How can a bad switch (yes, it's a switch, not a hub) make the firewall crash & reboot?
I will try again without the switch just to make sure.

Thank you
Dany

Quoting webmaster at ics dash group dot de:

> I had the same problem once. But it was the switch not m0n0wall ... maybe u
> try another switch and be careful don't use a HUB because that my network
> f*cked up all the time ... a hub is only able to broadcast and that's the
> problem u have ... sounds 2 me . Give it a try ...
>
> Cya Steven
>
> -----Original Message-----
> From: dany underscore list at natzo dot com [mailto:dany underscore list at natzo dot com]
> Sent: Monday, 19 January 2004 13:27
> To: dany underscore list at natzo dot com
> Cc: zealot; m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] Network getting slower after 20 minutes - Session 2 and 3
>
> It's getting worse.
>
> Session 2 gave me a "bad nat 4" and during session 3 the PC has rebooted by
> itself!!!
> See the details below as well as dmesg.
>
>
> Session 2 :
> I was able to download about 700MB without any problem using a direct connection
> (crossover) from the PC to the firewall.
>
> Then I decided (without rebooting) to get back to the switch. I did it and
> requested a new IP address and within a minute I got my slow down.
>
> At this time I was able to get the following trace.
> The interesting one is "bad nat 4". What does that mean ?
> Is this because I've added the switch ?
>
> ********************************************
> $ ipnat -s
> mapped in 336721 out 234261
> added 1350 expired 1229
> no memory 0 bad nat 4
> inuse 121
> rules 3
> wilds 0
> *********************************************
>
> $ ipfstat -s
> IP states added:
> 1493 TCP
> 364 UDP
> 244 ICMP
> 2291511 hits
> 13102 misses
> 0 maximum
> 0 no memory
> 142 bkts in use
> 149 active
> 534 expired
> 1418 closed
>
>
> Session 3 :
>
> For this round I used :
>
> PC -> Switch -> Firewall -> Cable modem
>
> I've been able to download 700MB without problem (at 380KBps average) then I
> started a second download session. I then refreshed ipfstat and ipnat as often
> as I could. The last one can be found below.
>
> This time, I didn't get any slower pings but instead I received a HARD RESET !!!
>
> That's the first one I see for the past 2 years on this machine (when running
> IPcop).
>
> Something is definitely wrong. Any idea ?
>
> PS : I ran MemTest86 overnight (11 times during 7 hours)... not a single error.
>
>
> $ ipfstat -s
> IP states added:
> 1268 TCP
> 225 UDP
> 215 ICMP
> 4516758 hits
> 12162 misses
> 0 maximum
> 0 no memory
> 32 bkts in use
> 32 active
> 439 expired
> 1237 closed
>
> $ ipnat -s
> mapped in 694645 out 427910
> added 466 expired 445
> no memory 0 bad nat 0
> inuse 21
> rules 3
> wilds 0
>
>
> $ dmesg
> Copyright (c) 1992-2003 The FreeBSD Project.
> Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
> The Regents of the University of California. All rights reserved.
> FreeBSD 4.9-RELEASE-p1 #0: Sat Jan 17 11:54:57 CET 2004
> root at nb dot neon1 dot net:/usr/src/sys/compile/M0N0WALL_GENERIC
> Timecounter "i8254" frequency 1193182 Hz
> CPU: Pentium/P55C (166.40-MHz 586-class CPU)
> Origin = "GenuineIntel" Id = 0x544 Stepping = 4
> Features=0x8001bf<FPU,VME,DE,PSE,TSC,MSR,MCE,CX8,MMX>
> real memory = 167772160 (163840K bytes)
> avail memory = 148492288 (145012K bytes)
> Preloaded elf kernel "kernel" at 0xc0e0e000.
> Preloaded mfs_root "/mfsroot" at 0xc0e0e09c.
> Intel Pentium detected, installing workaround for F00F bug
> md0: Preloaded image </mfsroot> 10485760 bytes at 0xc040cd90
> md1: Malloc disk
> Using $PIR table, 5 entries at 0xc00f1cc0
> npx0: <math processor> on motherboard
> npx0: INT 16 interface
> pcib0: <Host to PCI bridge> on motherboard
> pci0: <PCI bus> on pcib0
> rl0: <RealTek 8139 10/100BaseTX> port 0x1000-0x10ff mem 0x44000000-0x440000ff irq 11 at device 2.0 on pci0
> rl0: Ethernet address: 00:48:54:5e:52:83
> miibus0: <MII bus> on rl0
> rlphy0: <RealTek internal media interface> on miibus0
> rlphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
> rl1: <RealTek 8139 10/100BaseTX> port 0x1400-0x14ff mem 0x44100000-0x441000ff irq 11 at device 4.0 on pci0
> rl1: Ethernet address: 00:48:54:5e:53:14
> miibus1: <MII bus> on rl1
> rlphy1: <RealTek internal media interface> on miibus1
> rlphy1: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
> isab0: <VIA 82C586 PCI-ISA bridge> at device 7.0 on pci0
> isa0: <ISA bus> on isab0
> atapci0: <VIA 82C586 ATA33 controller> port 0x1c00-0x1c0f at device 7.1 on pci0
> ata0: at 0x1f0 irq 14 on atapci0
> ata1: at 0x170 irq 15 on atapci0
> uhci0: <VIA 83C572 USB controller> port 0x1c20-0x1c3f irq 11 at device 7.2 on pci0
> usb0: <VIA 83C572 USB controller> on uhci0
> usb0: USB revision 1.0
> uhub0: VIA UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
> uhub0: 2 ports with 2 removable, self powered
> pci0: <unknown card> (vendor=0x1106, dev=0x3040) at 7.3
> pci0: <S3 Trio 64V2/DX/GX graphics accelerator> at 15.0 irq 11
> orm0: <Option ROMs> at iomem 0xc0000-0xc7fff,0xe7000-0xeffff on isa0
> pmtimer0 on isa0
> fdc0: <NEC 72065B or clone> at port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on isa0
> fdc0: FIFO enabled, 8 bytes threshold
> fd0: <1440-KB 3.5" drive> on fdc0 drive 0
> atkbdc0: <Keyboard controller (i8042)> at port 0x60,0x64 on isa0
> atkbd0: <aT Keyboard> flags 0x1 irq 1 on atkbdc0
> kbd0 at atkbd0
> vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
> sc0: <System console> at flags 0x100 on isa0
> sc0: VGA <16 virtual consoles, flags=0x300>
> sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
> sio0: type 16550A
> sio1: configured irq 3 not in bitmap of probed irqs 0
> RTC BIOS diagnostic error 2
> BRIDGE 020214 loaded
> IPsec: Initialized Security Association Processing.
> IP Filter: v3.4.31 initialized. Default = block all, Logging = enabled
> acd0: CD-RW <SAMSUNG CD-R/RW SW-232B> at ata0-master PIO4
> Mounting root from ufs:/dev/md0c
>
>
> Quoting dany underscore list at natzo dot com:
>
> > Here the result of my first session (switch + AP).
> >
> > In order to see the problem, I've downloaded a big iso image. Unfortunately I
> > don't have ipfstat and ipnat close enough to the event.
> >
> > No traffic shaper, no NAT, no Pipe.... only one rule for LAN (the default one)
> > * LAN net * * * Default LAN -> any
> >
> > Basically after reboot :
> >
> > $ ipfstat -s
> > IP states added:
> > 2 TCP
> > 6 UDP
> > 4 ICMP
> > 62 hits
> > 29 misses
> > 0 maximum
> > 0 no memory
> > 6 bkts in use
> > 6 active
> > 6 expired
> > 0 closed
> >
> > $ ipnat -s
> > mapped in 3 out 3
> > added 3 expired 0
> > no memory 0 bad nat 0
> > inuse 3
> > rules 3
> > wilds 0
> >
> >
> > Some time after :
> >
> > $ ipfstat -s
> > IP states added:
> > 581 TCP
> > 122 UDP
> > 64 ICMP
> > 212164 hits
> > 10541 misses
> > 0 maximum
> > 0 no memory
> > 207 bkts in use
> > 207 active
> > 183 expired
> > 377 closed
> >
> > $ ipnat -s
> > mapped in 31915 out 18800
> > added 270 expired 118
> > no memory 0 bad nat 0
> > inuse 152
> > rules 3
> > wilds 0
> >
> >
> > I'm working on a second session where I only have 1 PC connected to the
> > firewall through a crossover cable.
> >
> > I'll post my results later on.
> >
> > Dany
> >
> >
> > Quoting zealot <zealot at tradersguild dot net>:
> >
> > > Dany wrote:
> > >
> > > > Fred Weston wrote:
> > > >
> > > >> Dany wrote:
> > > >>
> > > >>> Fred Weston wrote:
> > > >>>
> > > >>>> Dany wrote:
> > > >>>>
> > > >>>>> Hello,
> > > >>>>>
> > > >>>>> I wanted to see if m0n0wall could replace my ipcop box which has
> > > >>>>> been running for few years now.
> > > >>>>> Hardware is an old Compaq Pentium 200MHz with 200MB of memory and
> > > >>>>> two realtek NIC, a small switch and a SMC-2655W 802.11b AP.
> > > >>>>>
> > > >>>>> I used the following CD image (fairly new!) :
> > > >>>>> cdrom-pb25r595.iso
> > > >>>>> Version: Public Beta Release 25, Build #595
> > > >>>>> Release date: 01/17/2004
> > > >>>>>
> > > >>>>> Everything works fine, I really like it.
> > > >>>>> Just after installing it if I ping the firewall from a station I
> > > >>>>> get "<10ms" but after let's say 20 minutes (random in fact) it goes
> > > >>>>> to 80-100ms. This morning it was over 900ms. In some cases I can't
> > > >>>>> even get the firewall webpage so I have to reboot it the cold way.
> > > >>>>> Names are taking longer to resolve (if they ever resolve).
> > > >>>>>
> > > >>>>> Any idea on this performance drop over the time ?
> > > >>>>>
> > > >>>>> Thank you
> > > >>>>> Dany
> > > >>>>>
> > > >>>>> ---------------------------------------------------------------------
> > > >>>>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> > > >>>>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> > > >>>>>
> > > >>>> I can't think of any reason off the top of my head as to why you
> > > >>>> would see this behaviour. My only suggestion would be to try
> > > >>>> removing everything non-essential such as the AP and switch and try
> > > >>>> running it for a while with just a single PC connected to it and see
> > > >>>> if the problem remains. It sounds like you might be overloading the
> > > >>>> MAC table on your switch, but with a setup that small, that seems
> > > >>>> unlikely.
> > > >>>>
> > > >>> Today I got the problem after few hours.
> > > >>> Ping started to give long time and then no ping at all for both lan
> > > >>> and wan addresses.
> > > >>> I then disconnected the switch and AP and connected only one PC to
> > > >>> the firewall using a crossover cable but that didn't solve anything.
> > > >>>
> > > >>> Dany
> > > >>>
> > > >> In your setup, are you running ipcop and m0n0 on the same hardware?
> > > >> If not, perhaps you could try replacing one or both NICs. It may be
> > > >> worthwhile to simply start over with m0n0 by resetting it to
> > > >> defaults. Configure only your IP addresses and anything else
> > > >> essential for it to function and then see if you still experience the
> > > >> same symptoms.
> > > >>
> > > > same hardware, to run ipcop I reboot with the HDD connected. For
> > > > monowall, I just insert the CD and floppy.
> > > > This afternoon I restarted from scratch. I just use the DHCP server of
> > > > the monowall box to get my clients internet access (no fancy rules or
> > > > bandwidth limitation).
> > > >
> > > > One thing I do is to give a pre-defined IP address based on the MAC
> > > > address of each PC (outside the DHCP IP range).
> > > >
> > > > Dany
> > >
> > > Dany,
> > >
> > > Do you have Traffic Shaper enabled, but no rules created for it?
> > >
> > > z
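
An added example, not part of the original thread: a small Python script that parses the `ipnat -s` snapshots posted above and compares them in order. It assumes that nonzero `no memory` / `bad nat` values deserve a look and that the mapped/added/expired counters only grow while the box stays up; the function and constant names are hypothetical.

```python
import re

PAIR = re.compile(r"([a-z][a-z ]*?) (\d+)")
ERROR_COUNTERS = ("no memory", "bad nat")              # assumption: nonzero deserves a look
CUMULATIVE = ("mapped in", "out", "added", "expired")  # assumption: only grow while up

# `ipnat -s` snapshots as posted in the thread (first three lines of each).
SNAPSHOTS = [
    ("session 1", "mapped in 31915 out 18800\nadded 270 expired 118\nno memory 0 bad nat 0"),
    ("session 2", "> mapped in 336721 out 234261\n> added 1350 expired 1229\n> no memory 0 bad nat 4"),
    ("session 3", "> mapped in 694645 out 427910\n> added 466 expired 445\n> no memory 0 bad nat 0"),
]


def parse_ipnat(text):
    """Turn `ipnat -s` output into {counter name: int}; tolerates '> ' mail quoting."""
    stats = {}
    for line in text.splitlines():
        # Drop quote markers, then collapse tabs and runs of spaces to single spaces.
        line = " ".join(line.lstrip("> ").lower().split())
        for name, value in PAIR.findall(line):
            stats[name] = int(value)
    return stats


def review(snapshots):
    """Walk labelled snapshots in order and return (label, note) findings."""
    findings, prev_label, prev = [], None, None
    for label, text in snapshots:
        cur = parse_ipnat(text)
        for name in ERROR_COUNTERS:
            if cur.get(name, 0) > 0:
                findings.append((label, f"{name} = {cur[name]}"))
        if prev is not None:
            # A cumulative counter below its earlier value suggests the
            # counters restarted between the two snapshots (assumption).
            dropped = [n for n in CUMULATIVE if cur.get(n, 0) < prev.get(n, 0)]
            if dropped:
                findings.append((label, f"lower than in {prev_label}: {', '.join(dropped)}"))
        prev_label, prev = label, cur
    return findings


if __name__ == "__main__":
    for label, note in review(SNAPSHOTS):
        print(f"{label}: {note}")
```
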