Pfsense lockup?!?!? state table SOLUTION

bruor

ok,  figured i would post here because this was a rather annoying issue to figure out.

it seems that my simple home network, 2 pc's and only 1 machine running bittorrent (only around 3 torrents at one time) plus a voip phone, was causing pfsense to lock up

at first i thought it was the hardware becasue there was no entry in the logs under system or firewall that gave me any clue to what the unresponsiveness of the unit might be caused by.  it would seem that every 100th try (overexaggerating) would get through the firewall for web browsing etc, but the bittorrent downloads would no lock up at all.  everyday i would reset the firewall, and it would work for around a day, and would be dead by the next morning

i finally tracked it down to the amount of states that the firewall holds, watching the state table size grow, it would average around a 20 state per second growth rate at the default expiration setting.  moving this to conservative made this rate boom,  and aggressive seems like it is expiring the connections down from around 15000 at a rate of 10/sec

just a tip for anyone out there,  make sure to set your unit to aggressive if you are gonna run filesharing.  or if someone can tell me if i have something misconfigured elsewhere, i would greatly appreciate it.

hope this helps ;)

sullrich

With 150+ users behind one pfsense we rarely even see 10,000 states.  You must be the warez king over there.

lsf

Maybe it's bittorrent, it's eating a lot of states iirc.

epsilon

its like your at my place,

2 computers
a vonage box
1 computer running bittorren

I was thinking hardware as well till i went thou 4 computers last one being a dule amd MP2400+ with 2gigs of ram
was trying of over kill still went dead after about 24hours. some times as little as 4 hours if i was doing a massive anime download.

I'll try changing my settings to aggressive

thanks.

billm

Wierd, I never have a problem with my 4801 and bittorrent.  Of course I also have my state table set to 50000 :)

–Bill

Leoandru

have mine set to 65536.. Its been going for weeks only rebooting on upgrades.. No problems and we run bittorrent on a regular basis.

ZGamer

The interesting problem I find is that after a day or two with the 3 computers on my network I can get this problem without any p2p applications but if I switch to m0n0 is seems to handle it just fine, the only difference which it may be the source of the problem is the atheros pci card which is in the firewall….possibly failing to close states(haven't verified yet).

sullrich

Aren't you comparing apples to oranges?  Last time I checked m0n0wall doesn't support atheros.

ZGamer

@sullrich:

Aren't you comparing apples to oranges?  Last time I checked m0n0wall doesn't support atheros.

True, m0n0wall doesn't support Atheros. I need to check this with the atheros card removed.