 From:  Dany Nativel <dany underscore list at natzo dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: AW: [m0n0wall] Network getting slower after 20 minutes - Solved
 Date:  Sun, 01 Feb 2004 18:49:02 -0500
I solved the problem by changing my hardware (it was planned when I 
started playing with m0n0wall).

I switched my old firewall based on a Pentium 175MHz + 2 RTL8139C to a 
Soekris 4501... thanks for the silence!

So using the same cable modem, same switch, same clients, same network 
config... it works very well... no slowdown!!

It's tempting to believe it comes from the RTL8139C driver.

So I'm happy now with this new 4501 board, just need to find a nice case 
for it.

Thank you for the different comments.
Dany



Ian Cartwright wrote:

>Dany,
>
>It's a mystery to be sure. It probably has something to do with the
>drivers for your particular network card. I've noticed similar behavior
>for nVidia network cards based on the nForce chip set. I have been able
>to repeatedly cause a kernel panic by connecting my nForce based PC to
>another PC via a crossover cable, but when I use a hub or switch,
>everything is fine.
>
>Ian
>
>On Mon, 2004-01-19 at 05:38, dany underscore list at natzo dot com wrote:
>  
>
>>How can a bad switch (yes, it's a switch, not a hub) make the firewall crash &
>>reboot?
>>
>>I will try again without switch just to make sure.
>>Thank you
>>Dany
>>
>>Quoting webmaster at ics dash group dot de:
>>
>>    
>>
>>>I had the same problem once. But it was the switch, not m0n0wall ... maybe u
>>>try another switch and be careful, don't use a HUB because that my network
>>>f*cked up all the time ... a hub is only able to broadcast and that's the
>>>problem u have ... sounds 2 me . Give it a try ... 
>>>
>>>Cya Steven
>>>

