Heavy CPU load?
-
I have 5 NICS on DHCP… and DHCP-Server on the 6 interface...
Its not clear to me what this means. I guess you are saying you have most (or all) of your interfaces serving DHCP addresses AND requesting DHCP addresses from another DHCP server. This is not a good idea. Your DHCP server interfaces should have static (fixed) IP addresses.
i get alots entrys like this:
May 28 19:51:02 kernel: arp: 85.226.120.1 is on em1 but got reply from 00:03:a0:3b:80:00 on em4
May 28 19:51:02 kernel: arp: 85.226.120.1 is on em1 but got reply from 00:03:a0:3b:80:00 on em3
May 28 19:51:02 kernel: arp: 85.226.120.1 is on em1 but got reply from 00:03:a0:3b:80:00 on em5
May 28 19:51:02 kernel: arp: 85.226.120.1 is on em1 but got reply from 00:03:a0:3b:80:00 on em2Your network topology and/or address assignments are messed up. 85.226.120.1 is accessible on multiple interfaces, it should be accessible over only one interface (unless you have bridged interfaces, but then why would you have a switch?) And printing these messages repeatedly will be another consumer of CPU time.
What are you trying to accomplish with this configuration? At first sight it appears overly complex.
-
can this be the problem?
Yep. This is most likely your problem as the DHCP processes shouldn't be using any CPU at all.
It still doesn't solve the em-problems, but that's probably not what's limiting you with that massive CPU-usage from DHCP.
Probably your problem is solved by ensuring that the DHCP-server is not running on the WAN-interfaces as it seems that you are actually running DHCP-server on those in addition to the LAN-interface.
This should be a configurable setting. -
My ISP gives me 10Mbit/s for every IP we use.
Max 5 IP-addressesThats why i use five NIC's to get my five IPs.
So with one IP 10Mbit/s with two 20Mbit/s.. and five 50Mbit/s
Okay?
My ISP will never give me static IPs
Always DHCP…here is how it works:
em0/LAN Static 192.168.1.111. And runs DHCP Server for LAN clients.
em1/WAN Dynamic DHCP Client
em2/WAN1 Dynamic DHCP Client
em3/WAN2 Dynamic DHCP Client
em4/WAN3 Dynamic DHCP Client
em5/WAN4 Dynamic DHCP ClientIf i do killall dhclient
My CPU usage get low. But pfsens stop working after a while.....
So what is wrong ?:(
Okay... kill dhclinet works... but the firewall dies so i have to restart it after a while....
-
All your ports share the same switch?
Ive never had good luck when I had two dhcp servers (your pfsense lan and your isp's modem) on the same switch…
Can you move your lan to another switch to rule that possible issue out?
-
I use VLANs.
So its physically one switch but inside they are different.You can read about it here: http://en.wikipedia.org/wiki/VLAN
-
I know what you are trying to do so I guess Ill ask outright…
Have you ruled out a misconfiguration on your switch as the root cause of your problem?
What else have you tried in your troubleshooting process?
Start with the basics and add one element at a time until you can reproduce the result.
Your setup while innovative is not typical.
Good Luck!
-
There is nothing wrong with the Switch. As you can se here the Vlan settings is so simple.
You guys just helpt me to see that it is wrong with the dhclient.
what is wrong with my setup thats makes it non typical?
What else can i do to troubleshoot? i have killd dhclient and everyhing works fine..
-
Most people either have:
-
Multiple interfaces, connecting to different ISPs
-
Multiple static IPs (possibly with one dynamic), on a single interface
It's very uncommon to have a single ISP, with multiple dynamic IPs across the same subnet on multiple interfaces, particularly using a single VLAN capable switch to separate WAN(s) and LAN.
-
-
I have tested with a second GS724T so VLAN works. Thats not the problem..
No1 else have problem with dhclient CPU usage?
-
I am afraid your problem is network design. Everything esle is the result of this problem.
-
I'm trying to understand your configuration rather better because I also think its unusual. I take it you have 5 "WAN" interfaces from your ISP purely to get additional bandwidth.
From what you have displayed about your switch it looks as if you MIGHT be purely using its "VLAN" capability to segment the ports so as to isolate one group of ports ("LAN") from another group of ports ("WAN"). Correct?
