Today's Topics:
1. PF + load balancing over 100Mbit (Adam PAPAI)
2. PF + load balancing over 100Mbit traffic (Adam PAPAI)
3. Re: PF + load balancing over 100Mbit traffic (Gergely CZUCZY)
4. Re: PF + load balancing over 100Mbit traffic [SOLVED] (Adam PAPAI)
----------------------------------------------------------------------
Message: 1
Date: Thu, 03 Dec 2009 09:16:54 +0100
From: Adam PAPAI <wo...@wooh.hu>
Subject: PF + load balancing over 100Mbit
To: freeb...@freebsd.org
Message-ID: <4B1773F6...@wooh.hu>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Dear List,
I have a feeling that PF can't do perfect round-robin load balancing
over 100Mbit.
When our PF server's (Dual Quad Core 3GHz with 8GB RAM) network traffic
goes over 100Mbit, the 80 port's connect time increases to 3-5-10 sec
instead of the stable 0.001-0.002 sec. The web servers feel good, they
don't have load, the redundant master-slave database servers feel good,
they don't have high load. So everything seems fine, except the connect
time. (Our checker script asks only a HEAD request from the web servers)
The internal network has a Gbit connection, as does the internet side.
Do you have any advice? Is it time to get a Layer 7 switch and do load
balancing with it? Or is it possible to do it in a PF way without a
Content Switch?
2 web servers and 2 database servers are involved.
[web 1] ---|
[web 2] ---|
[db 1]  ---|---[pf/web 3/default gw]---internet
[db 2]  ---|
For a while the web server on the PF server is down to test, but it does
the same connection time with a running apache and without a running apache.
Any idea? Our internet traffic average is 100Mbit-130Mbit and the
connect time makes me so sad.
Thanks in advance,
--
Adam PAPAI
NETIDEA Informatikai Szolgaltato Kft.
http://www.netidea.hu
E-mail: wo...@wooh.hu
------------------------------
Message: 2
Date: Thu, 03 Dec 2009 09:19:29 +0100
From: Adam PAPAI <wo...@wooh.hu>
Subject: PF + load balancing over 100Mbit traffic
To: freeb...@freebsd.org
Message-ID: <4B17749...@wooh.hu>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Dear List,
I have a feeling that PF can't do perfect round-robin load balancing
over 100Mbit.
When our PF server's (Dual Quad Core 3GHz with 8GB RAM) network traffic
goes over 100Mbit, the 80 port's connect time increases to 3-5-10 sec
instead of the stable 0.001-0.002 sec. The web servers feel good, they
don't have load, the redundant master-slave database servers feel good,
they don't have high load. So everything seems fine, except the connect
time. (Our checker script asks only a HEAD request from the web servers)
The internal network has a Gbit connection, as does the internet side.
Do you have any advice? Is it time to get a Layer 7 switch and do load
balancing with it? Or is it possible to do it in a PF way without a
Content Switch?
2 web servers and 2 database servers are involved.
[web 1] ---|
[web 2] ---|
[db 1]  ---|---[pf/web 3/default gw]---internet
[db 2]  ---|
For a while the web server on the PF server is down to test, but it does
the same connection time with a running apache and without a running apache.
Any idea? Our internet traffic average is 100Mbit-130Mbit and the
connect time makes me so sad.
Thanks in advance,
--
Adam PAPAI
NETIDEA Informatikai Szolgaltato Kft.
http://www.netidea.hu
E-mail: wo...@wooh.hu
------------------------------
Message: 3
Date: Thu, 3 Dec 2009 10:13:27 +0100
From: Gergely CZUCZY <pho...@harmless.hu>
Subject: Re: PF + load balancing over 100Mbit traffic
To: Adam PAPAI <wo...@wooh.hu>
Cc: freeb...@freebsd.org
Message-ID: <20091203101327.00004dac@unknown>
Content-Type: text/plain; charset=US-ASCII
On Thu, 03 Dec 2009 09:19:29 +0100
Adam PAPAI <wo...@wooh.hu> wrote:
> Dear List,
>
> I have a feeling that PF can't do perfect round-robin load balancing
> over 100Mbit.
>
> When our PF server's (Dual Quad Core 3GHz with 8GB RAM) network
> traffic goes over 100Mbit, the 80 port's connect time increases to
> 3-5-10 sec instead of the stable 0.001-0.002 sec. The web servers
> feel good, they don't have load, the redundant master-slave database
> servers feel good, they don't have high load. So everything seems
> fine, except the connect time. (Our checker script asks only a HEAD
> request from the web servers)
Have you adjusted the TCP timeout parameters? This can be caused by the
standard 30sec timeouts and your state table is getting filled up. I'd
check the following parameters:
- timeout tcp.{closing,finwait,closed}
- interval
- limit states
pftop can be a great help for checking pf's behaviour, it's available
in ports.
>
> The internal network has a Gbit connection, as does the internet side.
>
> Do you have any advice? Is it time to get a Layer 7 switch and do
> load balancing with it? Or is it possible to do it in a PF way
> without a Content Switch?
>
> 2 web servers and 2 database servers are involved.
>
> [web 1] ---|
> [web 2] ---|
> [db 1]  ---|---[pf/web 3/default gw]---internet
> [db 2]  ---|
>
>
> For a while the web server on the PF server is down to test, but it
> does the same connection time with a running apache and without a
> running apache.
>
> Any idea? Our internet traffic average is 100Mbit-130Mbit and the
> connect time makes me so sad.
>
> Thanks in advance,
>
--
Sincerely,
Gergely CZUCZY
Harmless Digital Bt
------------------------------
Message: 4
Date: Thu, 03 Dec 2009 12:19:42 +0100
From: Adam PAPAI <wo...@wooh.hu>
Subject: Re: PF + load balancing over 100Mbit traffic [SOLVED]
To: freeb...@freebsd.org
Message-ID: <4B179ECE...@wooh.hu>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Gergely CZUCZY wrote:
> On Thu, 03 Dec 2009 09:19:29 +0100
> Adam PAPAI <wo...@wooh.hu> wrote:
>
>> Dear List,
>>
>> I have a feeling that PF can't do perfect round-robin load balancing
>> over 100Mbit.
>>
>> When our PF server's (Dual Quad Core 3GHz with 8GB RAM) network
>> traffic goes over 100Mbit, the 80 port's connect time increases to
>> 3-5-10 sec instead of the stable 0.001-0.002 sec. The web servers
>> feel good, they don't have load, the redundant master-slave database
>> servers feel good, they don't have high load. So everything seems
>> fine, except the connect time. (Our checker script asks only a HEAD
>> request from the web servers)
> Have you adjusted the TCP timeout parameters? This can be caused by the
> standard 30sec timeouts and your state table is getting filled up. I'd
> check the following parameters:
> - timeout tcp.{closing,finwait,closed}
> - interval
> - limit states
>
Thanks,
I really had to change the pf.conf and set the values below.
set limit states 40000
set timeout interval 5
In the future I should increase the limit states and reduce the timeout
interval :)
Since I've changed the values, the connection time is between 0.001 and
0.004, the traffic is over 110Mbit.
\o/
Have a nice day :)
--
Adam PAPAI
NETIDEA Informatikai Szolgaltato Kft.
http://www.netidea.hu
E-mail: wo...@wooh.hu
------------------------------
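Added example, not part of the thread or of pf itself: a shell check for the state-table pressure discussed in messages 3 and 4, reading `pfctl -sm` (limits) and `pfctl -si` (counters) output. The sample text, the function name and the 80% warning threshold are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample output; on a live firewall pass "$(pfctl -sm)" and
# "$(pfctl -si)" instead of these strings.
SAMPLE_LIMITS='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000'

SAMPLE_INFO='Status: Enabled for 3 days 02:11:40           Debug: Urgent

State Table                          Total             Rate
  current entries                     9994
  searches                       918273645        3437.1/s
  inserts                         12004511           44.9/s
  removals                        11994517           44.9/s
Counters
  match                           13110042           49.1/s
  memory                             48211            0.2/s
  state-limit                            0            0.0/s'

# Usage: pf_state_pressure LIMITS_TEXT INFO_TEXT [WARN_PERCENT]
# Prints "<OK|WARN> states=<cur>/<limit> used=<pct>% memory_drops=<n>".
pf_state_pressure() {
    warn=${3:-80}
    limit=$(printf '%s\n' "$1" | awk '$1 == "states" && $2 == "hard" { print $4 }')
    cur=$(printf '%s\n' "$2" | awk '$1 == "current" && $2 == "entries" { print $3 }')
    drops=$(printf '%s\n' "$2" | awk '$1 == "memory" { print $2 }')
    # Reject missing or non-numeric fields instead of doing arithmetic on them.
    case "$limit:$cur" in
        *[!0-9:]*|:*|*:) echo "ERROR could not parse pfctl output"; return 0 ;;
    esac
    [ "$limit" -gt 0 ] || { echo "ERROR state limit is zero"; return 0; }
    pct=$((cur * 100 / limit))
    if [ "$pct" -ge "$warn" ]; then level=WARN; else level=OK; fi
    # "memory" counts packets dropped on failed allocations, which includes
    # new states refused at the hard limit. It is cumulative, so compare it
    # between runs rather than alerting on a non-zero value.
    echo "$level states=$cur/$limit used=$pct% memory_drops=${drops:-0}"
}

pf_state_pressure "$SAMPLE_LIMITS" "$SAMPLE_INFO"
```

Run it before and after changing `set limit states` to confirm that the table has headroom and that the memory counter has stopped growing.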
End of freebsd-pf Digest, Vol 271, Issue 2
******************************************