Where are the additional TCP Timeouts? (TIME_WAIT)

highpec

Hello,

I am thinking about building a Pfsense PC for my router, as I use a ton of connections / ports and my residential Linksys / DD-WRT has a hard time handling them.

I've read this page:
https://www.netgate.com/docs/pfsense/config/advanced-setup.html

And see most of the timeouts that I'm used to... but where is the timeout for TIME_WAIT? I work a lot with proxies, and a huge number of connections go into TIME_WAIT. On my Linksys, I have DD-WRT dump these connections in 10 seconds to keep the connections down.

But I don't see any option for it in Pfsense. Note that FIN_WAIT/2, and TIME_WAIT are two difference timeouts from what I understand.

highpec

Anyone know the answer?

marvosa

@highpec said in Where are the additional TCP Timeouts? (TIME_WAIT):

TIME_WAIT

A quick search brought me here -> http://scratching.psybermonkey.net/2011/01/freebsd-how-to-reduce-timewait.html

The post suggests tweaking the following system tunable may be what you're looking for:

net.inet.tcp.msl

I don't believe it's listed in PFsense by default, so you'll need to add it manually:
System -> Advanced -> System Tunables

Derelict

as I use a ton of connections / ports and my residential Linksys / DD-WRT has a hard time handling them.

How many is a ton? What is a huge number?

pfSense can easily handle hundreds of thousands of states on commodity hardware.

My guess is you won't have to change the defaults one bit.

And if you do start reaching a high number of states a fairly-aggressive state killing algorithm (Adaptive Timeouts) will kick in and get rid of the older, inactive ones.

Derelict

@highpec said in Where are the additional TCP Timeouts? (TIME_WAIT):

But I don't see any option for it in Pfsense. Note that FIN_WAIT/2, and TIME_WAIT are two difference timeouts from what I understand.

System > Advanced, Firewall & NAT

I would just suggest setting Firewall Optimization to Aggressive there before manipulating the individual timeouts.

Again, I'd try it first without changing anything from the defaults.

highpec

@derelict said in Where are the additional TCP Timeouts? (TIME_WAIT):

@highpec said in Where are the additional TCP Timeouts? (TIME_WAIT):

But I don't see any option for it in Pfsense. Note that FIN_WAIT/2, and TIME_WAIT are two difference timeouts from what I understand.

System > Advanced, Firewall & NAT

I would just suggest setting Firewall Optimization to Aggressive there before manipulating the individual timeouts.

Again, I'd try it first without changing anything from the defaults.

The odd thing is, and I don't know if this is DD-WRT, but even on my little Linksys WRT 1200ac v2 when I hit 30,000 connections (I'd like to be able to hit at least 30-50k), the CPU usage (1333mhz dual core) is never above 30%, and the RAM is never above 10%.

So do you think it's the firmware causing the router to lag out around 30,000 connections, or the hardware?

I plan on building a really good system if I end up using Pfsense, I will shell out the money for the fastest/best, lowest TDP processor, and have at least 4-8gb RAM. Having a lot of connections is at the core of my business, as I work a lot with proxies that often times have quick timeouts.

Since lowering my FIN_WAIT/TIME_WAIT/Close/Close_Wait/etc timeout in DD-WRT to 10s, my connections barely ever go above 10,000. This means that I can actually accomplish more with dramatically less active connections, and so far have seen zero downside of lowering these timeouts. Often times I'm running at 50mbps consistently, and while at default settings I'd be at 20-30k+ connections, now I'm only at 7k. Even Skype, Teamviewer (30s UDP timeout), etc have no problems with these low timeouts.

However, I wouldn't mind pressing the pedal down even harder, and building a Pfsense rig... but I still think it's a waste to keep the timeouts so high. Anyways, thanks for the responses!

Derelict

30K states is nothing. Absolutely nothing. Neither is 50Mbps with about any CPU. The old (old) ALIX would max at about 80Mbps.

No idea about DD-WRT and its limitations and what you might have been hitting there. Sorry.

but I still think it's a waste to keep the timeouts so high.

Kind of like a /64 is a waste of IPv6 addresses. My advice: deploy and stop sweating it.

marvosa

@derelict said in Where are the additional TCP Timeouts? (TIME_WAIT):

@highpec said in Where are the additional TCP Timeouts? (TIME_WAIT):

But I don't see any option for it in Pfsense. Note that FIN_WAIT/2, and TIME_WAIT are two difference timeouts from what I understand.

System > Advanced, Firewall & NAT

I would just suggest setting Firewall Optimization to Aggressive there before manipulating the individual timeouts.

Again, I'd try it first without changing anything from the defaults.

Agreed. When I skimmed over the OP and saw that the advanced setup had already been read through, I assumed the advanced options had all been tried already. However, after re-reading the OP, it became evident that PFsense hasn't even been deployed yet.

As @Derelict already stated, after deploying with decent hardware, I highly doubt you'll need to stray from the defaults. However, in the event that the situation presents itself, try changing the firewall optimization first before tweaking tunables.

Derelict

Those FreeBSD tunables (such as net.inet.tcp.msl) are for connections to the firewall itself (like to a web server) and have nothing to do with state timeouts in pf and connections through the firewall.

The pf timeouts are in System > Advanced, Firewall & NAT.