0 @ 0xfd088
> > pcibios0 at bios0: rev 2.1 @ 0xf0000/0x10000
> > pcibios0: pcibios_get_intr_routing - function not supported
> > pcibios0: PCI IRQ Routing information unavailable.
> > pcibios0: PCI bus #0 is the last bus
> > bios0: ROM list: 0xe0000/0xa800
> > cpu0 at mainbus0: (uniprocessor)
> > cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class)
> > 499 MHz, 05-0a-02
> > cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW
> > mtrr: K6-family MTRR support (2 registers)
> > pci0 at mainbus0 bus 0: configuration mode 1 (bios)
> > pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x33
> > glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
> > vr0 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 10,
> > address 00:0d:b9:1e:85:8c
> > ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
> > 0x004063, model 0x0034
> > vr1 at pci0 dev 10 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11,
> > address 00:0d:b9:1e:85:8d
> > ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
> > 0x004063, model 0x0034
> > vr2 at pci0 dev 11 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 15,
> > address 00:0d:b9:1e:85:8e
> > ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
> > 0x004063, model 0x0034
> > glxpcib0 at pci0 dev 15 function 0 "AMD CS5536 ISA" rev 0x03: rev 3, 32-bit
> > 3579545Hz timer, watchdog, gpio, i2c
> > gpio0 at glxpcib0: 32 pins
> > iic0 at glxpcib0
> > maxtmp0 at iic0 addr 0x4c: lm86
> > pciide0 at pci0 dev 15 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 0
> > wired to compatibility, channel 1 wired to compatibility
> > wd0 at pciide0 channel 0 drive 0: <SanDisk SDCFH-008G>
> > wd0: 1-sector PIO, LBA48, 7629MB, 15625216 sectors
> > wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
> > pciide0: channel 1 ignored (disabled)
> > ohci0 at pci0 dev 15 function 4 "AMD CS5536 USB" rev 0x02: irq 12, version
> > 1.0, legacy support
> > ehci0 at pci0 dev 15 function 5 "AMD CS5536 USB" rev 0x02: irq 12
> > usb0 at ehci0: USB revision 2.0
> > uhub0 at usb0 configuration 1 interface 0 "AMD EHCI root hub" rev 2.00/1.00
> > addr 1
> > isa0 at glxpcib0
> > isadma0 at isa0
> > com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
> > com0: console
> > com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
> > pcppi0 at isa0 port 0x61
> > spkr0 at pcppi0
> > npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
> > usb1 at ohci0: USB revision 1.0
> > uhub1 at usb1 configuration 1 interface 0 "AMD OHCI root hub" rev 1.00/1.00
> > addr 1
> > nvram: invalid checksum
> > vscsi0 at root
> > scsibus1 at vscsi0: 256 targets
> > softraid0 at root
> > scsibus2 at softraid0: 256 targets
> > root on wd0a (83b335c3c86bb80c.a) swap on wd0b dump on wd0b
> > clock: unknown CMOS layout
> >
> > On Mon, 19 Aug 2019 18:17:48 -0500
> > Patrick Dohman <dohmanpatr...@gmail.com> wrote:
> >
> >> Do you consider memory an issue?
> >> What is the speed of your memory?
> >> Unix load average can occasionally be deceiving.
> >> What make of Ethernets are you running?
> >> Regards
> >> Patrick
> >>
> >>> On Aug 19, 2019, at 5:28 AM, radek <r...@int.pl> wrote:
> >>>
> >>> Hello Patrick,
> >>>
> >>>> Does your ISP implement authoritative DNS?
> >>>> Do you suspect a UDP issue?
> >>> My VPN is configured with IPs, not with domain names. Does DNS and/or UDP
> >>> matter anyway?
> >>>
> >>>> Is a managed (switch) involved?
> >>> No, it is not. I do not use any switches in my testing setup.
> >>> GW1--ISP1_modem--.....--ISP2_modem--GW2
> >>>
> >>> Has duplex ever been an issue?
> >>> I have never noticed any duplex issue.
> >>>
> >>>
> >>> On Sun, 18 Aug 2019 16:07:14 -0500
> >>> Patrick Dohman <dohmanpatr...@gmail.com> wrote:
> >>>
> >>>> Does your ISP implement authoritative DNS?
