2011/10/21 Michel Blais <[email protected]>

> This is for a firewall and main gateway of my network.
> It is an Atom dual-core CPU, 1.6 GHz, with 2 GB of RAM.
> It has 2 Realtek onboard NICs, but since I wanted Intel NICs, I added an
> optional board with 3 Intel NICs.
>
> em0 is used to connect to my ISP fiber link
> em1 is used to connect to my LAN
> re1 is used to connect directly to the router for maintenance.
>
> PF is used for firewalling and to NAT some users. Others have public IPs.
>
> PMACCT to collect some network stats.
>
> OLSRd for dynamic routing that announces 0.0.0.0/0
>
> Michel
>
>
> 2011/10/21 Stuart Henderson <[email protected]>
>
>> You haven't explained what this machine is doing. But a few random
>> comments from a wild assumption that it's just routing packets + PF:
>>
>> - MP is not helping you, and may be making things worse
>> - amd64 is probably not helping you, and may be making things worse
>> - try comparing kern.pool_debug=0 and kern.pool_debug=1
>>
>> if you can say a bit more about what you're doing, maybe you'll get
>> some other tips.
>>
>>
>> On 2011-10-21, Michel Blais <[email protected]> wrote:
>> > I have a problem with a snapshot (not sure if it's the latest):
>> > download is really slow, 0.3 to 1 Mbps per customer.
>> > Also a lot of packet loss, beginning from the OpenBSD box.
>> > There are around 800 to 1000 users on this server.
>> > Bandwidth is not a problem, but we often saw a limit on the number
>> > of packets be the problem on our old servers. When it happens
>> > with Linux, it's often a ct sysctl value. I saw this too with PF on
>> > FreeBSD, where I had to give higher values in set limit.
>> >
>> > I use the same limit values as on my FreeBSD server, which has 3 x more
>> > traffic and users.
>> > set limit { states 196608, src-nodes 16384, frags 8192, tables 1024,
>> > table-entries 131072 }
>> > so I really don't think those values are too low
>> >
>> > # pfctl -si
>> > Status: Enabled for 0 days 05:18:11              Debug: err
>> >
>> > State Table                          Total             Rate
>> >   current entries                    24986
>> >   searches                       112481055         5891.8/s
>> >   inserts                          3846438          201.5/s
>> >   removals                         3821452          200.2/s
>> > Counters
>> >   match                            5534959          289.9/s
>> >   bad-offset                             0            0.0/s
>> >   fragment                              26            0.0/s
>> >   short                               1284            0.1/s
>> >   normalize                            602            0.0/s
>> >   memory                              4228            0.2/s
>> >   bad-timestamp                          0            0.0/s
>> >   congestion                             0            0.0/s
>> >   ip-option                              1            0.0/s
>> >   proto-cksum                            0            0.0/s
>> >   state-mismatch                     20446            1.1/s
>> >   state-insert                          24            0.0/s
>> >   state-limit                            0            0.0/s
>> >   src-limit                              0            0.0/s
>> >   synproxy                               0            0.0/s
>> >
>> > No queues, and I don't see any errors in dmesg or in the log. CPU load is
>> > between 4 and 8% when checking with systat, 1920704 active memory free.
>> > Interrupts total from 6 to 7k.
>> >
>> > Is there a sysctl that could block too many connections? I looked at the
>> > inet list one by one but didn't find anything for now. Any other ideas?
>> >
>> > Michel
>> >
>> > DMESG :
>> >
>> > arpresolve: 10.8.1.4: route without link local address (This one comes
>> > often, and I also sometimes see 10.8.1.26)
>> > syncing disks... done
>> > r
>> > OpenBSD 5.0-current (GENERIC.MP) #70: Mon Sep 12 02:07:20 MDT 2011
>> >     [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>> > real mem = 2135490560 (2036MB)
>> > avail mem = 2064576512 (1968MB)
>> > mainbus0 at root
>> > bios0 at mainbus0: SMBIOS rev. 2.6 @ 0x9f800 (22 entries)
>> > bios0: vendor American Megatrends Inc. version "080016" date 03/04/2011
>> > acpi0 at bios0: rev 2
>> > acpi0: sleep states S0 S1 S4 S5
>> > acpi0: tables DSDT FACP APIC MCFG OEMB HPET GSCI SSDT
>> > acpi0: wakeup devices P0P1(S4) PS2K(S4) PS2M(S4) USB0(S4) USB1(S4) USB2(S4) USB3(S4) EUSB(S4) P0P4(S4) P0P5(S4) P0P6(S4) P0P7(S4) P0P8(S4) P0P9(S4) SLPB(S4)
>> > acpitimer0 at acpi0: 3579545 Hz, 24 bits
>> > acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
>> > cpu0 at mainbus0: apid 0 (boot processor)
>> > cpu0: Intel(R) Atom(TM) CPU N550 @ 1.50GHz, 1500.18 MHz
>> > cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG
>> > cpu0: 512KB 64b/line 8-way L2 cache
>> > cpu0: apic clock running at 166MHz
>> > cpu1 at mainbus0: apid 2 (application processor)
>> > cpu1: Intel(R) Atom(TM) CPU N550 @ 1.50GHz, 1499.99 MHz
>> > cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG
>> > cpu1: 512KB 64b/line 8-way L2 cache
>> > cpu2 at mainbus0: apid 1 (application processor)
>> > cpu2: Intel(R) Atom(TM) CPU N550 @ 1.50GHz, 1499.99 MHz
>> > cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG
>> > cpu2: 512KB 64b/line 8-way L2 cache
>> > cpu3 at mainbus0: apid 3 (application processor)
>> > cpu3: Intel(R) Atom(TM) CPU N550 @ 1.50GHz, 1499.99 MHz
>> > cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG
>> > cpu3: 512KB 64b/line 8-way L2 cache
>> > ioapic0 at mainbus0: apid 4 pa 0xfec00000, version 20, 24 pins
>> > ioapic0: misconfigured as apic 1, remapped to apid 4
>> > acpimcfg0 at acpi0 addr 0xe0000000, bus 0-255
>> > acpihpet0 at acpi0: 14318179 Hz
>> > acpiprt0 at acpi0: bus 0 (PCI0)
>> > acpiprt1 at acpi0: bus 5 (P0P1)
>> > acpiprt2 at acpi0: bus 1 (P0P4)
>> > acpiprt3 at acpi0: bus 2 (P0P5)
>> > acpiprt4 at acpi0: bus 3 (P0P6)
>> > acpiprt5 at acpi0: bus 4 (P0P7)
>> > acpiprt6 at acpi0: bus -1 (P0P8)
>> > acpiprt7 at acpi0: bus -1 (P0P9)
>> > acpicpu0 at acpi0: PSS
>> > acpicpu1 at acpi0: PSS
>> > acpicpu2 at acpi0: PSS
>> > acpicpu3 at acpi0: PSS
>> > acpibtn0 at acpi0: SLPB
>> > acpibtn1 at acpi0: PWRB
>> > cpu0: Enhanced SpeedStep 1499 MHz: speeds: 1500, 1000 MHz
>> > pci0 at mainbus0 bus 0
>> > mem address conflict 0xfc00/0x400
>> > pchb0 at pci0 dev 0 function 0 "Intel Pineview DMI" rev 0x02
>> > vga1 at pci0 dev 2 function 0 "Intel Pineview Video" rev 0x02
>> > wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
>> > wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
>> > intagp0 at vga1
>> > agp0 at intagp0: aperture at 0xd0000000, size 0x10000000
>> > inteldrm0 at vga1: apic 4 int 16
>> > drm0 at inteldrm0
>> > "Intel Pineview Video" rev 0x02 at pci0 dev 2 function 1 not configured
>> > azalia0 at pci0 dev 27 function 0 "Intel 82801GB HD Audio" rev 0x02: msi
>> > azalia0: codecs: VIA/0x4397
>> > audio0 at azalia0
>> > ppb0 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x02: msi
>> > pci1 at ppb0 bus 1
>> > ppb1 at pci0 dev 28 function 1 "Intel 82801GB PCIE" rev 0x02: msi
>> > pci2 at ppb1 bus 2
>> > re0 at pci2 dev 0 function 0 "Realtek 8168" rev 0x06: RTL8168E/8111E (0x2c00), apic 4 int 17, address 00:30:18:a0:fd:eb
>> > rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 4
>> > ppb2 at pci0 dev 28 function 2 "Intel 82801GB PCIE" rev 0x02: msi
>> > pci3 at ppb2 bus 3
>> > re1 at pci3 dev 0 function 0 "Realtek 8168" rev 0x06: RTL8168E/8111E (0x2c00), apic 4 int 18, address 00:30:18:a0:fd:ec
>> > rgephy1 at re1 phy 7: RTL8169S/8110S PHY, rev. 4
>> > ppb3 at pci0 dev 28 function 3 "Intel 82801GB PCIE" rev 0x02: msi
>> > pci4 at ppb3 bus 4
>> > jmb0 at pci4 dev 0 function 0 "JMicron JMB363 IDE/SATA" rev 0x10
>> > ahci0 at jmb0: apic 4 int 19, AHCI 1.1
>> > scsibus0 at ahci0: 32 targets
>> > pciide0 at jmb0: DMA, channel 0 wired to native-PCI, channel 1 wired to native-PCI
>> > pciide0: using apic 4 int 19 for native-PCI interrupt
>> > pciide0: channel 0 disabled (no drives)
>> > pciide0: channel 1 disabled (no drives)
>> > uhci0 at pci0 dev 29 function 0 "Intel 82801GB USB" rev 0x02: apic 4 int 23
>> > uhci1 at pci0 dev 29 function 1 "Intel 82801GB USB" rev 0x02: apic 4 int 19
>> > uhci2 at pci0 dev 29 function 2 "Intel 82801GB USB" rev 0x02: apic 4 int 18
>> > uhci3 at pci0 dev 29 function 3 "Intel 82801GB USB" rev 0x02: apic 4 int 16
>> > ehci0 at pci0 dev 29 function 7 "Intel 82801GB USB" rev 0x02: apic 4 int 23
>> > usb0 at ehci0: USB revision 2.0
>> > uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
>> > ppb4 at pci0 dev 30 function 0 "Intel 82801BAM Hub-to-PCI" rev 0xe2
>> > pci5 at ppb4 bus 5
>> > em0 at pci5 dev 4 function 0 "Intel PRO/1000MT (82541GI)" rev 0x05: apic 4 int 18, address 00:30:18:a0:f5:a1
>> > em1 at pci5 dev 6 function 0 "Intel PRO/1000MT (82541GI)" rev 0x05: apic 4 int 19, address 00:30:18:a0:f5:a2
>> > em2 at pci5 dev 7 function 0 "Intel PRO/1000MT (82541GI)" rev 0x05: apic 4 int 16, address 00:30:18:a0:f5:a3
>> > pcib0 at pci0 dev 31 function 0 "Intel Tigerpoint LPC" rev 0x02
>> > pciide1 at pci0 dev 31 function 2 "Intel 82801GB SATA" rev 0x02: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
>> > pciide1: using apic 4 int 19 for native-PCI interrupt
>> > wd0 at pciide1 channel 0 drive 0: <INTEL SSDSA2CT040G3>
>> > wd0: 16-sector PIO, LBA48, 38166MB, 78165360 sectors
>> > wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 6
>> > ichiic0 at pci0 dev 31 function 3 "Intel 82801GB SMBus" rev 0x02: apic 4 int 19
>> > iic0 at ichiic0
>> > spdmem0 at iic0 addr 0x50: 2GB DDR3 SDRAM PC3-10600 SO-DIMM
>> > usb1 at uhci0: USB revision 1.0
>> > uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
>> > usb2 at uhci1: USB revision 1.0
>> > uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
>> > usb3 at uhci2: USB revision 1.0
>> > uhub3 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
>> > usb4 at uhci3: USB revision 1.0
>> > uhub4 at usb4 "Intel UHCI root hub" rev 1.00/1.00 addr 1
>> > isa0 at pcib0
>> > isadma0 at isa0
>> > com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
>> > com0: probed fifo depth: 15 bytes
>> > com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
>> > com1: probed fifo depth: 15 bytes
>> > pckbc0 at isa0 port 0x60/5
>> > pckbd0 at pckbc0 (kbd slot)
>> > pckbc0: using irq 1 for kbd slot
>> > wskbd0 at pckbd0: console keyboard, using wsdisplay0
>> > pcppi0 at isa0 port 0x61
>> > spkr0 at pcppi0
>> > lpt0 at isa0 port 0x378/4 irq 7
>> > mtrr: Pentium Pro MTRR support
>> > vscsi0 at root
>> > scsibus1 at vscsi0: 256 targets
>> > softraid0 at root
>> > scsibus2 at softraid0: 256 targets
>> > root on wd0a (c0b9648c56b1a52b.a) swap on wd0b dump on wd0b
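
An added example, not part of the original thread: a small sh/awk check that reads `pfctl -si` text, reports state-table use against the `states` limit from the quoted `set limit` line, and lists the resource-related drop counters that are non-zero (the `memory` row counts packets pf dropped because an allocation failed). The function names and the choice of counters are assumptions of this example; the sample rows are copied from the output quoted above.

```shell
# Constructed sample: rows copied from the pfctl -si output quoted in the thread.
# On a live system, pipe `pfctl -si` into the functions instead.
sample_si() {
    cat <<'EOF'
State Table                          Total             Rate
  current entries                    24986
Counters
  memory                              4228            0.2/s
  congestion                             0            0.0/s
  state-mismatch                     20446            1.1/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
EOF
}

# pf_counter NAME: print the Total column of the row called NAME (read from stdin).
pf_counter() {
    awk -v name="$1" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        # Require whitespace right after the name, so a row is matched by its
        # full name only ("state-limit" never matches "state-mismatch").
        index(line, name) == 1 && substr(line, length(name) + 1, 1) ~ /[ \t]/ {
            rest = substr(line, length(name) + 1)
            sub(/^[ \t]+/, "", rest)
            split(rest, f, /[ \t]+/)
            print f[1]
            exit
        }'
}

# state_pct LIMIT: current state entries as a whole percentage of LIMIT.
state_pct() {
    cur=$(pf_counter "current entries")
    echo $(( $cur * 100 / $1 ))
}

# drop_reasons: list the resource-related drop counters that are non-zero.
drop_reasons() {
    input=$(cat)
    out=""
    for c in memory congestion state-limit src-limit; do
        v=$(printf '%s\n' "$input" | pf_counter "$c")
        if [ "${v:-0}" -gt 0 ]; then out="$out $c=$v"; fi
    done
    echo "${out# }"
}

sample_si | state_pct 196608   # 196608 is the states limit from the quoted pf.conf line
sample_si | drop_reasons
```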
