On 2017-05-19 10:09 AM, WebDawg wrote:
> On Fri, May 19, 2017 at 9:46 AM, Ugo Bellavance <[email protected]> wrote:
>> On 2017-05-19 08:24 AM, WebDawg wrote:
>> Thanks for your quick answer.
>>
>>> I mean. Your net connection is dripping packets...is your gateway going
>>> down?
>>
>> My external Nagios system saw nothing up to now (it always sees my gateway
>> as up from the outside). But it only checks once every minute and the
>> packet losses that I experience last about 15 seconds. 1/4 chance of
>> seeing it when polling every minute.
>>
>>> Your ISP should do something...your WAN connection is going down...unless
>>> you have a bad VM config.
>>
>> The firewall has been up for 187 days and we've been using this VM since
>> 2012. However, there is more and more traffic going through the VM as time
>> goes by. This problem happened about 6 times in the past year, but 3 of
>> them were in the past 2 weeks.
>>
>>> pfSense does do SOMETHING when a gateway goes down...do you have failover
>>> internet setup? When pfSense marks a connection as down and then back up,
>>> some of the things you are describing, I think, are supposed to happen.
>>
>> Only one WAN.
>>
>>> You can adjust latency settings in the advanced settings of the gateway.
>>> You can adjust loss settings too. Some ISP QoS configs I think are known
>>> to drop ICMP in favor of higher priority things. In that case it is
>>> usually better to do your own QoS.
>>
>> That is interesting. I'll look into that.
>>
>>> For some reason every T1 I have ever used had latent ICMP when loaded. I
>>> tried so many different QoS configs but I could only get it so good.
>>
>> In our case it's an ethernet link provided on a gigabit GPON. 50 mbps. But
>> I can see that the problem occurs when traffic is at 50 mbps (backup
>> replication) so I lowered the maximum bandwidth for the replication to 43
>> mbps.
>>
>> If the ISP's equipment ignores your QoS (and I think that's what they
>> do), if they decide to drop some ICMP messages, what will your own QoS do?
>
> There are specific types of QoS that are designed to stop the ISP's QoS
> from coming into play. CODELQ was part of that.
> https://www.bufferbloat.net/projects/bloat/wiki/What_can_I_do_about_Bufferbloat/
> The general concept is to lower your max QoS speed to less than what the
> max of your connection is for, but I always wondered how this would affect
> things down the line, let's say if an ISP sells you 50mbits but then
> over-provisions their backhauls.

That is approximately what I did. When we saturate the link, it is
outbound, to a remote location where we have replicas of our backups. I
have a limiter over there but it was either not working or not low
enough. I lowered it more to avoid maxing out the pipe.

> There are also things that other ISPs have been caught doing in the past
> like resetting torrent connections and such.
>
> I also would wonder about links that have no QoS and what the default is
> for things like that. But that can be tested with iperf and ping over a
> standard ethernet link I would guess.
>
> You should run iperf tests on your virtualized install while pinging and
> watch your CPU load externally via your hypervisor. I took a trip down the
> virtualized router path and I paid attention to 3 things. Traffic shaping
> support with PV type drivers, performance out of HVM drivers, and CPU
> queues for virtual NICs when applicable. I think the max I could get out
> of the best VM choice with pfSense and an i3 processor was 100-300 mbits and
> some configurations would provide so little mbits it was laughable.

The thing is that this outbound traffic is going through a VPN tunnel so
there is a CPU requirement for the encryption.

pfSense graphs show an average of all CPUs, but since we have only one
VPN tunnel, I think that it cannot saturate all 3 vCPUs.
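The thread turns on two points: a once-a-minute external check (Nagios) will usually miss a 15-second loss burst, and pfSense decides "gateway down" from trailing loss and latency thresholds that can be tuned. The following is an added example, not code from this thread or from pfSense (its monitor, dpinger, is not reproduced here); it parses ordinary per-reply `ping` output, treats missing sequence numbers as lost probes, and applies a sliding-window loss/latency verdict so a short burst of loss shows up as a down/up flap at one-second granularity. The gateway address 203.0.113.1, the sample reply lines, the window size and the thresholds are all constructed for the illustration.

```python
"""Sliding-window gateway health from raw ping output (constructed example)."""
import re
from collections import deque
from typing import Dict, List, Optional, Tuple

# Per-reply line as printed by iputils/FreeBSD ping; seq and RTT are captured.
PING_LINE = re.compile(r"icmp_seq=(\d+) .*?time=([\d.]+) ms")

# Constructed sample: seq 1-5 and 9-10 are healthy, seq 6-8 never come back
# (a short loss burst like the ~15 s events in the thread), seq 11-12 return
# but with very high RTT (a saturated, bufferbloated uplink).
SAMPLE_PING_OUTPUT = """\
64 bytes from 203.0.113.1: icmp_seq=1 ttl=64 time=12.1 ms
64 bytes from 203.0.113.1: icmp_seq=2 ttl=64 time=11.8 ms
64 bytes from 203.0.113.1: icmp_seq=3 ttl=64 time=12.4 ms
64 bytes from 203.0.113.1: icmp_seq=4 ttl=64 time=12.0 ms
64 bytes from 203.0.113.1: icmp_seq=5 ttl=64 time=11.9 ms
64 bytes from 203.0.113.1: icmp_seq=9 ttl=64 time=12.2 ms
64 bytes from 203.0.113.1: icmp_seq=10 ttl=64 time=12.3 ms
64 bytes from 203.0.113.1: icmp_seq=11 ttl=64 time=1200.0 ms
64 bytes from 203.0.113.1: icmp_seq=12 ttl=64 time=1300.0 ms
"""

Verdict = Tuple[int, float, Optional[float], str]  # (seq, loss %, mean RTT ms, state)


def parse_ping(text: str) -> Dict[int, float]:
    """Map icmp_seq -> RTT (ms) for every reply seen; absent seqs are losses."""
    replies: Dict[int, float] = {}
    for line in text.splitlines():
        m = PING_LINE.search(line)
        if m:
            replies[int(m.group(1))] = float(m.group(2))
    return replies


def evaluate(replies: Dict[int, float], first_seq: int, last_seq: int,
             window: int = 4, loss_pct_limit: float = 50.0,
             latency_ms_limit: float = 500.0) -> List[Verdict]:
    """Walk the sequence space once per probe and judge the trailing window.

    A probe with no reply counts as lost. The gateway is marked down when the
    trailing loss percentage reaches loss_pct_limit, or when the mean RTT of
    the replies in the window reaches latency_ms_limit. Thresholds are
    constructed defaults for this example, not pfSense's.
    """
    recent: deque = deque(maxlen=window)
    out: List[Verdict] = []
    for seq in range(first_seq, last_seq + 1):
        recent.append(replies.get(seq))            # None == lost probe
        lost = sum(1 for r in recent if r is None)
        loss_pct = 100.0 * lost / len(recent)
        got = [r for r in recent if r is not None]
        mean_rtt = sum(got) / len(got) if got else None
        if loss_pct >= loss_pct_limit:
            state = "down:loss"
        elif mean_rtt is not None and mean_rtt >= latency_ms_limit:
            state = "down:latency"
        else:
            state = "up"
        out.append((seq, round(loss_pct, 1),
                    None if mean_rtt is None else round(mean_rtt, 1), state))
    return out


def transitions(results: List[Verdict]) -> List[Tuple[int, str]]:
    """Return only the probes at which the verdict changed (the flap events)."""
    events: List[Tuple[int, str]] = []
    state = "up"
    for seq, _, _, new_state in results:
        if new_state != state:
            events.append((seq, new_state))
            state = new_state
    return events


def run_sample() -> List[Verdict]:
    """Evaluate the constructed capture over probes 1..12."""
    return evaluate(parse_ping(SAMPLE_PING_OUTPUT), first_seq=1, last_seq=12)


if __name__ == "__main__":
    for seq, loss, rtt, state in run_sample():
        print(f"seq={seq:>2} loss={loss:5.1f}% rtt={rtt} {state}")
    print("flaps:", transitions(run_sample()))
```

Feed it `ping -i 1 <gateway>` output captured during a backup replication run alongside `iperf`, as suggested in the thread, and the flap list shows whether loss, latency or neither crosses the thresholds while the link is saturated; raising the window or the limits is the equivalent of loosening the gateway's advanced loss/latency settings, and lowering them makes the monitor as twitchy as a 1-second probe can be.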
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold