Hi All

To reproduce the stalling problem I am doing an FTP download from my local
ISP. The stalled transfer shows duplicate ACKs when analyzed with Wireshark
expert info composite.

To rule out the hardware I used IPCop which works fine.

I thought it might be a window scaling misconfiguration but I think I have
covered the block and flags S/SA and keep state requirements on all the pass
rules. The stalling problem is worse when there is any kind of transfer
happening on the dmz.

My connection speed is 15Mbps/900Kbps

My pf.conf, dmesg and ppp.conf are listed below.

Would someone mind helping me out with this?

############
# MACROS
############

ext_if = "tun0"
int_if = "dc0"
dmz_if = "rl0"

lan = "..."
dmz = "..."

torrent           = "..."

tcp_services = "{ 22 113 }"
udp_services = "{        }"

icmp_types="echoreq"

############
# OPTIONS
############

set block-policy return
set loginterface $ext_if
set skip on lo

############
# SCRUB
############

scrub in
scrub out on $ext_if max-mss 1440

############
# QUEUE
############

altq on $ext_if priq bandwidth 700Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

############
# NAT/RDR
############

nat on $ext_if from !($ext_if) -> ($ext_if:0)

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $dmz_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

rdr on $ext_if proto tcp from any to any port xxxx -> $torrent
rdr on $ext_if proto udp from any to any port xxxx -> $torrent

############
# FILTER
############

block in log
block out

pass out on { $int_if, $dmz_if } flags S/SA keep state

pass out on $ext_if inet proto tcp from $ext_if to any flags S/SA keep state queue(q_def, q_pri)

pass out on $ext_if inet proto { udp, icmp } from $ext_if to any keep state queue(q_def, q_pri)

anchor "ftp-proxy/*"

antispoof quick for { lo $ext_if }

pass log on $ext_if inet proto icmp icmp-type unreach code needfrag

pass in on { $ext_if, $int_if } inet proto icmp all icmp-type $icmp_types keep state

pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state queue(q_def, q_pri)

#pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_services keep state queue(q_def, q_pri)

pass in on $ext_if inet proto tcp from any to $torrent port xxxx flags S/SA keep state queue(q_def, q_pri)

pass in on $ext_if inet proto udp from any to $torrent port xxxx keep state queue(q_def, q_pri)

pass in on $int_if flags S/SA keep state

pass in on $dmz_if from any to !$lan flags S/SA keep state

--------------

OpenBSD 4.1 (GENERIC) #1435: Sat Mar 10 19:07:45 MST 2007
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III ("GenuineIntel" 686-class, 128KB L2 cache) 903 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem  = 133722112 (130588K)
avail mem = 114610176 (111924K)
using 1663 buffers containing 6811648 bytes (6652K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 02/14/00, BIOS32 rev. 0 @ 0xfb350, SMBIOS rev. 2.2 @ 0xf0800 (39 entries)
bios0: EDsys Computers PENC46VG43
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf0000/0xb7d8
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfded0/144 (7 entries)
pcibios0: PCI Exclusive IRQs: 5 10 11 12
pcibios0: PCI Interrupt Router at 000:07:0 ("VIA VT82C596A ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc0000/0x10000
acpi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "VIA VT82C691 PCI" rev 0x44
ppb0 at pci0 dev 1 function 0 "VIA VT82C598 AGP" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "NVIDIA Vanta" rev 0x15
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 "VIA VT82C596A ISA" rev 0x12
pciide0 at pci0 dev 7 function 1 "VIA VT82C571 IDE" rev 0x06: ATA66, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: <WDC WD800BB-00BSA0>
wd0: 16-sector PIO, LBA, 76319MB, 156301488 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 4
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <HL-DT-ST, DVD-ROM GDR8162B, 0015> SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 7 function 2 "VIA VT83C572 USB" rev 0x08: irq 10
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
"VIA VT82C596 Power" rev 0x20 at pci0 dev 7 function 3 not configured
dc0 at pci0 dev 8 function 0 "DEC 21142/3" rev 0x41: irq 11, address 00:40:f4:66:84:e2
sqphy0 at dc0 phy 17: Seeq 84220 10/100 PHY, rev. 0
rl0 at pci0 dev 9 function 0 "Realtek 8139" rev 0x10: irq 12, address 00:40:f4:b3:f1:7b
rlphy0 at rl0 phy 0: RTL internal PHY
rl1 at pci0 dev 10 function 0 "Accton MPX 5030/5038" rev 0x10: irq 5, address 00:04:e2:0e:06:32
rlphy1 at rl1 phy 0: RTL internal PHY
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask e745 netmask ff65 ttymask ffe7
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302

-----

default:
 set log Phase Chat LCP IPCP CCP tun command
 set redial 15 0
 set reconnect 15 10000

pppoe:
 set device "!/usr/sbin/pppoe -i rl1"
 disable acfcomp protocomp
 deny acfcomp
 set mtu max 1440
 set mru max 1440
 set speed sync
 enable lqr
 set lqrperiod 5
 set cd 5
 set dial
 set login
 set timeout 0
 set authname myname
 set authkey mypass
 add! default HISADDR
 enable dns
 enable mssfixup

Thanks
Mark
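
Added example (not part of Mark's message or his configuration): a small Python audit of the check the post describes, namely that every pass rule able to match TCP explicitly carries both "flags S/SA" and a state option. The sample rules are constructed from the post plus one constructed rule without flags, and all function names are hypothetical.

```python
import re

# Constructed sample: rules modelled on the post, plus one constructed rule
# (the last) that omits "flags S/SA" to show what a finding looks like.
SAMPLE_PF_CONF = """\
block in log
pass out on $ext_if inet proto tcp from $ext_if to any flags S/SA keep state \\
    queue(q_def, q_pri)
pass out on $ext_if inet proto { udp, icmp } from $ext_if to any keep state
#pass in on $ext_if inet proto udp from any to ($ext_if) keep state
pass in on $dmz_if from any to !$lan flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $torrent port xxxx keep state
"""

# Options the post says every pass rule should carry (checked textually).
REQUIRED = [("flags S/SA", r"\bflags\s+S/SA\b"),
            ("keep state", r"\b(keep|modulate|synproxy)\s+state\b")]

def logical_rules(text):
    """Yield (first_line_no, rule); joins '\\' continuations, drops comments."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if start is None:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        rule = " ".join((buf + line).split())
        if rule:
            yield start, rule
        buf, start = "", None

def can_match_tcp(rule):
    """A rule with no 'proto' matches every protocol, TCP included."""
    m = re.search(r"\bproto\s+(\{[^}]*\}|\S+)", rule)
    return m is None or "tcp" in re.split(r"[\s,{}]+", m.group(1))

def audit(text):
    """Return [(line_no, [missing options])] for pass rules that can match TCP."""
    findings = []
    for n, rule in logical_rules(text):
        if not rule.startswith("pass ") or not can_match_tcp(rule):
            continue
        missing = [name for name, pat in REQUIRED if not re.search(pat, rule)]
        if missing:
            findings.append((n, missing))
    return findings

if __name__ == "__main__":
    for line_no, missing in audit(SAMPLE_PF_CONF):
        print(f"line {line_no}: missing {', '.join(missing)}")
```

The audit only looks for the options written out on each rule; it does not model defaults applied by the pf version in use.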

