On 8/23/05, Bostjan Hojkar <bostjan dot hojkar at fov dot uni dash mb dot si> wrote:
>
> Sometimes I notice packet loss like this:
>
> 2241 packets transmitted, 2196 received, 2% packet loss, time 1915ms
> (ping through firewall)
>
> I'm always pinging same host (uplink router),

I bet if you ping the router without the firewall, you'll still see ~2% packet loss over a long period. Routers tend to ignore ICMP echo requests when they have better things to do (i.e. are under a bit of load).

Or, put a packet sniffer on both sides of m0n0wall and see if you're seeing all the echo requests on the outside of the firewall. I'm betting you will see them getting through the firewall and never coming back from the router.

>
> Is it possible that sometimes I get hit by some blocked traffic, and
> m0n0wall is logging connections, and while doing this, some packets don't go
> through?
>

No. Not with as low of CPU usage as you're seeing. If you were absolutely pounding a slow system (like trying to push 20 Mb through a 486), then yes you might see some lost packets, but it's definitely not the case here.

>
> BTW - in documentation, filtering bridge, there is a suggestion to put a
> public IP on WAN interface - you don't need that for filtering bridge, do
> you?
> Is it an error? Or it should be stated that you only need that, if you want
> your m0n0wall to access internet (hence see the updates & stuff).
>

That's absolutely correct for the example it's illustrating. In that configuration, you need to be able to administer it over the Internet, so yes, it must have a public IP. It's also pretty important that it can get to the Internet so it can keep its time synced for log correlation purposes.

-Chris
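
The two-sided capture comparison suggested in the reply above, as an added example that is not part of the original message: it matches ICMP echo requests and replies by id and sequence number in tcpdump text output taken on the inside and outside of the firewall, and reports where each unanswered ping was lost. The addresses and capture lines are constructed, and it assumes the firewall does not rewrite the ICMP id (as on a filtering bridge).

```python
import re
from collections import Counter

# Matches tcpdump's default one-line ICMP echo summary.
ECHO = re.compile(r"ICMP echo (request|reply), id (\d+), seq (\d+)")

def parse(capture_text):
    """Return the (id, seq) pairs seen as requests and as replies."""
    seen = {"request": set(), "reply": set()}
    for line in capture_text.splitlines():
        m = ECHO.search(line)
        if m:
            seen[m.group(1)].add((int(m.group(2)), int(m.group(3))))
    return seen

def classify(inside_text, outside_text):
    """For every request sent from the inside, say where it (or its reply) stopped."""
    inside, outside = parse(inside_text), parse(outside_text)
    verdicts = {}
    for key in sorted(inside["request"]):
        if key in inside["reply"]:
            verdicts[key] = "ok"
        elif key not in outside["request"]:
            verdicts[key] = "request lost in firewall"
        elif key not in outside["reply"]:
            verdicts[key] = "no reply from router"
        else:
            verdicts[key] = "reply lost in firewall"
    return verdicts

def summary(verdicts):
    return Counter(verdicts.values())

# Constructed sample captures (192.0.2.10 = pinging host, 192.0.2.1 = router).
REQ = "12:00:0{s}.000100 IP 192.0.2.10 > 192.0.2.1: ICMP echo request, id 4660, seq {s}, length 64"
REP = "12:00:0{s}.000900 IP 192.0.2.1 > 192.0.2.10: ICMP echo reply, id 4660, seq {s}, length 64"
INSIDE = "\n".join([REQ.format(s=1), REP.format(s=1), REQ.format(s=2),
                    REQ.format(s=3), REQ.format(s=4)])
OUTSIDE = "\n".join([REQ.format(s=1), REP.format(s=1), REQ.format(s=2),
                     REQ.format(s=4), REP.format(s=4)])

if __name__ == "__main__":
    for (icmp_id, seq), verdict in classify(INSIDE, OUTSIDE).items():
        print(f"id {icmp_id} seq {seq}: {verdict}")
    print(dict(summary(classify(INSIDE, OUTSIDE))))
```

If the firewall does NAT and rewrites the ICMP id, match on the sequence number alone and capture a single ping session at a time.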