Send us a dmesg. How much memory does the box have?
If it will legitimately serve that much traffic, try lowering the Apache
timeouts to lower than the default (iirc 60 seconds?). Then match those
timeouts to pf.
Are you using source-hash in the config? That will create a state table
of already established connections, to bypass cpu-intensive lookups when
existing connection state sources send more packets.
I think you're on the right track with timeouts, and a little bit of
tuning should do the trick. If nothing you do is able to mitigate the
slowdowns, consider using carp to load-balance the traffic.
A couple of other things to check which may or may not help: logs for
system errors, ethernet interface stats (errors etc.), MTU size, ethernet
cable length, free memory stats, other running processes, upgrading to
the latest version of OpenBSD - I don't know what version you are
running - and the webserver itself, which is out of scope for OpenBSD
problems :)
Have a great day,
Pierre
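The rdr/nat setup from the post with Pierre's two suggestions (source-hash and shorter, matched timeouts) applied, as an added pf.conf example. This is not configuration from either author; the interface names, backend addresses and the timeout values are placeholders chosen for illustration and should be matched to the real Apache Timeout setting.

```pf
# Added example, not from the thread.  Interfaces and addresses are placeholders.
ext_if = "em0"
int_if = "em1"
web_servers = "{ 10.0.0.1, 10.0.0.2 }"

# Shorter TCP timeouts than the defaults (the post shows tcp.established at
# 86400s); keep them in line with Apache's Timeout so pf does not hold
# states for connections the webserver has already given up on.
set timeout { tcp.first 60, tcp.opening 20, tcp.established 1200 }
set timeout { tcp.closing 120, tcp.finwait 30, tcp.closed 30 }

# Adaptive timeouts only engage once the state count passes adaptive.start;
# with the post's ~2500 states against adaptive.start 24000 they are idle.
set timeout { adaptive.start 24000, adaptive.end 48000 }
set limit states 40000

# Backends sit in private address space; translate their outbound traffic.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Spread port 80 across the backends.  source-hash picks the backend from a
# hash of the client's source address, so a given client keeps landing on
# the same backend.  The post's round-robin form, kept for comparison:
#   rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_servers round-robin
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_servers source-hash

# Let the redirected connections through and track them.
pass in on $ext_if proto tcp from any to $web_servers port 80 flags S/SA keep state
pass out on $int_if proto tcp from any to $web_servers port 80 keep state
```

Load it with `pfctl -f /etc/pf.conf` and watch `pfctl -si` for the state count and `pfctl -st` for the timeouts actually in effect before and after the change.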
Sylwester S. Biernacki wrote:
Hi all,
I was looking for any idea how to tune OBSD with PF, rdr & nat.
I use rdr round-robin of port 80 to backend webservers using private
address space. When packets go back to clients watching the webpage PF
makes nat on them.
Anyway, if I check it with ~100Mbps of traffic everything goes
slower and slower and after a few minutes clients see that the webserver
is responding with a very long delay to clients' requests. However,
after ~15 seconds everything works well for another minute...
I was reading OpenBSD/PF FAQ, trying to change limits in PF but
problem still exists.
After pfctl -x misc the following comes to logs:
Nov 16 08:06:30 ungabunga /bsd: pf: BAD state: TCP 10.0.0.1:80
1.1.1.1:80 2.2.2.23:5027 [lo=1659423809 high=1659488734 win=16384 modulator=0]
[lo=1312540182 high=1312540506 win=65535 modulator=0] 4:4 A seq=1312540182
ack=1659423809 len=1460 ackskew=0 pkts=3188:5511 dir=out,rev
Does anyone have an idea what I should look for to find what should
be tuned up?
other info:
there are ~2500 state entries.
TIMEOUTS:
tcp.first 120s
tcp.opening 30s
tcp.established 86400s
tcp.closing 900s
tcp.finwait 45s
tcp.closed 90s
tcp.tsdiff 30s
udp.first 60s
udp.single 30s
udp.multiple 60s
icmp.first 20s
icmp.error 10s
other.first 60s
other.single 30s
other.multiple 60s
frag 15s
interval 10s
adaptive.start 24000 states
adaptive.end 48000 states
src.track 0s
LIMITS:
states hard limit 40000
src-nodes hard limit 40000
frags hard limit 40000
tables hard limit 1000
table-entries hard limit 100000
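For reading the "BAD state" lines that `pfctl -x misc` produces, here is an added parser and diagnosis helper (my own example, not code from the thread or from OpenBSD). It splits the line into its fields and reports which of pf's sequence-window checks the packet failed. It assumes that the first bracket is the state's own src tracking entry and the second its dst, and that for a packet reported as "rev" the sender is the second entry; that mapping is my reading of pf_test_state_tcp() in pf.c, as is the MAXACKWINDOW value. The sample line is the one from the post, re-joined onto a single line.

```python
import re

# Constructed sample: the BAD state line from the post, re-joined onto one
# line (the kernel logs it as one line; the mail client wrapped it).
SAMPLE = ("pf: BAD state: TCP 10.0.0.1:80 1.1.1.1:80 2.2.2.23:5027 "
          "[lo=1659423809 high=1659488734 win=16384 modulator=0] "
          "[lo=1312540182 high=1312540506 win=65535 modulator=0] "
          "4:4 A seq=1312540182 ack=1659423809 len=1460 ackskew=0 "
          "pkts=3188:5511 dir=out,rev")

# Ack skew pf tolerates before declaring a state bad (MAXACKWINDOW in pf.c;
# assumed value, check the pf.c of your release).
MAXACKWINDOW = 65535

_PEER = r"\[lo=(\d+) high=(\d+) win=(\d+) modulator=(\d+)\]"
_LINE = re.compile(
    r"pf: BAD state: TCP (\S+) (\S+) (\S+) " + _PEER + " " + _PEER +
    r" (\d+):(\d+) (\S+) seq=(\d+) ack=(\d+) len=(\d+) ackskew=(-?\d+)"
    r" pkts=(\d+):(\d+) dir=(in|out),(fwd|rev)")


def _seq_gt(a, b):
    """TCP sequence comparison a > b, tolerant of 32-bit wraparound."""
    return 0 < ((a - b) & 0xFFFFFFFF) < 0x80000000


def parse_bad_state(line):
    """Break one 'pf: BAD state: TCP ...' line into its fields."""
    m = _LINE.search(line)
    if not m:
        raise ValueError("not a pf BAD state TCP line: %r" % line)
    g = m.groups()

    def peer(i):
        return {"lo": int(g[i]), "high": int(g[i + 1]),
                "win": int(g[i + 2]), "modulator": int(g[i + 3])}

    return {
        "lan": g[0], "gwy": g[1], "ext": g[2],
        "state_src": peer(3), "state_dst": peer(7),
        "src_state": int(g[11]), "dst_state": int(g[12]),
        "flags": g[13], "seq": int(g[14]), "ack": int(g[15]),
        "len": int(g[16]), "ackskew": int(g[17]),
        "pkts": (int(g[18]), int(g[19])),
        "dir": g[20], "rel": g[21],
    }


def diagnose(rec):
    """Say which of pf's sequence-window checks the packet failed.

    First bracket = the state's src tracking entry, second = its dst.  A
    packet travelling in the state's direction ("fwd") was sent by the src
    entry; for "rev" the sender is the dst entry.  That mapping is my
    reading of pf_test_state_tcp() in pf.c, not something the line states.
    """
    if rec["rel"] == "fwd":
        snd, rcv = rec["state_src"], rec["state_dst"]
    else:
        snd, rcv = rec["state_dst"], rec["state_src"]

    end = (rec["seq"] + rec["len"]) & 0xFFFFFFFF
    # Lowest sequence number still accepted: the sender's tracked lo minus
    # the receiver's advertised window (window scaling is not in the log,
    # so it is ignored here).
    floor = (snd["lo"] - rcv["win"]) & 0xFFFFFFFF

    reasons = []
    if _seq_gt(end, snd["high"]):
        reasons.append("segment end %d is past the tracked high %d by %d bytes"
                       % (end, snd["high"], (end - snd["high"]) & 0xFFFFFFFF))
    if _seq_gt(floor, rec["seq"]):
        reasons.append("seq %d is below the accepted floor %d"
                       % (rec["seq"], floor))
    if abs(rec["ackskew"]) > MAXACKWINDOW:
        reasons.append("ackskew %d exceeds MAXACKWINDOW" % rec["ackskew"])
    return {"sender": snd, "end": end, "reasons": reasons}


if __name__ == "__main__":
    r = parse_bad_state(SAMPLE)
    print("tcp states %d:%d, packet %s seq=%d len=%d dir=%s,%s"
          % (r["src_state"], r["dst_state"], r["flags"], r["seq"],
             r["len"], r["dir"], r["rel"]))
    for why in diagnose(r)["reasons"]:
        print(" -", why)
```

On the post's line the segment (seq 1312540182, len 1460) ends 1136 bytes past the sender's tracked high of 1312540506, so it is the upper window bound that pf rejected; the ack and the lower bound are fine. Feed it several lines from the log and the pattern of which bound fails, and on which peer, narrows the tuning down considerably.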