>>>From: dany underscore list at natzo dot com [mailto:dany underscore list at natzo dot com] 
>>>Sent: Monday, 19 January 2004 13:27
>>>To: dany underscore list at natzo dot com
>>>Cc: zealot; m0n0wall at lists dot m0n0 dot ch
>>>Subject: Re: [m0n0wall] Network getting slower after 20 minutes - Session 2 and 3
>>>
>>>It's getting worse.  
>>>
>>>Session 2 gave me a "bad nat 4" and during session 3 the PC has rebooted by itself!!!
>>>See the details below as well as dmesg.
>>>
>>>
>>>Session 2 :
>>>I was able to download about 700MB without any problem using a direct
>>>connection (crossover) from the PC to the firewall.
>>>
>>>Then I decided (without rebooting) to get back to the switch. I did it and
>>>requested a new IP address and within a minute I got my slow down.
>>>
>>>At this time I was able to get the following trace.
>>>The interesting one is "bad nat 4".  What does that mean ?
>>>Is this because I've added the switch ?
>>>
>>>********************************************
>>>$ ipnat -s
>>>mapped        in        336721        out        234261
>>>added        1350        expired        1229
>>>no memory        0        bad nat        4
>>>inuse        121
>>>rules        3
>>>wilds        0
>>>*********************************************
>>>
>>>$ ipfstat -s
>>>IP states added:
>>>        1493 TCP
>>>        364 UDP
>>>        244 ICMP
>>>        2291511 hits
>>>        13102 misses
>>>        0 maximum
>>>        0 no memory
>>>        142 bkts in use
>>>        149 active
>>>        534 expired
>>>        1418 closed
>>>
>>>
>>>Session 3 :
>>>
>>>For this round I used :
>>>
>>>PC -> Switch -> Firewall -> Cable modem
>>>
>>>I've been able to download 700MB without problem (at 380KBps average) then I
>>>started a second download session. I then refreshed ipfstat and ipnat as often
>>>as I could. The last one can be found below.
>>>
>>>This time, I didn't get any slower pings but instead I received a HARD RESET!!!
>>>
>>>That's the first one I see for the past 2 years on this machine (when running
>>>IPcop).  
>>>
>>>Something is definitely wrong. Any idea?
>>>
>>>PS: I ran MemTest86 overnight (11 times during 7 hours)... not a single error.
>>>
>>>
>>>
>>>$ ipfstat -s
>>>IP states added:
>>>        1268 TCP
>>>        225 UDP
>>>        215 ICMP
>>>        4516758 hits
>>>        12162 misses
>>>        0 maximum
>>>        0 no memory
>>>        32 bkts in use
>>>        32 active
>>>        439 expired
>>>        1237 closed
>>>
>>>$ ipnat -s
>>>mapped        in        694645        out        427910
>>>added        466        expired        445
>>>no memory        0        bad nat        0
>>>inuse        21
>>>rules        3
>>>wilds        0
>>>
>>>
>>>$ dmesg
>>>Copyright (c) 1992-2003 The FreeBSD Project.
>>>Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
>>>        The Regents of the University of California. All rights reserved.
>>>FreeBSD 4.9-RELEASE-p1 #0: Sat Jan 17 11:54:57 CET 2004
>>>    root at nb dot neon1 dot net:/usr/src/sys/compile/M0N0WALL_GENERIC
>>>Timecounter "i8254"  frequency 1193182 Hz
>>>CPU: Pentium/P55C (166.40-MHz 586-class CPU)
>>>  Origin = "GenuineIntel"  Id = 0x544  Stepping = 4
>>>  Features=0x8001bf<FPU,VME,DE,PSE,TSC,MSR,MCE,CX8,MMX>
>>>real memory  = 167772160 (163840K bytes)
>>>avail memory = 148492288 (145012K bytes)
>>>Preloaded elf kernel "kernel" at 0xc0e0e000.
>>>Preloaded mfs_root "/mfsroot" at 0xc0e0e09c.
>>>Intel Pentium detected, installing workaround for F00F bug
>>>md0: Preloaded image </mfsroot> 10485760 bytes at 0xc040cd90
>>>md1: Malloc disk
>>>Using $PIR table, 5 entries at 0xc00f1cc0
