On Fri, May 19, 2017 at 9:46 AM, Ugo Bellavance <[email protected]> wrote:
> On 2017-05-19 08:24 AM, WebDawg wrote:
>
> Thanks for your quick answer.
>
>> I mean. Your net connection is dripping packets...is your gateway going
>> down?
>
> My external Nagios system saw nothing up to now (it always sees my gateway
> as up from the outside). But it only checks once every minute and the
> packet losses that I experience last about 15 seconds. 1/4 chance of
> seeing it when polling every minute.
>
>> Your ISP should do something...your WAN connection is going down...unless
>> you have a bad VM config.
>
> The firewall has been up for 187 days and we've been using this VM since
> 2012. However, there is more and more traffic going through the VM as time
> goes by. This problem happened about 6 times in the past year, but 3 of
> them were in the past 2 weeks.
>
>> pfSense does do SOMETHING when a gateway goes down...do you have failover
>> internet setup? When pfSense marks a connection as down and then back up,
>> some of the things you are describing, I think, are supposed to happen.
>
> Only one WAN.
>
>> You can adjust latency settings in the advanced settings of the gateway.
>> You can adjust loss settings too. Some ISP QoS configs I think are known
>> to drop ICMP in favor of higher priority things. In that case it is
>> usually better to do your own QoS.
>
> That is interesting. I'll look into that.
>
>> For some reason every T1 I have ever used had latent ICMP when loaded. I
>> tried so many different QoS configs but I could only get it so good.
>
> In our case it's an ethernet link provided on a gigabit GPON. 50 mbps. But
> I can see that the problem occurs when traffic is at 50 mbps (backup
> replication) so I lowered the maximum bandwidth for the replication to 43
> mbps.
>
> If the ISP's equipment ignores your QoS (and I think that's what they
> do), if they decide to drop some ICMP messages, what will your own QoS do?
>

There are specific types of QoS that are designed to stop the ISP's QoS from coming into play. CODELQ was part of that. https://www.bufferbloat.net/projects/bloat/wiki/What_can_I_do_about_Bufferbloat/

The general concept is to lower your max QoS speed to less than what the max of your connection is, but I always wondered how this would affect things down the line, let's say if an ISP sells you 50 mbits but then overprovisions their backhauls. There are also things that other ISPs have been caught doing in the past, like resetting torrent connections and such. I also would wonder about links that have no QoS and what the default is for things like that. But that can be tested with iperf and ping over a standard ethernet link, I would guess.

You should run iperf tests on your virtualized install while pinging and watch your CPU load externally via your hypervisor. I took a trip down the virtualized router path and I paid attention to 3 things: traffic shaping support with PV type drivers, performance out of HVM drivers, and CPU queues for virtual NICs when applicable. I think the max I could get out of the best VM choice with pfSense and an i3 processor was 100-300 mbits, and some configurations would provide so little mbits it was laughable.

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
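The "iperf while pinging" test suggested above, as an added shell example that is not part of the thread and not pfSense's own code. It saturates the link with iperf3 while pinging the gateway, then scores the ping log against loss and latency "down" thresholds the way a gateway monitor would, and shows why a 15-second outage looks very different to a monitor averaging over a window than to a once-a-minute external poll. Assumptions: iputils ping on Linux (`-w` deadline, `-O` to print lost probes), iperf3 on PATH, and 20 % loss / 500 ms latency as the "down" thresholds, which I believe are pfSense's gateway-monitor defaults; check them in the gateway's Advanced settings before relying on them. The iperf3 server name and gateway address in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense. Loads a WAN link
# with iperf3 while pinging the gateway, then scores the ping log the way a
# gateway monitor would. Assumes iputils ping on Linux (-w deadline, -O prints
# lost probes) and iperf3 on PATH; the 20 % / 500 ms thresholds are what I
# believe pfSense's gateway monitor uses by default (verify in the gateway's
# Advanced settings before relying on them).

# Score a ping log read from stdin against loss (percent) and latency (ms)
# "down" thresholds. The sent count is the highest icmp_seq seen, so probes
# lost at the very end of a run are not counted; use -O so that lost probes
# still appear as "no answer yet for icmp_seq=N" lines (iputils format).
ping_verdict() {
    loss_high="${1:-20}"
    lat_high="${2:-500}"
    awk -v loss_high="$loss_high" -v lat_high="$lat_high" '
        /icmp_seq=/ {
            seq = $0; sub(/.*icmp_seq=/, "", seq); sub(/ .*/, "", seq)
            if (seq + 0 > maxseq) maxseq = seq + 0
            if ($0 ~ /time=/) {            # a reply line, not a timeout line
                t = $0; sub(/.*time=/, "", t); sub(/ .*/, "", t)
                recv++; sum += t; if (t + 0 > maxrtt) maxrtt = t + 0
            }
        }
        END {
            if (maxseq == 0) { print "sent=0 recv=0 loss=0.0 avg=0.0 max=0.0 verdict=nodata"; exit }
            loss = (maxseq - recv) * 100 / maxseq
            avg = recv ? sum / recv : 0
            verdict = "ok"
            if (loss >= loss_high) verdict = "down(loss)"
            else if (avg >= lat_high) verdict = "down(latency)"
            printf "sent=%d recv=%d loss=%.1f avg=%.1f max=%.1f verdict=%s\n",
                   maxseq, recv, loss, avg, maxrtt, verdict
        }'
}

# Loss a monitor measures when an outage of $1 seconds falls entirely inside
# a $2-second averaging window (the probe rate cancels out). With a 60 s
# window the 15 s drops from the thread come out at 25 %, above a 20 %
# threshold, while a once-a-minute external poll catches them only ~1 in 4.
window_loss_pct() {
    awk -v o="$1" -v w="$2" 'BEGIN { printf "%.1f\n", o * 100 / w }'
}

# Saturate the link toward an iperf3 server for $3 seconds (default 60)
# while pinging the gateway twice a second; the ping log goes to stdout.
# Watch the firewall VM's CPU from the hypervisor side at the same time.
wan_load_test() {
    server="$1"; gw="$2"; secs="${3:-60}"
    log=$(mktemp)
    ping -O -i 0.5 -w "$secs" "$gw" > "$log" 2>&1 &
    pid=$!
    iperf3 -c "$server" -t "$secs" > /dev/null 2>&1 || true
    wait "$pid" || true      # ping exits non-zero when packets were lost
    cat "$log"; rm -f "$log"
}

# Example run (placeholders; substitute a real iperf3 server and gateway):
# wan_load_test iperf.example.net 192.0.2.1 60 | ping_verdict 20 500
```

Run the test from a host behind the firewall while traffic crosses the VM, not from the firewall itself, so the ping path includes the virtual NIC and the hypervisor scheduling that the thread is asking about; compare the verdict at 43 Mbps against one at 50 Mbps to see whether capping the shaper below line rate keeps the monitor out of its "down" band.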
