Re: packet loss over nat

2005-08-05 Thread Håkan Olsson

Try increasing PF max number of states.

It is currently limited to 1, so when you reach this no new  
traffic (that would create a state) is permitted until some of the  
old ones expire. The 1 limit is ok for most machines, but  
definitely not for a busy server / firewall. (Same goes for the  
default httpd.conf, btw, which also requires tweaking for higher  
performance.)


Use pfctl -s info and check the memory counter, it indicates the  
number of states that could not be created due to the limit  
(presumably other mem failures too). You want to see 0 (zero) here.


See pf.conf(5), try set limit states 5 or so.

/H

On 2 aug 2005, at 00.07, Bc. Radek Krejca wrote:


Hi,

  thank you for the response. It was my idea too, but pfctl -ss shows about
  1 lines. Where can I get better information about ports over NAT?

  Thank you
  Radek

On 1 August 2005, 23:02:15, you wrote:
SKQ On Mon, 2005-08-01 at 21:21 +0200, Bc. Radek Krejca wrote:

  I have a problem with packet loss over NAT. I don't know where the
  mistake could be. If I stop half of the IPs I have no problem. What can I
  change to resolve the problem? About 1300 IPs run over this NAT.

SKQ My gut instinct says that you're simply running out of ports on the one
SKQ external address. That is definitely something you want to look into at
SKQ some point.



--
Regards,
 Bc. Radek Krejca
 [EMAIL PROTECTED]
 http://www.ceskedomeny.cz
 http://www.skdomeny.com
 http://www.starnet.cz
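The check Håkan describes above (the "memory" counter in `pfctl -s info`, the current entry count against the states hard limit, and a new `set limit states` line) can be scripted. This is an added example, not code from the thread; both sample outputs are constructed, the column layout is an assumption about how pfctl of that era prints these tables, and the doubling-and-rounding rule in `pf_suggest_limit` is my own rule of thumb rather than anything the thread states.

```shell
#!/bin/sh
# Added example, not from the thread: check pf state-table pressure by
# reading the "memory" counter and current entries from "pfctl -s info"
# and the states hard limit from "pfctl -s memory".
# Both samples below are constructed; the column layout mimics pfctl output
# of that era and is an assumption, so adjust the awk field numbers if your
# pfctl prints differently.

SAMPLE_INFO='Status: Enabled for 12 days 03:14:07           Debug: Urgent

State Table                          Total             Rate
  current entries                     9987
  searches                       483920123           458.2/s
  inserts                         10230412             9.7/s
  removals                        10220425             9.7/s
Counters
  match                           10488765             9.9/s
  bad-offset                             0             0.0/s
  fragment                              12             0.0/s
  short                                  0             0.0/s
  normalize                              0             0.0/s
  memory                              3412             0.0/s'

SAMPLE_INFO_OK='State Table                          Total             Rate
  current entries                     1200
Counters
  memory                                 0             0.0/s'

SAMPLE_MEMORY='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000'

# Value of a named counter in "pfctl -s info" output read from stdin.
pf_counter() {
    awk -v name="$1" '$1 == name { print $2; exit }'
}

# Current number of entries in the state table (stdin = pfctl -s info).
pf_current_entries() {
    awk '$1 == "current" && $2 == "entries" { print $3; exit }'
}

# Hard limit of a memory pool (stdin = pfctl -s memory), e.g. "states".
pf_hard_limit() {
    awk -v pool="$1" '$1 == pool && $2 == "hard" { print $4; exit }'
}

# Verdict on the state table: "ok ..." with status 0, or "pressure ..." with
# status 1 when states have already been dropped (memory counter > 0) or the
# table is at 90% or more of its hard limit.
pf_state_pressure() {
    info=$1
    mem=$2
    dropped=$(printf '%s\n' "$info" | pf_counter memory)
    cur=$(printf '%s\n' "$info" | pf_current_entries)
    limit=$(printf '%s\n' "$mem" | pf_hard_limit states)
    : "${dropped:=0}" "${cur:=0}" "${limit:=0}"
    if [ "$dropped" -gt 0 ] || [ $((cur * 10)) -ge $((limit * 9)) ]; then
        echo "pressure dropped=$dropped current=$cur limit=$limit"
        return 1
    fi
    echo "ok dropped=$dropped current=$cur limit=$limit"
}

# Rule of thumb used here (my own, not from the thread): double the observed
# peak and round up to the next multiple of 10000 for the pf.conf line.
pf_suggest_limit() {
    want=$(( $1 * 2 ))
    echo "set limit states $(( (want + 9999) / 10000 * 10000 ))"
}

echo "overloaded box: $(pf_state_pressure "$SAMPLE_INFO" "$SAMPLE_MEMORY")"
echo "healthy box:    $(pf_state_pressure "$SAMPLE_INFO_OK" "$SAMPLE_MEMORY")"
echo "suggested:      $(pf_suggest_limit "$(printf '%s\n' "$SAMPLE_INFO" | pf_current_entries)")"
```

On a live box you would pipe the real commands instead of the samples, e.g. `pf_state_pressure "$(pfctl -s info)" "$(pfctl -s memory)"`, and watch the "memory" counter after raising the limit: it should stop growing once the table is large enough.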




packet loss over nat

2005-08-01 Thread Bc. Radek Krejca
Hello,

  I have a problem with packet loss over NAT. I don't know where the
  mistake could be. If I stop half of the IPs I have no problem. What can I
  change to resolve the problem? About 1300 IPs run over this NAT.

  Options of my pf.conf:
  
---
  set limit { states 2, frags 2, src-nodes 2 }
  set optimization aggressive

  ext_if  =   fxp0
  ext_addr=   someIP
  
  scrub no-df

nat on $ext_if from 10.3.0.0/16  -> $ext_addr
nat on $ext_if from 10.4.0.0/16  -> $ext_addr
nat on $ext_if from 10.5.0.0/16  -> $ext_addr
nat on $ext_if from 10.6.0.0/16  -> $ext_addr
nat on $ext_if from 10.7.0.0/16  -> $ext_addr
nat on $ext_if from 10.8.0.0/16  -> $ext_addr
nat on $ext_if from 10.9.0.0/16  -> $ext_addr
--

  I could send more information, but I don't know which.

  dmesg:

OpenBSD 3.5 (GENERIC) #34: Mon Mar 29 12:24:55 MST 2004
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Celeron (GenuineIntel 686-class, 128KB L2 cache) 465 MHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem  = 65646592 (64108K)
avail mem = 54775808 (53492K)
using 826 buffers containing 3383296 bytes (3304K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(44) BIOS, date 01/10/99, BIOS32 rev. 0 @ 0xeba00
pcibios0 at bios0: rev. 2.1 @ 0xeba00/0x3600
pcibios0: PCI IRQ Routing Table rev. 1.0 @ 0xf6400/176 (9 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801AA LPC rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x1000 0xc9000/0x1000 0xca000/0x800 
0xe/0x1!
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82810-DC100 rev 0x02: rng active, 8Kb/sec
vga1 at pci0 dev 1 function 0 Intel 82810-DC100 Graphics rev 0x02: aperture 
at 0x4400, size 0x400
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb0 at pci0 dev 30 function 0 Intel 82801AA Hub-to-PCI rev 0x02
pci1 at ppb0 bus 1
fxp0 at pci1 dev 2 function 0 Intel 82557 rev 0x08: irq 11, address 
00:50:8b:a7:df:d2
inphy0 at fxp0 phy 1: i82555 10/100 media interface, rev. 4
fxp1 at pci1 dev 8 function 0 Intel 82557 rev 0x08: irq 11, address 
00:90:27:e9:a7:36
inphy1 at fxp1 phy 1: i82555 10/100 media interface, rev. 4
fxp2 at pci1 dev 9 function 0 Intel 82557 rev 0x02: irq 11, address 
00:a0:c9:91:b1:df
inphy2 at fxp2 phy 1: i82555 10/100 media interface, rev. 0
ukphy0 at fxp2 phy 2: Generic IEEE 802.3u media interface
ukphy0: OUI 0x37ec40, model 0x0008, rev. 3
pcib0 at pci0 dev 31 function 0 Intel 82801AA LPC rev 0x02
pciide0 at pci0 dev 31 function 1 Intel 82801AA IDE rev 0x02: DMA, channel 0 
wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: QUANTUM FIREBALLlct10 06
wd0: 16-sector PIO, LBA, 6149MB, 12594960 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
uhci0 at pci0 dev 31 function 2 Intel 82801AA USB rev 0x02: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
auich0 at pci0 dev 31 function 5 Intel 82801AA AC97 Audio rev 0x02: irq 11, 
ICH AC97
ac97: codec id 0x41445340 (Analog Devices AD1881)
ac97: codec features headphone, Analog Devices Phat Stereo
audio0 at auich0
auich0: measured ac97 link rate at 47982 Hz, will use 48000 Hz
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask 4840 netmask 4840 ttymask 48c2
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matched BIOS disk 80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302  

-- 
Regards,
 Bc. Radek Krejca
 [EMAIL PROTECTED]
 http://www.ceskedomeny.cz
 http://www.skdomeny.com
 http://www.starnet.cz



Re: packet loss over nat

2005-08-01 Thread Bc. Radek Krejca
Hi,

  thank you for the response. It was my idea too, but pfctl -ss shows about
  1 lines. Where can I get better information about ports over NAT?

  Thank you
  Radek

On 1 August 2005, 23:02:15, you wrote:
SKQ On Mon, 2005-08-01 at 21:21 +0200, Bc. Radek Krejca wrote:
   I have a problem with packet loss over NAT. I don't know where the
   mistake could be. If I stop half of the IPs I have no problem. What can I
   change to resolve the problem? About 1300 IPs run over this NAT.

SKQ My gut instinct says that you're simply running out of ports on the one
SKQ external address. That is definitely something you want to look into at
SKQ some point.



-- 
Regards,
 Bc. Radek Krejca
 [EMAIL PROTECTED]
 http://www.ceskedomeny.cz
 http://www.skdomeny.com
 http://www.starnet.cz
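Radek asks where to get better information about NAT port usage than eyeballing `pfctl -ss`; the state list itself answers the "running out of ports on the one external address" theory once it is summarised per external address. The script below is an added example, not code from the thread: `SAMPLE_STATES` is constructed, the line layout (interface, protocol, `src -> translated -> dst`, state) is an assumption about how pfctl of that era prints translated states, and the parser relies only on the two `->` arrows, so it tolerates a missing interface column. The `port lo:hi` range passed to `nat_headroom` is a parameter because the thread does not say what pool this box uses.

```shell
#!/bin/sh
# Added example, not from the thread: quantify how many translated source
# ports each external address is using, from "pfctl -ss" output.
# SAMPLE_STATES is constructed; the line layout approximates pfctl output of
# that era and is an assumption. Only the "a -> b -> c" arrow structure is
# parsed. IPv4 only: address:port is split on ":" (an assumption that does
# not hold for IPv6 states).

SAMPLE_STATES='self tcp 10.3.0.5:1234 -> 203.0.113.1:50001 -> 198.51.100.7:80       ESTABLISHED:ESTABLISHED
self tcp 10.4.1.9:4021 -> 203.0.113.1:50002 -> 198.51.100.7:80       ESTABLISHED:ESTABLISHED
self tcp 10.4.1.9:4022 -> 203.0.113.1:50003 -> 198.51.100.20:443     FIN_WAIT_2:FIN_WAIT_2
self tcp 10.6.0.7:3000 -> 203.0.113.1:50002 -> 198.51.100.44:25      ESTABLISHED:ESTABLISHED
self udp 10.5.2.2:5353 -> 203.0.113.1:50001 -> 198.51.100.53:53      MULTIPLE:SINGLE
self tcp 203.0.113.1:22 <- 198.51.100.99:40000       ESTABLISHED:ESTABLISHED'

# Print "proto ext_addr distinct_ports translated_states" for every
# (protocol, external address) pair seen as the middle endpoint of a state.
# A port reused toward a different destination counts once in the port
# column but once per state in the last column.
nat_port_usage() {
    awk '
        {
            n = 0
            for (i = 1; i <= NF; i++) if ($i == "->") idx[++n] = i
            if (n != 2) next                  # not a translated state
            proto = $(idx[1] - 2)             # field before the source endpoint
            split($(idx[1] + 1), nat, ":")    # translated ext_addr:port
            key = proto " " nat[1]
            states[key]++
            if (!((key, nat[2]) in seen)) { seen[key, nat[2]] = 1; ports[key]++ }
        }
        END { for (k in ports) print k, ports[k], states[k] }
    ' | sort
}

# Distinct translated ports in use for one protocol and external address.
nat_ports_used() {
    nat_port_usage | awk -v p="$1" -v a="$2" '$1 == p && $2 == a { print $3; exit }'
}

# Internal hosts holding the most states ("count ip"), top N (default 5).
top_clients() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "->") { split($(i - 1), s, ":"); c[s[1]]++; break } }
         END { for (h in c) print c[h], h }' | sort -rn | head -n "${1:-5}"
}

# Ports left in a pool once pf.conf pins it with "nat ... port lo:hi".
# Arguments: used lo hi.
nat_headroom() {
    echo $(( $3 - $2 + 1 - $1 ))
}

echo "per external address (proto addr ports states):"
printf '%s\n' "$SAMPLE_STATES" | nat_port_usage
echo "busiest internal hosts:"
printf '%s\n' "$SAMPLE_STATES" | top_clients 3
used=$(printf '%s\n' "$SAMPLE_STATES" | nat_ports_used tcp 203.0.113.1)
echo "tcp ports left in a 50001:65535 pool: $(nat_headroom "$used" 50001 65535)"
```

Run it against the real table with `pfctl -ss | nat_port_usage`; a port column that sits close to the size of the pool, together with a non-zero "memory" counter in `pfctl -s info`, separates port exhaustion on the single external address from a plain state-table limit, and `top_clients` shows whether a few internal hosts are consuming most of the pool.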