Date: Mon, 10 Mar 2008 09:35:38 -0400
From: Chris Marlatt <cmarlatt@rxsec.com>
To: Lorenz Helleis <lorenzhelleis@yahoo.com.br>
Cc: freebsd-pf@freebsd.org
Subject: Re: Dropped Packets
Message-ID: <47D5392A.6060407@rxsec.com>
In-Reply-To: <151806.66922.qm@web53707.mail.re2.yahoo.com>
References: <151806.66922.qm@web53707.mail.re2.yahoo.com>

Lorenz Helleis wrote:
> Do the machines generating the traffic have multiple paths?
>
> The only time I've really seen pf have problems with sessions is when
> the devices send and receive traffic via different paths or multiple
> paths (i.e. traffic comes in via firewall01 but goes out firewall02 and
> firewall01 and firewall02 do not implement pfsync).
>
> Regards,
>
> Chris
>
>
> I have 2 firewalls, and they were working very good until yesterday... I implemented pfsync in the firewalls...
>
> I think I need to optimize the rules, like increase the tables.. or something like this....
>
> Did you increase these values on your firewall?
>
> Tell me about your firewall...
>
> Lorenz.
>

Please correct me if I'm reading this incorrectly. But it sounds like
you're saying the firewalls worked fine until you implemented pfsync, is
this correct? If so, try backing out of that to isolate that change and
confirm this.

I've seen pfsync packets either be lost or "slow" in synchronizing with
the other firewall and as a result state mismatching occurring on the
secondary firewall (if both are active - i.e. arp balance). If you're
using that, try disabling it and see if there is an improvement.

Also, have you made any modifications to sysctl.conf and loader.conf? If
so, please post them here.

Regards,

Chris