+1
On Tue, 16 Apr 2019 at 09:44, Torsten wrote:
> > Check with pfctl -si if you reach a limit
>
> Thanks, will do.
>
> Marc Peters also suggested to check pf state limit, upon digging into
> that I found
>
> https://serverascode.com/2011/09/12/openbsd-pf-set-limit-states.html
>
> and
> Check with pfctl -si if you reach a limit
Thanks, will do.
Marc Peters also suggested to check pf state limit, upon digging into
that I found
https://serverascode.com/2011/09/12/openbsd-pf-set-limit-states.html
and therefore added
set limit states 20
to pf.conf.
On Tue, Apr 16, 2019 at 11:07:47AM +0200, Torsten wrote:
> Hi!
>
> Problem description:
> In a customers network more than 2k clients connect to a server and
> perform https requests. When in the morning more and more clients become
> active, the number of connections rises until more and more
On Mon, 4 Mar 2019, 13:29 David Gwynne, wrote:
> On Mon, Mar 04, 2019 at 10:36:23AM +0100, Tony Sarendal wrote:
> > On Mon, 4 Mar 2019, 09:43 Tony Sarendal, wrote:
> >
> > >
> > >
> > > On Mon, 4 Mar 2019 at 09:26, Tony Sarendal wrote:
> > >
> > >> On Sun, 3 Mar 2019 at 21:35, Theo de
On Mon, Mar 04, 2019 at 10:36:23AM +0100, Tony Sarendal wrote:
> On Mon, 4 Mar 2019, 09:43 Tony Sarendal, wrote:
>
> >
> >
> > On Mon, 4 Mar 2019 at 09:26, Tony Sarendal wrote:
> >
> >> On Sun, 3 Mar 2019 at 21:35, Theo de Raadt wrote:
> >>
> >>> Tony,
> >>>
> >>> Are you out of your mind?
On Mon, 4 Mar 2019, 09:43 Tony Sarendal, wrote:
>
>
> On Mon, 4 Mar 2019 at 09:26, Tony Sarendal wrote:
>
>> On Sun, 3 Mar 2019 at 21:35, Theo de Raadt wrote:
>>
>>> Tony,
>>>
>>> Are you out of your mind? You didn't provide even a rough hint about
>>> what your firewall configuration looks
On Mon, 4 Mar 2019 at 09:26, Tony Sarendal wrote:
> On Sun, 3 Mar 2019 at 21:35, Theo de Raadt wrote:
>
>> Tony,
>>
>> Are you out of your mind? You didn't provide even a rough hint about
>> what your firewall configuration looks like. You recognize that's
>> pathetic, right?
>>
>> > Earlier
On Sun, 3 Mar 2019 at 21:35, Theo de Raadt wrote:
> Tony,
>
> Are you out of your mind? You didn't provide even a rough hint about
> what your firewall configuration looks like. You recognize that's
> pathetic, right?
>
> > Earlier in the week I could run parallel ping-pong tests through my
Tony,
Are you out of your mind? You didn't provide even a rough hint about
what your firewall configuration looks like. You recognize that's
pathetic, right?
> Earlier in the week I could run parallel ping-pong tests through my test
> firewalls
> at 300kpps without any packet loss. I updated
Good to know it helped,
probably you also need to check for "set optimization aggressive"; it will
also reduce the number of states if it works for your use cases.
--
Evgeniy
On Thu, Jun 2, 2016 at 2:40 PM, Tim Korn wrote:
> Hi Evgeniy,
> Thank you for your reply. The states hard
Hi Evgeniy,
Thank you for your reply. The states hard limit was the problem. The
default limit is quite low :)
--
Tim Korn
Network Ninja
On Thu, Jun 2, 2016 at 3:48 AM, Evgeniy Sudyr wrote:
> Tim,
>
> from your problem description I can suggest you to check
Tim,
from your problem description I can suggest you to check if you are not hitting
states hard limit with (note - during load when you can reproduce issue):
pfctl -si
pfctl -sm
Default limit is: stateshard limit1
--
Evgeniy
On Thu, Jun 2, 2016 at 3:29 AM, Tim Korn
On 02/06/16 04:29, Tim Korn wrote:
Hi. I have a pair of openBSD boxes (5.8) setup as a core/firewall. I have
ten VLANs tied to a physical NIC (Intel 82599). This is a new setup and it
was just recently put in service. Traffic was fine (or at least we didn't
notice any issues) until a large
On Fri, 21 Sep 2012, Erwin Lubbers wrote:
I'm using OpenBSD 5.1 and an Intel 10GbE SR (82598AF) ethernet card as a
router/firewall and it's working almost perfect. It is routing around 2 gbps
of traffic.
On the ix0 interface there are several vlans configured with an MTU of 1500.
