Date: Tue, 27 Jan 2015 12:03:19 -0600
From: Jim Thompson <jim@netgate.com>
To: Antoine Beaupré <anarcat@koumbit.org>
Cc: freebsd-net@FreeBSD.org
Subject: Re: is polling still a thing?
Message-ID: <A32D80F3-9D34-4136-A870-B28582F6EAA0@netgate.com>
In-Reply-To: <871tmgceup.fsf@marcos.anarc.at>
References: <871tmgceup.fsf@marcos.anarc.at>
> On Jan 27, 2015, at 11:28 AM, Antoine Beaupré <anarcat@koumbit.org> wrote:
>
> (Please CC, as I am not on the list.)
>
> I was surprised to read this article in the pfSense blog:
>
> https://blog.pfsense.org/?p=115

That article is from June 2007. It's over seven years old. Times change.

> TLDR: "At this time, polling is not recommended at all."

There are situations which warrant polling.

> Is that true? I am trying to tweak a Supermicro machine as a router to
> survive major DDOS attacks on a 1gbps link. So far, I can't get far
> beyond the 100kpps and 50mbps mark.
>
> The hardware is:
>
> * 2xIntel E1G44HTBLK NICs Quad port i340 PCIe Nic (igb(4) driver)
> * 1xIntel 1220LV2 CPU 2 core Ivy Bridge @ 2.3GHz
>
> More detailed specs here:
>
> https://wiki.koumbit.net/rtr1.koumbit.net

Says you're running 9.3.

The pf in 9.3 is single-threaded.

> We are using a stateful pf firewall and polling on the network
> interfaces. We got around 100kpps during the DDOS, with 700kpps dropped
> (or at least 700k/s errors) on the NIC. The DDOS was apparently 5.5gbps
> but around 400mbps reached our port from upstream's point of view. The
> kernel interfaces counted around 50mbps:
>
> https://redmine.koumbit.net/attachments/download/7706
> https://redmine.koumbit.net/attachments/download/7707
> https://redmine.koumbit.net/attachments/download/7708
> https://redmine.koumbit.net/attachments/download/7709

These want a login/password to access.

> The load on the router was fine during the DDOS, but of course packet
> loss was endemic.
>
> At this point, I'm considering the following options:
>
> * switching to an Intel IGB nic

You already have one.

> * enabling fastforwarding

Typically a good idea.

> * tweak the number of IGB queues
>
> Any recommendations would be welcome.

Have you considered FreeBSD 10.1?

> Thanks!
>
> A.
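An added example, not code from the thread or from either participant: a small POSIX shell helper that turns a few constructed `netstat -I igb0 -w 1` samples into received-pps, NIC-error-pps and Mbps figures, so the "100kpps received vs. 700k/s errors" observation above can be quantified on a running box by piping real netstat output into it. The column layout is assumed to be the FreeBSD 9.x/10.x one.

```shell
#!/bin/sh
# Added example (not from the thread): summarise `netstat -I igb0 -w 1` samples
# so that packets the kernel actually received are reported separately from
# packets the NIC counted as errors, which is the gap the original poster
# describes (~100 kpps received, ~700 k/s errors, ~50 Mbps seen by the kernel).
#
# Assumed column layout (FreeBSD 9.x/10.x netstat -w):
#   packets errs idrops bytes | packets errs bytes colls
# The sample lines below are constructed, not captured from the router.

SAMPLE='            input         (igb0)           output
   packets  errs idrops      bytes    packets  errs      bytes colls
    101234 703210     0    6300000      99871     0    6100000     0
     98877 698554     0    6200000      98110     0    6050000     0'

# Reads netstat -w lines on stdin; prints one line:
#   <avg received pps> <avg NIC error pps> <avg received Mbps> <error share %>
# Header lines are skipped because their first field is not numeric.
summarize_netstat() {
    awk '
        $1 ~ /^[0-9]+$/ { n++; pkts += $1; errs += $2; bytes += $4 }
        END {
            if (n == 0) { print "0 0 0 0"; exit }
            pps  = pkts / n
            eps  = errs / n
            mbps = bytes * 8 / n / 1000000
            # Share of offered packets the NIC could not hand to the kernel.
            loss = (pps + eps) > 0 ? 100 * eps / (pps + eps) : 0
            printf "%d %d %d %d\n", pps, eps, mbps, loss
        }'
}

# On a FreeBSD router replace the constructed sample with:
#   netstat -I igb0 -w 1 | head -n 12 | summarize_netstat
printf '%s\n' "$SAMPLE" | summarize_netstat
```

With the constructed sample the kernel sees about 100 kpps at 50 Mbps while the NIC reports roughly 700 k errors/s, i.e. about 87% of offered packets never reach pf, which is the same shape as the figures quoted in the thread.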
