Traffic mysteriously dropping
Christopher McGee
chris at xecu.net
Fri Mar 31 13:46:26 UTC 2006
Bradley W. Dutton wrote:
>If you remove the red option do you still have dropped traffic?
>
>
>
>>Christopher McGee wrote:
>>
>>
>>
>>>I have 2 firewalls using all "em" network cards. They have 2 onboard
>>>Intel Gigabit interfaces and 1 quad port intel pro1000MT in each
>>>firewall. They are currently using both of the onboard interfaces and
>>>2 of the interfaces from the pci cards. The firewalls are running
>>>carp and pfsync for failover. They are managing traffic for a gigabit
>>>link and they usually don't push more than 150-200 Mbit/s and that is
>>>rare. Some http traffic is mysteriously just disappearing, even at
>>>times when the firewalls are not busy (only 3-4 Mbit/s of traffic).
>>>I've tested this, and the traffic is reaching the firewall (inbound to
>>>our network) and hits pf and seems to be passing but then just never
>>>makes it out the other interfaces (although pf does not log any blocked
>>>packets). The client will resend SYN packets until the connection
>>>eventually just times out. This timeout is happening on approximately
>>>1 out of 25 connections.
>>>Here is how I fixed this temporarily:
>>>I moved the rule for the http traffic to the FIRST rule of pf.conf and
>>>made it a quick rule and bidirectional (stateless); it works and
>>>doesn't seem to drop any connections.
>>>
>>>I have a fairly extensive ruleset, 378 rules to be exact when they are
>>>all loaded. I am using if-bound states. If I make these rules
>>>stateful, or move them down even one or 2 lines in the list of rules,
>>>they start dropping connections again. Hopefully someone can help
>>>with this.
>>>
>>>Chris
>>>
>>>
>>A quick follow up since I realize I left out a little detail. I have
>>tried this on 5.4-RELEASE-p8 and 6.0-RELEASE-p6. I've been trying to
>>get altq working properly also, but it's been disabled until I work out
>>the above problem.
>>
>>The problem I've had with altq is trying to implement hfsc on the 6.0
>>firewall. I thought it was a pretty simple configuration. I want to
>>limit outgoing traffic to 100Mbit/s and have one queue higher priority,
>>with a guaranteed 3 Mb of bandwidth, and a second lower priority queue
>>with no guaranteed bandwidth. The 2 queues should share the 97Mb of
>>spare bandwidth evenly when the firewalls are busy, and queue2 should
>>not be allowed to exceed 95Mb ever. This is what I put together but it
>>errors:
>>
>>altq on $ext_if bandwidth 100Mb hfsc queue { queue1, queue2 }
>>queue queue1 priority 3 hfsc(realtime 3Mb linkshare 50% default red)
>>queue queue2 hfsc(upperlimit 95Mb linkshare 50% red)
>>
>>I get the following error:
>>pfctl: the sum of the child bandwidth higher than parent "root_em0"
>>
>>These 2 problems are making pf virtually unusable for our firewall
>>needs. Hopefully there is a fix for them.
>>
>>Chris
>>
>>
>
>
The dropped traffic occurs with altq disabled. It is compiled in the
kernel, but if I remove all altq statements, the result does not change;
the same traffic drops.
Chris
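The pfctl error quoted above is a separate issue from the dropped connections (Chris confirms the drops persist with altq removed), but it has a well-defined cause. In pfctl's pf.conf parser, a child queue that carries no `bandwidth` keyword is given a default of 100% of its parent's bandwidth; with two such children under a 100Mb root, the admission check sums them to 200Mb and reports "the sum of the child bandwidth higher than parent". The block below is an added example written for this page, not configuration from the original poster. It keeps the stated intent (3Mb guaranteed for queue1, equal sharing of spare capacity, a 95Mb hard cap on queue2) and only adds explicit bandwidth shares plus absolute linkshare values; `$ext_if` is assumed to be the same macro used in the post, and the trailing pass rule is a constructed illustration of how traffic is assigned to a queue.

```pf
# Added example, not from the original post. Same intent as the quoted
# altq block, rewritten so the child bandwidths do not exceed the root.

# Root queue: cap outgoing traffic on the external interface at 100 Mb.
altq on $ext_if bandwidth 100Mb hfsc queue { queue1, queue2 }

# queue1: the explicit "bandwidth 50%" replaces the implicit 100% default,
# so the two children now sum to exactly the parent's 100 Mb.
#   realtime 3Mb   -> guaranteed 3 Mb whenever queue1 has traffic
#   linkshare 50Mb -> equal claim on spare capacity against queue2
#   default        -> unclassified traffic lands here
#   red            -> random early detection on this queue
queue queue1 bandwidth 50% priority 3 hfsc(realtime 3Mb linkshare 50Mb default red)

# queue2: no realtime guarantee, equal share of spare capacity,
# and upperlimit 95Mb so it can never exceed 95 Mb on its own.
queue queue2 bandwidth 50% hfsc(upperlimit 95Mb linkshare 50Mb red)

# Constructed illustration of queue assignment (not a rule from the post):
# pass out quick on $ext_if proto tcp to any port 80 keep state queue queue2
```

Sanity checks that pfctl applies to this layout, all of which pass here: each child's bandwidth is at most the parent's (50Mb each, 100Mb total); the sum of realtime curves (3Mb) is under 80% of the interface bandwidth; the upperlimit (95Mb) is below the interface bandwidth and above queue1's realtime curve. Load it with `pfctl -nf /etc/pf.conf` to parse without applying, then `pfctl -vsq` to watch the queues once it is live.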