>>>npx0: <math processor> on motherboard
>>>npx0: INT 16 interface
>>>pcib0: <Host to PCI bridge> on motherboard
>>>pci0: <PCI bus> on pcib0
>>>rl0: <RealTek 8139 10/100BaseTX> port 0x1000-0x10ff mem 0x44000000-0x440000ff irq 11 at device 2.0 on pci0
>>>rl0: Ethernet address: 00:48:54:5e:52:83
>>>miibus0: <MII bus> on rl0
>>>rlphy0: <RealTek internal media interface> on miibus0
>>>rlphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
>>>rl1: <RealTek 8139 10/100BaseTX> port 0x1400-0x14ff mem 0x44100000-0x441000ff irq 11 at device 4.0 on pci0
>>>rl1: Ethernet address: 00:48:54:5e:53:14
>>>miibus1: <MII bus> on rl1
>>>rlphy1: <RealTek internal media interface> on miibus1
>>>rlphy1:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
>>>isab0: <VIA 82C586 PCI-ISA bridge> at device 7.0 on pci0
>>>isa0: <ISA bus> on isab0
>>>atapci0: <VIA 82C586 ATA33 controller> port 0x1c00-0x1c0f at device 7.1 on pci0
>>>ata0: at 0x1f0 irq 14 on atapci0
>>>ata1: at 0x170 irq 15 on atapci0
>>>uhci0: <VIA 83C572 USB controller> port 0x1c20-0x1c3f irq 11 at device 7.2 on pci0
>>>usb0: <VIA 83C572 USB controller> on uhci0
>>>usb0: USB revision 1.0
>>>uhub0: VIA UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
>>>uhub0: 2 ports with 2 removable, self powered
>>>pci0: <unknown card> (vendor=0x1106, dev=0x3040) at 7.3
>>>pci0: <S3 Trio 64V2/DX/GX graphics accelerator> at 15.0 irq 11
>>>orm0: <Option ROMs> at iomem 0xc0000-0xc7fff,0xe7000-0xeffff on isa0
>>>pmtimer0 on isa0
>>>fdc0: <NEC 72065B or clone> at port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on isa0
>>>fdc0: FIFO enabled, 8 bytes threshold
>>>fd0: <1440-KB 3.5" drive> on fdc0 drive 0
>>>atkbdc0: <Keyboard controller (i8042)> at port 0x60,0x64 on isa0
>>>atkbd0: <aT Keyboard> flags 0x1 irq 1 on atkbdc0
>>>kbd0 at atkbd0
>>>vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
>>>sc0: <System console> at flags 0x100 on isa0
>>>sc0: VGA <16 virtual consoles, flags=0x300>
>>>sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
>>>sio0: type 16550A
>>>sio1: configured irq 3 not in bitmap of probed irqs 0
>>>RTC BIOS diagnostic error 2
>>>BRIDGE 020214 loaded
>>>IPsec: Initialized Security Association Processing.
>>>IP Filter: v3.4.31 initialized.  Default = block all, Logging = enabled
>>>acd0: CD-RW <SAMSUNG CD-R/RW SW-232B> at ata0-master PIO4
>>>Mounting root from ufs:/dev/md0c
>>>
>>>
>>>
>>>
>>>
>>>Quoting dany underscore list at natzo dot com:
>>>
>>>      
>>>
>>>>Here the result of my first session (switch + AP).
>>>>
>>>>In order to see the problem, I've downloaded a big iso image. Unfortunately I
>>>>don't have ipfstat and ipnat close enough to the event.
>>>>
>>>>No traffic shaper, no NAT, no Pipe.... only one rule for LAN (the default one)
>>>> *  	 LAN net  	 *  	 *  	 *  	 Default LAN -> any 
>>>>
>>>>Basically after reboot:
>>>>
>>>>$ ipfstat -s
>>>>IP states added:
>>>>	2 TCP
>>>>	6 UDP
>>>>	4 ICMP
>>>>	62 hits
>>>>	29 misses
>>>>	0 maximum
>>>>	0 no memory
>>>>	6 bkts in use
>>>>	6 active
>>>>	6 expired
>>>>	0 closed
>>>>	
>>>>$ ipnat -s
>>>>mapped	in	3	out	3
>>>>added	3	expired	0
>>>>no memory	0	bad nat	0
>>>>inuse	3
>>>>rules	3
>>>>wilds	0
>>>>
>>>>
>>>>
>>>>
>>>>Some time after :
>>>>
>>>>$ ipfstat -s
>>>>IP states added:
>>>>	581 TCP
>>>>	122 UDP
>>>>	64 ICMP
>>>>	212164 hits
>>>>	10541 misses
>>>>	0 maximum
>>>>	0 no memory
>>>>	207 bkts in use
>>>>	207 active
>>>>	183 expired
>>>>	377 closed	
>>>>	
>>>>$ ipnat -s
>>>>mapped	in	31915	out	18800
>>>>added	270	expired	118
>>>>no memory	0	bad nat	0
>>>>inuse	152
>>>>rules	3
>>>>wilds	0	
>>>>
>>>>
