Okay, thanks for the quick responses.
Here is some more info then.

ipf defaults to allow; I am not using any rules at
all on it. ipnat rules (I know it's messy, but it's a duplicate of
the client's last rules before the install) are here:

---------------

map fxp0 172.28.1.249/32 -> 0/32 proxy port ftp ftp/tcp
map fxp0 172.28.1.249/32 -> 0/32
map fxp0 172.28.1.246/32 -> 0/32 proxy port ftp ftp/tcp
map fxp0 172.28.1.246/32 -> 0/32 

map fxp0 from 172.28.0.0/16 to 0/0 port = 3389 -> 0/32
map fxp0 from 172.28.0.0/16 to 0/0 port = 3390 -> 0/32
map fxp0 from 172.28.0.0/16 to 0/0 port = 3391 -> 0/32 


rdr fxp0 external_ip/32 port 80 -> 172.28.1.10 port 80 tcp
rdr fxp0 external_ip/32 port 12000 -> 172.28.1.63 port 12000 tcp 
rdr fxp0 external_ip/32 port 81 -> 172.28.1.64 port 80 tcp 
rdr fxp0 external_ip/32 port 25 -> 172.28.1.99 port 25 tcp 
rdr fxp0 external_ip/32 port 1433 -> 172.28.1.94 port 1433 tcp 
rdr fxp0 external_ip/32 port 3000 -> 172.28.1.5 port 3000 tcp
rdr fxp0 external_ip/32 port 3001 -> 172.28.1.5 port 3001 tcp
rdr fxp0 external_ip/32 port 3002 -> 172.28.1.5 port 3002 tcp 

map fxp0 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp
map fxp0 192.168.0.0/24 -> 0/32
map fxp0 172.28.1.201/32 -> 0/32 proxy port ftp ftp/tcp
map fxp0 172.28.1.201/32 -> 0/32
map fxp0 172.28.1.111/32 -> 0/32 proxy port ftp ftp/tcp
map fxp0 172.28.1.111/32 -> 0/32
map fxp0 172.28.1.5/32 -> 0/32 proxy port ftp ftp/tcp
map fxp0 172.28.1.5/32 -> 0/32
map fxp0 172.28.1.64/32 -> 0/32 proxy port ftp ftp/tcp
map fxp0 172.28.1.64/32 -> 0/32
map fxp0 172.28.1.206/32 -> 0/32 proxy port ftp ftp/tcp
map fxp0 172.28.1.206/32 -> 0/32
map fxp0 172.28.1.213/32 -> 0/32 proxy port ftp ftp/tcp
map fxp0 172.28.1.213/32 -> 0/32
map fxp0 172.28.1.63/32 -> 0/32 proxy port ftp ftp/tcp
map fxp0 172.28.1.63/32 -> 0/32
map fxp0 172.28.1.2/32 -> 0/32 proxy port ftp ftp/tcp
map fxp0 172.28.1.2/32 -> 0/32
map fxp0 172.28.1.211/32 -> 0/32 proxy port ftp ftp/tcp
map fxp0 172.28.1.211/32 -> 0/32
map fxp0 172.28.1.205/32 -> 0/32 proxy port ftp ftp/tcp
map fxp0 172.28.1.205/32 -> 0/32 

map fxp0 from 172.28.0.0/16 to somenetwork/26 -> 0/32
map fxp0 from 172.28.0.0/16 to somenetwork/26 -> 0/32 
map fxp0 from 172.28.0.0/16 to somenetwork/29 -> 0/32 
map fxp0 from 172.28.0.0/16 to somehost/32 -> 0/32 
map fxp0 from 172.28.0.0/16 to 0/0 port = 600 -> 0/32 
map fxp0 from 172.28.0.0/16 to 0/0 port = 443 -> 0/32 
map fxp0 from 172.28.0.0/16 to 0/0 port = 10000 -> 0/32 
map fxp0 from 172.28.0.0/16 to 0/0 port = 12000 -> 0/32 
map fxp0 from 172.28.0.0/16 to 0/0 port = 56289 -> 0/32 
map fxp0 from 172.28.0.0/16 to 0/0 port = 56403 -> 0/32 
map fxp0 from 172.28.0.0/16 to 0/0 port = 53 -> 0/32 
map fxp0 from 172.28.0.0/16 to 0/0 port = 1534 -> 0/32


-------------

Yeah, there are a few sysctl-tuned variables.
Here are the net-related ones:

kern.ipc.maxsockbuf=2097152 
(I also tried kern.ipc.maxsockbuf=262144; mbuf problems...)
kern.ipc.somaxconn=8192 
kern.ipc.maxsockets=16424 
net.inet.tcp.rfc1323=1
net.inet.tcp.delayed_ack=0 
net.inet.tcp.sendspace=65535
net.inet.tcp.recvspace=65535
net.inet.udp.recvspace=65535
net.inet.udp.maxdgram=57344
net.local.stream.recvspace=65535
net.local.stream.sendspace=65535
(I have also tried reducing these to very low values)

net.inet.ip.stealth=1 
net.inet.udp.blackhole=1 
net.inet.tcp.blackhole=2 
net.inet.ip.forwarding=1 

#Ipf vars
net.inet.ipf.fr_flags=0 
net.inet.ipf.fr_pass=514 
net.inet.ipf.fr_tcpidletimeout=864000 
net.inet.ipf.fr_tcpclosewait=60 
net.inet.ipf.fr_tcplastack=20 
net.inet.ipf.fr_tcptimeout=120 
net.inet.ipf.fr_tcpclosed=1 
net.inet.ipf.fr_udptimeout=120 
net.inet.ipf.fr_icmptimeout=120 
net.inet.ipf.fr_ipfrttl=120 
net.inet.ipf.ipl_unreach=13 
net.inet.ipf.fr_defaultauthage=500 
net.inet.ipf.fr_defnatage=100

(I made the NAT age very short...)


The external interface goes to a Cisco 1600 over a
10BaseT crossover cable.

Internal is 100BaseTX full duplex.


Anything else that might help?


TIA
Dave

----- Original Message ----- 
From: "rmkml" <[EMAIL PROTECTED]>
To: "Dave Raven" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, March 31, 2003 12:46 PM
Subject: Re: Ipnat +freebsd mbuf clusters


: Hi Dave,
: 
: How much memory do you have?
: 
: Do you have kernel tuning?
: sysctl tuning?
: ipfilter tuning?
: 
: Check memory:
: start ten "md5 /kernel" and do you get the same response?
: 
: # ipf -v ?
: 
: How much ipfilter state do you have?
: How much ipfilter NAT do you have?
: Do you flush ipfilter state? (ipf -F <i|o|a|s|S>)
: 
: Send your ipf.conf?
: Send your ipnat.conf?
: 
: Do you have two FastEthernet interfaces?
: or others? (*DSL?)
: 
: Regards.
: 
: 
: 


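Added example (not part of this thread, and not IPFilter's own tooling): a small Python auditor for a rule set in the shape of the ipnat.conf quoted above. Because ipf is passing everything, the rdr rules are the complete list of what the outside can reach on the internal hosts, so the script inventories them, flags rules that appear twice verbatim (the somenetwork/26 pair above is one such case), and lists the internal sources covered by the ftp proxy. The sample input is constructed from a few of the quoted lines; the external_ip and somenetwork placeholders are kept exactly as they appear in the post, and the three regular expressions cover only the three rule shapes that occur there.

```python
import re
from collections import Counter

# Constructed sample input: a handful of lines in the shape of the rule set quoted in the
# thread (the external_ip / somenetwork placeholders are kept exactly as they appear there).
SAMPLE_IPNAT = """\
map fxp0 172.28.1.249/32 -> 0/32 proxy port ftp ftp/tcp
map fxp0 172.28.1.249/32 -> 0/32
map fxp0 from 172.28.0.0/16 to 0/0 port = 3389 -> 0/32
rdr fxp0 external_ip/32 port 80 -> 172.28.1.10 port 80 tcp
rdr fxp0 external_ip/32 port 25 -> 172.28.1.99 port 25 tcp
rdr fxp0 external_ip/32 port 1433 -> 172.28.1.94 port 1433 tcp
map fxp0 from 172.28.0.0/16 to somenetwork/26 -> 0/32
map fxp0 from 172.28.0.0/16 to somenetwork/26 -> 0/32
map fxp0 from 172.28.0.0/16 to 0/0 port = 53 -> 0/32
"""

# The three rule shapes that occur in the quoted ipnat.conf. Anything else is rejected
# loudly rather than skipped, so a typo cannot hide a rule from the audit.
RDR_RE = re.compile(
    r"^rdr\s+(\S+)\s+(\S+)\s+port\s+(\d+)\s+->\s+(\S+)\s+port\s+(\d+)(?:\s+(\S+))?$")
MAP_FROM_RE = re.compile(
    r"^map\s+(\S+)\s+from\s+(\S+)\s+to\s+(\S+)(?:\s+port\s*=\s*(\d+))?\s+->\s+(\S+)$")
MAP_PLAIN_RE = re.compile(
    r"^map\s+(\S+)\s+(\S+)\s+->\s+(\S+)(?:\s+proxy\s+port\s+(\S+)\s+(\S+))?$")


def normalize(raw):
    """Drop comments and collapse whitespace so textually equal rules compare equal."""
    return " ".join(raw.split("#", 1)[0].split())


def parse_rules(text):
    """Parse ipnat map/rdr lines into dicts; raise on any line we do not understand."""
    rules = []
    for raw in text.splitlines():
        line = normalize(raw)
        if not line:
            continue
        m = RDR_RE.match(line)
        if m:
            iface, ext, eport, host, iport, proto = m.groups()
            # Assumption: treat an omitted protocol as tcp (ipnat's documented default).
            rules.append({"kind": "rdr", "iface": iface, "ext": ext,
                          "ext_port": int(eport), "host": host, "int_port": int(iport),
                          "proto": proto or "tcp", "text": line})
            continue
        m = MAP_FROM_RE.match(line)
        if m:
            iface, src, dst, port, to = m.groups()
            rules.append({"kind": "map", "iface": iface, "src": src, "dst": dst,
                          "port": int(port) if port else None, "to": to,
                          "proxy": None, "text": line})
            continue
        m = MAP_PLAIN_RE.match(line)
        if m:
            iface, src, to, pname, pproto = m.groups()
            rules.append({"kind": "map", "iface": iface, "src": src, "dst": "0/0",
                          "port": None, "to": to,
                          "proxy": f"{pname} {pproto}" if pname else None, "text": line})
            continue
        raise ValueError(f"unrecognised ipnat rule: {line!r}")
    return rules


def find_duplicates(rules):
    """Rules that appear more than once verbatim (after whitespace normalisation)."""
    counts = Counter(r["text"] for r in rules)
    return sorted(t for t, n in counts.items() if n > 1)


def inbound_exposure(rules):
    """What the rdr rules publish on the external interface, as (port, proto, host:port)."""
    return sorted((r["ext_port"], r["proto"], f'{r["host"]}:{r["int_port"]}')
                  for r in rules if r["kind"] == "rdr")


def ftp_proxy_sources(rules):
    """Internal sources whose outbound FTP is rewritten by the ftp proxy."""
    return sorted(r["src"] for r in rules if r["kind"] == "map" and r["proxy"])


def audit(text):
    """Run all checks over one ipnat.conf body and return a report dict."""
    rules = parse_rules(text)
    return {
        "rule_count": len(rules),
        "duplicates": find_duplicates(rules),
        "exposure": inbound_exposure(rules),
        "ftp_proxy_sources": ftp_proxy_sources(rules),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_IPNAT).items():
        print(f"{key}: {value}")
```

Run it against the real file with `audit(open("/etc/ipnat.conf").read())`; the exposure list is the thing to compare against what the client believes is published, and with no ipf rules in front of it, every entry in that list is reachable from the Internet exactly as written.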