> >>>> Do you suspect a UDP issue?
> >>>> Is a managed (switch) involved? Has duplex ever been an issue?
> >>>> Regards
> >>>> Patrick
> >>>>
> >>>>> On Aug 18, 2019, at 1:03 PM, Radek <r...@int.pl> wrote:
> >>>>>
> >>>>> Hello,
> >>>>>
> >>>>> I have two testing gateways (6.5/i386) with site-to-side VPN between
> >>>>> its LANs (OpenIKED).
> >>>>> Both gws are fully syspatched, have public IPs and the same iked/pf
> >>>>> configuration.
> >>>>>
> >>>>> Unfortunately, the network traffic over the VPN tunnel stalls few times
> >>>>> a day.
> >>>>>
> >>>>> On the one side I use a script to monitor VPN tunnel with ping, it
> >>>>> restarts iked and emails me if there is no ping over the VPN tunnel.
> >>>>> Date: Sat, 17 Aug 2019 22:10:30 +0200 (CEST)
> >>>>> Date: Sun, 18 Aug 2019 06:00:20 +0200 (CEST)
> >>>>> Date: Sun, 18 Aug 2019 11:09:00 +0200 (CEST)
> >>>>> Date: Sun, 18 Aug 2019 19:03:02 +0200 (CEST)
> >>>>>
> >>>>>
> >>>>> In 6.3/i386 I have the same problem, but more frequently.
> >>>>> Date: Sat, 17 Aug 2019 23:03:56 +0200 (CEST)
> >>>>> Date: Sun, 18 Aug 2019 01:37:50 +0200 (CEST)
> >>>>> Date: Sun, 18 Aug 2019 04:12:31 +0200 (CEST)
> >>>>> Date: Sun, 18 Aug 2019 06:46:25 +0200 (CEST)
> >>>>> Date: Sun, 18 Aug 2019 09:20:22 +0200 (CEST)
> >>>>> Date: Sun, 18 Aug 2019 11:59:08 +0200 (CEST)
> >>>>> Date: Sun, 18 Aug 2019 14:34:38 +0200 (CEST)
> >>>>> Date: Sun, 18 Aug 2019 17:12:57 +0200 (CEST)
> >>>>> Date: Sun, 18 Aug 2019 19:47:16 +0200 (CEST)
> >>>>>
> >>>>> Do I have any bugs/deficiencies in my configs, missed something?
> >>>>> Is there any way to make it work uninterruptedly?
> >>>>> I would be very greatful if you could help me with this case.
> >>>>>
> >>>>> $cat /etc/hostname.enc0
> >>>>> up
> >>>>>
> >>>>> $cat /etc/hostname.vr3
> >>>>> inet 10.0.17.254 255.255.255.0 NONE description "LAN17"
> >>>>> group trust
> >>>>>
> >>>>> $cat /etc/iked.conf
> >>>>> local_gw_RAC17 = "10.0.17.254" # lan_RAC
> >>>>> local_lan_RAC17 = "10.0.17.0/24"
> >>>>> remote_gw_MON = "1.2.3.5" # fw_MON
> >>>>> remote_lan_MON = "172.16.1.0/24"
> >>>>> ikev2 quick active esp \
> >>>>> from $local_gw_RAC17 to $remote_gw_MON \
> >>>>> from $local_lan_RAC17 to $remote_lan_MON peer $remote_gw_MON \
> >>>>> childsa enc chacha20-poly1305 \
> >>>>> psk "psk"
> >>>>>
> >>>>> $cat /etc/pf.conf
> >>>>> # RAC-fwTEST
> >>>>> ext_if = "vr0"
> >>>>> lan_rac_if = "vr3" # vr3 -
> >>>>> lan_rac_local = $lan_rac_if:network # 10.0.17.0/24
> >>>>> backup_if = "vr2" # vr2 - lewy port
> >>>>> backup_local = $backup_if:network # 10.0.117/24
> >>>>>
> >>>>> bud = "1.2.3.0/25"
> >>>>> rdk_wy = "1.2.3.4"
> >>>>> rdk_mon = "1.2.3.5"
> >>>>> panac_krz = "1.2.3.6"
> >>>>> panac_rac = "1.2.3.7"
> >>>>>
> >>>>> set fingerprints "/dev/null"
> >>>>> set skip on { lo, enc0 }
> >>>>> set block-policy drop
> >>>>> set optimization normal
> >>>>> set ruleset-optimization basic
