2008/12/21 RB <[email protected]>

> On Sun, Dec 21, 2008 at 10:34, Michael Schuh <[email protected]> wrote:
> > Oh not to understand as "its limit the packets per second", but you get not
> > all the time answers from the isps-gateway, because it need proxyarp.
>
> So your particular ISP expected to see the L2 addresses for your
> public IPs - they didn't route your subnet to you. You probably never

Hmm, it is a little more complicated in my case, and in my case it does not really have to do with the ISP's routing, more with active components between the router (ISP) and my firewall. This component routes/bridges only traffic that has valid ARP addresses. For me, in my case, it looks like a config issue or a bug in these components.

> saw unsolicited inbound L3 traffic, but if return packets came back
> before their ARP cache associating the L3 address to your pfSense's L2
> address timed out, you'd see the packets. Add TCP retries on top of
> that, and you see intermittent but slow traffic.

Not only, that made it hard for me to find the problem. And we do not only have TCP traffic......

> It's possible Lenny is seeing this, but since he's seeing as much
> traffic as he is (15kpps), I find it less probable. Plausible, but
> individual streams would likely be much less than the 170Mbps he's
> quoting. It's easily checked for - a packet capture on the test
> clients looking for high retransmits will either prove or disprove the
> issue.

Thought. That could be, but we know nothing about the configuration and components behind the scenes (on Lenny's ISP side). In other words, nothing is impossible.... and this could be a simple trial and error that's quickly done, so why not spend the 5 minutes to test it? It is then clear if that is it or not.

To be or not to be :-D To know or not to know...... OK, the more information we get, the more the possibility of a proxyarp issue goes from very small to null....

With such suspected errors, believe nothing, double-check all the possibilities...... my rules.... :-D

Another thing is, are the servers and clients ready to deliver such a spread (many connections?) bandwidth?

Lenny: is your limitation limited to TCP or to TCP/UDP/ICMP? What's going on with GRE tunnels, for example? Or, put differently, is it protocol related? My guess: yes and no. My guess is that with UDP/ICMP you could get more traffic....

Another idea....
Allow ICMP to the server from your second machine on the Internet.... Do a ping -f -s 15000 from this machine to the servers; what's going on on the firewall and the server...... Warning: this could shoot you in the foot if the server or the firewall cannot really handle this..... (ping -f sends very many packets, I believe 1000 in parallel, to the target, and you must be root to do so; in my example with around 15k workload; on Linux machines it could be that 15000 is too high...)

> RB

--
=== m i c h a e l - s c h u h . n e t ===
Michael Schuh
Postfach 10 21 52
66021 Saarbrücken
phone: 0681/8319664
mobile: 0177/9738644
@: m i c h a e l . s c h u h @ g m a i l . c o m

=== Ust-ID: DE251072318 ===
