FreeBSD 6.4+ PF Binat => Degraded traffic after a few hours.

2009-03-04 Thread Aminuddin Abdullah
I have 2 servers running FreeBSD 6.4P#1 with standard SMP, and each server
has multiple IP aliases bound to bge1 (Dell R200).

# ifconfig -a
bge0: flags=8802 mtu 1500
options=1b
ether 00:19:b9:fa:0a:9f
media: Ethernet autoselect (none)
status: no carrier
bge1: flags=8843 mtu 1500
options=1b
inet x.x.72.23 netmask 0xff00 broadcast x.x.72.255
inet x.x.72.73 netmask 0xff00 broadcast x.x.72.255
inet x.x.72.74 netmask 0xff00 broadcast x.x.72.255
inet x.x.72.75 netmask 0xff00 broadcast x.x.72.255
inet x.x.72.76 netmask 0xff00 broadcast x.x.72.255
inet x.x.72.77 netmask 0xff00 broadcast x.x.72.255
ether 00:19:b9:fa:0a:a0
media: Ethernet autoselect (100baseTX )
status: active
lo0: flags=8049 mtu 16384
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff00
pflog0: flags=141 mtu 33208
tun0: flags=8051 mtu 1500
inet 10.10.10.1 --> 255.255.0.0 netmask 0x
Opened by PID 1224

x.x.72.23 is the main IP and the rest are aliases.
tun0 is the interface created by OpenVPN.

Following are the pf rules.

EXT_IF= "bge1"
INT_IF= "tun0"
# Configured Networks
EXT= "x.x.72.0/24"
INT= "10.10.0.0/16"
DMZ= "10.10.12.0/24"
FW= "x.x.72.23"
# DMZ Servers IP Addresses
user1="10.10.12.2"
user2="10.10.12.6"
user3="10.10.12.10"
user4="10.10.12.14"
user5="10.10.12.18"

#External IP Pool Mapping
WEB_EXT1= "x.x.72.73"
WEB_EXT2= "x.x.72.74"
WEB_EXT3= "x.x.72.75"
WEB_EXT4= "x.x.72.76"
WEB_EXT5= "x.x.72.77"


#
# NAT: Bi-directional NAT (one-to-one mapping)

binat on $EXT_IF inet from $user1 to any -> $WEB_EXT1
binat on $INT_IF inet from $user1 to any -> $WEB_EXT1
binat on $EXT_IF inet from $user2 to any -> $WEB_EXT2
binat on $INT_IF inet from $user2 to any -> $WEB_EXT2
binat on $EXT_IF inet from $user3 to any -> $WEB_EXT3
binat on $INT_IF inet from $user3 to any -> $WEB_EXT3
binat on $EXT_IF inet from $user4 to any -> $WEB_EXT4
binat on $INT_IF inet from $user4 to any -> $WEB_EXT4
binat on $EXT_IF inet from $user5 to any -> $WEB_EXT5
binat on $INT_IF inet from $user5 to any -> $WEB_EXT5

# Redirect inbound TCP/UDP on ports 1024-65000 of each public IP to its VPN host
rdr pass on $EXT_IF proto {tcp, udp} from any to $WEB_EXT1 port 1024:65000 -> $user1
rdr pass on $EXT_IF proto {tcp, udp} from any to $WEB_EXT2 port 1024:65000 -> $user2
rdr pass on $EXT_IF proto {tcp, udp} from any to $WEB_EXT3 port 1024:65000 -> $user3
rdr pass on $EXT_IF proto {tcp, udp} from any to $WEB_EXT4 port 1024:65000 -> $user4
rdr pass on $EXT_IF proto {tcp, udp} from any to $WEB_EXT5 port 1024:65000 -> $user5

# Filtering: pass everything; the second rule keeps state for outbound traffic on the external interface
pass all
pass out on $EXT_IF proto {tcp,udp,icmp} from any to any keep state

---

It's a very simple pf.rules with no block rules. Its main purpose is to map
each VPN user to a dedicated public IP.

It was working great for the last few months, but lately it has been giving
terrible performance after a few hours of running. SSH is not accessible,
and traffic and routing are very slow.

Is there anything wrong with the above configuration, or with the 6.4 kernel
with regard to PF and OpenVPN?
The servers do not have any custom settings in sysctl.conf, loader.conf or
rc.conf except for enabling openvpn, the firewall and sshd.

Restarting sshd, or rebooting the server, provides remote access again. Is
there any known memory leak in pf with this configuration? Is there a
better and more efficient way of doing this in PF, or is it better to use ipfw?

When this happens (no ssh), all pings to the alias IPs time out.
Only the main IP responds.

Server RAM is 1GB, and during this issue top shows:
---top
last pid:  4163;  load averages:  0.36,  0.29,  0.21
up 0+21:10:26  11:11:58
21 processes:  1 running, 20 sleeping
CPU:  2.3% user,  0.0% nice,  6.0% system,  3.9% interrupt, 87.8% idle
Mem: 15M Active, 233M Inact, 241M Wired, 76K Cache, 111M Buf, 503M Free
Swap: 1951M Total, 1951M Free
--

Anyone?

TIA.



___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
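Added example, not part of the original post and not pf's own tooling: before blaming a leak, measure whether pf is hitting its state table or memory limits. The script below reads the output of `pfctl -si` and `pfctl -sm` (the OpenBSD 3.7 era formats shipped with FreeBSD 6.x; the line layouts are an assumption of this script) and reports state-table fill and allocation-failure drops. The numbers in the samples are constructed, not taken from the poster's machines. The default hard limit is 10000 states; `set limit states N` in pf.conf raises it.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a FreeBSD 6.x pf
# box is running into its state-table or memory limits, the first thing to
# rule out when binat/rdr traffic degrades after hours of uptime.
# Assumes the `pfctl -si` / `pfctl -sm` line formats shown in the constructed
# samples below. On a live box run:
#   pf_health_verdict "$(pfctl -si)" "$(pfctl -sm)"

# Constructed `pfctl -si` sample: the state table is almost full and pf has
# already dropped packets for "memory" and "state-limit" reasons.
SAMPLE_SI='Status: Enabled for 0 days 21:10:26           Debug: Urgent

State Table                          Total             Rate
  current entries                     9873
  searches                      1234567890         16123.4/s
  inserts                         23456789           306.2/s
  removals                        23446916           306.1/s
Counters
  match                           23456800           306.2/s
  memory                             14221             0.2/s
  state-limit                          511             0.0/s'

# Constructed `pfctl -sm` sample: the pf defaults, 10000 states.
SAMPLE_SM='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000'

# Constructed healthy sample for comparison.
SAMPLE_SI_OK='State Table                          Total             Rate
  current entries                      412
Counters
  match                             123456             3.1/s
  memory                                 0             0.0/s
  state-limit                            0             0.0/s'

# pf_state_usage SI SM -> "current limit percent"
pf_state_usage() {
    cur=$(printf '%s\n' "$1" | awk '/current entries/ { print $3 }')
    lim=$(printf '%s\n' "$2" | awk '$1 == "states" { print $4 }')
    printf '%s %s %s\n' "$cur" "$lim" $(( cur * 100 / lim ))
}

# pf_drop_count SI -> packets pf refused because it could not create a state
# (the "memory" and "state-limit" counters), summed.
pf_drop_count() {
    printf '%s\n' "$1" | awk '$1 == "memory" || $1 == "state-limit" { s += $2 } END { print s + 0 }'
}

# pf_health_verdict SI SM -> DEGRADED if states are at >= 90% of the hard
# limit or any allocation-failure drops were counted, else OK.
pf_health_verdict() {
    usage=$(pf_state_usage "$1" "$2")
    pct=${usage##* }
    drops=$(pf_drop_count "$1")
    if [ "$drops" -gt 0 ] || [ "$pct" -ge 90 ]; then
        echo DEGRADED
    else
        echo OK
    fi
}

# Stand-alone run: report both samples.
for s in "$SAMPLE_SI" "$SAMPLE_SI_OK"; do
    echo "states: $(pf_state_usage "$s" "$SAMPLE_SM"), drops: $(pf_drop_count "$s") -> $(pf_health_verdict "$s" "$SAMPLE_SM")"
done
```

Run it from cron every few minutes and log the line; a state count that climbs to the limit and stays there while the "memory" or "state-limit" counters keep increasing points at state exhaustion rather than at sshd, and `pfctl -ss | wc -l` per public address will show which binat mapping is holding the states.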


Panic String: kmem_malloc(4096): kmem_map too small: 335544320 total allocated

2008-05-12 Thread Aminuddin Abdullah
I have 5 servers running at almost 70mbit/sec, and each of them crashes/reboots
after more than 24 hours. The most it can stay up is 48 hours.

How do I increase this memory from the default 320MB?

This is the log after the crash.

Dump header from device /dev/ad4s1b
  Architecture: i386
  Architecture Version: 2
  Dump Length: 2145722368B (2046 MB)
  Blocksize: 512
  Dumptime: Mon May 8 11:28:55 2008
  Hostname: XXX
  Magic: FreeBSD Kernel Dump
  Version String: FreeBSD 6.3-RELEASE #0: Wed Jan 16 04:45:45 UTC 2008
[EMAIL PROTECTED]:/usr/obj/usr/src/sys/SMP
  Panic String: kmem_malloc(4096): kmem_map too small: 335544320 total
allocated
  Dump Parity: 1828182091
  Bounds: 0
  Dump Status: good

Is there any option in version 6.3 to increase this?

My filesystem, df -h:

Filesystem     Size    Used   Avail  Capacity  Mounted on
/dev/ad4s1a    496M     39M    418M      8%    /
devfs          1.0K    1.0K      0B    100%    /dev
/dev/ad4s1e    496M    228K    456M      0%    /tmp
/dev/ad4s1f    218G    1.3G    199G      1%    /usr
/dev/ad4s1d    2.9G    258M    2.4G      9%    /var

And fstab:
# Device        Mountpoint  FStype  Options    Dump  Pass#
/dev/ad4s1b     none        swap    sw         0     0
/dev/ad4s1a     /           ufs     rw         1     1
/dev/ad4s1e     /tmp        ufs     rw         2     2
/dev/ad4s1f     /usr        ufs     rw         2     2
/dev/ad4s1d     /var        ufs     rw         2     2
/dev/cd0        /cdrom      cd9660  ro,noauto  0     0


TIA



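Added example, not part of the original post: the 335544320 bytes in the panic string are exactly 320 MB, which is the default vm.kmem_size_max of the i386 kernel in FreeBSD 6.x, so the kernel ran out of its malloc arena rather than out of RAM. The loader tunables vm.kmem_size and vm.kmem_size_max raise that ceiling, but kmem_map exhaustion under steady load usually means one consumer keeps growing, so measure with `vmstat -m` first. The script assumes the 6.x `vmstat -m` column layout shown in its constructed sample (the numbers are not from the poster's servers), and the claim that much larger values on i386 need a kernel built with a larger KVA_PAGES is stated as a caveat to verify against your kernel, not as something the post confirms.

```shell
#!/bin/sh
# Added example (not from the original post): find which kernel malloc type
# is consuming kmem_map before raising vm.kmem_size on a FreeBSD 6.x/i386 box
# that panics with "kmem_map too small", and emit the loader.conf lines.
# Assumes the 6.x `vmstat -m` layout: Type InUse MemUse HighUse Requests Size(s),
# with MemUse printed in KiB with a K suffix. On a live box:
#   top_malloc_types "$(vmstat -m)" 5
#   kmem_used_kb "$(vmstat -m)"

# Constructed sample; the numbers are illustrative only.
SAMPLE_VMSTAT_M='         Type InUse MemUse HighUse Requests  Size(s)
       devbuf  1121  1212K       -     1203  16,32,64,128,256,512,1024,2048,4096
           pf   312  4512K       -  9876543  16,32,64,128,256,512,1024
         temp    65    24K       -    76543  16,32,64
     routetbl 21345 31212K       -  4567890  32,64,128,256
   ip6ndprpl      2     1K       -        2  128'

# kmem_used_kb VMSTAT_M -> sum of the MemUse column in KiB (header skipped).
kmem_used_kb() {
    printf '%s\n' "$1" | awk 'NR > 1 { sub(/K$/, "", $3); s += $3 } END { print s + 0 }'
}

# top_malloc_types VMSTAT_M N -> the N largest malloc types as "type KiB",
# largest first.
top_malloc_types() {
    printf '%s\n' "$1" | awk 'NR > 1 { sub(/K$/, "", $3); print $1, $3 }' | sort -k2 -n -r | head -n "$2"
}

# kmem_loader_conf SIZE -> loader.conf lines that raise the kmem_map ceiling.
# 320M is the i386 default vm.kmem_size_max in 6.x; the kernel address space
# caps how far this can go on i386 (assumption: values well above 512M need a
# kernel built with a larger KVA_PAGES).
kmem_loader_conf() {
    printf 'vm.kmem_size="%s"\nvm.kmem_size_max="%s"\n' "$1" "$1"
}

echo "kmem in use: $(kmem_used_kb "$SAMPLE_VMSTAT_M") KiB"
top_malloc_types "$SAMPLE_VMSTAT_M" 3
kmem_loader_conf 512M
```

Sample `vmstat -m` a few times an hour over the 24 to 48 hours before the crash; the type whose MemUse climbs monotonically is the one to fix or bound, and raising vm.kmem_size only moves the panic later if that growth is unbounded.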


FIFO overflow error

2007-08-26 Thread Aminuddin Abdullah
I've been getting a lot of these errors on one of my FreeBSD 6.2 boxes. I have
5 other servers running the same configuration as this one, and none of them
gives me the error.

The only difference between this and the other servers is AMD on this one and
Intel on the rest.


The repeated errors given were:

vr0: receive error (0406) overflow
vr0: rx error (09): FIFO overflow
vr0: rx error (09): FIFO overflow
vr0: receive error (0407) overflow
vr0: rx error (09): FIFO overflow
vr0: receive error (0407) overflow
vr0: receive error (0404) overflow
vr0: rx error (09): FIFO overflow
vr0: receive error (0404) overflow
vr0: rx error (09): FIFO overflow
vr0: receive error (0404) overflow
vr0: rx error (09): FIFO overflow
vr0: rx error (09): FIFO overflow
vr0: receive error (0407) overflow
vr0: rx error (09): FIFO overflow
vr0: receive error (0407) overflow
vr0: receive error (0404) overflow
vr0: rx error (09): FIFO overflow
vr0: watchdog timeout
vr0: rx error (09): FIFO overflow
vr0: receive error (1405) overflow
vr0: rx shutdown error!
vr0: restarting

..

netstat -m does not show any memory issues.

$ netstat -m
8512/8918/17430 mbufs in use (current/cache/total)
6992/6630/13622/65536 mbuf clusters in use (current/cache/total/max)
6928/6512 mbuf+clusters out of packet secondary zone in use (current/cache)
0/0/0/0 4k (page size) jumbo clusters in use (current/cache/total/max)
0/0/0/0 9k jumbo clusters in use (current/cache/total/max)
0/0/0/0 16k jumbo clusters in use (current/cache/total/max)
16112K/15489K/31601K bytes allocated to network (current/cache/total)
0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
0/0/0 requests for jumbo clusters denied (4k/9k/16k)
0/7/4608 sfbufs in use (current/peak/max)
0 requests for sfbufs denied
0 requests for sfbufs delayed
0 requests for I/O initiated by sendfile
1 calls to protocol drain routines

ifconfig shows

vr0: flags=8843 mtu 1500
inet 66.90.101.146 netmask 0xff00 broadcast 66.90.101.255
ether 00:17:31:78:e0:f8
media: Ethernet autoselect (100baseTX )
status: active

My loader.conf:

kern.maxusers=256
kern.maxproc=32768
kern.ipc.nmbclusters=65536
kern.ipc.maxsockets=32768

sysctl.conf

kern.maxprocperuid=32768
kern.ipc.somaxconn=32768
kern.ipc.maxsockbuf=16777216
net.inet.ip.portrange.first=3
net.inet.ip.portrange.hifirst=3
net.inet.ip.rtexpire=1200
net.inet.ip.intr_queue_maxlen=1024

net.inet.tcp.rfc1323=1
net.inet.tcp.mssdflt=1460

net.inet.udp.recvspace=65535
net.inet.udp.maxdgram=57344

net.inet.tcp.sendspace=65535
net.inet.tcp.recvspace=65535
net.local.stream.recvspace=65535
net.local.stream.sendspace=65535
net.inet.tcp.keepidle=72000
net.inet.tcp.keepintvl=1800

net.inet.icmp.icmplim=300
net.inet.tcp.delayed_ack=0
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1


This server is acting as a socks5 proxy server for 40-80 users, who in turn
connect to more than 8000-11000 peers.

All other servers can push close to 85mbit/sec, but this one can only reach a
max of 25mbit.

Anyone? Is this a configuration or hardware problem?

Thanks


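Added example, not part of the original post: a small triage script that separates the two failure modes that look alike from the outside. "rx error (09): FIFO overflow" is the vr(4) driver reporting that the chip's own receive FIFO overran, while exhausted mbuf pools show up as non-zero "requests ... denied" counters in `netstat -m`; the post's `netstat -m` shows zeros there. The log lines in the sample are the ones quoted in the post, plus one constructed non-vr0 line to show the interface filter; the `netstat -m` text is the poster's own. Output formats are those of FreeBSD 6.x and are assumptions of this script.

```shell
#!/bin/sh
# Added example (not from the original post): summarise a NIC's error lines
# from dmesg or /var/log/messages and cross-check them against `netstat -m`,
# so a hardware FIFO overrun can be told apart from mbuf exhaustion.
# On a live box:
#   nic_verdict vr0 "$(dmesg)" "$(netstat -m)"

# Lines quoted in the post above; the em0 line is constructed to show that
# other interfaces are ignored.
SAMPLE_DMESG='vr0: receive error (0406) overflow
vr0: rx error (09): FIFO overflow
vr0: rx error (09): FIFO overflow
vr0: receive error (0407) overflow
vr0: rx error (09): FIFO overflow
vr0: watchdog timeout
vr0: rx error (09): FIFO overflow
vr0: receive error (1405) overflow
vr0: rx shutdown error!
vr0: restarting
em0: link state changed to UP'

# The poster's `netstat -m`, abbreviated to the lines this script parses.
SAMPLE_NETSTAT_M='8512/8918/17430 mbufs in use (current/cache/total)
6992/6630/13622/65536 mbuf clusters in use (current/cache/total/max)
6928/6512 mbuf+clusters out of packet secondary zone in use (current/cache)
0/0/0/0 4k (page size) jumbo clusters in use (current/cache/total/max)
16112K/15489K/31601K bytes allocated to network (current/cache/total)
0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
0/0/0 requests for jumbo clusters denied (4k/9k/16k)'

# nic_error_summary IF LOG -> "count message" per distinct IF message, most
# frequent first; the varying 4-hex-digit status in "receive error (NNNN)"
# is folded so those lines are counted together.
nic_error_summary() {
    printf '%s\n' "$2" | awk -v ifn="$1:" '$1 == ifn {
        $1 = ""; sub(/^ /, "")
        sub(/\([0-9a-f][0-9a-f][0-9a-f][0-9a-f]\)/, "(NNNN)")
        c[$0]++
    } END { for (m in c) print c[m], m }' | sort -rn
}

# nic_error_count IF LOG -> number of lines logged by IF.
nic_error_count() {
    printf '%s\n' "$2" | awk -v ifn="$1:" '$1 == ifn' | wc -l | tr -d ' '
}

# mbuf_cluster_pct NETSTAT_M -> percent of kern.ipc.nmbclusters in use now.
mbuf_cluster_pct() {
    printf '%s\n' "$1" | awk -F'[/ ]' '/mbuf clusters in use/ { printf "%d\n", $1 * 100 / $4 }'
}

# mbuf_denied NETSTAT_M -> total denied mbuf/cluster requests. Non-zero means
# the kernel is out of network memory, a different failure from the NIC's
# receive FIFO overflowing.
mbuf_denied() {
    printf '%s\n' "$1" | awk -F'[/ ]' '/requests for .*denied/ {
        for (i = 1; i <= NF && $i ~ /^[0-9]+$/; i++) s += $i
    } END { print s + 0 }'
}

# nic_verdict IF LOG NETSTAT_M -> MBUF when requests were denied, NIC_FIFO
# when the interface itself reports errors while the pools are fine, else OK.
nic_verdict() {
    if [ "$(mbuf_denied "$3")" -gt 0 ]; then echo MBUF
    elif [ "$(nic_error_count "$1" "$2")" -gt 0 ]; then echo NIC_FIFO
    else echo OK; fi
}

nic_error_summary vr0 "$SAMPLE_DMESG"
echo "clusters in use: $(mbuf_cluster_pct "$SAMPLE_NETSTAT_M")%, denied: $(mbuf_denied "$SAMPLE_NETSTAT_M")"
echo "verdict: $(nic_verdict vr0 "$SAMPLE_DMESG" "$SAMPLE_NETSTAT_M")"
```

With denied requests at zero and cluster usage around 10%, the host-side tuning in loader.conf and sysctl.conf is not what is being exhausted; the counters to watch over time are the vr0 line rate from this summary and `netstat -i` input errors for the interface.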


RE: Cannot su or have root access after changing loader.conf

2007-06-11 Thread Aminuddin Abdullah
A loader.conf with the following statements disables all su or root access:
 kern.dfldsiz="1G"
 kern.maxdsiz="1G"
 kern.maxssiz=131072

When I add the above 3 lines, all access to su, or even single-user boot, is
restricted without any error messages.

Is this a bug, or is "1G" not supported for the maximum data size? My server is a
2GB RAM E6600 with a 400GB HDD. What are the valid values for these lines?

thanks


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, June 11, 2007 8:00 PM
To: freebsd-questions@freebsd.org
Subject: freebsd-questions Digest, Vol 182, Issue 2

Send freebsd-questions mailing list submissions to
freebsd-questions@freebsd.org

To subscribe or unsubscribe via the World Wide Web, visit
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
or, via email, send a message with subject or body 'help' to
[EMAIL PROTECTED]

You can reach the person managing the list at
[EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of freebsd-questions digest..."


Today's Topics:

   1. Re: [FreeBSD][Newb] How I use sendmail to send mail? (Doug Hardie)
   2. Re: [FreeBSD][Newb] How I use sendmail to send mail?
  (Bjorn Boulder)
   3. Re: [FreeBSD][Newb] How I use sendmail to send mail?
  (Bjorn Boulder)
   4. Re: [FreeBSD][Newb] How I use sendmail to send mail? (Toomas Aas)
   5. tcp port error (tethys ocean)
   6. Installing FreeBSD on large disk >2TB (Enrique Ayesta Perojo)
   7. Re: Installing FreeBSD on large disk >2TB (Andreas Rudisch)
   8. Re: [FreeBSD][Newb] How I use sendmail to send mail?
  (Bjorn Boulder)
   9. procmailrc configuration fails  (dhaneshk k)
  10. Re: Installing FreeBSD on large disk >2TB (Enrique Ayesta Perojo)


--

Message: 1
Date: Sun, 10 Jun 2007 21:45:48 -0700
From: Doug Hardie <[EMAIL PROTECTED]>
Subject: Re: [FreeBSD][Newb] How I use sendmail to send mail?
To: Bjorn Boulder <[EMAIL PROTECTED]>
Cc: freebsd-questions@freebsd.org
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed


On Jun 10, 2007, at 21:25, Bjorn Boulder wrote:

> Doug, Mats
>
> Your advice is on the money; thanks.
>
> I see this:
>
> Jun 10 05:43:40 jake sendmail[15068]: l5AAhekD015068:
> [EMAIL PROTECTED], ctladdr=oracle
> (1004/1005),
> delay=00:00:00, xdelay=00:00:00, mailer=relay,
> pri=30062,
> relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0,
> stat=Deferred: Connection
> refused by [127.0.0.1]
>
> Your tip along with that given by Mats suggests that
> I need to learn about /etc/mail/sendmail.cf
>
> It appears that the box cannot send mail to itself:
>
> Jun 10 03:05:44 jake sendmail[14546]: l5A84ObZ014546:
> to=postmaster,
> delay=00:00:00, xdelay=00:00:00, mailer=relay,
> pri=154501,
> relay=[127.0.0.1], dsn=4.0.0, stat=Deferred:
> Connection refused by
> [127.0.0.1]
>
> Jun 10 03:05:44 jake sendmail[14546]: l5485I55093939:
> to=root,
> ctladdr=root (0/0), delay=6+00:00:26, xdelay=00:00:00,
> mailer=relay,
> pri=691450, relay=[127.0.0.1], dsn=4.0.0,
> stat=Deferred: Connection
> refused by [127.0.0.1]
>
> Jun 10 03:05:44 jake sendmail[14546]: l5485I55093939:
> l5A84Oba014546:
> sender notify: Cannot send message for 5 days
>
> Jun 10 03:05:44 jake sendmail[14546]: l5A84Oba014546:
> to=root,
> delay=00:00:00, xdelay=00:00:00, mailer=relay,
> pri=152806,
> relay=[127.0.0.1], dsn=4.0.0, stat=Deferred:
> Connection refused by
> [127.0.0.1]
>
> Currently, my main assumption is that
> /etc/mail/sendmail.cf
> is the primary administrative interface for e-mail.

That is correct, but you don't want to directly mess with sendmail.cf. You
really want to use the mc file and then make to build the cf file. It's much
easier and more readable. See /usr/share/sendmail/cf/readme for more details.
The cf files are in another directory from there named cf.

You will also want to use
sendmail -bv email-address
to have sendmail show you how and where it will deliver for the  
address:  email-address.  That is a useful tool.



--

Message: 2
Date: Sun, 10 Jun 2007 22:02:13 -0700 (PDT)
From: Bjorn Boulder <[EMAIL PROTECTED]>
Subject: Re: [FreeBSD][Newb] How I use sendmail to send mail?
To: Doug Hardie <[EMAIL PROTECTED]>
Cc: freebsd-questions@freebsd.org
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=iso-8859-1

ok,

I'll look at that readme.

And

I nosed around on the box for clues about sendmail.cf

It looks like the previous sysadmin ignored
sendmail.cf

I see this:

bash jake oracle /etc/mail 14 $ pwd
/etc/mail
bash jake oracle /etc/mail 15 $ 
bash jake oracle /etc/mail 15 $ 
bash jake oracle /etc/mail 15 $ ls -latr
total 582
-rw-r--r--   1 root  wheel569 Nov  4  2004
virtusertable.sample
-r--r--r--   1 root  wheel  40449 Nov  4  2004
submit.cf
-rw-r--r--
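Added example for the loader.conf question earlier on this page ("Cannot su or have root access after changing loader.conf"); it is not part of that post or of FreeBSD. kern.maxdsiz, kern.dfldsiz and kern.maxssiz are sizes in bytes, and the loader's tunable parser takes k/m/g suffixes (an assumption this script mirrors; when in doubt write bytes). The 6.x i386 defaults used as reference points are MAXDSIZ 512 MiB, DFLDSIZ 128 MiB and MAXSSIZ 64 MiB, so a maxssiz of 131072 is 128 KiB, which starves any process that needs more stack than that. The script checks a loader.conf before you reboot on it.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the process-size
# tunables in loader.conf before rebooting with them. Values are bytes with an
# optional k/m/g suffix. Reference bounds are the FreeBSD 6.x i386 defaults
# (assumptions; compare with sys/<arch>/include/vmparam.h on your system).
# Usage on a live box: check_loader_conf "$(cat /boot/loader.conf)"

# The three lines from the post.
SAMPLE_LOADER_CONF='kern.dfldsiz="1G"
kern.maxdsiz="1G"
kern.maxssiz=131072'

# to_bytes VALUE -> VALUE converted to bytes; quotes are stripped and a k/m/g
# suffix (either case) is honoured. Returns 1 and prints nothing on bad input.
to_bytes() {
    v=$(printf '%s' "$1" | tr -d '"' | tr 'KMG' 'kmg')
    n=${v%[kmg]}
    case "$n" in ''|*[!0-9]*) return 1 ;; esac
    case "$v" in
        *k) echo $(( n * 1024 )) ;;
        *m) echo $(( n * 1024 * 1024 )) ;;
        *g) echo $(( n * 1024 * 1024 * 1024 )) ;;
        *)  echo "$n" ;;
    esac
}

# check_tunable NAME VALUE -> "ok", "skip", "bad: ..." or "warn: ...".
# Warns when a value is below a quarter of the default, the signature of a
# KiB-meant-bytes-written typo such as kern.maxssiz=131072.
check_tunable() {
    case "$1" in
        kern.maxdsiz) def=$(( 512 * 1024 * 1024 )) ;;
        kern.dfldsiz) def=$(( 128 * 1024 * 1024 )) ;;
        kern.maxssiz) def=$(( 64 * 1024 * 1024 )) ;;
        *) echo "skip"; return 0 ;;
    esac
    b=$(to_bytes "$2") || { echo "bad: $1=$2 is not a size"; return 1; }
    if [ "$b" -lt $(( def / 4 )) ]; then
        echo "warn: $1=$2 is $b bytes, default is $def"
    else
        echo "ok"
    fi
}

# check_loader_conf TEXT -> one result line per kern.*siz tunable found.
check_loader_conf() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*\(kern\.[a-z]*siz\)=\(.*\)$/\1 \2/p' |
        while read -r name val; do
            check_tunable "$name" "$val"
        done
}

check_loader_conf "$SAMPLE_LOADER_CONF"
```

If a bad loader.conf has already locked you out, the file is only read at boot: interrupt the loader, and at its prompt `unset kern.maxssiz` (likewise the other two), then `boot`; fix the file once you are in.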