Netgate Discussion Forum
    Transparent squid + torrent = 11,000 states

    Category: 2.0-RC Snapshot Feedback and Problems - RETIRED
    5 Posts, 4 Posters, 4.4k Views
    rsingh:

      I'm running into an issue with BitTorrent and squid transparent mode.

      • With just BitTorrent running (transmission client) I get about 1000-1600 states. Everything works fine. BitTorrent is set to max out connections at 500 (1000 total states +/- a couple hundred). Transmission is not configured to use port 80, of course!

      • With just squid transparent mode running, there are usually only a couple hundred states; all HTTP port 80 connections work nicely and are cached nicely.

      If you run BitTorrent and squid transparent mode together, the number of states will jump to 11,000-12,000 in less than 30 seconds. When this happens, no port 80 browsing is possible, but other ports which don't go through the proxy will work. This behavior is seen with the latest version of pfSense 2.0 as well as a snap from last Thursday.

      This is a small example of what is in the state table; 90% of it is this:
      tcp 127.0.0.1:80 <- 127.0.0.1:43035 ESTABLISHED:ESTABLISHED
      tcp 127.0.0.1:57993 -> 127.0.0.1:80 ESTABLISHED:ESTABLISHED
      tcp 127.0.0.1:80 <- 127.0.0.1:57993 ESTABLISHED:ESTABLISHED
      tcp 127.0.0.1:61552 -> 127.0.0.1:80 ESTABLISHED:ESTABLISHED
      tcp 127.0.0.1:80 <- 127.0.0.1:61552 ESTABLISHED:ESTABLISHED
      tcp 127.0.0.1:21522 -> 127.0.0.1:80 ESTABLISHED:ESTABLISHED
      tcp 127.0.0.1:80 <- 127.0.0.1:21522 ESTABLISHED:ESTABLISHED

      To remedy this I disable transparent mode and clear the states, or turn off the BitTorrent client and clear states.

      Anyone have advice on how I can use torrents and transparent mode at the same time?

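The state-table excerpt above has a recognisable signature: TCP states where both endpoints are 127.0.0.1 and one end is port 80, which is the proxy talking to itself on loopback. The following script is an added example, not code from this thread or from pfSense; it parses state lines in the format shown above (the same layout `pfctl -ss` prints, with or without the leading interface column) and raises an alert when such loopback-proxy states make up more than a configurable share of the table. The sample lines are constructed to mirror the thread's excerpt plus a few ordinary states; the 50% threshold and the `proxy_port` default are assumptions.

```python
"""Detect a proxy-to-itself loop in pf state-table output.

Added example (not from the forum thread or pfSense). Counts TCP states
whose two endpoints are both 127.0.0.1 and where one side is the proxy
port; a large share of such states is the loop described in the thread.
"""
import re

# Constructed sample: four loopback proxy states (as in the thread) plus
# a normal client-to-web state and a torrent UDP state.
SAMPLE_STATES = """\
tcp 127.0.0.1:80 <- 127.0.0.1:43035 ESTABLISHED:ESTABLISHED
tcp 127.0.0.1:57993 -> 127.0.0.1:80 ESTABLISHED:ESTABLISHED
tcp 127.0.0.1:80 <- 127.0.0.1:57993 ESTABLISHED:ESTABLISHED
tcp 192.168.1.10:51234 -> 93.184.216.34:80 ESTABLISHED:ESTABLISHED
udp 192.168.1.10:51413 -> 203.0.113.7:6881 MULTIPLE:MULTIPLE
all tcp 127.0.0.1:61552 -> 127.0.0.1:80 ESTABLISHED:ESTABLISHED
"""

# Optional leading interface column ("all" or an ifname), then proto,
# endpoint, direction arrow, endpoint, and the state pair.
STATE_RE = re.compile(
    r"^(?:\S+\s+)?(?P<proto>tcp|udp|icmp)\s+"
    r"(?P<a_host>[\d.]+):(?P<a_port>\d+)\s+"
    r"(?P<dir>->|<-)\s+"
    r"(?P<b_host>[\d.]+):(?P<b_port>\d+)\s+"
    r"(?P<state>\S+)$"
)


def parse_states(text):
    """Yield one dict per parseable state line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m is None:
            continue
        d = m.groupdict()
        d["a_port"] = int(d["a_port"])
        d["b_port"] = int(d["b_port"])
        yield d


def is_loopback_proxy_loop(state, proxy_port=80):
    """True when both ends are 127.0.0.1 and one end is the proxy port."""
    return (
        state["proto"] == "tcp"
        and state["a_host"] == "127.0.0.1"
        and state["b_host"] == "127.0.0.1"
        and proxy_port in (state["a_port"], state["b_port"])
    )


def summarize(text, proxy_port=80, threshold=0.5):
    """Return (total_states, looped_states, alert).

    alert is True when looped_states / total_states reaches the threshold
    (assumed default: half the table), which is far above the handful of
    loopback states a healthy transparent proxy produces.
    """
    states = list(parse_states(text))
    looped = sum(1 for s in states if is_loopback_proxy_loop(s, proxy_port))
    total = len(states)
    alert = total > 0 and looped / total >= threshold
    return total, looped, alert


if __name__ == "__main__":
    total, looped, alert = summarize(SAMPLE_STATES)
    print(f"{looped}/{total} loopback proxy states; alert={alert}")
```

On a live box the same function can be fed the output of `pfctl -ss`; the ratio matters more than the raw count, since the thread shows the loop at roughly 90% of the table while normal operation leaves only a few loopback states.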
        eri--:

        Seems some kind of loop is happening on your firewall.
        Please post your rulesets and nat rules.


          Nachtfalke:

          @rsingh

          I did a test - just for you:

          I am using utorrent and I used a torrent to download ubuntu 10.04.
          I am using squid in transparent mode.

          The states rise from ~50 up to 300-400.

          I didn't change any settings within my torrent client (utorrent).


            Michael Sh.:

            A known problem for me. The easiest method to reproduce this:

            lynx localhost    #or
            fetch http://localhost
            from pfSense.

            Some domain administrators play jokes.

            dig some.domain
            some.domain. IN A 127.0.0.1

            I checked it myself. Squid has no protection against connecting to itself. I added a rule into squid.inc:

            
             $rules .= "# Setup squid pass rules for proxy\n";
            +$rules .= "block in quick on lo0 proto tcp from 127.0.0.1 to (lo0) port 80\n";
            
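            Review bot: the added `block in quick on lo0` rule hardcodes both `127.0.0.1` and port `80`, so it only stops the exact loop shown in this thread; if squid is told to listen on a different port or address, the self-connection is not blocked. Consider taking the port from the same setting the pass rules in this section are generated from, and add a comment line in the style of the existing `# Setup squid pass rules for proxy` explaining that the rule prevents squid from connecting back to itself, since the generated ruleset otherwise gives no hint why loopback port 80 is blocked.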

            So far it helps.


              rsingh:

              I added this silly rule to the top of my floating rules:

              ID Proto Source Port Destination Port Gateway Queue Schedule Description
              [BLOCK] TCP 127.0.0.1 * 127.0.0.1 80 (HTTP) * none

              Shortly after adding this (~1-2 minutes) the states dropped from >11,000 to <1,000. HTTP traffic is not being slowed to a crawl.

              So this is a really good workaround, but perhaps this should get fixed. Ermal, would you like me to just send the whole config file to you?

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.