Apparently 6 of the 24 switch ports are in the "WAN" LAN. Of those 6 ports 5 go to pfSense interfaces em1 through em5. From your network diagram your sixth port goes to your ISP but what does it actually connect to? Is there is a web page (in English) describing it or holding a pointer to a downloadable manual or datasheet? I'm guessing that its something that will allow up to 5 systems to connect to it, each able DHCP request an address and that these addresses are all on the same IP subnet. I've not come across anything like this that would assign additional bandwidth on the WAN (Internet) side with each additional IP address assigned. If we can find out a bit more about the equipment that connects you to the ISP we may be able to help solve your configuration problem.
The fact that you have 5 pfSense interfaces on the same LAN is a configuration error unless they are bridged. (Each interface should be on its own distinct IP subnet.) And why would you bridge them in pfSense when they are connected to a switch?
-
Eugene:
what is wrong with my network design then? im open for change. U just want my 50mbit and not 10mbit. thats the reason i installed pfsense.wallabybob:
One of the biggest ISP's in sweden gives homes Fibre to the house and after that
one RJ45 contact in the wall. We get five public IP's. The download speed is 100Mbit. The upload speed is limited to 10Mbit for every IP we get. The advertised is "100/10". The reason we are geting 10Mbit/IP is just poor restrictions from there side.And yes. 6 ports are "WAN" u can call them "WANswitch" and the other one "LANswitch" the 2 VLANS never get in contact. Everyting has to through pfsense.
The sixth port is from the RJ45 Connector in the wall.
The reason im using this network design is i got help to. I asked here and got told that i can't make virtual interfaces in freebsd. If i use virtualization i can bridge them easy and get new MAC for every virtual NIC.. But in this case we come up to the conclusion that we cudent make virtual NIC's.
My ISP don't like to say whats behind the walls… im using:
www.bredbandsbolaget.se
They doesn't even have a webpage en english.. but if there is something you guys need to know. I will be happy to call them and ask.WAN (em1) IP address 85.226.121.133 Subnet mask 255.255.248.0 Gateway 85.226.120.1 ISP DNS servers 195.54.122.199 81.26.227.3 195.54.122.204 81.26.228.3 WAN1 (em2) IP address 85.226.122.10 Subnet mask 255.255.248.0 Gateway 85.226.120.1 WAN2 (em3) IP address 85.226.122.11 Subnet mask 255.255.248.0 Gateway 85.226.120.1 WAN3 (em4) IP address 85.226.122.20 Subnet mask 255.255.248.0 Gateway 85.226.120.1 WAN4 (em5) IP address 85.226.122.23 Subnet mask 255.255.248.0 Gateway 85.226.120.1All ips are in the same subnet.
I can undertstand that you guys dont like vlans. So here is without VLAN configurations:
Still looks stupid and unusual? :(
-
Hmm to make load balancing work you have to have different gateways on wan's , do you have that?
If not I wonder if a esxi server could be used so no additional hardware would be needed.
-
-
Do you have to be actively uploading from all 5 IPs? Can you simply have them allocated to you, or does there have to be a device using those IPs?
The simple I can see are:
-
Have the IPs allocated, don't use them
-
Allocate 4 of them to another device that you don't use
-
Insert simple firewall/routers between pfSense and the Internet connection, each with a different LAN subnet
As for what is wrong with your design:
@wallabybob:The fact that you have 5 pfSense interfaces on the same LAN is a configuration error unless they are bridged. (Each interface should be on its own distinct IP subnet.) And why would you bridge them in pfSense when they are connected to a switch?
-
-
I can remove four of the uplinks… Then only use one WAN...
then i can check if dhclient still uses that much CPU? -
I am sorry probably I am stupid but I still can not understand.
Your provider gives you one RJ-45 cable and 5 public IPs belonging to the same subnet. It allows you to download at 100Mb/s and upload with 20Mb/s per IP. And (what is most interesting) you have to acquire all 5 public IPs through DHCP.
Please tell me that I am wrong.
If everything above is correct I am afraid you can not use all 5 IPs without having 5 routers.
I would ask provider to provide me with 1 public IP and allow me to upload at 100 Mb/s paying the same price as you do now for 5 IPs.PS: we love VLANs!
-
I must agree that the provider is giving you such high bandwidth w/ such a setup is to prevent people from aggregating the bandwidth. You can use separate gateways for each wan. Several years ago, I've seen it done on a clarckconnect setup, until they started charging a subscription for such features. They just package a bunch of other people's "hard work/ingenuity" into a very nice gui and charge quite a bit for. I believe it's based on Centos/Redhat/Linux. It's quite reliable, I've been told. You might wanna check it out.
