Another idea is to monitor everything that's going on on the firewall with sa(r) and accounting, but I don't know if sa and accounting are shipped with pfSense......
2008/12/21 Michael Schuh <[email protected]>

> 2008/12/21 RB <[email protected]>
>
>> On Sun, Dec 21, 2008 at 10:34, Michael Schuh <[email protected]> wrote:
>> > Oh, not to be understood as "it limits the packets per second", but you do not
>> > get answers from the ISP's gateway all the time, because it needs proxy ARP.
>>
>> So your particular ISP expected to see the L2 addresses for your
>> public IPs - they didn't route your subnet to you. You probably never
>
> Hmm, it is a little more complicated in my case, and in my case it has
> not really to do with the ISP's routing, more with active components
> between the router (ISP) and my firewall. This component routes/bridges
> only traffic that has valid ARP addresses. To me, in my case, it looks
> like a config issue or a bug in these components.
>
>> saw unsolicited inbound L3 traffic, but if return packets came back
>> before their ARP cache associating the L3 address to your pfSense's L2
>> address timed out, you'd see the packets. Add TCP retries on top of
>> that, and you see intermittent but slow traffic.
>
> Not only that, it has made it hard for me to find the problem,
> and we do not only have TCP traffic......
>
>> It's possible Lenny is seeing this, but since he's seeing as much
>> traffic as he is (15kpps), I find it less probable. Plausible, but
>> individual streams would likely be much less than the 170Mbps he's
>> quoting. It's easily checked for - a packet capture on the test
>> clients looking for high retransmits will either prove or disprove the
>> issue.
>
> Thought. That could be, but we know nothing about the configuration and
> components behind the scenes (on the ISP side, for Lenny).
> In other words, nothing is impossible.... and this could be a simple trial and
> error that is quickly done, so why not spend the 5 minutes to test it?
> It is then clear whether it is it or not. To be or not to be :-D to know or not to
> know......
>
> OK, the more information we get, the possibility of a proxy ARP issue goes
> from very small to null....
>
> On such suspect errors, believe nothing, double check all the
> possibilities......
> my rules.... :-D
>
> Another thing: are the servers and clients ready to deliver such a
> spread-out (many connections?) bandwidth?
>
> Lenny: is your limitation limited to TCP or to TCP/UDP/ICMP?
> What's going on with GRE tunnels, for example? Or, say, is it protocol related?
>
> My guess: yes and no. My guess is that with UDP/ICMP you could get more traffic....
>
> Another idea....
> Allow ICMP to the server from your second machine on the internet....
> Do a ping -f -s 15000 from this machine to the servers; what's going on
> on the firewall and the server?...... Warning: this could shoot you in the
> foot if the server or the firewall cannot really handle this.....
> (ping -f sends very many packets, I believe 1000 in parallel, to the
> target, and you must be root to do so.
> In my example with around 15k workload, on Linux machines it could be that
> 15000 is too high...)
>
>> RB

--
=== m i c h a e l - s c h u h . n e t ===
Michael Schuh
Postfach 10 21 52
66021 Saarbrücken
phone: 0681/8319664
mobile: 0177/9738644
@: m i c h a e l . s c h u h @ g m a i l . c o m

=== Ust-ID: DE251072318 ===
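RB's suggested check in the thread above (a packet capture on the test clients looking for high retransmits), written out as an added example; this is not code from the thread or from pfSense. It parses lines in the format of `tcpdump -nn -tt -S tcp` (epoch timestamps, absolute sequence numbers; that this is how the capture was taken is an assumption), and the sample lines embedded below are constructed, not a real capture. Per sending flow it reports the share of data segments that carry bytes already sent once, and the longest silence between consecutive segments. A clean rate limit shows steady pacing and few retransmits; the ARP-cache-expiry theory predicts bursts of retransmits separated by long gaps, which is the pattern the thresholds flag. The thresholds themselves are arbitrary starting points.

```python
"""Check a tcpdump capture for heavy TCP retransmissions and long silent gaps
per flow (added example, not code from the mailing-list thread)."""
import re
from collections import defaultdict

# Matches one line of `tcpdump -nn -tt -S tcp` (assumed capture format).
# Pure ACKs carry no "seq" field, so that group is optional.
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[[^\]]*\]"
    r"(?:, seq (?P<seq>\d+)(?::\d+)?)?.*, length (?P<length>\d+)$"
)

# Constructed sample: flow 40000 is healthy, flow 40001 retransmits one
# segment four times with growing silences before it finally gets ACKed.
SAMPLE = """\
1229868840.000000 IP 192.0.2.10.40000 > 198.51.100.5.80: Flags [P.], seq 1:1461, ack 1, win 229, length 1460
1229868840.010000 IP 192.0.2.10.40000 > 198.51.100.5.80: Flags [.], seq 1461:2921, ack 1, win 229, length 1460
1229868840.020000 IP 192.0.2.10.40000 > 198.51.100.5.80: Flags [.], seq 2921:4381, ack 1, win 229, length 1460
1229868840.021000 IP 198.51.100.5.80 > 192.0.2.10.40000: Flags [.], ack 4381, win 501, length 0
1229868840.000000 IP 192.0.2.10.40001 > 198.51.100.6.80: Flags [P.], seq 1:1461, ack 1, win 229, length 1460
1229868840.010000 IP 192.0.2.10.40001 > 198.51.100.6.80: Flags [.], seq 1461:2921, ack 1, win 229, length 1460
1229868840.220000 IP 192.0.2.10.40001 > 198.51.100.6.80: Flags [.], seq 1461:2921, ack 1, win 229, length 1460
1229868840.620000 IP 192.0.2.10.40001 > 198.51.100.6.80: Flags [.], seq 1461:2921, ack 1, win 229, length 1460
1229868841.420000 IP 192.0.2.10.40001 > 198.51.100.6.80: Flags [.], seq 1461:2921, ack 1, win 229, length 1460
1229868843.020000 IP 192.0.2.10.40001 > 198.51.100.6.80: Flags [.], seq 1461:2921, ack 1, win 229, length 1460
1229868843.021000 IP 198.51.100.6.80 > 192.0.2.10.40001: Flags [.], ack 2921, win 501, length 0
"""


def parse_tcpdump(lines):
    """Yield (ts, flow, seq, payload_length) for every line that parses.
    flow is (src, sport, dst, dport); seq is None for segments without one."""
    for line in lines:
        m = TCPDUMP_RE.match(line.strip())
        if not m:
            continue
        flow = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        seq = int(m["seq"]) if m["seq"] is not None else None
        yield float(m["ts"]), flow, seq, int(m["length"])


def analyse(records):
    """Per sending flow: data segments seen, segments that start below the
    highest byte already sent (retransmissions), and the longest silence
    between consecutive data segments.  32-bit sequence wraparound is ignored."""
    next_seq, last_ts = {}, {}
    stats = defaultdict(lambda: {"segments": 0, "retrans": 0, "max_gap": 0.0})
    for ts, flow, seq, length in sorted(records, key=lambda r: r[0]):
        if length == 0 or seq is None:
            continue                      # pure ACK / no payload: not data
        st = stats[flow]
        st["segments"] += 1
        if flow in next_seq and seq < next_seq[flow]:
            st["retrans"] += 1            # these bytes were on the wire before
        next_seq[flow] = max(next_seq.get(flow, 0), seq + length)
        if flow in last_ts:
            st["max_gap"] = max(st["max_gap"], ts - last_ts[flow])
        last_ts[flow] = ts
    return dict(stats)


def suspects(stats, retrans_ratio=0.05, gap_seconds=1.0):
    """Flows whose retransmission share or longest silence exceeds the
    thresholds (arbitrary defaults): the 'intermittent but slow' pattern."""
    out = {}
    for flow, st in stats.items():
        ratio = st["retrans"] / st["segments"]
        if ratio >= retrans_ratio or st["max_gap"] >= gap_seconds:
            out[flow] = {"retrans_ratio": round(ratio, 3),
                         "max_gap": round(st["max_gap"], 3)}
    return out


if __name__ == "__main__":
    # Replace SAMPLE with sys.stdin on a real capture piped from tcpdump.
    for flow, info in suspects(analyse(parse_tcpdump(SAMPLE.splitlines()))).items():
        print(flow, info)
```

On a real test client, pipe `tcpdump -nn -tt -S tcp` into the script and compare the flows toward the slow server against a control host; a flow flagged for gaps but not for retransmission share points at pacing rather than loss, and the reverse points at something dropping packets between the two ends.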
