One says:

# pfctl -s info
Status: Enabled for 0 days 10:56:43              Debug: err

State Table                          Total             Rate
  current entries                    91680
  half-open tcp                       4032
  searches                      3132304294        79494.1/s
  inserts                         60916552         1546.0/s
  removals                        60824872         1543.7/s
Counters
  match                           79164265         2009.1/s
  bad-offset                             0            0.0/s
  fragment                               1            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                           1768012           44.9/s
  bad-timestamp                          0            0.0/s
  congestion                          1201            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                          387            0.0/s
  state-mismatch                  82794949         2101.2/s
  state-insert                         230            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  translate                              0            0.0/s
  no-route                               0            0.0/s

The other says:

# pfctl -s info
Status: Enabled for 0 days 10:39:38              Debug: err

State Table                          Total             Rate
  current entries                    93847
  half-open tcp                       8441
  searches                      3900545422       101634.9/s
  inserts                         69463584         1810.0/s
  removals                        69369737         1807.5/s
Counters
  match                          752203697        19599.9/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              2            0.0/s
  memory                            212454            5.5/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                  33380332          869.8/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  translate                              0            0.0/s
  no-route                               0            0.0/s

What does that tell us?

Regards, Lars.

On Wed, Feb 15, 2023 at 9:16 AM Otto Moerbeek <o...@drijf.net> wrote:

> On Tue, Feb 14, 2023 at 11:04:57PM +0100, Lars Bonnesen wrote:
>
> > What can be done to optimize obsd 7.2 running on top of ESXi 7 with
> >
> > 7 vmx "phys" ifs
> > 3 em "phys" ifs
> > 22 virtual ifs
> >
> > Very simple pf ruleset - the box is only running a VPN solution between two
> > sites up against a similarly configured obsd 7.2
> >
> > I came across https://calomel.org/network_performance.html which has a
> > section concerning obsd 5.1 "and later" - is this also valid for 7.2? I did
> > implement the suggestions adapted to the setup, but I can't really see any
> > noticeable difference.
>
> This site is generally regarded as garbage. Do not use it.
>
> > I configured the box with 8 vCPUs and 8 gig RAM and after running for some
> > time getting more and more load, I started to face massive package loss
> > both for packages between the two sites but also from the obsd and to the
> > rest of the world. CPU was far from reaching any critical level and loads
> > of memory left
> >
> > I downscaled from 8 to 4 vCPUs and from 8 to 4 gig RAM - and the two obsd
> > now seem to hold the packages decently. But for instance when pinging
> > 1.1.1.1, I sometimes get:
> >
> > # ping 1.1.1.1
> > PING 1.1.1.1 (1.1.1.1): 56 data bytes
> > ping: sendmsg: Permission denied
> > ping: wrote 1.1.1.1 64 chars, ret=-1
> > ping: sendmsg: Permission denied
> > ping: wrote 1.1.1.1 64 chars, ret=-1
> > ping: sendmsg: Permission denied
> > ping: wrote 1.1.1.1 64 chars, ret=-1
> > 64 bytes from 1.1.1.1: icmp_seq=3 ttl=61 time=0.826 ms
> > 64 bytes from 1.1.1.1: icmp_seq=4 ttl=61 time=0.797 ms
> > 64 bytes from 1.1.1.1: icmp_seq=5 ttl=61 time=0.799 ms
> >
> > Some permissions denied and then it continues to ping
> >
> > Sometimes when trying to ping a FQDN, I get:
> > ping: no address associated with name
> > as it cannot resolve the name
> >
> > The name is of course registered correctly in DNS.
> >
> > We are planning to put even more load on the setup, but I am not sure that
> > it is a good idea
>
> Hard to say, but this could very well be pf running out of states.
> pfctl -s info and look at state-limit and/or src-limit. If you are
> natting, also look at translate.
>
> -Otto
>
> > The ESX server has hyperthreading enabled. There are many discussions about
> > this, and what I can summarize is that apart from a security perspective,
> > hyperthreading should be left enabled
> >
> > How to get better performance?
> >
> > Regards, Lars.
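As an added example (not from this thread or from OpenBSD), a small POSIX sh/awk filter that reduces `pfctl -s info` output to its non-zero drop-reason counters and tags the ones Otto points at (state-limit, src-limit, translate) together with memory and state-insert, which likewise mean pf could not create a state. The function and variable names are my own, and the embedded sample is an abridged copy of the first box's counters above.

```shell
#!/bin/sh
# Added example, not from the thread. Filters `pfctl -s info` output down to
# the drop-reason counters, i.e. every row under "Counters" except "match",
# and tags the ones that mean pf could not create or translate a state.
# Usage on a live box:  pfctl -s info | pf_drop_counters

# Counters that indicate a resource/limit problem rather than a policy drop
# (names as printed by pfctl; state-limit/src-limit/translate are the ones
# Otto suggests checking).
LIMIT_COUNTERS="memory state-limit src-limit state-insert translate"

# pf_drop_counters: read pfctl -s info on stdin; print one line per non-zero
# drop counter as "<LIMIT|drop> <name> <total> <rate>"; exit 1 if any limit
# counter was non-zero, else 0.
pf_drop_counters() {
    awk -v want="$LIMIT_COUNTERS" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) lim[w[i]] = 1 }
        /^Counters/ { in_counters = 1; next }
        in_counters && NF >= 3 && $1 != "match" && $2 + 0 > 0 {
            tag = ($1 in lim) ? "LIMIT" : "drop"
            if ($1 in lim) hit = 1
            printf "%s %s %s %s\n", tag, $1, $2, $3
        }
        END { if (hit) exit 1; exit 0 }
    '
}

# Constructed sample: abridged from the first box in the thread above.
SAMPLE_INFO='Status: Enabled for 0 days 10:56:43              Debug: err

State Table                          Total             Rate
  current entries                    91680
  searches                      3132304294        79494.1/s
Counters
  match                           79164265         2009.1/s
  bad-offset                             0            0.0/s
  fragment                               1            0.0/s
  memory                           1768012           44.9/s
  congestion                          1201            0.0/s
  proto-cksum                          387            0.0/s
  state-mismatch                  82794949         2101.2/s
  state-insert                         230            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  translate                              0            0.0/s'

printf '%s\n' "$SAMPLE_INFO" | pf_drop_counters \
    || echo "pf hit a memory/state limit: packets were dropped"
```

Run it against both boxes and compare the LIMIT rows over time; a memory counter that keeps climbing while state-limit stays at zero points at allocation failures rather than the configured state limit.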