>>>>I'm working on a second session where I only have 1 PC connected to the
>>>>firewall through a crossover cable.
>>>>
>>>>I'll post my results later on.
>>>>
>>>>Dany
>>>>
>>>>
>>>>Quoting zealot <zealot at tradersguild dot net>:
>>>>
>>>>        
>>>>
>>>>>Dany wrote:
>>>>>
>>>>>          
>>>>>
>>>>>>Fred Weston wrote:
>>>>>>
>>>>>>            
>>>>>>
>>>>>>>Dany wrote:
>>>>>>>
>>>>>>>              
>>>>>>>
>>>>>>>>Fred Weston wrote:
>>>>>>>>
>>>>>>>>                
>>>>>>>>
>>>>>>>>>Dany wrote:
>>>>>>>>>
>>>>>>>>>                  
>>>>>>>>>
>>>>>>>>>>Hello,
>>>>>>>>>>
>>>>>>>>>>I wanted to see if m0n0wall could replace my ipcop box which has 
>>>>>>>>>>been running for few years now.
>>>>>>>>>>Hardware is an old Compaq Pentium 200MHz with 200MB of memory and 
>>>>>>>>>>two realtek NIC, a small switch and a SMC-2655W 802.11b AP.
>>>>>>>>>>
>>>>>>>>>>I used the following CD image (fairly new!) :
>>>>>>>>>>cdrom-pb25r595.iso
>>>>>>>>>>Version: Public Beta Release 25, Build #595
>>>>>>>>>>Release date: 01/17/2004
>>>>>>>>>>
>>>>>>>>>>Everything works fine, I really like it.
>>>>>>>>>>Just after installing it if I ping the firewall from a station I 
>>>>>>>>>>get "<10ms" but after let's say 20 minutes (random in fact) it goes
>>>>>>>>>>to 80-100ms. This morning it was over 900ms. In some cases I can't
>>>>>>>>>>even get the firewall webpage so I have to reboot it the cold way.
>>>>>>>>>>Names are taking longer to resolve (if they ever resolve).
>>>>>>>>>>
>>>>>>>>>>Any idea on this performance drop over the time ?
>>>>>>>>>>
>>>>>>>>>>Thank you
>>>>>>>>>>Dany
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>---------------------------------------------------------------------
>>>>>>>>>>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>>>>>>>>>>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>>>>>>>>>>
>>>>>>>>>I can't think of any reason off the top of my head as to why you 
>>>>>>>>>would see this behaviour.  My only suggestion would be to try 
>>>>>>>>>removing everything non-essential such as the AP and switch and try
>>>>>>>>>running it for a while with just a single PC connected to it and see
>>>>>>>>>if the problem remains.  It sounds like you might be overloading the
>>>>>>>>>MAC table on your switch, but with a setup that small, that seems 
>>>>>>>>>unlikely.
>>>>>>>>>
>>>>>>>>Today I got the problem after few hours.
>>>>>>>>Ping started to give long time and then no ping at all for both lan 
>>>>>>>>and wan addresses.
>>>>>>>>I then disconnected the switch and AP and connected only one PC to 
>>>>>>>>the firewall using a crossover cable but that didn't solve anything.
>>>>>>>>
>>>>>>>>Dany
>>>>>>>>
>>>>>>>In your setup, are you running ipcop and m0n0 on the same hardware?  
>>>>>>>If not, perhaps you could try replacing one or both NICs.  It may be 
>>>>>>>worthwhile to simply start over with m0n0 by resetting it to 
>>>>>>>defaults.  Configure only your IP addresses and anything else 
>>>>>>>essential for it to function and then see if you still experience the
>>>>>>>same symptoms.
>>>>>>>
>>>>>>Same hardware; to run ipcop I reboot with the HDD connected. For 
>>>>>>monowall, I just insert the CD and floppy.
>>>>>>This afternoon I restarted from scratch. I just use the DHCP server of
>>>>>>the monowall box to get my clients internet access (no fancy rules or 
>>>>>>bandwidth limitation).
>>>>>>
>>>>>>One thing I do is to give a pre-defined IP address based on the MAC 
>>>>>>address of each PC (outside the DHCP IP range).
>>>>>>
>>>>>>Dany
>>>>>>
>>>>>Dany,
>>>>>
>>>>>Do you have Traffic Shaper enabled, but no rules created for it?
>>>>>
>>>>>z
>>>>>