When I'm
On 21 Sep 2012, at 09:43, Camiel Dobbelaar c...@sentia.nl wrote:
Can you show from both systems with tcpdump what the packets look like?
You are using normal (no flood) ping and the systems and switch are not
loaded with other traffic?
No flooding ping, just
We've solved the problem increasing net.inet.ip.ifq.maxlen from the default
of our version (50) to the default of the more recent versions (250). Does
it make sense to you?
How far do you think we can go with that value considering that we've 3
physical interfaces (int 100mbit, ext 100mbit and
Sorry, I've missed the top 2 rows of the dmesg:
OpenBSD 3.9 (FIREWALL) #0: Sun Sep 17 15:49:07 CEST 2006
r...@fw1.domain.com:/usr/src/sys/arch/i386/compile/FIREWALL
Firewall is just the generic.mp with a device (cpu temp monitor) removed
because not working.
This is my netstat -i from the
Thanks for the suggestion, I'll try with the GENERIC kernel
Is it possible that this problem is due to a hardware limitation (it's
quite an old server)? Apparently when the traffic decreases the packet loss
decreases as well and disappears, just like the odd ping's result
Thanks!
Alessandro
On
On Tue, Nov 29, 2011 at 11:47 AM, rik rikc...@gmail.com wrote:
Sorry, I've missed the top 2 rows of the dmesg:
OpenBSD 3.9 (FIREWALL) #0: Sun Sep 17 15:49:07 CEST 2006
r...@fw1.domain.com:/usr/src/sys/arch/i386/compile/FIREWALL
Firewall is just the generic.mp with a device (cpu temp
rik rikc...@gmail.com writes:
I'm using 2 openbsd boxes as router firewall with carp in a colo-like setup.
In the last few days we saw the packet loss percentage increase up to
8-10% and it doesn't look like a problem for outside.
I take this to mean that the CARP setup provided the needed
Hi,
On Mon, Nov 28, 2011 at 5:59 PM, Peter N. M. Hansteen pe...@bsdly.net wrote:
rik rikc...@gmail.com writes:
I'm using 2 openbsd boxes as router firewall with carp in a colo-like
setup.
In the last few days we saw the packet loss percentage increase up to
8-10% and it doesn't look
dmesg?
On 2011-11-28, rik rikc...@gmail.com wrote:
Good day,
I'm using 2 openbsd boxes as router firewall with carp in a colo-like setup.
In the last few days we saw the packet loss percentage increase up to
8-10% and it doesn't look like a problem for outside. If I ping from the
master
Run
ifconfig carp | grep status
on both machines... If they're pre 4.8, do:
ifconfig carp | grep 'carp: '
.
If both think they're masters, they'll do what you're seeing.
Thank you,
James Shupe
On 11/28/11 12:53 PM, Stuart Henderson wrote:
dmesg?
On 2011-11-28, rik rikc...@gmail.com
Hi,
this is the dmesg:
cpu0: Intel Pentium III (GenuineIntel 686-class) 745 MHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,SER,MMX,FXSR,SSE
real mem = 536449024 (523876K)
avail mem = 482430976 (471124K)
using 4278 buffers containing 26927104 bytes (26296K) of
Hi James,
both carp on the master firewall are in master status (one on the external
side, one on the internal side), but as much as I know they've always been
like this; on the backup firewall they both are in backup status (and the
backup, using the physical interface, can ping without any
Your dmesg doesn't show the version you're running. Can you provide
that, along with ifconfig output from both machines? You may want to
check the physical connectivity (cable/ NIC/ switch) for the internal
interface of the carp master... Or just fail over to the secondary box
to see if the issue
On 2011-11-28, James Shupe jsh...@osre.org wrote:
Your dmesg doesn't show the version you're running. Can you provide
that,
Yep, seconded. If people ask for a dmesg, they mean a complete one.
I would also try a GENERIC kernel (not GENERIC.MP).
along with ifconfig output from both machines?
On Tue, Nov 02, 2010 at 02:23:23AM +1300, Jammer wrote:
I'm experiencing problems setting up an OpenBSD box as a
firewall/Wireless Access Point(...)
Firstly my setup:
* I've tried this using OpenBSD v4.1, v4.6 and a 4.8 snapshot from
29/10/20 all with similar results.
Just install 4.8 or
Try increasing PF max number of states.
It is currently limited to 1, so when you reach this no new
traffic (that would create a state) is permitted until some of the
old ones expire. The 1 limit is ok for most machines, but
definitely not for a busy server / firewall. (Same goes
Hi,
thank you for response. It was my idea too but pfctl -ss shows about
1 lines. Where I got better information about ports over nat?
Thank you
Radek
On 1 August 2005, 23:02:15, you wrote:
SKQ On Mon, 2005-08-01 at 21:21 +0200, Bc. Radek Krejca wrote:
I have problem with