Can't get more than 10k connections on an IP - Resolved – see 4th post
-
I'm not sure which gets more traffic, so this is posted on the mailing list as well.. sorry if this is against any forum rules :)
We are running pfSense v1.2.2 with ejabberd, and we are unable to have more than 10K connections to the same IP.
(When this happens, I can still connect to other IPs on the same firewall, so it seems to be a per-IP limit.)
While searching for the settings, we found the following:
vmstat -z
ITEM SIZE LIMIT USED FREE REQUESTS FAILURES
...
pfsrctrpl: 124, 10013, 9803, 210, 592703, 332183
...
pfsrctrpl seems to be our issue.. What is this and how can we change it?
Advanced Options on the rule we are having trouble with is blank, so it should be used.
We've tried setting it to 15000 and that didn't make any difference.
Firewall Maximum States is set to 100000 and we also tried to change it to 200000.
Any ideas?
thanks,
tom
-
pfsrctrpl seems to translate to src-nodes.
pfctl -sm
states hard limit 200000
src-nodes hard limit 10000
frags hard limit 5000
tables hard limit 1000
table-entries hard limit 100000
I can change the src-nodes limit by editing pf.cfg with the following:
set limit { src-nodes 23456 }
and then running
pfctl -f pf.cfg
This shows the following changes:
src-nodes hard limit 23456
and
pfsrctrpl: 124, 23467, 2635, 7378, 650614, 336039
but I lose access to the firewall.
When I reload the firewall it resets the src-nodes.
In addition to the above, I added the following line to the top of the <system> section of /cf/conf/config.xml:
<max-src-nodes>23456</max-src-nodes>
but it still didn't work.
-
The file you need to edit is /tmp/rules.debug, but this file is regenerated upon every FW change.
If you don't change the FW then just enter your limit here.
-
This seems to have worked.. I'll report the results after we see our traffic rise to more than the 10K we were blocked at.
Chris' reply to the mailing list:
Edit /etc/inc/filter.inc, find these two lines:
$rules .= "\n";
$rules .= "set skip on pfsync0\n";
above those, add:
$rules .= "set limit src-nodes 23456\n";
or whatever number you want it to be. Save changes, edit and save a rule and apply changes to kick off a filter reload.
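As an added example that is not part of this thread or of pfSense, a small POSIX sh health check built on the two outputs quoted above (pfctl -sm and the pfsrctrpl line of vmstat -z), so you can see the src-nodes pool filling up before connections start being refused. The sample strings, the function names and the "previous failures" argument are constructed here; the pfsrctrpl column order is the one shown in the first post.

```shell
#!/bin/sh
# Added example, not from the thread: health check for the pf src-nodes pool.
# On a real pfSense/FreeBSD box you would feed it live output, e.g.
#   check_src_nodes "$(pfctl -sm)" "$(vmstat -z | grep pfsrctrpl)" "$PREV_FAILURES"

# Constructed sample output in the shape the thread shows (not live data).
SAMPLE_PFCTL='states        hard limit   200000
src-nodes     hard limit    10000
frags         hard limit     5000'
SAMPLE_VMSTAT='pfsrctrpl:  124, 10013, 9803, 210, 592703, 332183'

# src_nodes_limit PFCTL_OUTPUT -> the configured src-nodes hard limit
src_nodes_limit() {
    printf '%s\n' "$1" | awk '$1 == "src-nodes" { print $NF; exit }'
}

# pfsrctrpl_field VMSTAT_LINE N -> Nth numeric column of the pfsrctrpl zone
# (columns: SIZE LIMIT USED FREE REQUESTS FAILURES, so 3 = USED, 6 = FAILURES)
pfsrctrpl_field() {
    printf '%s\n' "$1" | awk -F'[:,] *' -v n="$2" '{ print $(n + 1) }'
}

# check_src_nodes PFCTL_OUTPUT VMSTAT_LINE [PREV_FAILURES]
# The FAILURES column is cumulative since boot, so a large value alone does not
# prove the pool is exhausted right now; pass the count from the previous run
# and only a growing count is reported as active exhaustion.
# Exit status: 0 healthy, 1 at or above 90% of the limit, 2 failures increasing.
check_src_nodes() {
    limit=$(src_nodes_limit "$1")
    used=$(pfsrctrpl_field "$2" 3)
    failures=$(pfsrctrpl_field "$2" 6)
    prev=${3:-$failures}
    pct=$((used * 100 / limit))
    if [ "$failures" -gt "$prev" ]; then
        echo "EXHAUSTED: src-nodes $used/$limit ($pct%), failures grew by $((failures - prev)); raise 'set limit src-nodes' in filter.inc"
        return 2
    fi
    if [ "$pct" -ge 90 ]; then
        echo "WARNING: src-nodes $used/$limit ($pct%) in use"
        return 1
    fi
    echo "OK: src-nodes $used/$limit ($pct%) in use"
    return 0
}
```

Run it from cron with the previous FAILURES value saved to a file and you get an alert when the pool actually starts refusing new source nodes, rather than on the historical counter.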