systat tells me

One box:
89450 IPKTS
19438 OPKTS

The other:
68814 IPKTS
87939 OPKTS

As the boxes are doing L2VPN, the NICs for the VLANs that are being
stretched are in promiscuous mode - thus all traffic on the networks is
hitting this box. I have a default block saying block drop.
I guess this causes the box to care as little as possible about packets it
really shouldn't care about.

On Wed, Feb 15, 2023 at 5:52 PM Stuart Henderson <[email protected]>
wrote:
> On 2023-02-15, Lars Bonnesen <[email protected]> wrote:
> > lbo@PLOSLOL2VPN:/etc$ pfctl -s info
> > Status: Enabled for 0 days 00:06:49 Debug: err
> >
> > State Table Total Rate
> > current entries 149331
> > half-open tcp 5333
> > searches 4462647255 10911118.0/s
> > inserts 78143904 191060.9/s
> > removals 77994573 190695.8/s
> > Counters
> > match 250452866 612354.2/s
> > bad-offset 0 0.0/s
> > fragment 1 0.0/s
> > short 0 0.0/s
> > normalize 1 0.0/s
> > memory 5247954 12831.2/s
> > bad-timestamp 0 0.0/s
> > congestion 1469 3.6/s
> > ip-option 3 0.0/s
> > proto-cksum 3012 7.4/s
> > state-mismatch 145502864 355752.7/s
> > state-insert 305 0.7/s
> > state-limit 0 0.0/s
> > src-limit 0 0.0/s
> > synproxy 0 0.0/s
> > translate 0 0.0/s
> > no-route 0 0.0/s
>
> oof, how many packets/sec is the machine doing? ("systat ifs", IPKT/OPKT
> columns)
>
> mismatches are still really high.
>
> does this machine see packets in both directions of the traffic
> that it's passing? no active/active setup where the traffic is getting
> split, or asymmetric routing where it only sees traffic in one
> direction?