Ping floods show packet loss
-
In trying to troubleshoot local network issues, I routinely use the ping -f command to quickly determine where there may be an issue with a host or switch. I’ve noticed that in every pfsense box I’ve deployed (and I’ve done a few dozen, 32 and 64 bit, various cpus, various nics, simple to complex configs), i always see packet loss of under 10% (usually 4-6%). If I do the same with a centos box, I get no loss.
Why does pfsense show a loss, when there really is none?
Could there be some command line switch to use?
Bob
-
If you are scanning a local network, same subnet, you usually wouldn't see traffic going through pfSense. Your switch would keep all of that traffic local.
Are you 100% sure you're going through pfSense?
-
I’m just trying to ping local machines on the lan network for the most part. I’m not saying that the local lan traffic is going thru pfsense, just internet traffic. However, if there is packet loss (either to the Internet or elsewhere), the flood ping is a great way to quickly find it and make sure you don’t have a flaky nic or switch.
Bob
-
@nleaudio said in Ping floods show packet loss:
I’m just trying to ping local machines on the lan network for the most part. I’m not saying that the local lan traffic is going thru pfsense, just internet traffic. However, if there is packet loss (either to the Internet or elsewhere), the flood ping is a great way to quickly find it and make sure you don’t have a flaky nic or switch.
Bob
The only risk you have is creating a situation where you consume all of the resources on the pfSense box by creating the flood. You could unintentionally create a situation where you DOS yourself or a device.
If you do not use a ping flood, do you see packets dropping in the pfSense interface? I will usually pick a monitoring address other than Level3 or Google to use as a monitor IP. That's why I use to determine packet loss rather than doing something like a ping flood.
-
@tim-mcmanus
Thanks for the reply. I just use the flood ping as a tool to see quickly if there is a packet loss issue. I routinely do this with Linux boxes, and I’ve never had an issue. My question here is why does pfsense behave differently than the Linux boxes, and show packet loss when there really isn’t any?For example, try this:
- Pfsense box with LAN on 192.168.1.1
- Centos (or pick your favorite distro) with a pingable port on 192.168.1.100
When you ping -f 192.168.1.1 from the Linux box, you’ll see no lost packets.
When you ping -f 192.168.1.100 from pfsense’s shell, you’ll see some loss.
You can even see this with a cable directly connecting the two, linked up at 1000base.
Bob
-
Tims-iMac-Pro:~ timmcmanus$ sudo ping -f 10.0.0.1 Password: PING 10.0.0.1 (10.0.0.1): 56 data bytes .^C --- 10.0.0.1 ping statistics --- 209306 packets transmitted, 209305 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 0.059/0.162/1.693/0.274 ms Tims-iMac-Pro:~ timmcmanus$I am pinging a Netgate SG-2440 from an iMac Pro. The ping consumes about 4.2Mbit up and 4.2Mbit down. I wasn't logged into the router interface at all during the test.
No packet loss.
What hardware are you using? The NIC manufacturers?
-
@tim-mcmanus
No, I’m saying that I can get the same results you just posted when I use a different machine. It’s when I shell into pfsense and do a ping flood from that where it shows the packet loss.For hardware, again I have all different kinds of hardware, from older p4s to core 2 duo 3ghz to dell Xeon servers. I typically always use intel nics, but they can be server ones, workstation ones, etc. I seem to see the same results no matter what hardware I use.
Bob
-
How are you getting ping to do a flood on pfSense? When I add the "-f" argument to ping in the pfSense shell I get an error.
-
Works fine here. Ping -f (address)
Bob
-
@nleaudio We're seeing the same problem in our network, on several pfSenses on different hardware. All of them on 2.4.4-RELEASE-p2.
Doing a ping -f from any firewall to a neighbor in the same VLAN, produces around 0,5% packet loss. Doing the same from that same neighbor to the pfSense, there isn't any loss. There's no loss either for icmp floods going through the pfSense.
We've verified that there are not errors in the interfaces, nor in the involved switches ports. There is not bandwith control either.
Any idea?
-
Well you could argue that if there is no loss going through the firewall then there is no problem.
Just how many packets lost are you seeing. I do see some loss but less than 0.5%:
steve@steve-MMLP7AP-00 ~ $ sudo ping -f 172.21.16.66 [sudo] password for steve: PING 172.21.16.66 (172.21.16.66) 56(84) bytes of data. .^C --- 172.21.16.66 ping statistics --- 75479 packets transmitted, 75478 received, 0% packet loss, time 6169ms rtt min/avg/max/mdev = 0.050/0.069/0.529/0.009 ms, ipg/ewma 0.081/0.070 ms[2.4.5-DEVELOPMENT][admin@2220.stevew.lan]/root: ping -f 172.21.16.5 PING 172.21.16.5 (172.21.16.5): 56 data bytes ............................^C. --- 172.21.16.5 ping statistics --- 77759 packets transmitted, 77730 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 0.052/0.144/2.232/0.210 mspcap on the pfSense interface to see if the packets really are lost would be interesting.
Edit: In my case a pcap shows missing replies there.
Steve
-
@stephenw10 This is getting really weird. Now we get around a 0.1% of packet loss (53 packets over 3 seconds), according to the ping output:
[2.4.4-RELEASE][admin@firewall]/root: ping -f -t 3 -W 10 10.245.51.198 PING 10.245.51.198 (10.245.51.198): 56 data bytes ..................................................... --- 10.245.51.198 ping statistics --- 67182 packets transmitted, 67129 packets received, 0.1% packet loss round-trip min/avg/max/stddev = 0.048/0.190/1.167/0.087 msHowever, in the capture taken from the pfSense we see all the answers, but some of them arrive before the requests is sent!
Using the filter "not icmp.resp_in and icmp.type==8" in wireshark, there are only 6 packets like that one.
You can find the complete pcap here: https://send.firefox.com/download/1784845d32/#0tHxIDIhgpwnvZEW8WIhrA
Regards.
-
Mmm, curious. Do you see any dropped packets in
netstat -i? -
@stephenw10 There are no errors:
Name Mtu Network Address Ipkts Ierrs Idrop Opkts Oerrs Coll ... igb3 1500 <Link#4> 00:1b:21:37:df:0d 1668697756 0 0 2484214267 0 0 igb3 - fe80::%igb3/6 fe80::21b:21ff:fe 0 - - 0 - - igb3 - 10.245.51.192 10.245.51.193 18159161 - - 44321347 - - ...Regards.
