It depends where most traffic flows... We have VPN and LAN on one NIC and WAN and DMZ on the other...
It solved that problems... Von: Lenny [mailto:five2one.le...@gmail.com] Gesendet: Sonntag, 8. März 2009 15:54 An: support@pfsense.com Betreff: Re: [pfSense Support] Re: Can't get more than 15kpps. Yeah, but I'm already using a Dual NIC - I wrote that. I only use WAN and OPT1 - they're both on the same card. On Sun, Mar 8, 2009 at 3:01 PM, Fuchs, Martin <martin.fu...@trendchiller.com<mailto:martin.fu...@trendchiller.com>> wrote: We once had a similar problem and solved it by using multiport cards, so when the traffic leaves the physical card to be routed to another card there are more interrupts generated as when the traffic only is routed between the interfaces of one physical cars, we used 2-port or 4-port em0 and it works really cool, we got out interrupt rate from 100% under heavy load to 12% under heavy load by this... Regards, Martin Von: Lenny [mailto:five2one.le...@gmail.com<mailto:five2one.le...@gmail.com>] Gesendet: Sonntag, 8. März 2009 12:57 An: support@pfsense.com<mailto:support@pfsense.com> Betreff: Re: [pfSense Support] Re: Can't get more than 15kpps. Guys, I'm really desperate:( Last week I replaced the Intel Dual NIC with a new one of the same kind (82546GB). For a week of low load (6kpps on average) I never saw a single error on the interfaces, but yesterday came the high load and it happened again. So I'm totally out of ideas. The main problem remains: the minute I get high load (about 14-18kpps, 250000 states, 120Mb traffic), the em0 and em1 taskq processes lock on 100% each and the website becomes unresponsive or very slow. I also started to see errors on the interfaces again. The moment I release some of that load - everything is back to normal. Just to remind you, my hardware is IBM x335 server, 2 x Xeon 3.06GHz CPU, 2GB RAM, Intel Dual NIC PCI-X. By the way, the total CPU load I see at these situations is 40-50%. It's a SMP setup, so the taskq processes lock the 2 out of 4 CPUs available. Should I go on and mess with em drivers? What should I change there if so? Please, please help! Lenny. On Tue, Feb 10, 2009 at 7:49 PM, Lenny <five2one.le...@gmail.com<mailto:five2one.le...@gmail.com>> wrote: Hi, apparently my last few emails were only between me and Curtis, so I'm attaching them all. so as far as I understand my problem is whether with one of the cables (which is less likely, as I see errors on both interfaces), whether with the NIC itself? Can anyone confirm that? Thank a lot, Lenny. Lenny wrote: I drew you a diagram you asked for: http://rapidshare.com/files/195843186/file3.jpg.html Hope it makes things clearer, and also explains why I'm a bit skeptical about the switch/cable issues... I ran the command you asked me to and these are the results. seems OK, doesn't it? 2948-cis> show port counters 2/49 Port Align-Err FCS-Err Xmit-Err Rcv-Err UnderSize ----- ---------- ---------- ---------- ---------- --------- 2/49 - 0 0 0 0 Port Single-Col Multi-Coll Late-Coll Excess-Col Carri-Sen Runts Giants ----- ---------- ---------- ---------- ---------- --------- --------- --------- 2/49 0 0 0 0 0 0 0 Last-Time-Cleared -------------------------- Mon Aug 4 2008, 09:03:45 2948-cis> show port counters 2/50 Port Align-Err FCS-Err Xmit-Err Rcv-Err UnderSize ----- ---------- ---------- ---------- ---------- --------- 2/50 - 0 0 0 0 Port Single-Col Multi-Coll Late-Coll Excess-Col Carri-Sen Runts Giants ----- ---------- ---------- ---------- ---------- --------- --------- --------- 2/50 0 0 0 0 0 0 0 Last-Time-Cleared -------------------------- Mon Aug 4 2008, 09:03:45 Regarding the NICs - the Broadcom NICs are on PCI bus and I had CPU loaded with interrupt, so I've never even had a chance to reach this kind of load without hitting 80% CPU(even with device polling), on the other hand I don't remember the blank spaces on RRD graphs. This is why I'm not throwing the Intel Dual NIC out of the equation just yet. Curtis LaMasters wrote: A static route should be enough. If they are both plugged into the same LAN you may want to enable the checkbox that says supress ARP messages. Do you have a little diagram available of this setup? IP's do not have to be included. I am not versed with CatOS but Google brought me to this http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008010e9d5.shtml that says you should do "show port counters". You've tested both Intel and Broadcom nic's right? This would lead me to a switch or cable issue 100%. Let me know what the Cisco switch says. Do you have anything plugged into LAN? Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com On Sun, Feb 8, 2009 at 3:15 PM, Lenny <five2one.le...@gmail.com<mailto:five2one.le...@gmail.com>> wrote: another thing I just thought of: Is it possible I need a VLAN in my configuration or is the static route enough for this? Curtis LaMasters wrote: I would have to say bad hardware or cable, or speed/duplex issue. The traffic difference is probably due to blocked traffic. If you have cli access to the cisco switch run "show int | i errors" and report the output. Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com On Sun, Feb 8, 2009 at 2:54 PM, Lenny <five2one.le...@gmail.com<mailto:five2one.le...@gmail.com>> wrote: Hi, actually, it's a good point about the errors! I'm way far from "0". WAN: Media 1000baseTX <full-duplex> In/out packets 2865480509/3025905907 (792.79 MB/2.11 GB) In/out errors 6041699/0 Collisions 0 OPT1: Media 1000baseTX <full-duplex> In/out packets 3044923904/2862204565 (1.23 GB/688.88 MB) In/out errors 13720077/0 Collisions 0 also makes me wonder about the difference 2.11GB against 1.23 GB. there are no other connected interfaces... where does it go? anyway, please share your ideas. thank you, Lenny. Curtis LaMasters wrote: I apologize, I was not stating that your network is overly complex, simply that the solutions that the others were stating were more than I think you needed. I have a total of 65 deployed pfSense solutions around the midwest. Nearly any of them that are connected to Cisco have a speed/duplex issue out of the box with autonegotiation. I only wanted to make sure that the simple stuff was out of the way before you got too far deep into customization where upgrades would prove to be dificult. I'm going to asume that you have zero for both collisions and errors on your interfaces on pf under "status>interfaces"? If that is the case and your ISP says all is well, then I can only assume it's another issue require much more complex solutions. Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com On Sun, Feb 8, 2009 at 10:05 AM, <five2one.le...@gmail.com<mailto:five2one.le...@gmail.com>> wrote: Hi, thanks for answering. Actually, the network has not changed and I don't think it's too complex either. And I do know that my kind of load is supposed to be handled with "out of the box" configuration. That's why I'm asking you and not starting tweaking the sysctl just yet. Regarding your suggestion, you're right - I'm not a Cisco guy, but I asked one of the guys at the ISP to check it for errors and he said everything's OK. Plus, when I bypassed the firewall, the Cisco switch was still in the game. It's set to auto negotiate and it seemed to be fine with Alteon, so I'd rather believe it's fine with pfSense too. thanks, Lenny.
