 From:  "Bostjan Hojkar" <bostjan dot hojkar at fov dot uni dash mb dot si>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Cc:  "Chris Buechler" <cbuechler at gmail dot com>
 Subject:  Re: [m0n0wall] Filtering bridge - packet loss
 Date:  Wed, 24 Aug 2005 11:33:16 +0200
>> Sometimes i notice packet loss like this:
>>
>> 2241 packets transmitted, 2196 received, 2% packet loss, time 1915ms
>> (ping through firewall)
>>
>> I'm always pinging same host (uplink router),
>
>I bet if you ping the router without the firewall, you'll still see
>~2% packet loss over a long period.  Routers tend to ignore ICMP echo
>requests when they have better things to do (i.e. are under a bit of
>load).  Or, put a packet sniffer on both sides of m0n0wall and see if
>you're seeing all the echo requests on the outside of the firewall.
>I'm betting you will see them getting through the firewall and never
>coming back from the router.

Not really. Without m0n0 (direct connect) - no packet loss.
I traced the problem - if I pull out RJ45 for WAN or OPT1 (one is enough) 
for 5 sec, plug it back in - I notice packet loss.
I can fix packet loss by clicking "interfaces" - my guess is ifconfig resets 
something. After that, all pings come back the way expected.
And this is repeatable - see attached .txt file for more info on how I got 
these results.

Next step (if no idea in m0n0wall config or sysctl) I'm going to do is 
change network cards, both WAN and OPT1. Currently I use 3Com 905-TX NM.

Should m0n0wall work out of the box for my network (~ 3 C-class subnets of 
public IPs through bridge firewall) or should I tweak something with sysctl? 
(I'm still looking about this on list archive, so sorry if it has been 
discussed)

Regards, Bostjan

Resolving packet loss on m0n0wall
=================================


Traceroute works like a charm besides sometimes some lost answers, but if a router is busy, it won't
always answer with a TTL time exceeded, so I guess traceroutes are fine:

traceroute to s0.m0n0.ch (80.238.135.125), 30 hops max, 38 byte packets
 1  rfov (xxxxxxxxxxxxxx)  0.422 ms  0.361 ms  0.359 ms
 2  lfov (xxxxxxxxxxxxxx)  0.455 ms  0.419 ms  0.428 ms
 3  xfov (xxxxxxxxxxxxxx)  0.506 ms  0.485 ms  0.450 ms
 4  larnes6-V704.arnes.si (212.235.160.21)  0.849 ms  0.821 ms  0.825 ms
 5  rarnesGEANT-G0-2-0x0.arnes.si (212.235.160.246)  1.142 ms  1.472 ms  0.959 ms
 6  arnes.si1.si.geant.net (62.40.103.49)  2.022 ms  0.983 ms  0.942 ms
 7  si.at1.at.geant.net (62.40.96.13)  9.013 ms  8.973 ms  9.052 ms
 8  212.73.202.141 (212.73.202.141)  9.311 ms  9.105 ms  9.118 ms
 9  so-4-0-0.mp2.Vienna1.Level3.net (4.68.112.81)  76.522 ms  9.419 ms  9.371 ms
10  ae-1-0.bbr1.Frankfurt1.Level3.net (212.187.128.30)  21.326 ms as-0-0.bbr2.Frankfurt.Level3.net (4.68.128.1)  21.392 ms  21.325 ms
11  ge-10-0.ipcolo1.Frankfurt1.Level3.net (195.122.136.7)  22.198 ms
ge-11-1.ipcolo1.Frankfurt1.Level3.net (195.122.136.83)  21.279 ms
ge-10-1.ipcolo1.Frankfurt1.Level3.net (195.122.136.67)  21.346 ms
12  gw0.fe-2-0-0.decix.de.netstream.com (62.65.134.1)  22.235 ms  21.762 ms  22.908 ms
13  core1.atm-1-0-0.nshq.ch.netstream.com (62.65.128.129)  35.039 ms  33.833 ms  34.106 ms
14  lns0.ge-0-2-0.nshq.ch.netstream.com (62.65.128.163)  33.881 ms  34.676 ms  36.100 ms
15  gw.ptr-80-238-129-130.customer.ch.netstream.com (80.238.129.130)  46.527 ms  45.824 ms  45.943 ms
16  s0.m0n0.ch (80.238.135.125)  44.656 ms  46.090 ms  44.790 ms

Between #1 and #2 is m0n0wall, pings from host on LAN to #2 sometimes result in 2-5% packet loss.... 
#2 is my provider's router, and I don't see any packet loss if I connect directly.

