Re: DNAT in freebsd

2013-06-30 Thread Paul A. Procacci

On Sat, Jun 29, 2013 at 09:50:15AM +0300, Sami Halabi wrote:
 I think I was misunderstood...
 Here is the situation I want to handle:
 My box is a router that handles several /24s behind it.
 One of my links (em0) is connected to a private network; 192.168.0.1 is me,
 my neighbour is 192.168.0.2.
 I want to make any connection that comes to 192.168.0.1 go to ip
 193.xxx.yyy.2 using the specific public ip 84.xx.yy.1,
 and packets coming to my public 84.xx.yy.1 ip to be translated as if they came
 from 192.168.0.1 and sent to 192.168.0.2 (or any other ips
 behind it (192.168.1.xx/24)).

 Hope that makes it clearer, and I appreciate any help.

 Sami
  On 29 Jun 2013 03:30, Paul A. Procacci
 pproca...@datapipe.com wrote:

The answer I provided you does exactly what you want it to do.  Not to mention
the man page goes over other things as well if the answer I provided you
wasn't accurate.  Here is my config that I use for my home setup.

The config:

- binds a nat instance on the primary interface
- denies all inbound syn's among other things
- Forward packets originating on the internal network interface through nat
- and returns packets (ack's) back to the original sender.

!!
#!/bin/sh
## Start of IPFW Configuration
# Set rules command prefix :: Rule numbering cannot exceed 900

cmd="/sbin/ipfw -q"
pif=de0        # Public NIC
iif=bridge0    # Internal NIC

##
# Flush current rules and do config.
$cmd -f flush
$cmd enable one_pass
##

${cmd} add 1 allow all from any to any via lo0
${cmd} add 2 deny all from any to 127.0.0.0/8
${cmd} add 3 deny ip from 127.0.0.0/8 to any

${cmd} nat 1 config if ${pif} log deny_in reset unreg_only same_ports
${cmd} add 00020 nat 1 all from any to any via ${pif}

${cmd} add 00050 allow all from any to any via ${iif}

${cmd} add 65534 deny log all from any to any
!!

Again, this information is found in `man ipfw(8)` and does what you are
asking.

~Paul



This message may contain confidential or privileged information. If you are not 
the intended recipient, please advise us immediately and delete this message. 
See http://www.datapipe.com/legal/email_disclaimer/ for further information on 
confidentiality and the risks of non-secure electronic communication. If you 
cannot access these links, please notify us by reply message and we will send 
the contents to you.
___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org


Re: DNAT in freebsd

2013-06-28 Thread Paul A. Procacci
 Hi, (sorry for sending again, the last email was with the wrong subject)
 I would like to perform a full dnat/snat as in iptables in:
 linux-ip.net/html/nat-dnat.html
 How can it be done in fbsd? I use ipfw.

 I looked through the natd man page, but it's about translation, and the proxy_rule is for
 a specific port, not whole transparency.


Using in-kernel nat is probably a better choice IMHO.

read `man ipfw(8)`

The section labeled EXAMPLES has exactly what you need.
Here is a snippet from the manpage to get you started:

---
!--snip--

Then to configure nat instance 123 to alias all the outgoing traffic with
ip 192.168.0.123, blocking all incoming connections, trying to keep same
ports on both sides, clearing aliasing table on address change and keeping
a log of traffic/link statistics:

ipfw nat 123 config ip 192.168.0.123 log deny_in reset same_ports

!--snip--

ipfw nat 123 config redirect_addr 10.0.0.1 10.0.0.66
        redirect_port tcp 192.168.0.1:80 500
        redirect_proto udp 192.168.1.43 192.168.1.1
        redirect_addr 192.168.0.10,192.168.0.11
            10.0.0.100      # LSNAT
        redirect_port tcp 192.168.0.1:80,192.168.0.10:22
            500             # LSNAT

!--snip--
---


~Paul



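The two mails above point at `redirect_addr` but never show it wired into a full ruleset for the case Sami describes (a private host behind the router that should be reachable on, and seen as, one public address). The script below is an added example, not code from either mail or from the ipfw manpage. The public address 203.0.113.1 is an assumed stand-in from the RFC 5737 documentation range for the masked 84.xx.yy.1, and the interface names em0/em1 are assumptions as well. It deliberately leaves `deny_in` off: the manpage describes that flag as denying incoming connections from the outside world, and the point of a 1:1 mapping is to accept some of them, so the ipfw rules after the `nat` action decide what reaches the inside host. Setting `IPFW=echo` prints the rules instead of installing them.

```sh
#!/bin/sh
# Added example, not code from the thread: a 1:1 (bidirectional) mapping
# with in-kernel ipfw nat, shaped like the scenario Sami describes.
# 203.0.113.1 is an assumed stand-in (RFC 5737) for the masked 84.xx.yy.1;
# interface names are assumptions too.
#
#   PUB_IP  address on the router's public side that the outside talks to
#   INT_IP  private host behind the router that should "own" PUB_IP
#
# Run with IPFW=echo to print the rules instead of installing them.

IPFW="${IPFW:-/sbin/ipfw}"
PIF="${PIF:-em1}"                    # public-facing interface (assumed)
IIF="${IIF:-em0}"                    # interface towards 192.168.0.0/24
PUB_IP="${PUB_IP:-203.0.113.1}"      # stands in for 84.xx.yy.1
INT_IP="${INT_IP:-192.168.0.2}"      # the neighbour that gets PUB_IP
INT_NET="${INT_NET:-192.168.0.0/24}"

apply_rules() {
    $IPFW -q -f flush
    # one_pass off: a packet leaving the nat action continues with the
    # next rule, so the filter rules below see the translated addresses.
    $IPFW disable one_pass

    # Static link INT_IP <-> PUB_IP: outbound from INT_IP is rewritten to
    # PUB_IP, inbound to PUB_IP is rewritten to INT_IP. deny_in is not
    # used; the rules after the nat action do the inbound filtering.
    $IPFW nat 1 config if "$PIF" log same_ports reset \
        redirect_addr "$INT_IP" "$PUB_IP"

    $IPFW add 100 allow ip from any to any via lo0
    $IPFW add 110 deny ip from any to 127.0.0.0/8
    $IPFW add 120 deny ip from 127.0.0.0/8 to any

    # Anti-spoofing: the private range never legitimately arrives from
    # the public side.
    $IPFW add 200 deny log ip from "$INT_NET" to any in via "$PIF"

    # Translate everything that crosses the public interface.
    $IPFW add 300 nat 1 ip from any to any via "$PIF"

    # Post-translation policy on the public side: only TCP/443 of INT_IP
    # is reachable from outside. "established" matches on the ACK flag
    # only; it lets replies back in but is not a state table.
    $IPFW add 400 allow tcp from any to "$INT_IP" 443 in via "$PIF" setup
    $IPFW add 410 allow tcp from any to any established
    $IPFW add 420 allow ip from any to any out via "$PIF"

    # The internal side is trusted in this example.
    $IPFW add 430 allow ip from any to any via "$IIF"

    $IPFW add 65000 deny log ip from any to any
}

# Install only when explicitly asked, so the file can be sourced or
# dry-run safely. Routing itself still needs net.inet.ip.forwarding=1.
if [ -n "${APPLY:-}" ]; then
    apply_rules
fi
```

Inbound SYNs to 203.0.113.1:443 are rewritten to 192.168.0.2 by rule 300 and then admitted by rule 400; any other unsolicited inbound packet falls through to 65000 and is logged. Check the translation table with `ipfw nat 1 show` and the rule counters with `ipfw -a list` after sending a test connection.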


Re: IPFW tablearg questions

2013-05-30 Thread Paul A. Procacci
 The question:
 Why can't you add a skipto to the default rule (65535)?

http://lists.freebsd.org/pipermail/freebsd-ipfw/2007-June/003067.html

 I also consider using tablearg with divert, but manpage is contradicting
 itself in regards to divert with tablearg:
  divert port
  Divert packets that match this rule to the divert(4) socket
 bound
  to port port.  The search terminates.
 vs

 The tablearg argument can be used with the following
  actions: nat, pipe, queue, divert, tee, netgraph, ngtee, fwd, skipto,
  setfib, action parameters: tag, untag, rule options: limit, tagged.

 Also, in the EXAMPLES section one can find:

  In the following example per-interface firewall is created:

ipfw table 10 add vlan20 12000
ipfw table 10 add vlan30 13000
ipfw table 20 add vlan20 22000
ipfw table 20 add vlan30 23000
..
ipfw add 100 ipfw skipto tablearg ip from any to any recv
'table(10)' in
ipfw add 200 ipfw skipto tablearg ip from any to any xmit
'table(10)' out
 
 where ipfw add 100 ipfw skipto seems wrong...

I'm not sure where the contradiction is.  Have you tried something like
the following as an example?  I'm not sure the below works, but in my
mind it does.  ;)

#
ipfw table 10 add 129.168.0.0/24 1234
ipfw table 10 add 10.5.21.0/24 5678
ipfw add 100 divert tablearg ip from 'table(10)' to any
#

Perhaps knowing what it is you are trying to accomplish would lead
to a more concrete answer.

~Paul



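The manpage example quoted above sketches a per-interface firewall with `skipto tablearg` but stops at the dispatcher rule (and carries the stray second `ipfw` the poster noticed). The script below is an added example, not from the thread or the manpage, that fills in the per-interface blocks. Interface names, networks and rule numbers are assumptions. Two details matter in practice: `skipto` only jumps forward, so every block number must be higher than the dispatcher's, and `skipto` only enters a block, so each block needs its own terminal rule or a packet runs on into the next block. On FreeBSD 11 and later the table must be created with `type iface` before interface names can be added to it. `IPFW=echo` prints the rules instead of installing them.

```sh
#!/bin/sh
# Added example, not from the thread or the manpage: a per-interface
# ruleset driven by `skipto tablearg`. Interface names, networks and rule
# numbers are assumptions. Run with IPFW=echo for a dry run.

IPFW="${IPFW:-/sbin/ipfw}"

# interface:first-rule-of-its-block. The table value is the rule number
# skipto jumps to; skipto only jumps forward, so every block must be
# numbered above the dispatcher rule (200 below).
BLOCKS="vlan20:12000 vlan30:13000"

apply_rules() {
    $IPFW -q -f flush
    # FreeBSD 11+: tables are typed, run `$IPFW table 10 create type iface`
    # once before adding interface names.
    $IPFW table 10 flush
    for ent in $BLOCKS; do
        $IPFW table 10 add "${ent%%:*}" "${ent##*:}"
    done

    $IPFW add 100 allow ip from any to any via lo0

    # Dispatcher: a packet received on a listed interface jumps to that
    # interface's block. Interfaces not in the table fall through to the
    # default deny at the end.
    $IPFW add 200 skipto tablearg ip from any to any recv 'table(10)' in
    $IPFW add 210 allow ip from any to any out

    # vlan20 block: web clients only.
    $IPFW add 12000 allow tcp from 10.20.0.0/24 to any 80,443 setup
    $IPFW add 12010 allow tcp from any to any established
    # Every block needs its own terminal rule: skipto only enters the
    # block, nothing stops a packet from running on into the next one.
    $IPFW add 12999 deny log ip from any to any

    # vlan30 block: DNS to one resolver only.
    $IPFW add 13000 allow udp from 10.30.0.0/24 to 10.30.0.1 53
    $IPFW add 13999 deny log ip from any to any

    $IPFW add 65000 deny log ip from any to any
}

if [ -n "${APPLY:-}" ]; then
    apply_rules
fi
```

After loading, `ipfw table 10 list` shows the interface-to-block mapping and `ipfw -a list` shows which block's counters move for traffic from each VLAN; a packet from an interface missing from the table should only ever increment rule 65000.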


Re: Is it possible to slow down the network interface?

2013-04-02 Thread Paul A. Procacci

On Tue, Apr 02, 2013 at 04:25:58PM -0700, Yuri wrote:
 For the testing purposes, I would like to be able to control the maximum
 speed of the interface.

ipfw (pf too?) can artificially control speeds via dummynet.
There are man pages describing all of the above, and they should be a good
starting place for you.

~Paul



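The reply above names dummynet but shows no configuration. The script below is an added example, not from the thread, that emulates a slow link on one interface for testing: one pipe per direction, because a single pipe used for both in and out would make the two directions share the bandwidth instead of each getting it. Interface name, rate and delay are assumptions; the dummynet module has to be loaded (`kldload dummynet`) and `IPFW=echo` prints the rules instead of installing them.

```sh
#!/bin/sh
# Added example, not from the thread: rate-limit one interface with
# dummynet pipes to emulate a slow link. Interface, rate and delay are
# assumptions. Run with IPFW=echo for a dry run.

IPFW="${IPFW:-/sbin/ipfw}"
IFACE="${IFACE:-em0}"
RATE="${RATE:-1Mbit/s}"
DELAY="${DELAY:-50ms}"

# One pipe per direction: a pipe is a single emulated link, so sharing
# one pipe between in and out would split RATE between the directions.
apply_pipes() {
    $IPFW pipe 1 config bw "$RATE" delay "$DELAY"
    $IPFW pipe 2 config bw "$RATE" delay "$DELAY"
    $IPFW add 100 pipe 1 ip from any to any out xmit "$IFACE"
    $IPFW add 110 pipe 2 ip from any to any in recv "$IFACE"
}

# Undo in reverse: rules first, then the pipes they refer to.
remove_pipes() {
    $IPFW delete 100 110
    $IPFW pipe 1 delete
    $IPFW pipe 2 delete
}

# With net.inet.ip.fw.one_pass=1 (the default) a packet coming out of a
# pipe is accepted without visiting later rules; set it to 0 if the rest
# of the ruleset must still filter shaped traffic.
case "${1:-}" in
    up)   apply_pipes ;;
    down) remove_pipes ;;
esac
```

`ipfw pipe show` reports per-pipe queue length and drops while a transfer runs, which is the quickest way to confirm the limit is being applied to the direction you expected.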


Re: mbuf tuning on 9.1

2013-03-12 Thread Paul A. Procacci
 How can I increase mbufs, as they appear above, and mbuf clusters,
 as they appear above?

You can modify the sysctl's associated with mbufs to suit your needs.

https://wiki.freebsd.org/NetworkPerformanceTuning

The following link describes what mbufs are and sysctl's governing
their operation.

~Paul





Re: one physical interface - n virtual interfaces

2012-10-16 Thread Paul A. Procacci
On Tue, Oct 16, 2012 at 10:35:55PM +0200, Mariano Cediel wrote:
 How do I create, from a physical interface, n virtual interfaces, but
 all effects are real, their MAC different, on which we can do
 individually NAT, etc, etc.?

 I need one external interface has 2 public IPs, and I'll do every NAT
 over every interface (with ipfw and divert)
 individually (each of them has its own gateway)

 A little help to start researching .
 Greetings.

http://freebsd.1045724.n5.nabble.com/Virtual-Network-Interface-Card-td4005109.html

The above was posted in late 2010.  It has one example of creating virtual
interfaces using the netgraph module.  3rd post from the top.

I'm not entirely sure if this is the current _correct_ way, but I imagine it is
still accurate and can be used to get you started.

~Paul





Re: DHCP server with a group of mac address

2012-09-26 Thread Paul A. Procacci
In dhcpd.conf it describes ways to assign clients to classes.  It further explains
how to `deny` or `allow` those clients assigned to those classes.

Read the subsection from dhcpd.conf(5) called `SUBCLASSES`. It provides an
example which almost answers your question in its entirety.

~Paul

On Wed, Sep 26, 2012 at 05:58:11PM +0800, d...@mybsd.org.my wrote:
 Hi,

 i'm installing isc-dhcp42-server and run in the network for like 1000 node. i
 have like 1000 mac address (servers, PC's, printers, phones, etc) which i put
 in the text file.

 FYI,

 Any mac address (which is in the text file) who plug into the network will get
 the ip address based on the vlan configured on the switch. Any mac address
 who's NOT in the text file, will not getting any IP and they will not 
 authorize
 to be in our network.

 Is this possible to do with isc-dhcp ? I try to search around these topic but
 not much help.

 Anyone have any tips / shed me some light ?


 ---
 ded1
 MyBSD Malaysia Project
 http://www.MyBSD.org.my



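The poster has the allowed MAC addresses in a text file, and the SUBCLASSES section Paul points at expects one `subclass` statement per address. The script below is an added example, not from the thread or from ISC's documentation, that generates those statements from such a file and wraps them in the class and pool definitions that hand out leases only to listed hardware. The MAC list and the subnet are constructed for the example; the class name is an assumption. One caveat belongs next to any such setup: a MAC address is trivially spoofed, so "on the list" means convenience, not authorisation.

```sh
#!/bin/sh
# Added example, not from the thread: turn a flat list of MAC addresses
# into the dhcpd.conf class/subclass statements described under
# SUBCLASSES in dhcpd.conf(5). The MAC list and subnet below are
# constructed for the example; the class name is an assumption.

CLASS="${CLASS:-known-hosts}"

# Emit one subclass line per valid MAC; report malformed lines on stderr.
# With "match hardware", the subclass value is the hardware type byte
# (1 = Ethernet) followed by the address.
gen_subclasses() {
    # $1 = path of the MAC list, one per line, '#' comments allowed
    hex='[0-9a-f][0-9a-f]'
    tr 'A-F' 'a-f' < "$1" | sed 's/#.*//' | while read -r mac rest; do
        [ -z "$mac" ] && continue
        case "$mac" in
            $hex:$hex:$hex:$hex:$hex:$hex)
                printf 'subclass "%s" 1:%s;\n' "$CLASS" "$mac" ;;
            *)  printf 'skipped malformed entry: %s\n' "$mac" >&2 ;;
        esac
    done
}

# Wrap the subclasses in a class definition and a pool that admits only
# class members; everything else gets no lease from this pool.
gen_config() {
    printf 'class "%s" {\n    match hardware;\n}\n' "$CLASS"
    gen_subclasses "$1"
    cat <<EOF
subnet 10.0.20.0 netmask 255.255.255.0 {
    pool {
        allow members of "$CLASS";
        range 10.0.20.100 10.0.20.200;
    }
}
EOF
}

# Constructed sample input for a dry run (one entry deliberately broken).
SAMPLE="${TMPDIR:-/tmp}/macs.$$"
cat > "$SAMPLE" <<'EOF'
00:11:22:33:44:55   # printer, 2nd floor
00:11:22:33:44:56
00:11:22:33:44:5    # truncated on purpose
aa:BB:cc:DD:ee:FF
EOF

# Print the generated fragment; redirect into a file included from dhcpd.conf.
gen_config "$SAMPLE"
```

Regenerate the fragment whenever the list changes and run `dhcpd -t` on the result before restarting the daemon; a single malformed subclass stops dhcpd from starting, which is why the generator rejects bad entries instead of passing them through.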


Re: tcpdump in freebsd

2012-07-26 Thread Paul A. Procacci
tcpdump -ni <interface> src host <ip>
tcpdump -ni <interface> not src host <ip>

~Paul

On Thu, Jul 26, 2012 at 08:35:29AM +, m s wrote:
 hi all. I want to use tcpdump just for input or just for outout
 packet.isthis possible ? if no is there any other command that do
 this?
 thanks





Re: System doesn't detect unplugged network cable and doesn't set interface up properly with DHCP

2012-07-12 Thread Paul A. Procacci
On Thu, Jul 12, 2012 at 03:25:07PM -0700, Chris Benesch wrote:
 Maybe another option to dhclient to have it poll the interface every 2-3
 seconds to see if it has lost a link and if so, set the lease timer to be
 expired, and wait for it to come back and once it does, it will acquire a
 new address.

The Operating system should generate a devd event.

Something like the following in /usr/local/etc/devd.conf should do the trick,
though I haven't tested the below with anything other than carp interfaces.
I suspect it works just the same.

##
notify 30 {
    match "system"      "IFNET";
    match "subsystem"   "em0_or_whatever";
    match "type"        "LINK_UP";
    action "/usr/local/sbin/script_to_do_something.sh up";
};

notify 30 {
    match "system"      "IFNET";
    match "subsystem"   "em0_or_whatever";
    match "type"        "LINK_DOWN";
    action "/usr/local/sbin/script_to_do_something.sh down";
};
##

~Paul





Re: problem on ipfw using mac addresses

2012-07-04 Thread Paul A. Procacci
Have you set net.link.ether.ipfw?

~Paul

On Wed, Jul 04, 2012 at 05:34:04PM +0430, h bagade wrote:
 Hi all,

 I have a problem using ipfw firewall. I have a topology connected as below:

 A(192.168.1.55) - (192.168.1.1)my_sys(192.168.2.1)
 ---(192.168.2.12)B

 I've set the rule "ipfw add 1 deny icmp from any to any" on my_sys, which
 works correctly. I can't ping from A to B with the rule. Then I've added the mac
 part to the rule in the format "ipfw add 1 deny icmp from any to any MAC
 any any", which seems the same as before, but after that I could ping B
 from A.
 What's the reason? I'm really confused with what I saw! Is it a bug?

 Any hints or suggestions are really appreciated.





Re: setting up dns server

2012-07-04 Thread Paul A. Procacci
- Is bind listening?  (Can you see it with netstat?)
- What port is it listening on?
- What errors (if any) are in the error log?

I'm afraid your question really isn't a specific FreeBSD problem.
You might have better luck on the BIND mailing list.

~Paul

On Wed, Jul 04, 2012 at 06:43:00AM -0700, m s wrote:
 Hi all.
 I want to config FreeBSD as a dns server. I did below configuration but
 when I use nslookup command it doesn't work. I also enabled named service
 in rc.conf file and put my ip as a nameserver in resolv.conf.
 what am I missing?is there anything else I should do?

 any help would be appriciated.

 My named.conf file:
 ---

 options {
         directory "/etc/namedb";
         pid-file "/var/run/named/pid";
         dump-file "/var/dump/named_dump.db";
         statistics-file "/var/stats/named.stats";
 };

 zone "." { type hint; file "/etc/namedb/named.root"; };

 zone "0.0.127.IN-ADDR.ARPA" {
         type master;
         file "master/localhost.rev";
 };

 zone "ictptk.net" { type master; file "/etc/namedb/master/db.domain"; };

 zone "10.10.10.in-addr.arpa" {
         type master;
         file "/etc/named/master/db.ict";
 };

 ---


 my db.ict file :


 ---



 $TTL    3600

 @       IN      SOA     ns.ictptk.net. root.ns.ictptk.net. (
                         2001220200      ; Serial
                         3600            ; Refresh
                         900             ; Retry
                         360             ; Expire
                         3600 )          ; Minimum

         IN      NS      ns.ictptk.net.

 1       IN      PTR     ictptk.net.

 ---

 my db.domain file :

 ---

 $TTL    3600

 @       IN      SOA     ns.ictptk.net. root.ns.ictptk.net. (
                         2001220200      ; Serial
                         3600            ; Refresh
                         900             ; Retry
                         360             ; Expire
                         3600 )          ; Minimum

         IN      NS      ns.ictptk.net.

 ictptk.net      IN      A       10.10.10.1

 www.ictptk.net. IN      CNAME   ictptk.net.





Re: fsck problem FreeBSD 8.3

2012-04-09 Thread Paul A. Procacci
Nothing logged in /var/log/* or crashes that exist in /var/crash would indicate 
to me some sort of hardware related problem.
Have you tested your hardware lately and know that it is in operational order?

~Paul

On Mon, Apr 09, 2012 at 09:36:54PM +0300, ??? ??? wrote:
 Hi.

 Apr  9 19:51:58 fsck: /dev/ad8s1e: UNEXPECTED INCONSISTENCY, CANNOT RUN FAST 
 FSCK
 Apr  9 19:51:58 fsck:
 Apr  9 19:51:58 fsck:
 Apr  9 19:51:58 fsck: /dev/ad8s1e: UNEXPECTED INCONSISTENCY; RUN fsck 
 MANUALLY.
 Apr  9 19:51:58 fsck: /dev/ad8s1e: CANNOT SET FS_NEEDSFSCK FLAG
 Apr  9 20:09:22 kernel:

 running manually:
 # fsck -y /dev/ad8s1e
 ** /dev/ad8s1e (NO WRITE)
 ** Last Mounted on /tmp
 ** Phase 1 - Check Blocks and Sizes
 ** Phase 2 - Check Pathnames
 ** Phase 3 - Check Connectivity
 ** Phase 4 - Check Reference Counts
 ** Phase 5 - Check Cyl groups
 99 files, 10 used, 506477 free (45 frags, 63304 blocks, 0.0% fragmentation)


 Server reboot two or three time per day
 # uname -a
 FreeBSD flux 8.3-PRERELEASE FreeBSD 8.3-PRERELEASE #3 r231881: Fri Feb 24 
 17:07:48 UTC 2012 adm@flux:/usr/obj/usr/src/sys/KES_KERN_v8  amd64

 before this it works about month without problems

 /var/crash - empty, in /var/log/messages there is no any messages before 
 crash.
 Can any help to fix problem?






Re: must define username in radius client???

2012-02-21 Thread Paul A. Procacci
Assuming ssh (you didn't specify), you only need to setup the shared secret 
between machines.  The rest is handled by pam/login as normal (ala auth 
sufficient pam_radius.so)

cat /etc/radius.conf

auth 10.5.21.4:1645 SuperSkret 3 2
auth 10.5.21.5:1645 SuperSkret 3 2

~Paul

On Tue, Feb 21, 2012 at 11:24:03AM +0330, saeedeh motlagh wrote:
 hello guys,
 i wanna have authentication via radius server.  in my local network,
 one system is radius server and the others are clients. the server is
 running well. when a client login, it sends an access-request to the
 server. if the user name and password are defined in the server, the
 server sends back the access-accept to client. if the user name is
 defined in the client, the login is successful but if this user name
 is not defined in the client, the login failed and say login
 incorrect although the client receives access-accept from the server.
 i wanna know if there is any way to have authentication successfully
 without defining any user name in the client system?
 yours,





Re: Help : configuring wpa_suplpicant.conf for WEP + login/passwd

2012-02-15 Thread Paul A. Procacci
On Wed, Feb 15, 2012 at 04:02:22PM +0100, Arno J. Klaassen wrote:

 Hello,

 Paul A. Procacci pproca...@datapipe.com writes:

  Is your DHCP daemon setup to listen on the interface where the AP is
  running?

 Dunno... How could eventually be sure Windows got it's IP-addres by DHCP?


Sorry, you hadn't made it very clear if you were attempting to get a lease from 
a DHCP server running on a FreeBSD machine or not.
I assumed you were, and had assumed your configuration may have been wrong.  
However, given your response, I assume you're using an off the shelf AP.

There are several things that come to mind as to why you wouldn't get a DHCP 
lease, like MAC filtering as an example.  You'll have to check the logs of the
DHCP server to see if your requests are even making it to the daemon.  tcpdump 
will come in handy if you have shell capabilities on your AP.

  For username/password prompt upon browser launch, you'll need to configure 
  a reverse proxy to get a cookie upon successful auth to pass through the 
  proxy.

 Could you please explain me how to do this?

As for the proxy, you'll need to look at squid.  I've personally never done
what you need, but a buddy of mine has, using squid.  I can't give you any
further details, as I know nothing about configuring or administering squid.
I do know, though, that it has the capabilities you seek.

~Paul





Re: Help : configuring wpa_suplpicant.conf for WEP + login/passwd

2012-02-14 Thread Paul A. Procacci
Is your DHCP daemon setup to listen on the interface where the AP is running?
For username/password prompt upon browser launch, you'll need to configure a 
reverse proxy to get a cookie upon successful auth to pass through the proxy.

~Paul

On Tue, Feb 14, 2012 at 09:49:01PM -0800, Adrian Chadd wrote:
 Wep? With a username/password? I've not seen this.

 Does anyone have any ideas?


 Adrian


  On 14 February 2012 05:51, Arno J. Klaassen a...@heho.snv.jussieu.fr wrote:
   Hello,
  
   could someone provide me with a hint how to get wpa_supplicant
   to work in the following environment :
  
    - standard : IEEE 802.11 (at least they pretend in the doc)
    - mode     : infrastructure (?)
    - WEP      : 128bit
    - Authent  : open
  
    - and then username/password upon browser-launch (at least under
      Windows)
  
   When I put the following in wpa_supplicant.conf I get State :
   ASSOCIATED - COMPLETED :
  
    ssid=their-ID  (unpublished)
    scan_ssid=1
    key_mgmt=NONE
    wep_key0=part1
    wep_key1=part2
    wep_key2=part3
  
   However, 'dhclient wlan0' says "No DHCPOFFERS received"
  
   Any help appreciated.
  
   Thanx in advance, regards,
  
   Arno





Re: how to debug non-working hole in nat

2012-01-03 Thread Paul A. Procacci

 add divert natd all from any to any via bridge0

This nat's all internal traffic on your lan.  You probably don't want this.
I'd place the nat on the tun0 interface.  Which leads me to:

If your machine receives a syn from the tun0 interface, what firewall rule is in
place to redirect the packet to the nat instance?  I do not see any.

~Paul





[High Interrupt Count] Networking Difficulties

2011-10-31 Thread Paul A. Procacci
Gents,

I'm having quite an awful problem that I need a bit of help with.

I have an HP DL360 G3 (
http://h18000.www1.hp.com/products/quickspecs/11504_na/11504_na.HTML ) which
acts as a NAT (via PF) for several (600+) class C's amongst 24+ machines
sitting behind it.
It's running pfSense (FreeBSD 8.1-RELEASE-p4).

The important guts are:

2 x 2.8 GHz Cpus
2 BGE interfaces on a PCI-X bus.

During peak times this machine is only able to handle between 500Mbps - 600Mbps 
before running out of cpu capacity.  (300Mbps(ish) on the LAN, 300Mbps(ish) on 
the WAN) It's due to the high number of interrupts.
I was speaking with a networking engineer here and he mentioned that I should 
look at Interrupt Coalescing to increase throughput.
The only information I found online regarding this was a post from 2 years ago 
here: http://lists.freebsd.org/pipermail/freebsd-net/2009-June/07.html

The tunables mentioned in the above post aren't present in my system, so I 
imagine this never made it into the bge driver.  Assuming this to be the case, 
I started looking at DEVICE_POLLING as a solution.
I did try implementing device polling, but the results were worse than I 
expected.  netisr was using 100% of a single cpu while the other cpu remained 
mostly idle.
Not knowing exactly what netisr is, I reverted the changes.

This leads me to this list.  Given the scenario above, I'm nearly certain I 
need to use device polling instead of the standard interrupt driven setup.
The two sysctl's that I've come across thus far that I think are what I need 
are:

net.isr.maxthreads
kern.hz

I would assume setting net.isr.maxthreads to 2 given my dual core machine is 
advisable, but I'm not 100% sure.
What are the caveats in setting this higher?  Given the output of `sysctl -d 
net.isr.maxthreads` I would expect anything higher than the number of cores to 
be detrimental.  Is this correct?

kern.hz I'm more unsure of.  I understand what the sysctl is, but I'm not sure
how to come up with a reasonable number.
Generally speaking, and in your experience, would a setting of 2000 achieve
close to the theoretical maximum of the cards?  Is there an upper limit that I
would be worried about?

Random questions:
- is device polling really the answer?  Am I missing something in the bge
driver that I've overlooked?
- what tunables directly affect processing high volumes of packets?

Network Interfaces:
##
bge0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LINKSTATE>
        ether 00:0b:cd:ca:1d:1a
        inet 209.18.70.211 netmask 0xff00 broadcast 209.18.70.255
        inet6 fe80::20b:cdff:feca:1d1a%bge0 prefixlen 64 scopeid 0x1
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
bge1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LINKSTATE>
        ether 00:0b:cd:ca:1a:74
        inet 172.16.0.3 netmask 0xfffc broadcast 172.19.255.255
        inet6 fe80::20b:cdff:feca:1a74%bge1 prefixlen 64 scopeid 0x2
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
##

I appreciate the help in advance.

Thanks,
Paul





Re: [High Interrupt Count] Networking Difficulties

2011-10-31 Thread Paul A. Procacci
On Mon, Oct 31, 2011 at 08:57:46PM -0500, Paul A. Procacci wrote:
 Gents,

 I'm having quite an awful problem that I need a bit of help with.

 I have an HP DL360 G3 (
 http://h18000.www1.hp.com/products/quickspecs/11504_na/11504_na.HTML ) which
 acts as a NAT (via PF) for several (600+) class C's amongst 24+ machines
 sitting behind it.
 It's running pfSense (FreeBSD 8.1-RELEASE-p4).

 The important guts are:

 2 x 2.8 GHz Cpus
 2 BGE interfaces on a PCI-X bus.

 During peak times this machine is only able to handle between 500Mbps - 
 600Mbps before running out of cpu capacity.  (300Mbps(ish) on the LAN, 
 300Mbps(ish) on the WAN) It's due to the high number of interrupts.
 I was speaking with a networking engineer here and he mentioned that I should 
 look at Interrupt Coalescing to increase throughput.
 The only information I found online regarding this was a post from 2 years 
 ago here: http://lists.freebsd.org/pipermail/freebsd-net/2009-June/07.html

 The tunables mentioned in the above post aren't present in my system, so I 
 imagine this never made it into the bge driver.  Assuming this to be the 
 case, I started looking at DEVICE_POLLING as a solution.
 I did try implementing device polling, but the results were worse than I 
 expected.  netisr was using 100% of a single cpu while the other cpu remained 
 mostly idle.
 Not knowing exactly what netisr is, I reverted the changes.

 This leads me to this list.  Given the scenario above, I'm nearly certain I 
 need to use device polling instead of the standard interrupt driven setup.
 The two sysctl's that I've come across thus far that I think are what I need 
 are:

 net.isr.maxthreads
 kern.hz

 I would assume setting net.isr.maxthreads to 2 given my dual core machine is 
 advisable, but I'm not 100% sure.
 What are the caveats in setting this higher?  Given the output of `sysctl -d 
 net.isr.maxthreads` I would expect anything higher than the number of cores 
 to be detrimental.  Is this correct?

 kern.hz I'm more unsure of.  I understand what the sysctl is, but I'm not 
 sure how to come up with a reasonable number.
 Generally speaking, and in your experience, would a setting of 2000 achieve 
 close to the theoretical maximum of the cards?  Is there an upper limit that 
 I should be worried about?

 Random Questions:
 - Is device polling really the answer?  Am I missing something in the bge 
 driver that I've overlooked?
 - What tunables directly affect processing high volumes of packets?


<snip>

After some more coffee, and source code reading, I've now learned that having 
device polling enabled forces netisr to limit the number of threads it creates 
to 1.
This kinda defeats the purpose of enabling device polling. This makes me 
believe that device polling isn't going to be a great solution after all.

A snippet from dmesg:
<snip>
bge0: <Compaq NC7781 Gigabit Server Adapter, ASIC rev. 0x001002> mem 0xf7ef-0xf7ef irq 30 at device 2.0 on pci1
brgphy0: <BCM5703 10/100/1000baseTX PHY> PHY 1 on miibus0
bge1: <Compaq NC7781 Gigabit Server Adapter, ASIC rev. 0x001002> mem 0xf7ff-0xf7ff irq 29 at device 2.0 on pci4
brgphy1: <BCM5703 10/100/1000baseTX PHY> PHY 1 on miibus1
<snip>

Any help/advice is appreciated, and sorry for following up to myself with this 
information.

~Paul



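The question running through both messages above is whether the bge cards are taking one interrupt per packet or whether coalescing is doing anything, and what a polling tick would have to absorb instead. The following script is an added example written for this thread, not code from either post. It parses two `vmstat -i` samples taken a known interval apart (the 'rate' column of `vmstat -i` is an average since boot, so it is recomputed from the 'total' deltas) and one `netstat -I <if> -w <interval>` row per NIC, and reports packets handled per interrupt and, for a hypothetical kern.hz, packets per poll. All tool output below is constructed to resemble a two-bge box; every counter is invented, and the interface names and hz value are assumptions.

```python
"""Estimate per-NIC interrupt load from FreeBSD vmstat -i and netstat -w output.

Added example for this thread; not code from the original posts.  Two
`vmstat -i` samples INTERVAL seconds apart give interrupts per second per
source.  One row of `netstat -I <if> -w INTERVAL` gives packets moved by
that NIC in the same window.  Their ratio is packets handled per
interrupt, which is the figure interrupt coalescing is meant to raise.

All sample text below is constructed; the counters are invented.
"""

INTERVAL = 10.0  # seconds between the two vmstat -i samples (assumed)

# Constructed `vmstat -i` output, first sample.
VMSTAT_BEFORE = """\
interrupt                          total       rate
irq1: atkbd0                         123          0
irq29: bge1                   1000000000      60000
irq30: bge0                   2000000000      70000
cpu0:timer                      50000000       1000
Total                         3050000123     131000
"""

# Constructed `vmstat -i` output, INTERVAL seconds later.
VMSTAT_AFTER = """\
interrupt                          total       rate
irq1: atkbd0                         123          0
irq29: bge1                   1000600000      60000
irq30: bge0                   2000700000      70000
cpu0:timer                      50010000       1000
Total                         3051310123     131000
"""

# Constructed `netstat -I bge0 -w 10` and `netstat -I bge1 -w 10` rows
# covering the same 10-second window.
NETSTAT_W = [
    """\
            input          bge0           output
   packets  errs idrops      bytes    packets  errs      bytes colls
   1000000     0     0  600000000     400000     0  240000000     0
""",
    """\
            input          bge1           output
   packets  errs idrops      bytes    packets  errs      bytes colls
    300000     0     0  180000000     600000     0  360000000     0
""",
]


def parse_vmstat_i(text):
    """Map each interrupt source (e.g. 'irq30: bge0') to its cumulative count."""
    counts = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 3 or fields[0] == "Total":
            continue
        source = " ".join(fields[:-2])   # everything before total/rate
        counts[source] = int(fields[-2])  # the 'total' column, not 'rate'
    return counts


def interrupt_rates(before, after, interval):
    """Interrupts per second per source between two vmstat -i samples."""
    b, a = parse_vmstat_i(before), parse_vmstat_i(after)
    return {src: (a[src] - b[src]) / interval for src in a if src in b}


def parse_netstat_w(text):
    """Return (ifname, packets_in, packets_out) from one netstat -w interval row."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    ifname = lines[0].split()[1]  # header reads: input <ifname> output
    row = lines[-1].split()  # packets errs idrops bytes packets errs bytes colls
    return ifname, int(row[0]), int(row[4])


def packets_per_interrupt(irq_rates, netstat_rows, interval):
    """Packets (in + out) handled per interrupt for each NIC present in both inputs."""
    result = {}
    for text in netstat_rows:
        ifname, pin, pout = parse_netstat_w(text)
        irq = [r for src, r in irq_rates.items() if src.endswith(" " + ifname)]
        if not irq or irq[0] == 0:
            continue  # no interrupt line for this NIC, or it was idle
        result[ifname] = (pin + pout) / interval / irq[0]
    return result


def packets_per_poll(packets_per_second, hz):
    """Under DEVICE_POLLING the driver is polled from the clock tick, i.e. hz
    times a second; this is how many packets each poll would have to drain."""
    return packets_per_second / hz


if __name__ == "__main__":
    rates = interrupt_rates(VMSTAT_BEFORE, VMSTAT_AFTER, INTERVAL)
    for src, r in sorted(rates.items()):
        print(f"{src:<16} {r:10.0f} irq/s")
    for ifname, ppi in packets_per_interrupt(rates, NETSTAT_W, INTERVAL).items():
        print(f"{ifname}: {ppi:.2f} packets per interrupt")
    print(f"bge0 at kern.hz=2000: {packets_per_poll(140000, 2000):.0f} packets per poll")
```

A result near 1 packet per interrupt means the NIC is not coalescing at all and each packet costs a full interrupt entry; the higher the figure, the more the driver is already batching. For the polling side, the per-poll figure has to stay under what polling(4) allows per pass (kern.polling.burst_max), which is the practical constraint on how high kern.hz needs to go rather than a card maximum.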


Re: kern/138292: [zyd] [usb8] zyd0: device timeout with ZyXEL G-202

2009-08-31 Thread Paul A. Procacci
The following reply was made to PR kern/138292; it has been noted by GNATS.

From: Paul A. Procacci pproca...@datapipe.net
To: bug-follo...@freebsd.org, sam...@boivie.org
Cc:  
Subject: Re: kern/138292: [zyd] [usb8] zyd0: device timeout with ZyXEL G-202
Date: Tue, 1 Sep 2009 00:02:58 -0500

 I've got the same problem here for what it's worth.
 
 zyd0: <Belkin USB2.0 WLAN, rev 2.00/48.10, addr 2> on usbus0
 
 This is FreeBSD 9.0-CURRENT.
 
 Same timeout problems.  (was trying to download/install fluxbox)
 