Re: packet loss when > 1000 clients connect

+1 Em ter, 16 de abr de 2019 às 09:44, Torsten escreveu: > > Check with pfctl -si if you reach a limit > > Thanks, will do. > > Marc Peters also suggested to check pf state limit, upon digging into > that I found > > https://serverascode.com/2011/09/12/openbsd-pf-set-limit-states.html > > and

Re: packet loss when > 1000 clients connect

> Check with pfctl -si if you reach a limit Thanks, will do. Marc Peters also suggested to check pf state limit, upon digging into that I found https://serverascode.com/2011/09/12/openbsd-pf-set-limit-states.html and therefore added set limit states 20 to pf.conf.

Re: packet loss when > 1000 clients connect

On Tue, Apr 16, 2019 at 11:07:47AM +0200, Torsten wrote: > Hi! > > Problem description: > In a customers network more than 2k clients connect to a server and > perform https requests. When in the morning more and more clients become > active, the number of connections rises until more and more

Re: Packet loss with latest snapshot

On Mon, 4 Mar 2019, 13:29 David Gwynne, wrote: > On Mon, Mar 04, 2019 at 10:36:23AM +0100, Tony Sarendal wrote: > > On Mon, 4 Mar 2019, 09:43 Tony Sarendal, wrote: > > > > > > > > > > > Den m??n 4 mars 2019 kl 09:26 skrev Tony Sarendal : > > > > > >> Den s??n 3 mars 2019 kl 21:35 skrev Theo de

Re: Packet loss with latest snapshot

On Mon, Mar 04, 2019 at 10:36:23AM +0100, Tony Sarendal wrote: > On Mon, 4 Mar 2019, 09:43 Tony Sarendal, wrote: > > > > > > > Den m??n 4 mars 2019 kl 09:26 skrev Tony Sarendal : > > > >> Den s??n 3 mars 2019 kl 21:35 skrev Theo de Raadt : > >> > >>> Tony, > >>> > >>> Are you out of your mind?

Re: Packet loss with latest snapshot

On Mon, 4 Mar 2019, 09:43 Tony Sarendal, wrote: > > > Den mån 4 mars 2019 kl 09:26 skrev Tony Sarendal : > >> Den sön 3 mars 2019 kl 21:35 skrev Theo de Raadt : >> >>> Tony, >>> >>> Are you out of your mind? You didn't provide even a rough hint about >>> what your firewall configuration looks

Re: Packet loss with latest snapshot

Den mån 4 mars 2019 kl 09:26 skrev Tony Sarendal : > Den sön 3 mars 2019 kl 21:35 skrev Theo de Raadt : > >> Tony, >> >> Are you out of your mind? You didn't provide even a rough hint about >> what your firewall configuration looks like. You recognize that's >> pathetic, right? >> >> > Earlier

Re: Packet loss with latest snapshot

Den sön 3 mars 2019 kl 21:35 skrev Theo de Raadt : > Tony, > > Are you out of your mind? You didn't provide even a rough hint about > what your firewall configuration looks like. You recognize that's > pathetic, right? > > > Earlier in the week I could run parallel ping-pong tests through my

Re: Packet loss with latest snapshot

Tony, Are you out of your mind? You didn't provide even a rough hint about what your firewall configuration looks like. You recognize that's pathetic, right? > Earlier in the week I could run parallel ping-pong tests through my test > firewalls > at 300kpps without any packet loss. I updated

Re: Packet loss on traffic flowing between VLANs

Good to know it helped, probably you also need check for "set optimization aggressive" it will also reduce number of states if it works for your use cases. -- Evgeniy On Thu, Jun 2, 2016 at 2:40 PM, Tim Korn wrote: > Hi Evgeniy, > Thank you for your reply. The states hard

Re: Packet loss on traffic flowing between VLANs

Hi Evgeniy, Thank you for your reply. The states hard limit was the problem. The default limit is quite low :) -- Tim Korn Network Ninja On Thu, Jun 2, 2016 at 3:48 AM, Evgeniy Sudyr wrote: > Tim, > > from your problem description I can suggest you to check

Re: Packet loss on traffic flowing between VLANs

Tim, from your problem description I can suggest you to check if you are not hitting states hard limit with (note - during load when you can reproduce issue): pfctl -si pfctl -sm Default limit is: stateshard limit1 -- Evgeniy On Thu, Jun 2, 2016 at 3:29 AM, Tim Korn

Re: Packet loss on traffic flowing between VLANs

On 02/06/16 04:29, Tim Korn wrote: Hi. I have a pair of openBSD boxes (5.8) setup as a core/firewall. I have ten VLANs tied to a physical NIC (Intel 82599). This is a new setup and it was just recently put in service. Traffic was fine (or at least we didn't notice any issues) until a large

Re: packet loss in larger packets

On Fri, 21 Sep 2012, Erwin Lubbers wrote: I'm using OpenBSD 5.1 and an Intel 10GbE SR (82598AF) ethernet card as a router/firewall and it's working almost perfect. It is routing around 2 gbps of traffic. On the ix0 interface there are several vlans configured with an MTU of 1500. When I'm

