From: Antoine Beaupré
To: freebsd-net@FreeBSD.org
Subject: is polling still a thing?
Date: Tue, 27 Jan 2015 12:28:46 -0500
Message-ID: <871tmgceup.fsf@marcos.anarc.at>
User-Agent: Notmuch/0.18.2 (http://notmuchmail.org) Emacs/24.4.1 (x86_64-pc-linux-gnu)
List-Id: Networking and TCP/IP with FreeBSD

(Please CC, as I am not on the list.)

I was surprised to read this article in the pfSense blog:

https://blog.pfsense.org/?p=115

TL;DR: "At this time, polling is not recommended at all."

Is that true?

I am trying to tweak a Supermicro machine as a router to survive major DDoS attacks on a 1 Gbps link. So far, I can't get far beyond the 100 kpps and 50 Mbps mark. The hardware is:

* 2x Intel E1G44HTBLK NICs
* 1x Intel 1220LV2 CPU

More detailed specs here: https://wiki.koumbit.net/rtr1.koumbit.net

We are using a stateful pf firewall and polling on the network interfaces. We got around 100 kpps during the DDoS, with 700 kpps dropped (or at least 700k/s errors) on the NIC. The DDoS was apparently 5.5 Gbps, but around 400 Mbps reached our port from upstream's point of view. The kernel interfaces counted around 50 Mbps:

https://redmine.koumbit.net/attachments/download/7706
https://redmine.koumbit.net/attachments/download/7707
https://redmine.koumbit.net/attachments/download/7708
https://redmine.koumbit.net/attachments/download/7709

The load on the router was fine during the DDoS, but of course packet loss was endemic.

At this point, I'm considering the following options:

* switching to an Intel IGB NIC
* enabling fastforwarding
* tweaking the number of IGB queues

Any recommendations would be welcome.

Thanks!

A.

-- 
feature, n: a documented bug | bug, n: an undocumented feature - Mario S F Ferreira
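An added example, not part of the original mail and not a FreeBSD tool: the figures above (about 100 kpps delivered against roughly 700k/s errors on the NIC) are the kind of gap that is easiest to track from per-second `netstat -I <ifname> -w 1` samples, and a small POSIX sh/awk filter makes the loss fraction explicit so that a change such as more igb queues or fastforwarding can be judged by NIC-level loss rather than by kernel throughput alone. The column layout assumed is the FreeBSD 10 one (input: packets, errs, idrops, bytes; output: packets, errs, bytes, colls); the interface name igb0, the function names and the sample rows are constructed for this illustration and are not data from the mail.

```shell
#!/bin/sh
# Added example, not from the original mail or from FreeBSD: summarise per-second
# samples of `netstat -I <ifname> -w 1` so that NIC-level loss (errs + idrops) can
# be compared with delivered pps, which is the gap the poster describes.
# Assumes the FreeBSD 10 column layout:
#   packets errs idrops bytes | packets errs bytes colls
# Older releases lack the idrops column; adjust the field numbers if so.

# Constructed sample shaped like the figures in the mail; not real captured data.
SAMPLE='            input          igb0           output
   packets  errs idrops      bytes    packets  errs      bytes colls
    100213 698540     0   51203112      99870     0   50119430     0
    101877 712003     0   52014400     101233     0   50887311     0
      5320      0     0    2719400       5201     0    2600123     0'

# Read netstat -w samples on stdin; print one line per interval with delivered
# pps, packets the NIC lost per second, and the fraction lost/(delivered+lost).
nic_loss_report() {
    awk '
        $1 ~ /^[0-9]+$/ {          # data rows only; the two header rows are skipped
            delivered = $1; lost = $2 + $3
            total = delivered + lost
            ratio = (total > 0) ? lost / total : 0
            printf "%d pps, %d lost/s, loss=%.2f\n", delivered, lost, ratio
        }'
}

# Exit 0 if any interval on stdin lost more than the given fraction of inbound
# packets (default 0.5, i.e. the NIC dropped more than it delivered), else 1.
nic_overloaded() {
    thr="${1:-0.5}"
    awk -v thr="$thr" '
        $1 ~ /^[0-9]+$/ {
            lost = $2 + $3; total = $1 + lost
            if (total > 0 && lost / total > thr) bad = 1
        }
        END { exit bad ? 0 : 1 }'
}

# Stand-alone run over the constructed sample. On the router itself this would be
#   netstat -I igb0 -w 1 | nic_loss_report
demo_report() {
    printf '%s\n' "$SAMPLE" | nic_loss_report
}

demo_report
if printf '%s\n' "$SAMPLE" | nic_overloaded; then
    echo "NIC is losing more than it delivers: driver queues/descriptors are the first suspect"
fi
```

The loss fraction is computed per interval rather than over the whole run, because during an attack a few seconds of saturated descriptors are what matter, and an average over quiet seconds would hide them. The errs and idrops columns are counted before pf sees the packet, which is why a clean-looking kernel throughput graph can coexist with heavy loss.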