
Re: PF and stalled connections



Check your switch and server ports/interfaces aren't set to autoneg.

Generally, *never* use autoneg, *always* fix the speeds and duplex
(which is usually the problem) at both ends.

If you can't fix both ends, fix just one end and the other end should
work it out okay, but auto-auto is a real dodgy setup.

Dom
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto                                       Tel. 07855 805 271
http://www.devitto.com                         mailto:dom_(_at_)_devitto_(_dot_)_com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 


-----Original Message-----
From: owner-misc_(_at_)_openbsd_(_dot_)_org [mailto:owner-misc_(_at_)_openbsd_(_dot_)_org] On Behalf Of Abdul Rehman Gani
Sent: Monday, December 30, 2002 1:56 PM
To: misc_(_at_)_openbsd_(_dot_)_org
Subject: PF and stalled connections


Hi,

I have just upgraded a working OBSD 2.9 + IPF firewall to OBSD 3.2 and PF.
Rules syntax changes have been made, checked and successfully applied -
all works as expected. Generic kernel from the 3.2 CD - tried with no
patches and with the kernel patches from the errata page.  Only additional
software is dnscache on 192.168.0.1 and tinydns on 127.0.0.1 (both from
djbdns) to provide a split horizon DNS.

However, connections (from the inside) tend to stall for brief periods of
time, then resume. For instance, if I connect to the firewall via ssh from
an internal host the connection will stall for a time, then resume and all
entries made at the prompt during the stall will be processed as soon as
the stall is over. If I ping the firewall's internal iface from an internal
host using -c 200 I will see between 5% and 28% packet loss. Connections
through the firewall also suffer from stalls, ie via a browser to a web site.

A ping from an external host to the firewall's external iface does not
suffer any packet loss.

I am open to all suggestions/opinions.

Thanks,

Abdul

Dmesg.boot included below and I have reduced the rules to:-

---------------pf.conf----------------
# Define the interfaces
int=fxp0
ext=fxp1

# normalise all packets
scrub in on $int all fragment reassemble
scrub in on $ext all fragment reassemble

# translate outgoing packets
nat on $ext from 192.168.0.0/24 to any -> 196.33.34.240

# pass all packets
pass in on $ext all keep state
pass out on $ext all keep state
pass in on $int all keep state
pass out on $int all keep state
---------------pf.conf----------------


---------------dmesg.boot----------------
OpenBSD 3.2 (GENERIC) #25: Thu Oct  3 19:51:53 MDT 2002
    deraadt_(_at_)_i386_(_dot_)_openbsd_(_dot_)_org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium II ("GenuineIntel" 686-class, 512KB L2 cache) 399 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SYS,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem  = 133791744 (130656K)
avail mem = 118448128 (115672K)
using 1658 buffers containing 6791168 bytes (6632K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(9f) BIOS, date 05/19/99, BIOS32 rev. 0 @ 0xfd7a0
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
pcibios0 at bios0: rev. 2.1 @ 0xfd7a0/0x860
pcibios0: PCI IRQ Routing Table rev. 1.0 @ 0xfdf30/176 (9 entries)
pcibios0: PCI Interrupt Router at 000:07:0 ("Intel 82371FB PCI-ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc0000/0xc000 0xe0000/0x4000! 0xe4000/0xc000
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX PCI-AGP" rev 0x03
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 1 function 0 "Trident 3DImage 9750" rev 0xf3
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x02
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <ST34311A>
wd0: 16-sector PIO, LBA, 4126MB, 8944 cyl, 15 head, 63 sec, 8452080 sectors
atapiscsi0 at pciide0 channel 0 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <ATAPI, 48X CDROM, 3.30> SCSI0 5/cdrom removable
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
cd0(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
uhci0 at pci0 dev 7 function 2 "Intel 82371AB USB" rev 0x01: irq 9
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: vendor 0x0000 UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
"Intel 82371AB Power Mgmt" rev 0x02 at pci0 dev 7 function 3 not configured
yds0 at pci0 dev 12 function 0 "Yamaha 740C" rev 0x03: irq 10
ac97: codec id 0x41445303 (Analog Devices AD1819)
ac97: codec features Analog Devices Phat Stereo
audio0 at yds0
fxp0 at pci0 dev 14 function 0 "Intel 82557" rev 0x05: irq 11, address 00:90:27:35:14:8a
inphy0 at fxp0 phy 1: i82555 10/100 media interface, rev. 0
fxp1 at pci0 dev 15 function 0 "Intel 82557" rev 0x05: irq 10, address 00:a0:c9:ea:28:86
inphy1 at fxp1 phy 1: i82555 10/100 media interface, rev. 0
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
opl0 at yds0: model OPL3
midi1 at opl0: <DS-1 integrated Yamaha OPL3>
mpu at yds0 not configured
mpu at yds0 not configured
mpu at yds0 not configured
mpu at yds0 not configured
biomask 4240 netmask 4e40 ttymask 4ec2
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matched BIOS disk 80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
---------------dmesg.boot----------------

-- 
http://www.eastcoast.co.za
Tel: +27-31-566-8080
Fax: +27-31-566-8010
Email: support_(_at_)_eastcoast_(_dot_)_co_(_dot_)_za
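
One way to check the two fxp interfaces for the autonegotiation and duplex settings the reply above points at, as an added example that is not part of the original thread. The function names are hypothetical and the sample is constructed `ifconfig` output in the OpenBSD media-line format, not output from the poster's machine.

```shell
#!/bin/sh
# Added example: report, per interface, whether the media setting is
# autoselect or fixed and which duplex is in effect.
# Reads `ifconfig` output on stdin and prints "<iface> <auto|fixed> <duplex>".
media_report() {
    awk '
        # Interface header line, e.g. "fxp0: flags=..."
        /^[a-z]+[0-9]+:/ { iface = $1; sub(/:$/, "", iface) }
        # Media line, e.g. "media: Ethernet autoselect (100baseTX full-duplex)"
        $1 == "media:" {
            mode = ($0 ~ /autoselect/) ? "auto" : "fixed"
            duplex = "unknown"
            if ($0 ~ /full-duplex/) duplex = "full"
            else if ($0 ~ /half-duplex/) duplex = "half"
            print iface, mode, duplex
        }
    '
}

# List interfaces worth a closer look: still on autoselect, or not
# running full duplex.
needs_review() {
    media_report | awk '$2 == "auto" || $3 != "full" { print $1 }'
}

# Constructed sample (not taken from the thread): fxp0 autonegotiated
# down to half duplex, fxp1 pinned to 100baseTX full duplex.
SAMPLE='fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        media: Ethernet autoselect (100baseTX half-duplex)
        status: active
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        media: Ethernet 100baseTX full-duplex
        status: active'

printf '%s\n' "$SAMPLE" | media_report
printf 'review: %s\n' "$(printf '%s\n' "$SAMPLE" | needs_review)"
```

On a live host, feed it real output with `ifconfig -a | media_report`, and compare the result with the speed and duplex configured on the switch port at the other end.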