Adriaan wrote:
> On 10/14/06, Richard P. Koett <[EMAIL PROTECTED]> wrote:
>> I'm having throughput problems using a Soekris net4801 as a firewall
>> running OpenBSD 3.9. This is replacing a SonicWALL device that was
>> working fine from the user's perspective. (I want to replace it
>> because, among other things, I abhor SonicWALL's licensing). I won't
>> post a dmesg unless requested because I think this platform is pretty
>> well known. Hosts on the internal network are able to access the
>> Internet but report that access seems slow. Some operations fail
>> consistently. For example, users can send and receive e-mails but
>> can't send e-mail with attachments larger than about 20K. I ran a
>> browser-based ADSL speed test from an internal host and found download
>> speeds to be quite good but upload tests fail to complete.
>>
>> I found a few similar problems in the archives but the posted
>> solutions haven't worked for me. I can't see that pf is blocking
>> anything I want passed. At the moment I am running a stripped down
>> pf.conf as follows:
>>
>> # DECLARATIONS:
>> Ext_If="sis0"
>> Int_If="sis1"
>> DMZ_If="sis2"
>> Int_Net="192.168.5.0/24"
>>
>> # OPTIONS:
>> set loginterface $Ext_If
>>
>> # NAT / REDIRECTION:
>> nat on $Ext_If from $Int_Net to any -> ($Ext_If)
>> rdr on $Ext_If inet proto tcp from any to ($Ext_If) port 3391 \
>>     -> 192.168.5.1 port 3391
>> rdr on $Ext_If inet proto tcp from any to ($Ext_If) port 3392 \
>>     -> 192.168.5.2 port 3392
>>
>> I think I can rule out things like speed and duplex problems between
>> the Soekris and the local switch because the problem only affects
>> outbound traffic. I tried a few scrub options to no avail but may
>> not have been doing the right thing. I would really appreciate any
>> suggestions on how to troubleshoot this. If I can't get this
>> resolved by Monday morning I'm going to take some heat.
>>
>
> Do netstat -in, netstat -s or netstat -ss give any clues?

netstat -in lists no errors or collisions. Below is the output from
netstat -ss and netstat -s. I'm not sure what to make of it:

# netstat -ss
ip:
        241379 total packets received
        3302 packets for this host
        1 packet for unknown/unsupported protocol
        236784 packets forwarded
        3 packets not forwardable
        3048 packets sent from this host
icmp:
        495 calls to icmp_error
        Output packet histogram:
                echo reply: 180
                destination unreachable: 495
        Input packet histogram:
                destination unreachable: 1
                echo: 180
        180 message responses generated
igmp:
ipencap:
tcp:
        1234 packets sent
                1017 data packets (161279 bytes)
                27 data packets (17252 bytes) retransmitted
                153 ack-only packets (775 delayed)
                37 control packets
        1737 packets received
                762 acks (for 151461 bytes)
                222 duplicate acks
                808 packets (28599 bytes) received in-sequence
                9 completely duplicate packets (252 bytes)
                10 out-of-order packets (80 bytes)
                4 window update packets
                1737 packets hardware-checksummed
        6 connection requests
        26 connection accepts
        32 connections established (including accepts)
        57 connections closed (including 0 drops)
        717 segments updated rtt (of 729 attempts)
        26 retransmit timeouts
        3 correct ACK header predictions
        457 correct data packet header predictions
        308 PCB cache misses
                cwr by fastrecovery: 26
                cwr by timeout: 26
        26 SYN cache entries added
                26 completed
        26 SACK recovery episodes
        34 segment rexmits in SACK recovery episodes
        8552 byte rexmits in SACK recovery episodes
        202 SACK options received
        1 SACK option sent
udp:
        1385 datagrams received
        5 with no checksum
        1380 input packets hardware-checksummed
        99 dropped due to no socket
        1260 broadcast/multicast datagrams dropped due to no socket
        26 delivered
        27 datagrams output
        100 missed PCB cache
esp:
ah:
etherip:
ipcomp:
carp:
pfsync:
ip6:
        12 packets sent from this host
        Mbuf statistics:
icmp6:
        Output packet histogram:
                multicast listener report: 10
                neighbor solicitation: 2
        Histogram of error messages to be generated:
pim6:
rip6:

--------------------------------------------------------------

# netstat -s
(Note: Some parts omitted for brevity where all entries were zeros)
ip:
        241674 total packets received
        0 bad header checksums
        0 with size smaller than minimum
        0 with data size < data length
        0 with header length < data size
        0 with data length < header length
        0 with bad options
        0 with incorrect version number
        0 fragments received
        0 fragments dropped (duplicates or out of space)
        0 malformed fragments dropped
        0 fragments dropped after timeout
        0 packets reassembled ok
        3525 packets for this host
        1 packet for unknown/unsupported protocol
        236856 packets forwarded
        3 packets not forwardable
        0 redirects sent
        3252 packets sent from this host
        0 packets sent with fabricated ip header
        0 output packets dropped due to no bufs, etc.
        0 output packets discarded due to no route
        0 output datagrams fragmented
        0 fragments created
        0 datagrams that can't be fragmented
        0 fragment floods
        0 packets with ip length > max ip packet size
        0 tunneling packets that can't find gif
        0 datagrams with bad address in header
        0 input datagrams checksum-processed by hardware
        0 output datagrams checksum-processed by hardware
        0 multicast packets which we don't join
icmp:
        497 calls to icmp_error
        0 errors not generated because old message was icmp
        Output packet histogram:
                echo reply: 180
                destination unreachable: 497
        0 messages with bad code fields
        0 messages < minimum length
        0 bad checksums
        0 messages with bad length
        Input packet histogram:
                destination unreachable: 1
                echo: 180
        180 message responses generated
tcp:
        1443 packets sent
                1171 data packets (183704 bytes)
                34 data packets (22984 bytes) retransmitted
                0 fast retransmitted packets
                195 ack-only packets (902 delayed)
                0 URG only packets
                0 window probe packets
                0 window update packets
                43 control packets
                0 packets hardware-checksummed
        1953 packets received
                882 acks (for 171016 bytes)
                253 duplicate acks
                0 acks for unsent data
                0 acks for old data
                949 packets (35727 bytes) received in-sequence
                11 completely duplicate packets (292 bytes)
                0 old duplicate packets
                0 packets with some duplicate data (0 bytes duplicated)
                10 out-of-order packets (80 bytes)
                0 packets (0 bytes) of data after window
                0 window probes
                4 window update packets
                0 packets received after close
                0 discarded for bad checksums
                0 discarded for bad header offset fields
                0 discarded because packet too short
                0 discarded for missing IPsec protection
                0 discarded due to memory shortage
                1953 packets hardware-checksummed
                0 bad/missing md5 checksums
                0 good md5 checksums
        6 connection requests
        31 connection accepts
        37 connections established (including accepts)
        63 connections closed (including 0 drops)
        0 connections drained
        0 embryonic connections dropped
        815 segments updated rtt (of 825 attempts)
        33 retransmit timeouts
                0 connections dropped by rexmit timeout
        0 persist timeouts
        0 keepalive timeouts
                0 keepalive probes sent
                0 connections dropped by keepalive
        3 correct ACK header predictions
        515 correct data packet header predictions
        318 PCB cache misses
        0 ECN connections accepted
                0 ECE packets received
                0 CWR packets received
                0 CE packets received
                0 ECT packets sent
                0 ECE packets sent
                0 CWR packets sent
                cwr by fastrecovery: 27
                cwr by timeout: 33
                cwr by ecn: 0
        0 bad connection attempts
        31 SYN cache entries added
                0 hash collisions
                31 completed
                0 aborted (no space to build PCB)
                0 timed out
                0 dropped due to overflow
                0 dropped due to bucket overflow
                0 dropped due to RST
                0 dropped due to ICMP unreachable
        0 SYN,ACKs retransmitted
        0 duplicate SYNs received for entries already in the cache
        0 SYNs dropped (no route or no space)
        27 SACK recovery episodes
        36 segment rexmits in SACK recovery episodes
        9580 byte rexmits in SACK recovery episodes
        226 SACK options received
        1 SACK option sent
udp:
        1393 datagrams received
        0 with incomplete header
        0 with bad data length field
        0 with bad checksum
        5 with no checksum
        1388 input packets hardware-checksummed
        0 output packets hardware-checksummed
        101 dropped due to no socket
        1266 broadcast/multicast datagrams dropped due to no socket
        0 dropped due to missing IPsec protection
        0 dropped due to full socket buffers
        26 delivered
        27 datagrams output
        102 missed PCB cache
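
An added example, not part of the original message: a shell/awk helper that pulls the retransmission and forwarding counters out of `netstat -s` text so they can be compared between runs. The tcp: counters describe only connections that terminate on the firewall itself, while forwarded traffic is counted under ip:. The function name `summarise_netstat` and the embedded sample (a subset of the `netstat -ss` lines posted above) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original thread): summarise the counters in
# `netstat -s` text that are worth tracking for a "slow uploads" complaint.

# Excerpt of the `netstat -ss` output posted above (subset of lines).
SAMPLE='ip:
        241379 total packets received
        3302 packets for this host
        236784 packets forwarded
tcp:
        1234 packets sent
                1017 data packets (161279 bytes)
                27 data packets (17252 bytes) retransmitted
                153 ack-only packets (775 delayed)
        1737 packets received
        26 retransmit timeouts
udp:
        1385 datagrams received'

# summarise_netstat (hypothetical helper): reads netstat -s text on stdin
# and prints one line of key=value pairs.
summarise_netstat() {
    LC_ALL=C awk '
    { sub(/[ \t]+$/, "") }                     # tolerate trailing blanks
    /^[a-z0-9]+:$/ { sect = $1; next }         # section header such as "tcp:"
    sect == "ip:"  && /packets? forwarded$/      { fwd = $1 }
    sect == "ip:"  && /packets? for this host$/  { loc = $1 }
    sect == "tcp:" && /data packets? \([0-9]+ bytes?\) retransmitted$/ {
        rp = $1; rb = substr($4, 2); next      # $4 looks like "(17252"
    }
    sect == "tcp:" && /data packets? \([0-9]+ bytes?\)$/ {
        dp = $1; db = substr($4, 2)
    }
    sect == "tcp:" && /retransmit timeouts?$/ { rto = $1 }
    END {
        # Percentages are retransmitted data relative to data packets/bytes.
        printf "local_pkts=%d forwarded_pkts=%d ", loc, fwd
        printf "tcp_retx_pkt_pct=%.1f tcp_retx_byte_pct=%.1f tcp_rto=%d\n",
            (dp ? 100 * rp / dp : 0), (db ? 100 * rb / db : 0), rto
    }'
}

printf '%s\n' "$SAMPLE" | summarise_netstat
```

On the firewall itself the same function can be fed live data with `netstat -s | summarise_netstat`.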