On Tue, Feb 14, 2023 at 11:04:57PM +0100, Lars Bonnesen wrote:
> What can be done to optimize obsd 7.2 running on top of ESXi 7 with
>
> 7 vmx "phys" ifs
> 3 em "phys" ifs
> 22 virtual ifs
>
> Very simple pf ruleset - the box is only running VPN solution between two
> sites up against a similar configured obsd 7.2
>
> I came across https://calomel.org/network_performance.html which has a
> section concerning obsd 5.1 "and later" - is this also valid for 7.2? I did
> implement the suggestions adapted to the setup, but I can't really see any
> noticeable difference.

This site is generally regarded as garbage. Do not use it.

> I configured the box with 8 vCPUs and 8 gig RAM and after running for some
> time getting more and more load, I started to face massive package loss
> both for packages between the two sites but also from the obsd and to the
> rest of the world. CPU was far from reaching any critical level and loads
> of memory left
>
> I downscaled from 8 to 4 vCPUs and from 8 to 4 gig RAM - and the two obsd
> now seem to hold the packages decently. But for instance when pinging
> 1.1.1.1, I sometimes get:
>
> # ping 1.1.1.1
> PING 1.1.1.1 (1.1.1.1): 56 data bytes
> ping: sendmsg: Permission denied
> ping: wrote 1.1.1.1 64 chars, ret=-1
> ping: sendmsg: Permission denied
> ping: wrote 1.1.1.1 64 chars, ret=-1
> ping: sendmsg: Permission denied
> ping: wrote 1.1.1.1 64 chars, ret=-1
> 64 bytes from 1.1.1.1: icmp_seq=3 ttl=61 time=0.826 ms
> 64 bytes from 1.1.1.1: icmp_seq=4 ttl=61 time=0.797 ms
> 64 bytes from 1.1.1.1: icmp_seq=5 ttl=61 time=0.799 ms
>
> Some permissions denied and then it continues to ping
>
> Sometimes when trying to ping a FQDN, I get:
> ping: no address associated with name
> as it cannot resolve the name
>
> The name is of course registered correctly in DNS.
>
> We are planning to put even more load on the setup, but I am not sure that
> it is a good idea

Hard to say, but this could very well be pf running out of states.
pfctl -s info and look at state-limit and/or src-limit. If you are
natting, also look at translate.

	-Otto

> The ESX server has hyperthreading enabled. There are many discussions about
> this, and what I can summarize is that apart from a security perspective,
> hyperthreading should be left enabled
>
> How to get better performance?
>
> Regards, Lars.
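As an added illustration of the check Otto suggests (not part of the original thread), the script below pulls the state-limit, src-limit and translate counters out of `pfctl -s info` text and relates the current state count to the hard limit reported by `pfctl -s memory`. The `SAMPLE_INFO` block is constructed sample output, not data from Lars's firewall; the column layout follows OpenBSD 7.x pfctl and the 100000 default for the states hard limit is assumed.

```shell
#!/bin/sh
# Constructed sample of `pfctl -s info` output (not real data). The
# state-limit counter here is non-zero while current entries sit just under
# the default 100000 states hard limit, i.e. the exhaustion case Otto describes.
SAMPLE_INFO='Status: Enabled for 3 days 02:11:40              Debug: err

State Table                          Total             Rate
  current entries                    99874
  searches                       982122319         3702.4/s
  inserts                         45120304          170.1/s
  removals                        45020430          169.7/s
Counters
  match                           45231811          170.5/s
  bad-offset                             0            0.0/s
  state-mismatch                      1284            0.0/s
  state-insert                           0            0.0/s
  state-limit                       111507            0.4/s
  src-limit                              0            0.0/s
  translate                              0            0.0/s
  no-route                               3            0.0/s'

# Read `pfctl -s info` text on stdin; print "name total" for each of the
# three drop counters Otto names whose Total column is non-zero.
pf_limit_hits() {
    awk '$1 == "state-limit" || $1 == "src-limit" || $1 == "translate" {
             if ($2 + 0 > 0) print $1, $2
         }'
}

# Read `pfctl -s info` text on stdin; print current state entries as an
# integer percentage of the hard limit passed as $1 (the number from the
# "states hard limit" line of `pfctl -s memory`).
pf_state_usage_pct() {
    awk -v limit="$1" '$1 == "current" && $2 == "entries" {
             printf "%d\n", ($3 * 100) / limit; exit
         }'
}

# Against a live box (assumed invocation, run as root):
#   pfctl -s info | pf_limit_hits
#   pfctl -s info | pf_state_usage_pct \
#       "$(pfctl -s memory | awk '/^states +hard limit/ {print $4}')"
printf '%s\n' "$SAMPLE_INFO" | pf_limit_hits
printf '%s\n' "$SAMPLE_INFO" | pf_state_usage_pct 100000
```

A growing state-limit total together with usage near 100% means pf is dropping new flows, which is what ping reports as `sendmsg: Permission denied` when the blocked packet is locally generated; raising `set limit states` in pf.conf or shortening state timeouts is the usual remedy.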