On Wed, Dec 18, 2024 at 11:21:44AM -0000, Stuart Henderson wrote:
> On 2024-12-18, Janne Johansson <icepic...@gmail.com> wrote:
>>> I have an NTP server behind an OpenBSD firewall / router and seeing some
>>> packet loss. The NTP server (Leontp 1200) should be able to handle the
>>> load easily, so I suspect the packet loss occurs at the firewall/router
>>> or elsewhere.
>>> My first suspect was the state table on the firewall/router. Due to the
>>> nature of the traffic, nearly every incoming packet creates a new state,
>>> leading to an average of about 50k to 70k states. Close to the default
>>> limit of 100k, so perhaps the limit was reached during peak traffic.
>>> The 'memory' counter from pfctl -si was also at ~37k.
>>>
>>> I increased the state limit to 500k and added 'keep state (udp.single 5
>>> udp.first 5 udp.multiple 5)' to the rules that concern the NTP traffic.
>>> The state table is now around 20 - 30k, well below the limit. The load
>>> on the router is also quite low (~98% idle).
>>
>> A quick thought here is to just not keep state for those kinds of packets.
>
> agreed. at least it would help pinpoint the problem.
Thanks for your comments, Janne and Stuart. I also thought about that, but the
NTP server is on an RFC1918 address, so I need rdr/nat to translate the packets
and these rules require keep state.

>> Creating and cleaning out these states is still a bit of work.
>>
>> You are basically going to accept all incoming udp on this port and send back
>> any replies created from your ntp server, so keeping state on this
>> udp-port seems to give no huge* advantage, right?
>>
>> so "pass in quick on $ext_if proto udp from any to ntp-box port 123 no
>> state" and
>> "pass in quick on $int_if proto udp from ntp-box port 123 to any no state"
>> basically and just have the firewall idle away even more.
>
> I would recommend putting this close to the top of the ruleset, the rules
> are processed in order (at least, in post-optimiser order) so you want to
> have these very common packets matched without evaluating against the whole
> ruleset.

I moved the rules for the NTP traffic to the top and this seems to improve
things. But I'll leave it overnight to have some better stats in the morning.

Best regards,
Maurice
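For reference, a constructed pf.conf fragment (not from anyone in the thread) that puts the three points together: the NAT'd NTP rule with short per-rule UDP timeouts, placed first with "quick", and the stateless alternative that only works when no rdr-to is involved. Interface names and addresses are placeholders.

```pf
# Constructed example, not from the thread. Interface names and addresses are
# placeholders. The NTP server sits on an RFC1918 address behind the router, so
# the inbound rule must translate (rdr-to) and therefore has to keep state;
# the "no state" shortcut below is only possible without address translation.
ext_if  = "em0"
int_if  = "em1"
ntp_pub = "203.0.113.10"   # public address that clients query
ntp_box = "10.0.0.10"      # RFC1918 address of the internal NTP server

# Raise the state ceiling above the default of 100k.
set limit states 500000

# NTP rules go first: with "quick" the very frequent NTP packets match here
# and are never evaluated against the rest of the ruleset. The per-rule UDP
# timeouts (seconds) keep the state table small, since every client query is
# a fresh state that is only needed for one reply.
pass in quick on $ext_if inet proto udp from any to $ntp_pub port 123 \
    rdr-to $ntp_box keep state (udp.first 5, udp.single 5, udp.multiple 5)

# The default state-policy is floating, so the state created above also
# matches the translated packet leaving on $int_if and the reply coming back;
# no second rule is needed for the internal side.

# Stateless alternative, usable only if the server has a routable address
# and no rdr-to is needed (what Janne suggested): no state is created or
# cleaned up for NTP at all.
# pass in quick on $ext_if inet proto udp from any to $ntp_box port 123 no state
# pass in quick on $int_if inet proto udp from $ntp_box port 123 to any no state

# Remainder of the ruleset (block policy, other pass rules) follows here.
```

Check with pfctl -nf /etc/pf.conf before loading, and watch the "current entries" and "memory" counters from pfctl -si over a peak period to confirm the table stays well below the limit.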