FreeBSD7+ipfw+Vlan

Valerij Solovyov valeranew at ukr.net
Fri Apr 25 12:42:44 UTC 2008


Hello.  
For my router I use:  
Dlink DES-3016 + Intel Pro/1000XT + Pentium4 + FreeBSD  
# uname -r  
7.0-RC1  
  
I use:  
6.2-RELEASE-p11 for my VPN server, and this router with the kernel option  
if_bridge. At that time I had 5 NICs, and my router was a switch with a  
shaper. But one month ago my VPN server began to hang up. Before hanging up I  
received this message from squid:  
  
Socket Failure  
  
The system returned:  
    (24) Too many open files  
  
And when I tried to reboot or type anything, FreeBSD couldn't write a letter,  
and nothing more.  
  
On my VPN server I use ipfw + dummynet too.  
  
After this I decided to make a router out of my FreeBSD bridge.  
I rebuilt the kernel. After that my VPN server has had an uptime of ten days (before,  
less than one day). But my router began to hang up.  
Before these problems I used a Dlink DES-2108 as a switch for more than 1 year.  
  
#cat /etc/rc.conf  
ifconfig_em0="inet 172.168.1.1  netmask 255.255.255.0"  
ifconfig_vr0="inet 10.11.25.13 netmask 255.255.0.0"  
defaultrouter="10.11.25.1"  
cloned_interfaces="vlan1 vlan2 vlan3 vlan4 vlan5 vlan6 vlan7 vlan8 vlan9 vlan10"  
ifconfig_vlan1="inet 10.12.1.1 netmask 255.255.255.0 vlan 3 vlandev em0"  
ifconfig_vlan2="inet 10.13.1.1 netmask 255.255.255.0 vlan 4 vlandev em0"  
ifconfig_vlan3="inet 10.14.1.1 netmask 255.255.255.0 vlan 5 vlandev em0"  
ifconfig_vlan4="inet 10.15.1.1 netmask 255.255.255.0 vlan 6 vlandev em0"  
gateway_enable="YES"  
rpcbind_enable="NO"  
ipfw_enable="YES"  
ipfw_enable="YES"  
ipfw_type="OPEN"  
pf_enable="YES"  
pf_rules="/etc/pf.conf"  
router_enable="NO"  
#########dhcp#################  
dhcpd_enable="YES"  
dhcpd_flags="-q"  
dhcpd_ifaces="vlan1 vlan2 vlan3 vlan4"  
dhcpd_chroot_enable="YES"  
dhcpd_conf="/usr/local/etc/dhcpd.conf"    
dhcpd_devfs_enable="YES"  
dhcpd_jail_enable="NO"  
  
# cat /etc/sysctl.conf  
kern.maxfiles=128000  
kern.maxfilesperproc=65000  
kern.ipc.somaxconn=32768  
net.inet.ip.intr_queue_maxlen=200  
kern.ipc.maxsockbuf=1048576  
net.inet.tcp.sendspace=65535  
net.inet.tcp.recvspace=32768  
net.inet.udp.recvspace=655350  
net.inet.icmp.drop_redirect=1  
net.inet.udp.blackhole=2  
net.inet.tcp.blackhole=2  
net.inet.tcp.msl=7500  
kern.ipc.maxsockets=204800  
  
# cat /etc/pf.conf  
scrub in all  
pass in all  
pass out all  
  
  
  
#pftop  
pfTop: Up State 1-30/578, View: default, Order: none, Cache: 10000  
14:18:08  
  
# pfctl -s info  
Status: Enabled for 0 days 00:27:07           Debug: Urgent  
  
State Table                          Total             Rate  
  current entries                      566  
  searches                         8512194         5231.8/s  
  inserts                            21525           13.2/s  
  removals                           20959           12.9/s  
Counters  
  match                            4340001         2667.5/s  
  bad-offset                             0            0.0/s  
  fragment                               0            0.0/s  
  short                                  0            0.0/s  
  normalize                              0            0.0/s  
  memory                                 0            0.0/s  
  bad-timestamp                          0            0.0/s  
  congestion                             0            0.0/s  
  ip-option                              0            0.0/s  
  proto-cksum                            1            0.0/s  
  state-mismatch                        31            0.0/s  
  state-insert                           0            0.0/s  
  state-limit                            0            0.0/s  
  src-limit                              0            0.0/s  
  synproxy                               0            0.0/s  
  
#ipfw show  
00008 13848862  8065556536 allow gre from any to any  
00009        0           0 allow udp from any to any dst-port 500  
00010    17332     1051156 allow tcp from any to any dst-port 1023,1723  
00011        0           0 allow esp from any to any  
00024        0           0 allow udp from 0.0.0.0 2054 to 0.0.0.0  
00025        0           0 deny icmp from any to any in icmptypes 5,9,13,14,15,16,17  
00026        0           0 deny tcp from any to me in tcpflags syn,fin,!ack  
00027        0           0 deny tcp from any to me in tcpflags syn,fin,!ack,psh,urg  
00028        0           0 deny tcp from any to me in tcpflags fin,!ack,psh,urg  
00203     4263      581066 pipe 12 ip from 10.11.25.1 to any via vlan1  
00204     2763      147041 pipe 12 ip from any to 10.11.25.1 via vlan1  
00205  5944333  5438517982 pipe 13 ip from any to any via vlan1  
  
00206      1585      240264 pipe 14 ip from 10.11.25.1 to any via vlan2  
00207     859       52217 pipe 14 ip from any to 10.11.25.1 via vlan2  
00208  19187     5468180 pipe 15 ip from any to any via vlan2  
  
00209     0      0 pipe 16 ip from 10.11.25.1 to any via vlan3  
00210     0      0 pipe 16 ip from any to 10.11.25.1 via vlan3  
00211  0  0 pipe 17 ip from any to any via vlan3  
  
[root@f7RC1 /usr/src/sys/i386/conf]# cat ROUTER  
  
cpu             I686_CPU  
ident           ROUTER  
options         SCHED_ULE  
options IPFIREWALL  
options IPFIREWALL_VERBOSE  
#options IPDIVERT  
options IPFIREWALL_FORWARD  
#options IPV6FIREWALL  
#options IPV6FIREWALL_VERBOSE  
  
options DUMMYNET  
  
options DEVICE_POLLING  
  
  
  
I created VLANs on the DES-3016, with different VIDs:  
  
DES-3016:4#show vlan  
Command: show vlan  
....  
VID             : 3          VLAN Name       : 3  
VLAN Type       : static  
Member ports    : 1,7  
Static ports    : 1,7  
Tagged ports    : 1  
Untagged ports  : 7  
  
VID             : 4          VLAN Name       : 4  
VLAN Type       : static  
Member ports    : 1,8  
Static ports    : 1,8  
Tagged ports    : 1  
Untagged ports  : 8  
  
VID             : 5          VLAN Name       : 5  
VLAN Type       : static  
Member ports    : 1,9  
Static ports    : 1,9  
Tagged ports    : 1  
Untagged ports  : 9  
  
............  
  
Total Entries  : 10  
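As an added consistency check, not part of the original post: the rc.conf above clones ten vlan interfaces but gives a tag and address to only four (tags 3 to 6 on em0), while the switch reports ten VLAN entries of which only VIDs 3, 4 and 5 are shown. The script below is written for this reply and assumes the router's rc.conf and the switch's "show vlan" output have been saved to two files; the sample contents are constructed from the snippets in the post, and because the switch dump is truncated, VID 6 is deliberately absent from it. It reports host VLAN tags with no switch VID, switch VIDs with no host interface, cloned interfaces that never get an ifconfig_ line, and host tags whose VID does not carry the uplink port as a tagged member.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check the vlan(4) entries
# in /etc/rc.conf against a D-Link "show vlan" dump so that a tag configured
# on the router but missing (or untagged) on the switch uplink is caught.

# Host side: print "ifname vid parent" for each ifconfig_vlanN line.
host_vlans() {                       # $1 = rc.conf
    sed -n 's/^ifconfig_\(vlan[0-9]*\)=".*vlan \([0-9]*\) vlandev \([a-z0-9]*\)".*/\1 \2 \3/p' "$1"
}

# Switch side: print "vid tagged_ports" for each VLAN entry in the dump.
switch_vlans() {                     # $1 = show vlan output
    awk '$1 == "VID" { vid = $3 }
         $1 == "Tagged" && $2 == "ports" { print vid, $4 }' "$1"
}

# Interfaces listed in cloned_interfaces that never get an ifconfig_ line
# (expects cloned_interfaces on a single line).
unconfigured_clones() {              # $1 = rc.conf
    for ifn in $(sed -n 's/^cloned_interfaces="\(.*\)"/\1/p' "$1"); do
        grep -q "^ifconfig_${ifn}=" "$1" || echo "$ifn"
    done
}

# Host VLAN tags with no matching VID on the switch.
host_tags_without_vid() {            # $1 = rc.conf, $2 = show vlan output
    host_vlans "$1" | while read -r ifn vid parent; do
        switch_vlans "$2" | awk -v v="$vid" '$1 == v { found = 1 } END { exit !found }' ||
            echo "$ifn (tag $vid on $parent)"
    done
}

# Switch VIDs for which the router has no vlan interface.
switch_vids_without_host() {         # $1 = rc.conf, $2 = show vlan output
    switch_vlans "$2" | while read -r vid ports; do
        host_vlans "$1" | awk -v v="$vid" '$2 == v { found = 1 } END { exit !found }' ||
            echo "$vid"
    done
}

# Host VLAN tags whose VID does not list the uplink port as a *tagged* member
# (port lists like "1,7" are split on commas; ranges such as "1-3" are not expanded).
untagged_uplink() {                  # $1 = rc.conf, $2 = show vlan output, $3 = uplink port
    host_vlans "$1" | while read -r ifn vid parent; do
        switch_vlans "$2" | awk -v v="$vid" -v p="$3" '
            $1 == v { n = split($2, a, ","); for (i = 1; i <= n; i++) if (a[i] == p) ok = 1 }
            END { exit !ok }' || echo "$ifn (VID $vid) not tagged on port $3"
    done
}

# Constructed sample inputs, taken from the snippets in the post (the switch
# dump there is truncated, so VID 6 is deliberately absent).
make_samples() {                     # $1 = rc.conf path, $2 = show vlan path
    cat > "$1" <<'EOF'
ifconfig_em0="inet 172.168.1.1  netmask 255.255.255.0"
cloned_interfaces="vlan1 vlan2 vlan3 vlan4 vlan5 vlan6 vlan7 vlan8 vlan9 vlan10"
ifconfig_vlan1="inet 10.12.1.1 netmask 255.255.255.0 vlan 3 vlandev em0"
ifconfig_vlan2="inet 10.13.1.1 netmask 255.255.255.0 vlan 4 vlandev em0"
ifconfig_vlan3="inet 10.14.1.1 netmask 255.255.255.0 vlan 5 vlandev em0"
ifconfig_vlan4="inet 10.15.1.1 netmask 255.255.255.0 vlan 6 vlandev em0"
dhcpd_ifaces="vlan1 vlan2 vlan3 vlan4"
EOF
    cat > "$2" <<'EOF'
DES-3016:4#show vlan
VID             : 3          VLAN Name       : 3
VLAN Type       : static
Member ports    : 1,7
Static ports    : 1,7
Tagged ports    : 1
Untagged ports  : 7
VID             : 4          VLAN Name       : 4
VLAN Type       : static
Member ports    : 1,8
Static ports    : 1,8
Tagged ports    : 1
Untagged ports  : 8
VID             : 5          VLAN Name       : 5
VLAN Type       : static
Member ports    : 1,9
Static ports    : 1,9
Tagged ports    : 1
Untagged ports  : 9
EOF
}

# Print all four reports for the given files and uplink port.
report() {                           # $1 = rc.conf, $2 = show vlan output, $3 = uplink port
    echo "host tags missing on switch:";   host_tags_without_vid "$1" "$2"
    echo "switch VIDs without host if:";   switch_vids_without_host "$1" "$2"
    echo "cloned but unconfigured:";       unconfigured_clones "$1"
    echo "not tagged on uplink port $3:";  untagged_uplink "$1" "$2" "$3"
}

# Stand-alone run against the constructed samples (port 1 is the trunk to em0).
tmpdir=$(mktemp -d)
make_samples "$tmpdir/rc.conf" "$tmpdir/showvlan.txt"
report "$tmpdir/rc.conf" "$tmpdir/showvlan.txt" 1
rm -rf "$tmpdir"
```

On the constructed samples the run flags vlan4 (tag 6) as missing from the switch dump and lists vlan5 through vlan10 as cloned but never configured; the uplink check is the one worth re-running after any switch change, since a VID whose trunk port is untagged or absent quietly stops carrying that VLAN's traffic rather than failing loudly.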
  
  