 From:  Manuel Kasper <mk at neon1 dot net>
 To:  newmedia42 at excite dot com
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Problem with deployment (timeout related)...
 Date:  Thu, 30 Sep 2004 20:48:08 +0200
On 30.09.2004 14:24 -0400, NewMedia42 wrote:

> problem.  I also found the web interface to sometimes 'freeze up'
> for lack of a better description, at which point I think it would
> timeout new connections.  It is important to note that the problem
> seems to be exclusively with it establishing new connections - it
> doesn't appear to have any impact on existing connections.
> Has anyone had this problem, and if so does anyone know how I could
> solve it?
> Is there any sort of limit on the number of connections which can
> pass through m0n0 at any time?  

Yes - I'm pretty sure you're hitting the maximum of ~4000 state table
entries. That's the default value for ipfilter, and can unfortunately
not be changed without recompiling the kernel.

Since m0n0wall wasn't initially meant for high volume setups like
yours, the state/NAT hash table sizes and maximums were just left at
their default values. I posted a message to m0n0wall-dev about two
weeks ago, asking people who'd like to help with m0n0wall to figure
out what increasing the state and NAT table sizes would entail in
terms of memory and CPU requirements (especially for small embedded
PCs). The goal would be being able to increase the table sizes to
something on the order of 80000 to cover all but the biggest setups
with a single image per platform. I haven't seen a response yet.

Any takers?

- Manuel
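Added illustration, not part of the original thread or of m0n0wall itself: the symptom Manuel describes (new connections failing while established ones keep working) is what IPFilter state-table exhaustion looks like from the outside, and it can be watched for from a monitoring host by parsing the counters that `ipfstat -s` prints. The script below embeds two constructed samples of that output (the exact layout differs between IPFilter versions, so the parser only relies on the generic "<count> <label>" lines), treats the "maximum" counter as the number of state-add attempts rejected because the table was full (my reading of the IPFilter sources, stated here as an assumption), and uses the ~4000 entry limit quoted in the mail as the capacity figure.

```python
import re

# Constructed sample of `ipfstat -s` output from an IPFilter firewall that is
# close to its state limit. Labels follow IPFilter's ipfstat; exact layout
# varies by version, which is why the parser matches only "<count> <label>".
SAMPLE_BEFORE = """\
IP states added:
\t3910 TCP
\t86 UDP
\t2 ICMP
\t1493022 hits
\t20211 misses
\t0 maximum
\t0 no memory
\t117 max bucket
\t3998 active
\t16204 expired
\t15880 closed
State logging enabled
"""

# Constructed second sample taken a few minutes later: the table is full and
# 57 new-connection attempts have been refused since the first sample.
SAMPLE_AFTER = """\
IP states added:
\t3912 TCP
\t86 UDP
\t2 ICMP
\t1499871 hits
\t20411 misses
\t57 maximum
\t0 no memory
\t118 max bucket
\t4000 active
\t16377 expired
\t16010 closed
State logging enabled
"""

# Approximate default IPFilter state limit as cited in the mailing-list post.
STATE_MAX = 4000

# One counter line: optional whitespace, an integer, whitespace, a label that
# may itself contain spaces ("no memory", "max bucket").
COUNTER_RE = re.compile(r"^\s*(\d+)\s+([A-Za-z][A-Za-z ]*?)\s*$")


def parse_ipfstat(text):
    """Return {label: count} for every counter line in `ipfstat -s` output."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(2)] = int(m.group(1))
    return counters


def assess(before, after, limit=STATE_MAX, warn_fraction=0.9):
    """Classify state-table health from two consecutive counter snapshots.

    Assumption: "maximum" counts state-add attempts rejected because the
    table was full, so any increase between snapshots means new connections
    were being dropped during that interval.
    """
    active = after.get("active", 0)
    rejected = after.get("maximum", 0) - before.get("maximum", 0)
    if rejected > 0:
        status = "exhausted"
    elif active >= warn_fraction * limit:
        status = "warn"
    else:
        status = "ok"
    return {
        "status": status,
        "active": active,
        "limit": limit,
        "rejected_since_last": rejected,
        "utilisation": active / limit,
    }


if __name__ == "__main__":
    first = parse_ipfstat(SAMPLE_BEFORE)
    second = parse_ipfstat(SAMPLE_AFTER)
    report = assess(first, second)
    print("state table %(status)s: %(active)d/%(limit)d entries, "
          "%(rejected_since_last)d rejected since last sample" % report)
```

Run on a monitoring box that is fed the raw `ipfstat -s` text from the firewall at a fixed interval; the "warn" threshold gives early notice as the table fills, and a rising "rejected_since_last" confirms that the connection failures users report are the table, not something upstream.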