PF: See packet errors on external interface
Mark Pagulayan
m.pagulayan at auckland.ac.nz
Tue Jun 10 00:56:53 UTC 2008
Hi Guys,
I was just wondering if you could help me with my problem.
Before going to the details here is my setup:
OS: FreeBSD 7.0-RELEASE i386
Firewall: PF
Interface: em1 (external interface) and em0 (internal interface)
Setup: The 2 interfaces above are set up as a bridge so we are using PF
as a layer2 FW.
Use altq to define queues on em1 and em0 ( default, unlimited,
sponsored, premium, standard)
Doing a netstat -d -I em1, I can see that there are incoming packet errors
but no outgoing packet errors. A number of drops but no collisions.
Doing a netstat -d -I em0, I can see that there are no errors on the
incoming and outgoing packets. A number of drops but no collisions.
Doing a netstat -d -l bridge0, I don't see any errors on the incoming and
outgoing packets. No drops or collisions.
Looking at my ruleset I can see that I have
scrub in on em1
Does this rule cause the packet errors? Or presumably because of the
speed of the network? We are running at around 8000 packets/s for
incoming and outgoing traffic.
There was a plan to remove this rule. If we do that, what would the
implications be?
Also using the tool pftop, the default queue has packet drops and
suspensions:
QUEUE    BW    SCH  PRIO  PKTS     BYTES    DROP_P  DROP_B  QLEN  BORROW  SUSPEN  P/S   B/S
default  134M  cbq        1326370  775902K  138     102128  0     0       2798    8182  4340435
Do you think the scrub rule is causing pf to suspend some packets?
I also wish to understand how pftop works to be able to debug the
problem.
The reason that I am asking these questions is that we get connectivity
issues with some external sites that we connect to. It might be the
uplink that has problems, but I hope I could gather information on what
might be causing this, or things that might or might not be related to this issue.
Your help would be greatly appreciated.
Thanks
Mark Pagulayan
University of Auckland