After some further testing I notice that packet loss starts if I plug out cables - do direct connect
between routers (#1 and #2), and after that, plug in m0n0wall again between #1 and #2. M0n0 is
running online all the time, no changes on config or anything.. Just plug out WAN & OPT (bridged
interfaces).

------------------------
Trying to resolve problem:

1. ping.. i get packet loss.
4056 packets transmitted, 4006 received, 1% packet loss, time 2932ms
rtt min/avg/max/mdev = 0.402/0.474/2.929/0.248 ms, ipg/ewma 0.723/0.510 ms

2. disabling filtering bridge (going to dumb bridge mode)
3957 packets transmitted, 3881 received, 1% packet loss, time 3153ms
rtt min/avg/max/mdev = 0.397/0.476/3.448/0.258 ms, ipg/ewma 0.797/0.447 ms

3. not helping, so jumping back to filtering bridge
4424 packets transmitted, 4193 received, 5% packet loss, time 5270ms
rtt min/avg/max/mdev = 0.398/0.500/15.655/0.371 ms, pipe 2, ipg/ewma 1.191/0.631 ms

!!! Notice substantially more packet loss

4. disabling filtering bridge again
4684 packets transmitted, 4683 received, 0% packet loss, time 3146ms
rtt min/avg/max/mdev = 0.405/0.497/8.248/0.306 ms, ipg/ewma 0.671/0.450 ms

!!!! Phew. things looking better?

5. enabling filtering bridge, keeping my fingers crossed
5028 packets transmitted, 5028 received, 0% packet loss, time 3261ms
rtt min/avg/max/mdev = 0.399/0.490/3.515/0.273 ms, ipg/ewma 0.648/0.455 ms

!!!! Everything works!
(Estimated time 2-3 minutes)

---------------------------
Trying to repeat above, with further testing:

1. plugged out WAN for 5 sec..
3985 packets transmitted, 3824 received, 4% packet loss, time 4150ms
rtt min/avg/max/mdev = 0.398/0.489/3.343/0.258 ms, ipg/ewma 1.041/0.466 ms

2. disabled filtering bridge
4038 packets transmitted, 3817 received, 5% packet loss, time 4854ms
rtt min/avg/max/mdev = 0.404/0.495/4.802/0.288 ms, ipg/ewma 1.202/0.550 ms

3. enabled filtering bridge
4092 packets transmitted, 3867 received, 5% packet loss, time 5043ms
rtt min/avg/max/mdev = 0.398/0.503/12.139/0.332 ms, pipe 2, ipg/ewma 1.232/0.485 ms

4. disabled again..
4277 packets transmitted, 4052 received, 5% packet loss, time 5106ms
rtt min/avg/max/mdev = 0.404/0.498/3.563/0.269 ms, ipg/ewma 1.194/0.619 ms

Shit.. it's not helping any more... so maybe all I need is to wait some time for things to fix,
disabling and enabling maybe not related at all...

5. I check "Rules" and "Interfaces" pages
4826 packets transmitted, 4825 received, 0% packet loss, time 3298ms
rtt min/avg/max/mdev = 0.405/0.499/3.491/0.273 ms, ipg/ewma 0.683/0.451 ms

!!! MAGIC. I suspect the "interfaces" might be the one...

6. Enabling filtering bridge again
4775 packets transmitted, 4774 received, 0% packet loss, time 3314ms
rtt min/avg/max/mdev = 0.401/0.505/14.280/0.353 ms, pipe 2, ipg/ewma 0.694/0.499 ms

Still OK...



---------------------------
#2 trying to repeat and get closer to "fix it procedure"

1. Unplugging LAN for 5 sec
4781 packets transmitted, 4773 received, 0% packet loss, time 3024ms
rtt min/avg/max/mdev = 0.402/0.485/28.999/0.567 ms, pipe 3, ipg/ewma 0.632/0.468 ms

Although the result is 0%, figures show some packet loss below 1%

2. Clicking "interfaces" on m0n0
4734 packets transmitted, 4733 received, 0% packet loss, time 2970ms
rtt min/avg/max/mdev = 0.403/0.482/3.561/0.265 ms, ipg/ewma 0.627/0.471 ms

3. Trying 1. and 2. for WAN - results are the same, packet loss was about 3%, after clicking
"interfaces", things are OK.

So the stuff is repeatable, and is happening. Can anyone else try to repeat this?
Would anyone with more insight into kernel and bridge stuff care to comment on results?