 From:  dany underscore list at natzo dot com
 To:  dany underscore list at natzo dot com
 Cc:  zealot <zealot at tradersguild dot net>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Network getting slower after 20 minutes - Session 2 and 3
 Date:  Mon, 19 Jan 2004 06:26:57 -0600
It's getting worse.  

Session 2 gave me a "bad nat 4" and during session 3 the PC has rebooted by
itself!!!
See the details below as well as dmesg.


Session 2 :
I was able to download about 700MB without any problem using a direct connection
(crossover) from the PC to the firewall.

Then I decided (without rebooting) to get back to the switch. I did it and
requested a new IP address and within a minute I got my slow down.

At this time I was able to get the following trace.
The interesting one is "bad nat 4".  What does that mean ?
Is this because I've added the switch ?

********************************************
$ ipnat -s
mapped        in        336721        out        234261
added        1350        expired        1229
no memory        0        bad nat        4
inuse        121
rules        3
wilds        0
*********************************************

$ ipfstat -s
IP states added:
        1493 TCP
        364 UDP
        244 ICMP
        2291511 hits
        13102 misses
        0 maximum
        0 no memory
        142 bkts in use
        149 active
        534 expired
        1418 closed


Session 3 :

For this round I used :

PC -> Switch -> Firewall -> Cable modem

I've been able to download 700MB without problem (at 380KBps average) then I
started a second download session. I then refreshed ipfstat and ipnat as often
as I could. The last one can be found below.

This time, I didn't get any slower pings but instead I received a HARD RESET !!!

That's the first one I see for the past 2 years on this machine (when running
IPcop).

Something is definitely wrong. Any idea ?

PS : I ran MemTest86 overnight (11 times during 7 hours)... not a single error.



$ ipfstat -s
IP states added:
        1268 TCP
        225 UDP
        215 ICMP
        4516758 hits
        12162 misses
        0 maximum
        0 no memory
        32 bkts in use
        32 active
        439 expired
        1237 closed

$ ipnat -s
mapped        in        694645        out        427910
added        466        expired        445
no memory        0        bad nat        0
inuse        21
rules        3
wilds        0


$ dmesg
Copyright (c) 1992-2003 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD 4.9-RELEASE-p1 #0: Sat Jan 17 11:54:57 CET 2004
    root at nb dot neon1 dot net:/usr/src/sys/compile/M0N0WALL_GENERIC
Timecounter "i8254"  frequency 1193182 Hz
CPU: Pentium/P55C (166.40-MHz 586-class CPU)
  Origin = "GenuineIntel"  Id = 0x544  Stepping = 4
  Features=0x8001bf<FPU,VME,DE,PSE,TSC,MSR,MCE,CX8,MMX>
real memory  = 167772160 (163840K bytes)
avail memory = 148492288 (145012K bytes)
Preloaded elf kernel "kernel" at 0xc0e0e000.
Preloaded mfs_root "/mfsroot" at 0xc0e0e09c.
Intel Pentium detected, installing workaround for F00F bug
md0: Preloaded image </mfsroot> 10485760 bytes at 0xc040cd90
md1: Malloc disk
Using $PIR table, 5 entries at 0xc00f1cc0
npx0: <math processor> on motherboard
npx0: INT 16 interface
pcib0: <Host to PCI bridge> on motherboard
pci0: <PCI bus> on pcib0
rl0: <RealTek 8139 10/100BaseTX> port 0x1000-0x10ff mem 0x44000000-0x440000ff irq 11 at device 2.0 on pci0
rl0: Ethernet address: 00:48:54:5e:52:83
miibus0: <MII bus> on rl0
rlphy0: <RealTek internal media interface> on miibus0
rlphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
rl1: <RealTek 8139 10/100BaseTX> port 0x1400-0x14ff mem 0x44100000-0x441000ff irq 11 at device 4.0 on pci0
rl1: Ethernet address: 00:48:54:5e:53:14
miibus1: <MII bus> on rl1
rlphy1: <RealTek internal media interface> on miibus1
rlphy1:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
isab0: <VIA 82C586 PCI-ISA bridge> at device 7.0 on pci0
isa0: <ISA bus> on isab0
atapci0: <VIA 82C586 ATA33 controller> port 0x1c00-0x1c0f at device 7.1 on pci0
ata0: at 0x1f0 irq 14 on atapci0
ata1: at 0x170 irq 15 on atapci0
uhci0: <VIA 83C572 USB controller> port 0x1c20-0x1c3f irq 11 at device 7.2 on pci0
usb0: <VIA 83C572 USB controller> on uhci0
usb0: USB revision 1.0
uhub0: VIA UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
pci0: <unknown card> (vendor=0x1106, dev=0x3040) at 7.3
pci0: <S3 Trio 64V2/DX/GX graphics accelerator> at 15.0 irq 11
orm0: <Option ROMs> at iomem 0xc0000-0xc7fff,0xe7000-0xeffff on isa0
pmtimer0 on isa0
fdc0: <NEC 72065B or clone> at port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on isa0
fdc0: FIFO enabled, 8 bytes threshold
fd0: <1440-KB 3.5" drive> on fdc0 drive 0
atkbdc0: <Keyboard controller (i8042)> at port 0x60,0x64 on isa0
atkbd0: <aT Keyboard> flags 0x1 irq 1 on atkbdc0
kbd0 at atkbd0
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
sio0: type 16550A
sio1: configured irq 3 not in bitmap of probed irqs 0
RTC BIOS diagnostic error 2
BRIDGE 020214 loaded
IPsec: Initialized Security Association Processing.
IP Filter: v3.4.31 initialized.  Default = block all, Logging = enabled
acd0: CD-RW <SAMSUNG CD-R/RW SW-232B> at ata0-master PIO4
Mounting root from ufs:/dev/md0c





Quoting dany underscore list at natzo dot com:

> Here the result of my first session (switch + AP).
> 
> In order to see the problem, I've downloaded a big iso image. Unfortunately I
> don't have ipfstat and ipnat close enough to the event.
> 
> No traffic shaper, no NAT, no Pipe.... only one rule for LAN (the default one)
>  *  	 LAN net  	 *  	 *  	 *  	 Default LAN -> any 
> 
> Basically after reboot :
> 
> $ ipfstat -s
> IP states added:
> 	2 TCP
> 	6 UDP
> 	4 ICMP
> 	62 hits
> 	29 misses
> 	0 maximum
> 	0 no memory
> 	6 bkts in use
> 	6 active
> 	6 expired
> 	0 closed
> 	
> $ ipnat -s
> mapped	in	3	out	3
> added	3	expired	0
> no memory	0	bad nat	0
> inuse	3
> rules	3
> wilds	0
> 
> 
> 
> 
> Some time after :
> 
> $ ipfstat -s
> IP states added:
> 	581 TCP
> 	122 UDP
> 	64 ICMP
> 	212164 hits
> 	10541 misses
> 	0 maximum
> 	0 no memory
> 	207 bkts in use
> 	207 active
> 	183 expired
> 	377 closed	
> 	
> $ ipnat -s
> mapped	in	31915	out	18800
> added	270	expired	118
> no memory	0	bad nat	0
> inuse	152
> rules	3
> wilds	0	
> 
> 
> I'm working on a second session where I only have 1 PC connected to the firewall
> through a crossover cable.
> 
> I'll post my results later on.
> 
> Dany
> 
> 
> Quoting zealot <zealot at tradersguild dot net>:
> 
> > Dany wrote:
> > 
> > > Fred Weston wrote:
> > > 
> > >> Dany wrote:
> > >>
> > >>> Fred Weston wrote:
> > >>>
> > >>>> Dany wrote:
> > >>>>
> > >>>>> Hello,
> > >>>>>
> > >>>>> I wanted to see if m0n0wall could replace my ipcop box which has 
> > >>>>> been running for few years now.
> > >>>>> Hardware is an old Compaq Pentium 200MHz with 200MB of memory and 
> > >>>>> two realtek NIC, a small switch and a SMC-2655W 802.11b AP.
> > >>>>>
> > >>>>> I used the following CD image (fairly new!) :
> > >>>>> cdrom-pb25r595.iso
> > >>>>> Version: Public Beta Release 25, Build #595
> > >>>>> Release date: 01/17/2004
> > >>>>>
> > >>>>> Everything works fine, I really like it.
> > >>>>> Just after installing it if I ping the firewall from a station I 
> > >>>>> get "<10ms" but after let's say 20 minutes (random in fact) it goes 
> > >>>>> to 80-100ms. This morning it was over 900ms. In some cases I can't 
> > >>>>> even get the firewall webpage so I have to reboot it the cold way. 
> > >>>>> Names are taking longer to resolve (if they ever resolve).
> > >>>>>
> > >>>>> Any idea on this performance drop over the time ?
> > >>>>>
> > >>>>> Thank you
> > >>>>> Dany
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>> ---------------------------------------------------------------------
> > >>>>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> > >>>>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>> I can't think of any reason off the top of my head as to why you 
> > >>>> would see this behaviour.  My only suggestion would be to try 
> > >>>> removing everything non-essential such as the AP and switch and try 
> > >>>> running it for a while with just a single PC connected to it and see 
> > >>>> if the problem remains.  It sounds like you might be overloading the 
> > >>>> MAC table on your switch, but with a setup that small, that seems 
> > >>>> unlikely.
> > >>>>
> > >>> Today I got the problem after few hours.
> > >>> Ping started to give long time and then no ping at all for both lan 
> > >>> and wan addresses.
> > >>> I then disconnected the switch and AP and connected only one PC to 
> > >>> the firewall using a crossover cable but that didn't solve anything.
> > >>>
> > >>> Dany
> > >>>
> > >>>
> > >>>
> > >>>
> > >> In your setup, are you running ipcop and m0n0 on the same hardware?  
> > >> If not, perhaps you could try replacing one or both NICs.  It may be 
> > >> worthwhile to simply start over with m0n0 by resetting it to 
> > >> defaults.  Configure only your IP addresses and anything else 
> > >> essential for it to function and then see if you still experience the 
> > >> same symptoms.
> > >>
> > > Same hardware, to run ipcop I reboot with the HDD connected. For 
> > > monowall, I just insert the CD and floppy.
> > > This afternoon I restarted from scratch. I just use the DHCP server of 
> > > the monowall box to get my clients internet access (no fancy rules or 
> > > bandwidth limitation).
> > > 
> > > One thing I do is to give a pre-defined IP address based on the MAC 
> > > address of each PC (outside the DHCP IP range).
> > > 
> > > Dany
> > > 
> > 
> > 
> > Dany,
> > 
> > Do you have Traffic Shaper enabled, but no rules created for it?
> > 
> > z
> > 
> > 
> 
> 
> 
> 
> 
>
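
Added example, not part of the original messages: a small Python parser for the `ipnat -s` snapshots posted in this thread, which checks each one for NAT table accounting and non-zero error counters. It assumes `inuse` should equal `added` minus `expired` (this holds in every snapshot posted here); the function names are illustrative.

```python
import re

# `ipnat -s` output copied from the snapshots posted in this thread.
SNAPSHOTS = {
    "session 1 (later)": """mapped in 31915 out 18800
added 270 expired 118
no memory 0 bad nat 0
inuse 152
rules 3
wilds 0""",
    "session 2": """mapped in 336721 out 234261
added 1350 expired 1229
no memory 0 bad nat 4
inuse 121
rules 3
wilds 0""",
    "session 3": """mapped in 694645 out 427910
added 466 expired 445
no memory 0 bad nat 0
inuse 21
rules 3
wilds 0""",
}

def parse_ipnat(text):
    """Return {counter: value}; labels may contain spaces or tabs ("bad nat")."""
    stats = {}
    for label, value in re.findall(r"([a-z \t]+?)\s+(\d+)", text):
        label = " ".join(label.split())
        if label == "out":  # second field of the "mapped in N out M" line
            label = "mapped out"
        stats[label] = int(value)
    return stats

def check(stats):
    """Findings for one snapshot: NAT table accounting and error counters."""
    findings = []
    if stats["added"] - stats["expired"] != stats["inuse"]:
        findings.append("inuse != added - expired")
    for counter in ("no memory", "bad nat"):
        if stats[counter]:
            findings.append(f"{counter} = {stats[counter]}")
    return findings

def report():
    return {name: check(parse_ipnat(text)) for name, text in SNAPSHOTS.items()}

if __name__ == "__main__":
    for name, findings in report().items():
        print(f"{name}: {findings or 'clean'}")
```

On the posted data the table accounting is consistent in all three snapshots, and the only non-zero error counter is `bad nat` in session 2.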