Adriaan wrote:
> On 10/14/06, Richard P. Koett <[EMAIL PROTECTED]> wrote:
>> I'm having throughput problems using a Soekris net4801 as a firewall
>> running OpenBSD 3.9. This is replacing a SonicWALL device that was
>> working fine from the user's perspective. (I want to replace it
>> because, among other things, I abhor SonicWALL's licensing). I won't
>> post a
>> dmesg unless requested because I think this platform is pretty well
>> known. Hosts on the internal network are able to access the Internet
>> but report that access seems slow. Some operations fail consistently.
>> For example, users can send and receive e-mail but can't send
>> e-mail with attachments larger than about 20K. I ran a browser-based
>> ADSL speed test from an internal host and found download speeds to
>> be quite good but upload tests fail to complete.
>>
>> I found a few similar problems in the archives but the posted
>> solutions haven't worked for me. I can't see that pf is blocking
>> anything I want passed. At the moment I am running a stripped down
>> pf.conf as follows:
>>
>> # DECLARATIONS:
>> Ext_If="sis0"
>> Int_If="sis1"
>> DMZ_If="sis2"
>> Int_Net="192.168.5.0/24"
>>
>> # OPTIONS:
>> set loginterface $Ext_If
>>
>> # NAT / REDIRECTION:
>> nat on $Ext_If from $Int_Net to any -> ($Ext_If)
>> rdr on $Ext_If inet proto tcp from any to ($Ext_If) port 3391 \
>> -> 192.168.5.1 port 3391
>> rdr on $Ext_If inet proto tcp from any to ($Ext_If) port 3392 \
>> -> 192.168.5.2 port 3392
>>
>> I think I can rule out things like speed and duplex problems between
>> the Soekris and the local switch because the problem only affects
>> outbound traffic. I tried a few scrub options to no avail but may
>> not have been doing the right thing. I would really appreciate any
>> suggestions on how to troubleshoot this. If I can't get this
>> resolved by Monday morning I'm going to take some heat.
>>
>
> Do netstat -in, netstat -s or netstat -ss give any clues?
netstat -in lists no errors or collisions. Below is the output from
netstat -ss and netstat -s. I'm not sure what to make of it:
# netstat -ss
ip:
241379 total packets received
3302 packets for this host
1 packet for unknown/unsupported protocol
236784 packets forwarded
3 packets not forwardable
3048 packets sent from this host
icmp:
495 calls to icmp_error
Output packet histogram:
echo reply: 180
destination unreachable: 495
Input packet histogram:
destination unreachable: 1
echo: 180
180 message responses generated
igmp:
ipencap:
tcp:
1234 packets sent
1017 data packets (161279 bytes)
27 data packets (17252 bytes) retransmitted
153 ack-only packets (775 delayed)
37 control packets
1737 packets received
762 acks (for 151461 bytes)
222 duplicate acks
808 packets (28599 bytes) received in-sequence
9 completely duplicate packets (252 bytes)
10 out-of-order packets (80 bytes)
4 window update packets
1737 packets hardware-checksummed
6 connection requests
26 connection accepts
32 connections established (including accepts)
57 connections closed (including 0 drops)
717 segments updated rtt (of 729 attempts)
26 retransmit timeouts
3 correct ACK header predictions
457 correct data packet header predictions
308 PCB cache misses
cwr by fastrecovery: 26
cwr by timeout: 26
26 SYN cache entries added
26 completed
26 SACK recovery episodes
34 segment rexmits in SACK recovery episodes
8552 byte rexmits in SACK recovery episodes
202 SACK options received
1 SACK option sent
udp:
1385 datagrams received
5 with no checksum
1380 input packets hardware-checksummed
99 dropped due to no socket
1260 broadcast/multicast datagrams dropped due to no socket
26 delivered
27 datagrams output
100 missed PCB cache
esp:
ah:
etherip:
ipcomp:
carp:
pfsync:
ip6:
12 packets sent from this host
Mbuf statistics:
icmp6:
Output packet histogram:
multicast listener report: 10
neighbor solicitation: 2
Histogram of error messages to be generated:
pim6:
rip6:
--------------------------------------------------------------
# netstat -s
(Note: Some parts omitted for brevity where all entries were zeros)
ip:
241674 total packets received
0 bad header checksums
0 with size smaller than minimum
0 with data size < data length
0 with header length < data size
0 with data length < header length
0 with bad options
0 with incorrect version number
0 fragments received
0 fragments dropped (duplicates or out of space)
0 malformed fragments dropped
0 fragments dropped after timeout
0 packets reassembled ok
3525 packets for this host
1 packet for unknown/unsupported protocol
236856 packets forwarded
3 packets not forwardable
0 redirects sent
3252 packets sent from this host
0 packets sent with fabricated ip header
0 output packets dropped due to no bufs, etc.
0 output packets discarded due to no route
0 output datagrams fragmented
0 fragments created
0 datagrams that can't be fragmented
0 fragment floods
0 packets with ip length > max ip packet size
0 tunneling packets that can't find gif
0 datagrams with bad address in header
0 input datagrams checksum-processed by hardware
0 output datagrams checksum-processed by hardware
0 multicast packets which we don't join
icmp:
497 calls to icmp_error
0 errors not generated because old message was icmp
Output packet histogram:
echo reply: 180
destination unreachable: 497
0 messages with bad code fields
0 messages < minimum length
0 bad checksums
0 messages with bad length
Input packet histogram:
destination unreachable: 1
echo: 180
180 message responses generated
tcp:
1443 packets sent
1171 data packets (183704 bytes)
34 data packets (22984 bytes) retransmitted
0 fast retransmitted packets
195 ack-only packets (902 delayed)
0 URG only packets
0 window probe packets
0 window update packets
43 control packets
0 packets hardware-checksummed
1953 packets received
882 acks (for 171016 bytes)
253 duplicate acks
0 acks for unsent data
0 acks for old data
949 packets (35727 bytes) received in-sequence
11 completely duplicate packets (292 bytes)
0 old duplicate packets
0 packets with some duplicate data (0 bytes duplicated)
10 out-of-order packets (80 bytes)
0 packets (0 bytes) of data after window
0 window probes
4 window update packets
0 packets received after close
0 discarded for bad checksums
0 discarded for bad header offset fields
0 discarded because packet too short
0 discarded for missing IPsec protection
0 discarded due to memory shortage
1953 packets hardware-checksummed
0 bad/missing md5 checksums
0 good md5 checksums
6 connection requests
31 connection accepts
37 connections established (including accepts)
63 connections closed (including 0 drops)
0 connections drained
0 embryonic connections dropped
815 segments updated rtt (of 825 attempts)
33 retransmit timeouts
0 connections dropped by rexmit timeout
0 persist timeouts
0 keepalive timeouts
0 keepalive probes sent
0 connections dropped by keepalive
3 correct ACK header predictions
515 correct data packet header predictions
318 PCB cache misses
0 ECN connections accepted
0 ECE packets received
0 CWR packets received
0 CE packets received
0 ECT packets sent
0 ECE packets sent
0 CWR packets sent
cwr by fastrecovery: 27
cwr by timeout: 33
cwr by ecn: 0
0 bad connection attempts
31 SYN cache entries added
0 hash collisions
31 completed
0 aborted (no space to build PCB)
0 timed out
0 dropped due to overflow
0 dropped due to bucket overflow
0 dropped due to RST
0 dropped due to ICMP unreachable
0 SYN,ACKs retransmitted
0 duplicate SYNs received for entries already in the cache
0 SYNs dropped (no route or no space)
27 SACK recovery episodes
36 segment rexmits in SACK recovery episodes
9580 byte rexmits in SACK recovery episodes
226 SACK options received
1 SACK option sent
udp:
1393 datagrams received
0 with incomplete header
0 with bad data length field
0 with bad checksum
5 with no checksum
1388 input packets hardware-checksummed
0 output packets hardware-checksummed
101 dropped due to no socket
1266 broadcast/multicast datagrams dropped due to no socket
0 dropped due to missing IPsec protection
0 dropped due to full socket buffers
26 delivered
27 datagrams output
102 missed PCB cache
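An added example, not part of the thread: it parses the tcp section of the netstat -s output quoted above and derives the ratios a firewall admin checks first when uploads stall (share of data packets and bytes retransmitted, retransmit timeouts per connection, duplicate ACKs per ACK). The embedded sample is a constructed subset of the lines in the post; the counter names and the large_segments_lost heuristic are assumptions of this example, not anything the thread states.

```python
import re

# Constructed subset of the "netstat -s" tcp section quoted in the post.
SAMPLE = """\
tcp:
        1443 packets sent
                1171 data packets (183704 bytes)
                34 data packets (22984 bytes) retransmitted
        1953 packets received
                882 acks (for 171016 bytes)
                253 duplicate acks
        37 connections established (including accepts)
        33 retransmit timeouts
udp:
        1393 datagrams received
"""

# One regex per counter we care about; group 1 is the count, group 2 (if any) bytes.
PATTERNS = {
    "data_sent":       re.compile(r"^(\d+) data packets \((\d+) bytes\)$"),
    "data_rexmit":     re.compile(r"^(\d+) data packets \((\d+) bytes\) retransmitted$"),
    "acks":            re.compile(r"^(\d+) acks \(for (\d+) bytes\)$"),
    "dup_acks":        re.compile(r"^(\d+) duplicate acks$"),
    "connections":     re.compile(r"^(\d+) connections established"),
    "rexmit_timeouts": re.compile(r"^(\d+) retransmit timeouts$"),
}

def parse_tcp_section(text):
    """Return {counter: (count, bytes_or_None)} taken from the 'tcp:' block only."""
    stats, in_tcp = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":") and " " not in line:   # protocol header, e.g. "tcp:"
            in_tcp = (line == "tcp:")
            continue
        if not in_tcp:
            continue
        for name, pat in PATTERNS.items():
            m = pat.match(line)
            if m:
                g = m.groups()
                stats[name] = (int(g[0]), int(g[1]) if len(g) > 1 else None)
    return stats

def summarize(stats):
    """Derive the ratios worth eyeballing; thresholds here are rules of thumb."""
    sent, sent_bytes = stats["data_sent"]
    rexmit, rexmit_bytes = stats["data_rexmit"]
    pkt_pct = round(100.0 * rexmit / sent, 2)
    byte_pct = round(100.0 * rexmit_bytes / sent_bytes, 2)
    return {
        "rexmit_pkt_pct": pkt_pct,
        "rexmit_byte_pct": byte_pct,
        "timeouts_per_conn": round(stats["rexmit_timeouts"][0] / stats["connections"][0], 2),
        "dup_ack_ratio": round(stats["dup_acks"][0] / stats["acks"][0], 2),
        # Retransmitted bytes far outweighing retransmitted packets means the
        # large segments are the ones being lost, not small ones.
        "large_segments_lost": byte_pct > 2 * pkt_pct,
    }
```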