On 2019-11-13, radek wrote:
> After upgrading my two endpoints to i386/6.6 it started to work flawlessly.
> There wasn't even one IKED restart within the first two days of running.
> Thank you Patrick, Stuart and everyone involved in making IKED work as
> expected. I really appreciate it.
Thanks fo
After upgrading my two endpoints to i386/6.6 it started to work flawlessly.
There wasn't even one IKED restart within the first two days of running.
Thank you Patrick, Stuart and everyone involved in making IKED work as
expected. I really appreciate it.
# vmstat -m | head -n 17
Memory statistics by
Thank you Stuart.
I can't touch/upgrade these routers, but I have a bunch of Soekris/net5501 that
I can use for testing -current. Unfortunately, they are i386. I hope the arch
doesn't matter in this case.
I'll try -current asap.
Am I the only one @misc who's facing this kind of iked issue? Nobod
On 2019-09-20, radek wrote:
> Hello Patrick,
> I am sorry for the late reply.
>
> I have replaced my ALIX/Soekris production routers with APU1C and with PC box
> (cpu0: Intel(R) Pentium(R) D CPU 2.80GHz, 2810.34 MHz, 0f-06-04).
> Both are running 6.5/amd64 and both are fully syspatched.
Please
Hello Patrick,
I am sorry for the late reply.
I have replaced my ALIX/Soekris production routers with APU1C and with PC box
(cpu0: Intel(R) Pentium(R) D CPU 2.80GHz, 2810.34 MHz, 0f-06-04).
Both are running 6.5/amd64 and both are fully syspatched.
I also added "inet proto { tcp, udp, icmp }" to
Radek
In my opinion upstream DNS & UDP issues can cause interrupts with some ISPs.
I also believe that defining specific protos in your nat rule can decrease
interrupts.
You might consider the following modification to your nat rule to
specifically allow UDP & ICMP.
match out log on $ext_if
Hello Patrick,
> In my opinion your net5501’s system calls per interval are relatively high.
> The (traps sys) column on my firewall hovers between 40 & 50 quite
> consistently.
> My understanding is that system calls are things like program calls & library
> access.
Is there any way to decreas
In my opinion your net5501’s system calls per interval are relatively high.
The (traps sys) column on my firewall hovers between 40 & 50 quite consistently.
My understanding is that system calls are things like program calls & library
access.
In addition your net5501’s memory requests per second
Hello Patrick,
> I’ve found that fast networking is actually CPU & memory intensive.
In my case it is 40/4 Mbps at both ends. Not so fast.
> Pentium 4 and Xeon's are increasingly a necessity for stable firewalls in my
> opinion.
I will run the same VPN confs on apu1d and PC with Pentium D 820 an
Radek
I’ve found that fast networking is actually CPU & memory intensive.
Pentium 4 and Xeon's are increasingly a necessity for stable firewalls in my
opinion.
Keep in mind OpenBSD is a monolithic kernel & isn’t a one to one ratio with a
commercial router.
What are your context switches & inte
Hello Patrick,
I am sorry for the late reply.
> Do you consider memory an issue?
No, I do not. I have a bunch of old Soekris/net5501-70 and ALIX2d2/2d3, that I
use for VPN testing.
Current testing set (6.5/i386) is net5501-70 <-> ALIX2d3
Production set (6.3/i386) is net5501-70 <-> ALIX2d2
Also ha
Do you consider memory an issue?
What is the speed of your memory?
Unix load average can occasionally be deceiving.
What make of Ethernets are you running?
Regards
Patrick
> On Aug 19, 2019, at 5:28 AM, radek wrote:
>
> Hello Patrick,
>
>> Does your ISP implement authoritative DNS?
>> Do you su
Hello Patrick,
> Does your ISP implement authoritative DNS?
> Do you suspect a UDP issue?
My VPN is configured with IPs, not with domain names. Does DNS and/or UDP
matter anyway?
> Is a managed (switch) involved?
No, it is not. I do not use any switches in my testing setup.
GW1--ISP1_modem--
Does your ISP implement authoritative DNS?
Do you suspect a UDP issue?
Is a managed (switch) involved? Has duplex ever been an issue?
Regards
Patrick
> On Aug 18, 2019, at 1:03 PM, Radek wrote:
>
> Hello,
>
> I have two testing gateways (6.5/i386) with site-to-site VPN between its LANs
> (Op
Hello,
I have two testing gateways (6.5/i386) with site-to-site VPN between its LANs
(OpenIKED).
Both gws are fully syspatched, have public IPs and the same iked/pf
configuration.
Unfortunately, the network traffic over the VPN tunnel stalls a few times a day.
On the one side I use a script to