Random freezes

Rémy Sanchez remy.sanchez at hyperthese.net
Tue Sep 27 18:19:52 UTC 2011


Hi,

Well, I'm not sure that it's the kind of message you'd expect on this mailing 
list, but I couldn't really find a users mailing list, so here I am.

In short, we (= http://maiznet.fr/) use ipfw for our network, mainly because 
of dummynet's capabilities, which clearly outperform any other solution for 
our needs. The network in question is inside a dormitory, to provide Internet 
to some 150 people.

We have:

  - 3 WAN (2 ADSL and 1 SDSL). I know, it is quite insufficient, but we can't 
get more. [re1, re2, re3]
  - 1 students network [re0]
  - 1 DMZ [re4]
  - 1 office network [re5]

Both are on different subnets, and NAT is used a bit everywhere, along with 
load-balancing.

Here is a recent ipfw show: http://pastebin.com/ma3h9FUU

Now everything works fine, except that sometimes, for no reason, it looks 
like there is a rule that just stops working: sometimes the DNS gets blocked, 
or some users complain about not having internet at all (including internal 
routing not working for them)...

Take yesterday's example: packets that were routed through ADSL2 were NATed 
correctly outgoing, were correctly reverse-NATed incoming, but were not routed 
to the client. If I added a custom "allow" just after the NAT, it started 
working again (but the allow should be automatic due to state checking).

The only solution we have so far: we just reload the rules, and everything 
gets back to normal. Which is a bit unpleasant I must say...

So, I've fallen short of ideas, does anyone see why some rules just block like 
that? Maybe we should move to the in-kernel NAT?

Help is much appreciated,
-- 
Rémy Sanchez
http://hyperthese.net/