Performance on Alix2d3, am I maybe missing some configuration?
-
Hi all,
I just set up a new Alix2d3 board with pfSense today, as my FortiGate went south last night.
First impressions are very good; pfSense seems like a fantastic piece of software, and I was very pleased with the configuration and possibilities (I need policy-based routing for my setup here).
But, just now I wanted to play some Team Fortress 2, and upon launching the server browser, my internet died almost completely.
Existing connections, IRC and a music stream continued, but I was unable to start any new connections, or ping anything outside my LAN.
I know that TF2's server browser is pretty aggressive (it retrieves a list and then opens up a couple of thousand pings in close succession), but my old FortiGate never had any problems. Now it just stalled at about 300 (normally the list contains at least a couple thousand entries), and as noted, new internet connectivity simply died.
A minute or two later, operation goes back to normal, and I check the logs/graphs to try and determine what happened.
CPU isn't notably taxed (except for a few very small spikes up to about 85%), states seem to have maxed out at about 1400, memory, nothing noteworthy there either.
I tried getting the list again, this time with top running on the pfSense shell, and load never exceeded 0.4, and CPU/memory were hardly touched either. (But CPU load was visible in the RRD graphs afterwards.)
So, can anyone tell me if this is a hardware problem, as in, not powerful enough, or if I am missing something in my pfSense configuration (it is pretty vanilla, only added a couple of NAT / rules)
I'm not really all that well versed in CPU requirements with regard to firewall operations, but I would think that a 500 MHz CPU should be more than enough to handle a couple thousand pings.
/Peter
-
I forgot to mention that I am running pf 2.0, I don't know if the HW requirements for 1.2.3 are smaller? (If it is indeed because my HW is underspecced)
-
I would think that a 500mhz CPU should be more than enough to handle a couple thousand pings.
You wrote the pings were "in close succession". For the sake of illustration, suppose the pings were sent "back to back". Suppose the Alix can't process the pings as quickly as they arrive (the Alix CPU is probably considerably slower than the server CPU): the NIC receive ring in main memory will back up, then the receive buffer in the NIC will back up, and then arriving pings will be discarded without being seen at all by the Alix. Some NICs have a "receive overrun" counter that gets incremented every time an arriving packet gets dropped because there is nowhere to put it.
You might get a very different result if you use pings with (say) 1000 byte payload because the larger payload will considerably reduce the arrival rate.
I suspect if you want something to handle several thousand pings in close succession then you may need a more capable CPU. However, if you want something that will handle predominantly file download traffic (with, at worst, an occasional short ping flood) then the Alix is probably just fine.
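The reply above reasons about arrival rate versus per-packet processing rate and a fixed-size receive ring. The following is an added illustration of that model, not code from pfSense, FreeBSD or the poster: a deterministic single-server queue where frames arrive back to back at wire speed, the CPU retires them one at a time, and anything that arrives while the ring is full is counted as an overrun. The link rate (100 Mbit/s), the CPU's forwarding capacity (20,000 packets/s) and the ring depth (256 slots) are assumed figures chosen to show the effect, not measurements of an ALIX 2D3; the burst of 2000 pings mirrors the "couple of thousand" in the original post.

```python
"""Toy model of a NIC receive ring under a back-to-back ping burst.

Added illustration; not pfSense/FreeBSD code. LINK, CPU_PPS and RING in
main() are assumed values, not measurements of any real board.
"""
from dataclasses import dataclass

# Bytes on the wire that are not ICMP payload: IPv4 + ICMP headers, and the
# Ethernet header, FCS, preamble/SFD and inter-frame gap.
IP_ICMP_HEADER_BYTES = 20 + 8
ETHERNET_OVERHEAD_BYTES = 14 + 4 + 8 + 12


@dataclass
class RingStats:
    received: int      # frames that reached the NIC
    processed: int     # frames the CPU actually handled
    overruns: int      # frames discarded because the ring was full
    max_queue: int     # deepest the ring got during the burst


def frame_time(payload_bytes: int, link_bps: float) -> float:
    """Seconds one ping frame occupies a link of link_bps bits per second."""
    frame = payload_bytes + IP_ICMP_HEADER_BYTES + ETHERNET_OVERHEAD_BYTES
    return frame * 8 / link_bps


def arrival_pps(payload_bytes: int, link_bps: float) -> float:
    """Maximum pings per second a sender can push onto the link."""
    return 1.0 / frame_time(payload_bytes, link_bps)


def simulate_burst(n_packets: int, payload_bytes: int, link_bps: float,
                   cpu_pps: float, ring_slots: int) -> RingStats:
    """Frames arrive back to back at wire speed; the CPU drains them one at
    a time at cpu_pps; the ring holds at most ring_slots waiting frames.
    A frame arriving while the ring is full is an overrun, which is what a
    NIC 'receive overrun' counter would record."""
    gap = frame_time(payload_bytes, link_bps)
    service = 1.0 / cpu_pps
    queue = 0
    busy_until = None        # when the CPU finishes its current frame
    processed = overruns = max_queue = 0

    for i in range(n_packets):
        now = i * gap
        # Retire every frame the CPU has finished by now; each completion
        # lets it pull the next waiting frame off the ring.
        while busy_until is not None and busy_until <= now:
            processed += 1
            if queue:
                queue -= 1
                busy_until += service
            else:
                busy_until = None
        # Place the arriving frame.
        if busy_until is None:
            busy_until = now + service       # CPU takes it immediately
        elif queue < ring_slots:
            queue += 1                       # parked in the receive ring
            max_queue = max(max_queue, queue)
        else:
            overruns += 1                    # nowhere to put it: dropped

    # Once the burst stops, the CPU eventually drains whatever is left.
    processed += (1 if busy_until is not None else 0) + queue
    return RingStats(n_packets, processed, overruns, max_queue)


if __name__ == "__main__":
    LINK = 100e6        # assumed 100 Mbit/s port
    CPU_PPS = 20_000    # assumed packets/s the box can forward
    RING = 256          # assumed receive ring depth
    for payload in (32, 56, 500, 1000, 1472):
        s = simulate_burst(2000, payload, LINK, CPU_PPS, RING)
        print(f"payload {payload:5d} B  arrivals {arrival_pps(payload, LINK):8.0f}/s"
              f"  overruns {s.overruns:4d}  max ring depth {s.max_queue}")
```

With these assumed numbers, 56-byte pings arrive at over 100,000 frames/s, the ring fills within a few hundred frames and most of the burst is dropped before the firewall ever sees it, while 1000-byte pings arrive slower than the CPU can service them and nothing is lost. That is the practical check to make on the box itself: during the server-browser burst, watch the interface input error/drop counters (`netstat -i` on FreeBSD) rather than CPU load or the pf state count, since frames dropped at the NIC never cost CPU time or create a state.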
-
You wrote your states maxed out at 1400, why is your max states so low? My ALIX 2D3 has a default Maximum States of 23000.
In your GUI, go to System: Advanced: Firewall and NAT and raise the Firewall Maximum States to 23000.
-
@onhel:
You wrote your states maxed out at 1400, why is your max states so low? My ALIX 2D3 has a default Maximum States of 23000.
Sorry, badly written, what I meant was that in the situation where I opened the TF2 serverbrowser, the states peaked at ~1400, the max setting is left at default which is 23000, the same as yours.
-
I suspect if you want something to handle several thousand pings in close succession then you may need a more capable CPU. However if want something that will handle predominantly file download traffic (with at worst, an occasional short ping flood) then the Alix is probably just fine.
Thanks a lot for the answer, it has helped me a lot. Looks like I'll have to go look for a larger CPU.