Re: ipfw rules consuming CPU

2012-06-09 Thread Sami Halabi
Hi,
All rules together are less than 80 rules.

How does tablearg help this? Each IP & pipe (up & down) are unique...

Any other advice?

Sami

On Sat, Jun 9, 2012 at 1:15 PM, Alexander V. Chernikov <melif...@freebsd.org> wrote:

 On 09.06.2012 01:56, Sami Halabi wrote:

 Hi,

 I manage a FreeBSD server as an edge router & firewall.

 The setup has 10G interfaces (ixgbe-82599EB) and 1G interfaces (em-82571EB & bce-BCM5709) connected to 10G/1G switches.

 With the following setup I get higher CPU usage:
 bce1 - upstream provider with little bandwidth, so I use pipes to limit users and subnets
 ix0 - Internet Exchange

 Some rules:
 ...
 From 4000 start the pipes for specific IPs' bandwidth allocations:
 04000 62100530015845967300616 pipe 1003 ip from 182.46.92.13 to any out xmit bce1
 04100 412898975373064110648124 pipe 1004 ip from any to 182.46.92.13 in recv bce1

 You should use pipe tablearg for that. Traversing 4k rules effectively
 kills all performance.


 ...
 7000 is the wider pipeline for the whole block:
 07000 91271547244651308720315 pipe 1000 ip from 182.46.92.0/24 to any out xmit bce1
 07100 4837016828 458027989917 pipe 1002 ip from any to 182.46.92.0/24 in recv bce1
 The last rule defaults to accept...

 Specific pipes (1003-...) have limits, say between 1-10Mbps, and the wider pipes (1000 and 1002) have a global limit of 40MBps that should be reached by all other non-specific IPs. The config is like this:
 #Wide
 ipfw pipe 1000 config bw 40Mbit/s queue 200Kbytes
 ipfw pipe 1002 config bw 40Mbit/s queue 200Kbytes
 #specific
 ipfw pipe 1003 config bw 9Mbit/s queue 200Kbytes
 ipfw pipe 1004 config bw 9Mbit/s queue 200Kbytes
 ipfw pipe 1005 config bw 3Mbit/s queue 200Kbytes
 ipfw pipe 1006 config bw 3Mbit/s queue 200Kbytes
 ipfw pipe 1007 config bw 5Mbit/s queue 200Kbytes
 ipfw pipe 1008 config bw 5Mbit/s queue 200Kbytes
 ipfw pipe 1009 config bw 10Mbit/s queue 200Kbytes
 ipfw pipe 1010 config bw 10Mbit/s queue 200Kbytes


 With this configuration, when I have lots of traffic (3-6GB) going via ix0 (not necessarily the IPs described above, let's say to a server in my net, IP 1832.46.93.4, and users behind the Internet Exchange) I see high CPU usage (70-90%).

 My first test was: ipfw add 1 allow all from any to any, and CPU usage drops immediately to 10-15%.
 But that's not what I want (I want to keep the limits), so I added a rule right before 4000 and the CPU usage drops down to 10-20%:
 03020 1669463072808 1493341413029803 allow ip from any to any via ix0


 Any advice on why this happens? Or should it be there in the first place?
 I use FreeBSD 8.1-R-p10-amd64.

 Thanks in advance,



 --
 WBR, Alexander




-- 
Sami Halabi
Information Systems Engineer
NMS Projects Expert
FreeBSD SysAdmin Expert
___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to freebsd-ipfw-unsubscr...@freebsd.org


Re: ipfw rules consuming CPU

2012-06-09 Thread Alexander V. Chernikov

On 09.06.2012 15:19, Sami Halabi wrote:

Hi,
All rules together are less than 80 rules.

However, it is too much.
You should reduce this to 10 rules or less (at least for main traffic flow).


(Btw, there is a related wiki page: http://wiki.freebsd.org/NetworkPerformanceTuning)





How does tablearg help this? Each IP & pipe (up & down) are unique...

ipfw table 1 add 182.46.92.0/24 1000
ipfw table 1 add XXX.XXX.XX.0/24 1001
..
ipfw table 2 add 182.46.92.0/24 1002
ipfw table 2 add XXX.XXX.XX.0/24 1003

ipfw add 4000 pipe tablearg ip from table(1) to any out xmit bce1
ipfw add 4100 pipe tablearg ip from any to table(2) in recv bce1


It is often a good idea to split in/out rules initially (e.g. skipto 1 ip from any to any out).


You can send me your ipfw config and we can discuss it in more detail.



Any other advice?

Sami


--
WBR, Alexander
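An added example, not from the thread: a POSIX sh script that emits the table-based ruleset Alexander describes, using the pipe numbers and limits from Sami's config. It assumes table 1 holds the upstream (out) pipe numbers, table 2 the downstream (in) pipe numbers, bce1 as the upstream interface, and a constructed prefix list; it prints the ipfw commands rather than running them.

```shell
#!/bin/sh
# Added example (not from the thread): generate a tablearg-based ipfw
# ruleset that replaces one "pipe N ip from HOST ..." rule per host.
# Assumptions: table 1 maps prefix -> upstream (out) pipe, table 2 maps
# prefix -> downstream (in) pipe; bce1 is the upstream interface.
# Commands are printed, not executed, so they can be reviewed first.

# Constructed sample: "prefix out_pipe in_pipe bandwidth".
# The /24 gets the wide pipes; the /32 entries inside it get their own
# pipes because ipfw address tables do longest-prefix matching, so a
# host entry wins over the /24 entry for that host only. This reproduces
# the first-match ordering (rule 4000 before 7000) of the per-host ruleset.
LIMITS='182.46.92.0/24 1000 1002 40Mbit/s
182.46.92.13/32 1003 1004 9Mbit/s
182.46.92.20/32 1005 1006 3Mbit/s'

gen_ipfw_rules() {
    # One pipe per direction per entry, same queue size as the thread.
    printf '%s\n' "$LIMITS" | while read -r prefix out_pipe in_pipe bw; do
        [ -n "$prefix" ] || continue
        echo "ipfw pipe $out_pipe config bw $bw queue 200Kbytes"
        echo "ipfw pipe $in_pipe config bw $bw queue 200Kbytes"
        echo "ipfw table 1 add $prefix $out_pipe"
        echo "ipfw table 2 add $prefix $in_pipe"
    done
    # Two rules replace every per-host rule: the value stored in the
    # table becomes the pipe number through tablearg.
    echo "ipfw add 4000 pipe tablearg ip from table(1) to any out xmit bce1"
    echo "ipfw add 4100 pipe tablearg ip from any to table(2) in recv bce1"
}

# Number of rules in the shaping section; it no longer grows with hosts.
count_rules() { gen_ipfw_rules | grep -c '^ipfw add '; }
```

Once the printed commands have been reviewed, feed them to the shell (for example `sh gen.sh | sh`), adding hosts by extending the prefix list rather than the ruleset.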


Re: ipfw rules consuming CPU

2012-06-09 Thread Michael Spratt
I have Linux & FreeBSD systems running ipfw with 80 rules at 70Mb/s symmetric, passing traffic for about 1000-1200 hosts.




Re: ipfw rules consuming CPU

2012-06-09 Thread Sami Halabi
On my box with 130 rules at 100Mbit the CPU doesn't go above 5%.
I daily manage 1.5-6GB.

Thanks in advance,
Sami

On Sat, Jun 9, 2012 at 11:21 PM, Michael Spratt <m...@magicislandtechnologies.com> wrote:

 I have Linux & FreeBSD systems running ipfw with 80 rules at 70Mb/s symmetric, passing traffic for about 1000-1200 hosts.



-- 
Sami Halabi
Information Systems Engineer
NMS Projects Expert
FreeBSD SysAdmin Expert


ipfw rules consuming CPU

2012-06-08 Thread Sami Halabi
Hi,

I manage a FreeBSD server as an edge router & firewall.
The setup has 10G interfaces (ixgbe-82599EB) and 1G interfaces (em-82571EB & bce-BCM5709) connected to 10G/1G switches.

With the following setup I get higher CPU usage:
bce1 - upstream provider with little bandwidth, so I use pipes to limit users and subnets
ix0 - Internet Exchange

Some rules:
...
From 4000 start the pipes for specific IPs' bandwidth allocations:
04000 62100530015845967300616 pipe 1003 ip from 182.46.92.13 to any out xmit bce1
04100 412898975373064110648124 pipe 1004 ip from any to 182.46.92.13 in recv bce1
...
7000 is the wider pipeline for the whole block:
07000 91271547244651308720315 pipe 1000 ip from 182.46.92.0/24 to any out xmit bce1
07100 4837016828 458027989917 pipe 1002 ip from any to 182.46.92.0/24 in recv bce1
The last rule defaults to accept...

Specific pipes (1003-...) have limits, say between 1-10Mbps, and the wider pipes (1000 and 1002) have a global limit of 40MBps that should be reached by all other non-specific IPs. The config is like this:
#Wide
ipfw pipe 1000 config bw 40Mbit/s queue 200Kbytes
ipfw pipe 1002 config bw 40Mbit/s queue 200Kbytes
#specific
ipfw pipe 1003 config bw 9Mbit/s queue 200Kbytes
ipfw pipe 1004 config bw 9Mbit/s queue 200Kbytes
ipfw pipe 1005 config bw 3Mbit/s queue 200Kbytes
ipfw pipe 1006 config bw 3Mbit/s queue 200Kbytes
ipfw pipe 1007 config bw 5Mbit/s queue 200Kbytes
ipfw pipe 1008 config bw 5Mbit/s queue 200Kbytes
ipfw pipe 1009 config bw 10Mbit/s queue 200Kbytes
ipfw pipe 1010 config bw 10Mbit/s queue 200Kbytes


With this configuration, when I have lots of traffic (3-6GB) going via ix0 (not necessarily the IPs described above, let's say to a server in my net, IP 1832.46.93.4, and users behind the Internet Exchange) I see high CPU usage (70-90%).

My first test was: ipfw add 1 allow all from any to any, and CPU usage drops immediately to 10-15%.
But that's not what I want (I want to keep the limits), so I added a rule right before 4000 and the CPU usage drops down to 10-20%:
03020 1669463072808 1493341413029803 allow ip from any to any via ix0


Any advice on why this happens? Or should it be there in the first place?
I use FreeBSD 8.1-R-p10-amd64.

Thanks in advance,

-- 
Sami Halabi
Information Systems Engineer
NMS Projects Expert
FreeBSD SysAdmin Expert