Re: packet loss in larger packets

Op 21 sep. 2012, om 09:43 heeft Camiel Dobbelaar c...@sentia.nl het volgende geschreven: Can you show from both systems with tcpdump what the packets look like? You are using normal (no flood) ping and the systems and switch are not loaded with other traffic? No flooding ping, just

Re: packet loss

We've solved the problem increasing net.inet.ip.ifq.maxlen from the default of our version (50) to the default of the more recent versions (250). Does it make sens to you? How far do you think we can go with that value considering that we've 3 physical interfaces (int 100mbit, ext 100mbit and

Re: packet loss

Sorry, I've mised the top 2 rows of the dmesg: OpenBSD 3.9 (FIREWALL) #0: Sun Sep 17 15:49:07 CEST 2006 r...@fw1.domain.com:/usr/src/sys/arch/i386/compile/FIREWALL Firewall is just the generic.mp with a device (cpu temp monitor) removed because not working. This is my netstat -i from the

Re: packet loss

Thanks for the suggestion, I'll try with the GENERIC kernel Is that possibile that this problem is due to hardware limitation (it's quite an old server)? Apparently when the traffic decrease the packet loss decrease as well and disappear just like the odd ping's result Thanks! Alessandro On

Re: packet loss

On Tue, Nov 29, 2011 at 11:47 AM, rik rikc...@gmail.com wrote: Sorry, I've mised the top 2 rows of the dmesg: OpenBSD 3.9 (FIREWALL) #0: Sun Sep 17 15:49:07 CEST 2006 r...@fw1.domain.com:/usr/src/sys/arch/i386/compile/FIREWALL Firewall is just the generic.mp with a device (cpu temp

Re: packet loss

rik rikc...@gmail.com writes: I'm using 2 openbsd boxes as router firewall with carp in a colo-like setup. In the last few days we saw the packet loss percentuale increase up to 8-10% and it doesn't look like a problem for outside. I take this to mean that the CARP setup provided the needed

Re: packet loss

Hi, On Mon, Nov 28, 2011 at 5:59 PM, Peter N. M. Hansteen pe...@bsdly.netwrote: rik rikc...@gmail.com writes: I'm using 2 openbsd boxes as router firewall with carp in a colo-like setup. In the last few days we saw the packet loss percentuale increase up to 8-10% and it doesn't look

Re: packet loss

dmesg? On 2011-11-28, rik rikc...@gmail.com wrote: Good day, I'm using 2 openbsd boxes as router firewall with carp in a colo-like setup. In the last few days we saw the packet loss percentuale increase up to 8-10% and it doesn't look like a problem for outside. If I ping from the master

Re: packet loss

Run ifconfig carp | grep status on both machines... If they're pre 4.8, do: ifconfig carp | grep 'carp: ' . If both think they're masters, they'll do what you're seeing. Thank you, James Shupe On 11/28/11 12:53 PM, Stuart Henderson wrote: dmesg? On 2011-11-28, rik rikc...@gmail.com

Re: packet loss

Hi, this is the dmesg: cpu0: Intel Pentium III (GenuineIntel 686-class) 745 MHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,SER,MMX,FXSR,SSE real mem = 536449024 (523876K) avail mem = 482430976 (471124K) using 4278 buffers containing 26927104 bytes (26296K) of

Re: packet loss

Hi James, both carp on the master firewall are in master status (one on the external side, one on the internal side), but as much as I know they've always been like this; on the backup firewall they both are in backup status (and the backup, using the phisical interface, can ping without any

Re: packet loss

Your dmesg doesn't show the version you're running. Can you provide that, along with ifconfig output from both machines? You may want to check the physical connectivity (cable/ NIC/ switch) for the internal interface of the carp master... Or just fail over to the secondary box to see if the issue

Re: packet loss

On 2011-11-28, James Shupe jsh...@osre.org wrote: Your dmesg doesn't show the version you're running. Can you provide that, Yep, seconded. If people ask for a dmesg, they mean a complete one. I would also try a GENERIC kernel (not GENERIC.MP). along with ifconfig output from both machines?

Re: Packet Loss on Wireless (RAL and WI)

On Tue, Nov 02, 2010 at 02:23:23AM +1300, Jammer wrote: I'm experiencing problems setting up an OpenBSD box as a firewall/Wireless Access Point(...) Firstly my setup: * I've tried this using OpenBSD v4.1, v4.6 and a 4.8 snapshot from 29/10/20 all with similar results. Just install 4.8 or

Re: packet loss over nat

Try increasing PF max number of states. It is currently limited to 1, so when you reach this no new traffic (that would create a state) is permitted until some of the old ones expire. The 1 limit is ok for most machines, but definitely not for a busy server / firewall. (Same goes

Re: packet loss over nat

Hi, thank you for response. It was my idea too but pfctl -ss shows about 1 lines. Where I got better information about ports over nat? Thank you Radek 1. srpna 2005, 23:02:15, jste napsal(a): SKQ On Mon, 2005-08-01 at 21:21 +0200, Bc. Radek Krejca wrote: I have problem with