Re: [pfSense Support] 1.2.2 TCP Disconnects (sessions)

2009-02-08 Thread Chris Buechler
On Fri, Jan 30, 2009 at 12:53 PM, LJ Rand  wrote:
>
> I think this may be related, or another 1.2.2 upgrade woe to add to your
> list:
>
> I have 2 firewalls that were running 1.2, carped together with fw1 (master)
> syncing to fw2.
>

This was resolved offlist, the cause being an incorrect default
gateway on the server in question that was asymmetrically routing
traffic. The PF in 7.0 added an implicit flags S/SA to all rules,
which is what caused this to change between 6.2 and 7.0.

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org
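The behaviour change Chris describes is worth being able to spot in a ruleset. The pf that ships with FreeBSD 7.0 treats a TCP `pass` rule with no `flags` keyword as `flags S/SA`, so only a SYN (with ACK clear) can create state; a firewall that first sees a flow mid-stream, which is exactly what an asymmetric path produces, drops those packets where the 6.2-era pf would have created state from them. The script below is an added example, not part of this thread or of pfSense: it lints a constructed pf.conf and reports the stateful TCP rules that rely on the implicit default, with a rule that spells out `flags any` shown as the explicit alternative. The `$ext_if`/`$srv` macros and addresses are hypothetical, and whether `flags any` is accepted by the exact pf build on a given box is an assumption to verify with `pfctl -nf`; the correct fix in the case above was the server's gateway, not the rules.

```shell
#!/bin/sh
# Added example, not from the pfSense list or project. Finds TCP pass rules
# that create state without an explicit "flags" keyword. On the pf in
# FreeBSD 7.0 those get an implicit "flags S/SA": only a SYN creates state,
# and a mid-stream packet (as seen on an asymmetric path) is dropped.
# The ruleset is CONSTRUCTED for the demonstration; macros are hypothetical.
# On pfSense the generated ruleset to inspect is /tmp/rules.debug.

RULES=$(cat <<'EOF'
ext_if = "em0"
srv = "192.0.2.10"
# implicit flags S/SA: only a SYN creates state, mid-stream packets dropped
pass in quick on $ext_if proto tcp from any to $srv port 80 keep state
# explicit "flags any": any TCP packet may create state (asymmetry workaround)
pass in quick on $ext_if proto tcp from any to $srv port 443 flags any keep state
# stateless rule: flags are not enforced without state
pass in quick on $ext_if proto tcp from any to $srv port 22 no state
# not TCP: flags do not apply
pass in quick on $ext_if proto udp from any to $srv port 53 keep state
EOF
)

# implicit_flags_rules RULESET -> prints the stateful TCP pass rules that
# carry no explicit "flags" and therefore get the implicit S/SA default.
implicit_flags_rules() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        $1 != "pass"            { next }   # only pass rules create state
        !/proto[ \t]+tcp/       { next }   # flags only matter for TCP
        /[ \t]no[ \t]+state/    { next }   # stateless: flags not enforced
        /[ \t]flags[ \t]/       { next }   # explicit flags: author decided
        { print }
    '
}

# count_implicit RULESET -> number of rules reported above
count_implicit() {
    implicit_flags_rules "$1" | awk 'END { print NR }'
}

implicit_flags_rules "$RULES"
echo "rules relying on implicit flags S/SA: $(count_implicit "$RULES")"
```

Only the port 80 rule is reported: the 443 rule opted out with `flags any`, the port 22 rule keeps no state, and the UDP rule has no TCP flags to check. Keep the S/SA default wherever the path is symmetric; it is what stops a spoofed mid-stream ACK from opening a state entry.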



Re: [pfSense Support] Load balancer

2009-02-08 Thread Chris Buechler
On Sat, Feb 7, 2009 at 10:47 AM, Tim Nelson  wrote:
> I have to admit it took me a bit to find it as well. For whatever reason, 
> when looking by category, it assumes you want to edit the category. I simply 
> had to change the url from 
> http://doc.pfsense.org/index.php?title=Category:Load_balancing&action=edit  
> to http://doc.pfsense.org/index.php?title=Category:Load_balancing . Odd. 
> Maybe something could be done to make the wiki more user friendly?
>

For any links that don't exist, including categories that don't have a
description, it assumes a click is an edit. Since we've had to lock
things down considerably to prevent spam, that leaves the page
inaccessible if you aren't logged in. Someone needs to go through and
add a description for the categories that don't have one. If you'd
like to help, email wikiad...@pfsense.org and we'll get an account
created for you.




Re: [pfSense Support] Re: Can't get more than 15kpps.

2009-02-08 Thread Curtis LaMasters
I don't want to sound stupid or make this very complex network sound like
it has a simple issue, but the support on this jumped straight from "I have a
speed problem" to some fairly complex stuff.  I have sites with the same
throughput needs without doing any type of debugging or CLI changes to the
firewalls.  Lenny, you said that you are connected to a Cisco switch on the
GBIC interfaces, right?  Have you statically set speed and duplex on those
interfaces as well as on PF?  I don't know what your skill level is on Cisco,
but check the interface for errors, resets, CRCs and watchdogs.  Do the
same on your pfSense box under the interface diagnostics.  If all are 0's
then I'll shut up, but if you have anything besides that, then please consider
these changes.

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com


On Sun, Feb 8, 2009 at 7:22 AM, Lenny  wrote:

> Hi,
>
> so after a long time of trying different things and some tests, I'm back to
> square one, but with some additional info.
> things I've done:
> -Replaced the server. It's also an IBM x335, but with 2 Xeon 3.06GHz now.
> 2GB RAM.
> The only thing that's left from the old one is the Dual Intel NIC. I know
> it may very well be the reason for failures, but before I go buy a new one,
> I wanted to try everything else.
> -I installed pfSense 1.2.2 and left the old configuration.
> -Tried it with and without polling, and with and without checksum
> offloading.
> Nothing helped.
> -I also bypassed the firewall and saw that without it everything works
> perfect.
>
> Now for the things I've noticed yesterday(we had a high load):
> -It was almost impossible to get through the firewall, good thing I had
> polling enabled, so I could ssh and see "top -S".
> I saw that em0 and em1 taskq were 100% CPU each.
> -The RRD graphs showed blank spaces as always in these situations.
> -At one point I noticed that the states came up as high as 997000 out of
> 100. So I increased the value to 200, but the second I did that it
> dropped to around 45(weird or what?). Also, it's strange that I still
> have around 25 states, even when the actual sessions number is near
> 2(according to Alteon), isn't it supposed to be somewhere near
> 6-8 states? And I'm talking about 15 hours after the change.
>
> The load I'm talking about (that was yesterday) 18-20 kpps, around 150Mb/s
> traffic.
>
> I also started reading about "em taskq on freebsd" and I saw a couple of
> other guys having this problem. Those guys were advised to start tweaking
> sysctl and loader.conf. No success stories were published though. But before
> I do that, I was wondering if there is anything else I can do.
>
> The last, but definitely not least is that I realized that a static route
> was on the wrong interface.
> here's how:
> My setup goes like this.
>
> [squids]10.0.0.160/27
> <10.0.0.161[alteon]192.168.5.2<--192.168.5.1[pfSense]11.11.11.11<-Internet
>
> obviously the IPs are fictional.
> Now the route I had on the firewall is 10.0.0.160/27 through gateway
> 192.168.5.2, but it was on the WAN interface!
> Yesterday I changed the interface to OPT1, which is the one connected to
> the Alteon.
> But I won't be able to see the effect of it till Saturday (this is my
> biggest problem - I can only test it on Saturdays, cause this is when our
> website is loaded). Is there any chance that it was the solution to my
> problem?
>
> Sorry for the long post.
>
> Thanks,
>
> Lenny.
>
>
>
>
>
>
>
> On Sun, Dec 21, 2008 at 12:45 AM, Lenny  wrote:
>
>> Hi,
>>
>>
>> I'm kind of desperate here, so please try to help me.
>>
>> Here's my problem:
>>
>> I have a setup in production (a very dynamic website).
>>
>> It consists of pfsense-->Alteon Load Balancer-->IBM Bladecenter(with a
>> Squids cluster on it).
>>
>> pfsense is installed on IBM x335 with 2 Xeon 2.4GHz, 2GB RAM, and Dual
>> Intel NIC PCI-X 1Gb.
>>
>> I'm connected with 1Gb to the ISP.
>>
>> The problem is that no matter what I do, I can't get more than 15kpps.
>>
>> After that I start to get a lot of packet loss.
>>
>> At first I was sure that the ISP has me on QoS, because I never saw
>> traffic going over a 100Mb/s,
>>
>> but then to convince me they downloaded some large files from my servers
>> and came up as high as 170Mb/s.
>>
>> So that one was out.
>>
>>
>> Next I changed the NICs (I used the onboard Broadcom at first) and it did
>> save me from the need to
>>
>> do Device Polling, and I have no more interrupt using half the CPU, but
>> not more than that.
>>
>> So I upgraded to 1.2.1 RC3. And still - the most I saw was 14kpps and 102
>> Mb/s.
>>
>> I have 70 states entered, while I never saw it going over 25 in
>> reality.
>>
>> The files transferred are rather small, 600KB being the largest.
>>
>> As for the Alteon, at first it was connected via another Broadcom fibre
>> NIC (Alteon only has 1 fibre uplink that's 1Gb),
>>
>> but now that I use an Intel Dual - I connected it to a 
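Two of the checks in this exchange are easy to script so they can be repeated on the next busy Saturday rather than eyeballed: the interface error counters Curtis asks about (a speed/duplex mismatch shows up as input errors and collisions, on both the switch and the firewall) and the state-table headroom Lenny noticed, since a table at its hard limit refuses new connections and looks like packet loss from the outside. The script below is an added example, not code from this thread or from pfSense. All command output in it is constructed for the demonstration; on a real FreeBSD/pfSense box the functions are fed live `netstat -i`, `pfctl -si` and `pfctl -sm` output. The 11.11.11.11 address is the fictional one from Lenny's diagram.

```shell
#!/bin/sh
# Added example, not from this thread or the pfSense project: triage for
# (1) interface error counters and (2) state-table headroom.
# Output below is CONSTRUCTED. On a live box use, for example:
#   iface_errors "$(netstat -i)"
#   state_table_pct "$(pfctl -si)" "$(pfctl -sm)"

# Constructed `netstat -i` output (FreeBSD 7 column layout). em0 carries
# receive errors; the per-address line shows "-" placeholders as netstat does.
NETSTAT_OUT=$(cat <<'EOF'
Name    Mtu Network       Address              Ipkts Ierrs    Opkts Oerrs  Coll
em0    1500 <Link#1>      00:1b:21:aa:bb:01 88123456  1532 91234567     0     0
em0    1500 11.11.11.0/24 11.11.11.11        88123456     - 91234567     -     -
em1    1500 <Link#2>      00:1b:21:aa:bb:02 91234567     0 88123456     0     0
lo0   16384 <Link#3>                             1234     0     1234     0     0
EOF
)

# Constructed `pfctl -si` and `pfctl -sm` excerpts: 997000 states against a
# hard limit of 1000000 (the state limit is set under System > Advanced).
PFCTL_SI=$(cat <<'EOF'
Status: Enabled for 3 days 04:12:55          Debug: Urgent

State Table                          Total             Rate
  current entries                   997000
  searches                     12345678901       45678.9/s
  inserts                        123456789         456.7/s
  removals                       123456789         456.7/s
EOF
)
PFCTL_SM=$(cat <<'EOF'
states        hard limit  1000000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   100000
EOF
)

# iface_errors NETSTAT_TEXT -> one line per interface whose Ierrs, Oerrs or
# Coll counter is non-zero. Column positions come from the header and are
# counted from the right, so the variable-width Network/Address columns and
# the "-" placeholders on per-address lines do not shift them.
iface_errors() {
    printf '%s\n' "$1" | awk '
        NR == 1 { for (i = 1; i <= NF; i++) off[$i] = NF - i; next }
        $1 == "lo0" || $1 ~ /\*$/ { next }   # loopback and down interfaces
        {
            ierr = $(NF - off["Ierrs"]) + 0
            oerr = $(NF - off["Oerrs"]) + 0
            coll = $(NF - off["Coll"]) + 0
            if (ierr > 0 || oerr > 0 || coll > 0)
                printf "%s Ierrs=%d Oerrs=%d Coll=%d\n", $1, ierr, oerr, coll
        }
    '
}

# iface_error_count NETSTAT_TEXT -> number of interfaces reported
iface_error_count() {
    iface_errors "$1" | awk 'END { print NR }'
}

# state_table_pct PFCTL_SI_TEXT PFCTL_SM_TEXT -> current entries as an
# integer percentage of the "states" hard limit
state_table_pct() {
    cur=$(printf '%s\n' "$1" | awk '/current entries/ { print $3 }')
    lim=$(printf '%s\n' "$2" | awk '$1 == "states" { print $NF }')
    echo $(( cur * 100 / lim ))
}

iface_errors "$NETSTAT_OUT"
pct=$(state_table_pct "$PFCTL_SI" "$PFCTL_SM")
echo "state table at ${pct}% of hard limit"
if [ "$pct" -ge 90 ]; then
    echo "WARNING: near the state limit; new connections will be dropped"
fi
```

With the constructed data the script reports `em0 Ierrs=1532 Oerrs=0 Coll=0` and a state table at 99% of its limit. Non-zero Ierrs or Coll on one side of a GBIC link, with the switch showing CRCs or late collisions on the matching port, is the duplex-mismatch signature Curtis describes; a state table at 99% explains dropped new sessions regardless of what the NICs are doing, and the Alteon's session count is not a substitute for this check because pf keeps TCP states alive through their close and timeout intervals.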

[pfSense Support] Re: Can't get more than 15kpps.

2009-02-08 Thread Lenny
Hi,

so after a long time of trying different things and some tests, I'm back to
square one, but with some additional info.
things I've done:
-Replaced the server. It's also an IBM x335, but with 2 Xeon 3.06GHz now.
2GB RAM.
The only thing that's left from the old one is the Dual Intel NIC. I know it
may very well be the reason for failures, but before I go buy a new one, I
wanted to try everything else.
-I installed pfSense 1.2.2 and left the old configuration.
-Tried it with and without polling, and with and without checksum
offloading.
Nothing helped.
-I also bypassed the firewall and saw that without it everything works
perfect.

Now for the things I've noticed yesterday(we had a high load):
-It was almost impossible to get through the firewall, good thing I had
polling enabled, so I could ssh and see "top -S".
I saw that em0 and em1 taskq were 100% CPU each.
-The RRD graphs showed blank spaces as always in these situations.
-At one point I noticed that the states came up as high as 997000 out of
100. So I increased the value to 200, but the second I did that it
dropped to around 45(weird or what?). Also, it's strange that I still
have around 25 states, even when the actual sessions number is near
2(according to Alteon), isn't it supposed to be somewhere near
6-8 states? And I'm talking about 15 hours after the change.

The load I'm talking about (that was yesterday) 18-20 kpps, around 150Mb/s
traffic.

I also started reading about "em taskq on freebsd" and I saw a couple of
other guys having this problem. Those guys were advised to start tweaking
sysctl and loader.conf. No success stories were published though. But before
I do that, I was wondering if there is anything else I can do.

The last, but definitely not least is that I realized that a static route
was on the wrong interface.
here's how:
My setup goes like this.

[squids]10.0.0.160/27
<10.0.0.161[alteon]192.168.5.2<--192.168.5.1[pfSense]11.11.11.11<-Internet

obviously the IPs are fictional.
Now the route I had on the firewall is 10.0.0.160/27 through gateway
192.168.5.2, but it was on the WAN interface!
Yesterday I changed the interface to OPT1, which is the one connected to the
Alteon.
But I won't be able to see the effect of it till Saturday (this is my
biggest problem - I can only test it on Saturdays, cause this is when our
website is loaded). Is there any chance that it was the solution to my
problem?

Sorry for the long post.

Thanks,

Lenny.






On Sun, Dec 21, 2008 at 12:45 AM, Lenny  wrote:

> Hi,
>
>
> I'm kind of desperate here, so please try to help me.
>
> Here's my problem:
>
> I have a setup in production (a very dynamic website).
>
> It consists of pfsense-->Alteon Load Balancer-->IBM Bladecenter(with a
> Squids cluster on it).
>
> pfsense is installed on IBM x335 with 2 Xeon 2.4GHz, 2GB RAM, and Dual
> Intel NIC PCI-X 1Gb.
>
> I'm connected with 1Gb to the ISP.
>
> The problem is that no matter what I do, I can't get more than 15kpps.
>
> After that I start to get a lot of packet loss.
>
> At first I was sure that the ISP has me on QoS, because I never saw traffic
> going over a 100Mb/s,
>
> but then to convince me they downloaded some large files from my servers
> and came up as high as 170Mb/s.
>
> So that one was out.
>
>
> Next I changed the NICs (I used the onboard Broadcom at first) and it did
> save me from the need to
>
> do Device Polling, and I have no more interrupt using half the CPU, but not
> more than that.
>
> So I upgraded to 1.2.1 RC3. And still - the most I saw was 14kpps and 102
> Mb/s.
>
> I have 70 states entered, while I never saw it going over 25 in
> reality.
>
> The files transferred are rather small, 600KB being the largest.
>
> As for the Alteon, at first it was connected via another Broadcom fibre NIC
> (Alteon only has 1 fibre uplink that's 1Gb),
>
> but now that I use an Intel Dual - I connected it to a Cisco Gbic and from
> there to the Alteon by another fibre Gbic (don't judge me - I don't have a
> giga switch). I know it's another possible trap, but right now I don't have
> any other choice.
>
>
> 99% of the traffic is port 80.
>
> I don't use NAT. All the IPs are public.
>
> WAN is static. LAN is not used. OPT1 is and also static.
>
> WAN and OPT1 are on different subnets of course. With additional static
> route (the squids cluster is on the third subnet).
>
> CPU doesn't go over 30%. RAM is about 20-30. I'm talking peaks now.
>
> sysctl net.inet.ip.intr_queue_drops shows 0.
>
> I have no more than 15 rules while the first one should take care of most
> of the traffic.
>
> I tried Aggressive mode with 1.2 and it didn't help. With the current
> version I'm using the Normal mode.
>
> The biggest problem with our website is that people are starting to hit
> refresh when the site is not functioning
>
> properly and it's kind of killing our web servers. Plus it adds traffic to
> the firewall, thus loading it even more.
>
>
> Another weird thing I