From: "Vincent Goupil"
To: freebsd-isp@freebsd.org, freebsd-net@freebsd.org
Subject: Slow network response with FreeBSD 4.6.2 and ipfilter
Date: Tue, 19 Nov 2002 23:37:24 +0000

I have a system running FreeBSD 4.6.2-RELEASE-p5 #0 with ipfilter v3.4.27. This system acts as a firewall for an enterprise. They need high availability. I have 5 network cards, all 3C905 (3*3c905B-TX and 2*905C-TX). I made this setup in July and it ran fine until 3 weeks ago. The first and second cards are for the internet link (primary and backup). The third is for the DMZ and the fourth is for the local network. The fifth is unused (marked as down). Each card has its own IRQ (except the fifth, which is shared with the first). The high availability is provided by the two internet links: if one goes down, the second takes the load (change default route, ipf rules, ipnat rules and DNS records). This is done by a script run by cron. We can also do that manually.
We have two /29 networks for the first link and one /28 network for the second (we use aliases on the internet interfaces). There are only 3 services that run on the firewall: SSH (but only accessible from 3 subnets), ftpproxy (jftpgw 0.13.1) and snmp (only accessible by one subnet).

We began to have problems 3 weeks ago. The firewall began to have a slow response. I began to get this arp error message (many times):

    arplookup 255.255.255.0 failed: host is not on local network
    arpresolve: can't allocate llinfo for 255.255.255.0rt

We rebooted the server and the network was as fast as before. I finally found something: when we use aliases, we need to have at least one regular netmask (instead of 255.255.255.255) for each network/subnetwork. My error was on the first link; my second sub-network was not configured properly. I changed it and it stopped giving these errors about arp, but the problem wasn't resolved. The network continued to be slow until we rebooted the server. This happened during the day. Now, it happens every time.

What I've done:
- I changed the netmask (as said earlier)
- I upgraded from 4.6-RELEASE #0 to 4.6.2-RELEASE-p5 #0.
- I looked for IRQ conflicts
- I configured all interfaces with media and mediaopt. They are not using autodetect anymore.
- I ran chkrootkit and nothing was found

What I suspect:
- I read in a forum that the driver (xl) for the 3C905 is not the best for FreeBSD. I don't know if this applies to 4.6.2.
- Ethernet cables (I need to change them)
- We run SSL (with a lot of users) on one of our web servers in the DMZ. As far as I know, SSL runs on top of TCP, so it should not be a problem.
- When I run ifpromisc (in chkrootkit), it tells me that "xl0 is not promisc" and "xl1 is not promisc". I have 5 interfaces, what about the others?

Can someone have an idea?
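As an added example (not part of the original post, and not FreeBSD or ipfilter code), the following Python check parses constructed FreeBSD-style ifconfig(8) output and flags the misconfiguration the post describes: an alias with a 255.255.255.255 netmask whose subnet has no address with a real netmask on the same interface. The interface names and addresses in the sample are made up.

```python
import ipaddress
import re

# Constructed sample of ifconfig(8) output (not taken from the original post).
# xl0 carries two subnets, but the second one (198.51.100.0/29) only has a
# /32 alias and no address with its real netmask, which is the reported error.
SAMPLE_IFCONFIG = """\
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.2 netmask 0xfffffff8 broadcast 192.0.2.7
        inet 192.0.2.3 netmask 0xffffffff broadcast 192.0.2.3
        inet 198.51.100.3 netmask 0xffffffff broadcast 198.51.100.3
xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 203.0.113.2 netmask 0xfffffff0 broadcast 203.0.113.15
        inet 203.0.113.3 netmask 0xffffffff broadcast 203.0.113.3
"""

IFACE_RE = re.compile(r"^(\S+): flags=")
INET_RE = re.compile(r"^\s+inet (\S+) netmask (0x[0-9a-fA-F]{8})")


def parse_ifconfig(text):
    """Return {iface: [(IPv4Address, IPv4Network), ...]} from ifconfig output."""
    addrs = {}
    iface = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            addrs.setdefault(iface, [])
            continue
        m = INET_RE.match(line)
        if m and iface is not None:
            ip = ipaddress.IPv4Address(m.group(1))
            mask = str(ipaddress.IPv4Address(int(m.group(2), 16)))
            net = ipaddress.IPv4Network((str(ip), mask), strict=False)
            addrs[iface].append((ip, net))
    return addrs


def find_orphan_aliases(text):
    """List (iface, address) pairs configured with a /32 netmask whose subnet
    has no address with a real (non-/32) netmask on the same interface."""
    orphans = []
    for iface, entries in parse_ifconfig(text).items():
        real_nets = [net for _, net in entries if net.prefixlen < 32]
        for ip, net in entries:
            if net.prefixlen == 32 and not any(ip in r for r in real_nets):
                orphans.append((iface, str(ip)))
    return orphans


if __name__ == "__main__":
    for iface, ip in find_orphan_aliases(SAMPLE_IFCONFIG):
        print(f"{iface}: alias {ip} has no address with a real netmask for its subnet")
```

The fix for a flagged alias is to give the first address of that subnet its real netmask (here 255.255.255.248) and keep 255.255.255.255 only for further aliases inside an already-configured subnet.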