On Thu, Aug 24, 2023 at 12:31 PM Lyndon Nerenberg (VE7TFX/VE6BBM) <lyn...@orthanc.ca> wrote:
> For over a year now we have been seeing instability on our firewalls
> that seems to kick in when our state tables approach 200K entries.
> The number varies, but it's a safe bet that once we cross the 180K
> threshold, the machines start getting cranky. At 200K+ performance
> visibly degrades, often leading to a complete lockup of the network
> stack, or a spontaneous reboot.
...
> Our pf settings are pretty simple:
>
> set optimization normal
> set ruleset-optimization basic
> set limit states 400000
> set limit src-nodes 100000
> set loginterface none
> set skip on lo
> set reassemble yes
>
> # Reduce the number of state table entries in FIN_WAIT_2 state.
> set timeout tcp.finwait 4

I don't know if there is any relation, but, with 400000 states defined, adaptive scaling should start to kick in at around 240000 states.
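
Added example, not part of the original messages: a Python sketch of pf's adaptive timeout scaling as documented in pf.conf(5) (adaptive.start defaults to 60% and adaptive.end to 120% of the state limit), applied to the settings quoted above. The function names and the 86400-second sample timeout are assumptions made for illustration.

```python
import re

# Settings copied from the quoted message; lines the parser does not handle are skipped.
PF_CONF = """\
set optimization normal
set limit states 400000
set limit src-nodes 100000
# Reduce the number of state table entries in FIN_WAIT_2 state.
set timeout tcp.finwait 4
"""

def parse_pf(conf):
    """Collect 'set limit NAME N' and 'set timeout NAME N' (one-per-line form only)."""
    limits, timeouts = {}, {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"set\s+(limit|timeout)\s+(\S+)\s+(\d+)", line)
        if m:
            (limits if m.group(1) == "limit" else timeouts)[m.group(2)] = int(m.group(3))
    return limits, timeouts

def adaptive_bounds(limits, timeouts):
    """Explicit adaptive.start/end if set, else 60% and 120% of the state limit."""
    states = limits["states"]
    start = timeouts.get("adaptive.start", states * 6 // 10)
    end = timeouts.get("adaptive.end", states * 12 // 10)
    return start, end

def effective_timeout(timeout, nstates, start, end):
    """Scale by (end - nstates) / (end - start) once nstates exceeds start."""
    # start = end = 0 disables scaling; start >= end is guarded to avoid dividing by zero.
    if end == 0 or start >= end or nstates <= start:
        return timeout
    if nstates >= end:
        return 0  # all timeouts become zero at adaptive.end
    return timeout * (end - nstates) // (end - start)

def scaling_table(conf, sample_timeout=86400, counts=(180000, 240000, 300000, 400000)):
    """Rows of (state count, scaled tcp.finwait, scaled sample timeout)."""
    limits, timeouts = parse_pf(conf)
    start, end = adaptive_bounds(limits, timeouts)
    fin = timeouts["tcp.finwait"]
    return [(n, effective_timeout(fin, n, start, end),
             effective_timeout(sample_timeout, n, start, end)) for n in counts]

if __name__ == "__main__":
    for row in scaling_table(PF_CONF):
        print("states=%d tcp.finwait=%ds sample=%ds" % row)
```

With these settings the timeouts are unchanged at 180000 states, and at 400000 states they are scaled to one third of their configured values.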