I've got various 2.9 (IPF), 3.0 and 3.1 (PF) boxes fulfilling a variety of roles including corporate firewalls. The consensus from the people I support is that the OpenBSD boxes just sit there and do their job (the largest amount of memory in them is 512Meg for a busy squid proxy box). I haven't made any changes to the NMBCLUSTERS in any of them. However, whether the loads they're under are equal to what you're expecting I can't really know.
Honestly I think that Darren's advice is correct. If you're not comfortable with the way the system works, look at using another system. You may have to spend a little more time making sure unused services are turned off, but that's a small price to pay for a level of comfort when you have to support it.

Brian

-----Original Message-----
From: Steve Shorter [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 11, 2002 11:17 AM
To: [EMAIL PROTECTED]
Subject: Re: NMBCLUSTERS in OpenBSD 3.1

On Tue, Jun 11, 2002 at 08:14:24PM +1000, Darren Reed wrote:
> In some email I received from Paul B. Henson, sie wrote:
> >
> > from research on this mailing list and others, it seems it is very common
> > to have to increase the default value of NMBCLUSTERS under a heavy load.
> > most often, it seems to have been increased to 8192 or 16384.
> > [snip]
> > In any case, I was wondering if anyone has placed an OpenBSD 3.1 firewall
> > under heavy load yet. I have done some limited testing, but my test
> > environment is not sufficient to completely emulate the production load. I
> > really don't want to put a firewall into production that runs out of a
> > critical network resource which I am then unable to increase. I have 2 GB
> > of RAM in this machine -- I would much rather have unused buffers than ever
> > run out.
>
> The best advice here is to just use another OS, if you feel that
> uncomfortable with OpenBSD.

Yep. If we're talking about a dedicated router/firewall then I can only conclude that OpenBSD is broken for serious production use. 2G of RAM for a dedicated router/firewall is ridiculous. Or exactly what is meant by loaded?

Here is some info from my situation. This machine is an 800MHz PIII with 128M of RAM.
# uname -a
FreeBSD fw1 4.5-RELEASE-p2 FreeBSD 4.5-RELEASE-p2 #0: Thu Apr 11 19:09:46 EDT 2002 root@jak:/usr/src/sys/compile/FW i386

# netstat -I fxp0 -w 8
            input         (fxp0)           output
   packets  errs      bytes    packets  errs      bytes colls
     32842     0    4645036      39004     0   36242747     0

# netstat -m
357/576/8192 mbufs in use (current/peak/max):
        353 mbufs allocated to data
        4 mbufs allocated to packet headers
350/486/2048 mbuf clusters in use (current/peak/max)
1116 Kbytes allocated to network (18% of mb_map in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines

# top
9 processes: 1 running, 8 sleeping
Mem: 4420K Active, 7000K Inact, 30M Wired, 16K Cache, 14M Buf, 82M Free

# w
10:59AM up 60 days, 4:27, 1 user, load averages: 0.02, 0.01, 0.00
USER     TTY      FROM     LOGIN@   IDLE  WHAT
root     console  -        10:59AM  -     w

# ipfstat -s
IP states added:
        1152710702 TCP
        41774990 UDP
        501817 ICMP
        1892304881 hits
        1724044636 misses
        0 maximum
        0 no memory
        32721 bkts in use
        33903 active
        42276717 expired
        1152676889 closed

# ipnat -s
mapped  in      2267613053      out     3431175530
added   1043369903      expired 1043298210
no memory       0       bad nat 0
inuse   37542
rules   15
wilds   0
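
Added example, not part of the original thread: a Python check that parses `netstat -m` text in the FreeBSD 4.x layout shown above and reports when the mbuf or mbuf cluster pools are close to their compiled-in maximum or when allocation failures have been counted. The function names and the 75% warning threshold are assumptions chosen for illustration, and the sample input is constructed from the figures posted above.

```python
import re

# Constructed sample: the `netstat -m` figures posted in the thread above.
SAMPLE = """\
357/576/8192 mbufs in use (current/peak/max):
        353 mbufs allocated to data
        4 mbufs allocated to packet headers
350/486/2048 mbuf clusters in use (current/peak/max)
1116 Kbytes allocated to network (18% of mb_map in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines
"""

POOL = re.compile(r"^\s*(\d+)/(\d+)/(\d+) (mbufs|mbuf clusters) in use", re.M)
COUNTER = re.compile(
    r"^\s*(\d+) (requests for memory denied|requests for memory delayed|"
    r"calls to protocol drain routines)", re.M)

def parse_netstat_m(text):
    """Return the pool usage triples and failure counters found in text."""
    pools = {
        name: {"current": int(cur), "peak": int(peak), "max": int(mx)}
        for cur, peak, mx, name in POOL.findall(text)
    }
    counters = {name: int(n) for n, name in COUNTER.findall(text)}
    return {"pools": pools, "counters": counters}

def assess(text, warn_ratio=0.75):  # warn_ratio is an assumed threshold
    """List human-readable findings; an empty list means ample headroom."""
    stats = parse_netstat_m(text)
    findings = []
    for name, p in stats["pools"].items():
        # Peak, not current, shows how close the box has come to the limit.
        if p["max"] and p["peak"] / p["max"] >= warn_ratio:
            findings.append(f"{name}: peak {p['peak']} of max {p['max']}")
    for name, count in stats["counters"].items():
        # Any nonzero counter means the pool has already run short.
        if count:
            findings.append(f"{count} {name}")
    return findings

if __name__ == "__main__":
    for line in assess(SAMPLE) or ["mbuf pools have headroom"]:
        print(line)
```
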
