packet loss to firewall while Internet link is down
lane at joeandlane.com
Sat Oct 28 22:55:23 UTC 2006
On Saturday 28 October 2006 17:41, D G Teed wrote:
> Hi all,
> When the Internet link goes down, ssh refuses
> to allow connection from within the LAN to our BSD
> firewall/gateway. An existing ssh connection might stay
> up, but be very sluggish. We run our own DNS, so that
> can't be the reason for timeouts.
> When the Internet is down, the CPU load factor on the
> FreeBSD firewall is low, but the number of TCP packets
> that can't get past the first hop is likely high, which
> might cause some sort of congestion on the machine.
> The console is very responsive. mtr to any point
> on the local LAN from the firewall sees 50 to 80%
> packet loss. However, there is no packet loss between
> other machines on the lan and our network guy says
> the router port and cable check out fine.
> There are no console error messages providing a clue.
> netstat -m shows the mb_map is about 26% in use
> while the Internet is down. The machine in question
> is FreeBSD 4.11, running ipfw and acting as a gateway
> (not NAT).
> Once the Internet comes back up, ssh in works, and
> ssh sessions are very responsive again.
> Is there some kernel variable I can tweak, or some tests I
> can try the next time the Internet goes down and the
> gateway/firewall drop packets on connections to our LAN?
> Our operations manager is a Windows guy, and every time
> he can't ssh in, he thinks the firewall needs a reboot, when
> the real problem is that the Internet is down and
> there is something we need to tweak to make it
> better able to survive local LAN traffic.
> freebsd-questions at freebsd.org mailing list
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe at freebsd.org"
I have the same problem, but I just thought it was nat somehow interfering.
I've set up a local web server on my router/gateway that lets me do things
like check the status of ppp, or view /var/log/messages, and even reboot the
server. When I can't get in via ssh (i.e. when the "public" internet
connection is down) the web server, samba server, DHCP server, DNS server,
ftp server, and everything else still responds normally.
It's no answer, but what I did was allow telnet connections via the internal
nic, because even telnet is unaffected. Only ssh causes me a problem.
I'm interested in the answer to this one.
More information about the freebsd-questions