> >>>>>
> >>>>> antispoof quick for {lo0, $lan_rac_if, $backup_if }
> >>>>>
> >>>>> match out log on $ext_if from { $lan_rac_local, $backup_local } nat-to
> >>>>> $ext_if set prio (3, 7)
> >>>>>
> >>>>> block all
> >>>>>
> >>>>> match in all scrub (no-df random-id)
> >>>>> match out all scrub (no-df random-id)
> >>>>> pass out on egress keep state
> >>>>>
> >>>>> pass from { 10.0.201.0/24, $lan_rac_local, $backup_local } to any set
> >>>>> prio (3, 7) keep state
> >>>>>
> >>>>> ssh_port = "1071"
> >>>>> table <ssh_trust> const { $bud, $rdk_wy, $rdk_mon, $panac_krz,
> >>>>> $panac_rac, 10.0.2.0/24, 10.0.15.0/24, 10.0.100.0/24 }
> >>>>> table <bruteforce> persist counters
> >>>>> block from <bruteforce>
> >>>>> pass in log quick inet proto tcp from <ssh_trust> to $ext_if port
> >>>>> $ssh_port flags S/SA \
> >>>>> set prio (7, 7) keep state \
> >>>>> (max-src-conn 15, max-src-conn-rate 2/10, overload <bruteforce>
> >>>>> flush global)
> >>>>>
> >>>>> icmp_types = "{ echoreq, unreach }"
> >>>>> pass inet proto icmp all icmp-type $icmp_types \
> >>>>> set prio (7, 7) keep state
> >>>>>
> >>>>> table <vpn_peers> const { $rdk_mon, $panac_rac, $panac_krz }
> >>>>> pass out quick on egress proto esp from (egress:0) to <vpn_peers>
> >>>>> set prio (6, 7) keep state
> >>>>> pass out quick on egress proto udp from (egress:0) to <vpn_peers> port
> >>>>> {500, 4500} set prio (6, 7) keep state
> >>>>> pass in quick on egress proto esp from <vpn_peers> to (egress:0)
> >>>>> set prio (6, 7) keep state
> >>>>> pass in quick on egress proto udp from <vpn_peers> to (egress:0) port
> >>>>> {500, 4500} set prio (6, 7) keep state
> >>>>> pass out quick on trust received-on enc0 set prio (6, 7) keep state
> >>>>>
> >>>>> pass in on egress proto udp from any to (egress:0) port
> >>>>> {isakmp,ipsec-nat-t} set prio (6,7) keep state
> >>>>> pass in on egress proto {ah,esp} set prio (6,7) keep state
> >>>>>
> >>>>> # By default, do not permit remote connections to X11
> >>>>> block return in on ! lo0 proto tcp to port 6000:6010
> >>>>>
> >>>>> $cat iked_monitor.sh
> >>>>> #!/bin/sh
> >>>>> while true
> >>>>> do
> >>>>> vpn=`ping -c 3 -w 1 -I 10.0.17.254 172.16.1.254 | grep packets | awk -F
> >>>>> " " '{print $4}'`
> >>>>>
> >>>>> if [ "${vpn}" -eq 0 ] ; then
> >>>>> mon=`ping -c 3 -w 1 the_other_side_WAN_IP | grep packets | awk -F " "
> >>>>> '{print $4}'`
> >>>>> wan=`ping -c 3 -w 1 8.8.8.8 | grep packets | awk -F " " '{print $4}'`
> >>>>>
> >>>>> if [ "${mon}" -gt 0 ] && [ "${wan}" -gt 0 ] ; then
> >>>>> echo vpn: ${vpn}, mon: ${mon}, wan: ${wan} | mail -s "no ping
> >>>>> through VPN RACTEST-MON! restartng iked!" em...@example.com
> >>>>> rcctl restart iked
> >>>>> fi
> >>>>> fi
> >>>>> sleep 32
> >>>>> done
> >>>>>
> >>>>>
> >>>>> --
> >>>>> Radek
> >>>>>
> >>>>
> >>>
> >>>
> >>> --
> >>> Radek
> >>>
> >>
> >
> >
> > --
> > Radek
> >
>
--
Radek
