From: "kevin"
Date: Tue, 16 Mar 2010 15:19:51 -0400
Message-ID: <00bc01cac53d$a92f0b70$fb8d2250$@com>
Subject: PF + BRIDGE + PFSYNC causes system freezing
List-Id: Networking and TCP/IP with FreeBSD

I have been experiencing this problem with 2x FreeBSD firewall implementations running pf + transparent bridging + pfsync between both boxes.

Today, in an effort to narrow down and troubleshoot the issue further, I have decided to build two FreeBSD 7.2-RELEASE implementations using VirtualBox.
Each box was allocated 256 MB RAM, 3 NICs (internal network only) and a 4 GB hard drive. I compiled PF/ALTQ/MROUTING into the kernel and installed it. No other fundamental modifications were made.

The intent is to reproduce the problem in a controlled environment and provide any information to @freebsd.org if requested.

Here is the pertinent information below. Note both boxes are identical:

[UNAME]

    # uname -a
    FreeBSD fw 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Tue Mar 16 13:18:05 UTC 2010 root@:/usr/obj/usr/src/sys/FW i386

[IFCONFIG]

    # ifconfig
    em0: flags=8902 metric 0 mtu 1500
            options=9b
            ether 08:00:27:91:2d:fd
            media: Ethernet autoselect (1000baseTX )
            status: active
    em1: flags=8902 metric 0 mtu 1500
            options=9b
            ether 08:00:27:c7:3f:6b
            media: Ethernet autoselect (1000baseTX )
            status: active
    em2: flags=8843 metric 0 mtu 1500
            options=9b
            ether 08:00:27:de:66:c6
            inet 10.0.0.10 netmask 0xffffff00 broadcast 10.0.0.255
            media: Ethernet autoselect (1000baseTX )
            status: active
    lo0: flags=8049 metric 0 mtu 16384
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
            inet6 ::1 prefixlen 128
            inet 127.0.0.1 netmask 0xff000000
    pflog0: flags=141 metric 0 mtu 33204
    pfsync0: flags=41 metric 0 mtu 1460
            pfsync: syncdev: em2 syncpeer: 10.0.0.11 maxupd: 128
    bridge0: flags=8802 metric 0 mtu 1500
            ether 1e:29:e0:82:6e:d6
            id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
            maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
            root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
            member: em1 flags=143
                    ifmaxaddr 0 port 2 priority 128 path cost 20000
            member: em0 flags=143
                    ifmaxaddr 0 port 1 priority 128 path cost 20000

[KERNEL OPTIONS]

    # Multicast routing support
    options MROUTING

    # PF Firewall
    device pf
    device pflog
    device pfsync

    options ALTQ
    options ALTQ_CBQ      # Class Bases Queuing (CBQ)
    options ALTQ_RED      # Random Early Detection (RED)
    options ALTQ_RIO      # RED In/Out
    options ALTQ_HFSC     # Hierarchical Packet Scheduler (HFSC)
    options ALTQ_PRIQ     # Priority Queuing (PRIQ)
    options ALTQ_NOPCC    # Required for SMP build

[RC.CONF]

    keymap="us.iso"
    hostname="fw"
    gateway_enable="YES"
    sshd_enable="YES"
    cloned_interfaces="bridge0"
    ifconfig_bridge0="addm em0 addm em1 up"
    ifconfig_em0="up"
    ifconfig_em1="up"
    ifconfig_em2="inet 10.0.0.10 netmask 255.255.255.0"
    pf_enable="YES"
    pf_rules="/etc/pf.conf"
    pf_flags=""
    pflog_enable="YES"
    pflog_logfile="/var/log/pflog"
    pflog_flags=""
    pfsync_enable="YES"
    pfsync_syncdev="em2"
    ifconfig_pfsync0="up syncpeer 10.0.0.11 syncif em2"

[PF.CONF]

    # macros
    ext_if="em0"
    int_if="em1"
    mng_if="em2"
    tcp_services="{ 22, 113, 53, 80 }"
    icmp_types="echoreq"

    # options
    set block-policy return
    set loginterface $ext_if
    set skip on lo

    # scrub
    scrub in all random-id fragment reassemble
    scrub out on $ext_if random-id

    # filter rules
    pass in quick
    pass out quick
    pass quick on $mng_if proto pfsync

Note the only difference in config is the IP address of the pfsync interface.

When both boxes are on, one or both of them start to really slow down and ultimately freeze. No messages are pasted on the console and /var/log/messages is inaccessible during this point.

I would like to assist in diagnosing this issue, so if anyone wants me to check anything or test, please let me know. I would really like to understand this problem.

Thanks,

Kevin K.