t; is set on a bridging
firewall TCP RST will be sent out when TCP is blocked, but nothing is
sent out when UDP or any other protocol is blocked. Right?
Thanks,
Peter Hallin, Lund University
On 2011-11-30 20:20, Adriaan wrote:
>
> You could use a Makefile to concatenate a pf.conf from separate files.
> This can give more flexibility than provided by "include" :
Thank you very much for your elaborate solution.
To keep things a little less complex, I will probably go with includes
and
On 2011-11-30 16:14, Guido Tschakert wrote:
>
> How about a definition.conf with all your (Name,IP-Adress)-Pairs which
> is included first in your pf.conf, so your vlan.confs only include
> the rules but no definitions.
>
> guido
>
Thanks, this is probably the way to do it. Sometimes we mov
Hello,
I have some issues with pf.conf and includes that perhaps someone could
shed some light on.
Where I work, we use bridging firewalls with multiple tagged vlans
passing the bridges, and filtering is done on the vlan interfaces.
Normally we have around 10-20 vlans on each machine, and we ha
On 2011-06-16 14:43, Peter Hallin wrote:
> On 2011-06-15 22:40, Jonathan Gray wrote:
> >
> > Yes this seems low indeed. You could try use rdomains and route exec
> > with a cable between the two ports to make packets go over the interfaces
> > if you don't have
On 2011-06-16 14:43, Peter Hallin wrote:
>
> I didn't get that far. When connecting the two ports to each other (tried
> with a couple of TP cables) I only get 1000baseT full-duplex on ix0 and
> ix1.
Nevermind that. After a reboot with the cables connected the interfaces
show up
On 2011-06-15 22:40, Jonathan Gray wrote:
>
> Yes this seems low indeed. You could try use rdomains and route exec
> with a cable between the two ports to make packets go over the interfaces
> if you don't have another host with 10G interfaces.
I didn't get that far. When connecting the two port
On 2011-06-15 13:58, FRLinux wrote:
> Just out of curiosity, which iperf settings did you use?
Just standard TCP, iperf -c hostname
>
> I know this is on a Linux box, but just out of interest, I get full
> speed there:
Yeah, sure it works on Linux, but that's not what I'm running. Otherwise
it'
On 2011-06-15 04:26, Jonathan Gray wrote:
> Claudio has recently synced ix to a newer version of the Intel code,
> if you can try again with -current this should work.
Great, thanks. I tried it out today, but the performance wasn't exactly
what I had expected.
This is a dual port card, so I bridg
On 2011-04-06 16:43, Claudio Jeker wrote:
>
> Wait. It seems more is needed. Will come back when we have a better
> solution.
>
Alright. Your first quick fix is good enough for us, we don't use
expresscards in our firewalls.. ;)
I actually tested it on an older 4.4 fw that has been under heavy
On 2011-04-05 14:35, Claudio Jeker wrote:
> Can you give the following diff a spin and see if that makes the card act
> faster. This disables the ppb hotplug interrupt which is shared with the
> em2 and em3 interrupts.
>
> --
> :wq Claudio
Ok, that did the trick.
I made the changes to the 4.8 s
OK, here's a little update on this problem.
As I told you earlier in the thread, we did some successful tests with
the 4-port Intel 82576 card, HOWEVER we only tested two ports, em0 och
em1. When the card later was put into the production machine we chose
to use em0 as the unprocteded if and em2 a
On 2011-03-30 14:27, Claudio Jeker wrote:
> Could you donate a dual port card to the project if you replace them?
> I would like to figure out why some em(4) perform badly while the same
> chip on a different card seems to perform as expected.
>
> Can you provide the vmstat -zi output of the 4 por
On 2011-03-30 21:18, Rodrigo Mosconi wrote:
> >
> > Just as curiosity:
>
> Did you used both ports from the Intel Pro/1000 PCIe (82576)?
>
> And if is used a single port PCI-Ex Intel Card?
>
This is what we have tested today:
1. One dual port PCIe, with port 1 (em0) bridged with port 2 (em1),
60%
CPU (intr).
So, it seems the dual port PCIe cards suck and we have to replace them.
//Peter
On 2011-03-29 07:40, Peter Hallin wrote:
> I realized now that this measurement is wrong.
>
> "vmstat -iz" seems to calculate the interrupt rate based a longer
> period, an
h
seems to have a shorter measurement period) at the same time was way
higher, about 5000 intr/s on em0 and em2.
Sorry for the wrong data
On 2011-03-28 17:46, Peter Hallin wrote:
> This is the output when the machine is running at 80 Mbit/s
> and CPU usage is almost 100% interrupts:
>
This is the output when the machine is running at 80 Mbit/s
and CPU usage is almost 100% interrupts:
Please note that this is after we rebooted with the SP kernel,
which didn't make any differences.
systat ifs:
IFACE STATE DESC IPKTS IBYTESIERRSOPKTS
OBYT
still had 100% interrupts.
Do any of you have the same issues with high interrupts and low
throughput?
We really don't know where to start... :(
I'm very grateful for any kind of input regarding this matter.
Brgds, Peter Hallin, Lund University Sweden
dmesg:
OpenBSD 4.8 (GENERIC.MP)
Thanks, I tried that and got the routing table, however still no packets
coming through. //Peter
> sounds like rDNS delay.
>
> retry with arp -an and netstat -rn
>
> /Pete
ddr 1
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa
I realize that I should have checked this before I bought it,
but as Intel claims in the specs
(http://www.intel.com/Assets/PDF/prodbrief/318349-004.pdf)
it is supported by FreeBSD and I believe that's from where the driver was
ported.
I'm very grateful for any input.
Peter Hallin
Lu
21 matches
Mail list logo
