Netgate Discussion Forum

    States at 9986/10000 and connection is slow…

    delicatepc

      Hi,

      Running a pfSense box 1.2rc3 with a single WAN using Clearwire.

      Use various P2P.

      Whenever a long period of time passes (like 8 hours) of P2P activity the states table is loaded to the max and all connections drop to little or nothing. When I flush the state tables the speed goes back to normal.

      Is this a bug in the states or is it an unavoidable side effect of P2P?

      DPC

      sullrich

        Increase your maximum states in System -> Advanced -> Firewall Maximum States.

        States take roughly 1K a piece so plan accordingly to the amount of ram you have installed in the firewall.

        delicatepc

          Can I get more of a detailed back story on states?

          I do not understand why they clog up like this. I understand that P2P makes a lot of connections, but what seems to be happening is that all these connections remain open until nothing can be sent through. I have a hard time accessing the firewall to reset the states (it sometimes times out when states are full).

          Would PeerGuardian have something to do with this? I can imagine it blocking IPs but yet leaving the connections open.

          Also a long time ago there was a TCP/IP stack patch released. Using SP2 XP should I apply such a patch?

          I know I can raise the states to something higher; however, currently I am testing with only one client and 10K of states should be more than enough.

          What do you think?

          DPC

          Perry

            Clearwire you say, isn't there something with high latency on games and traffic shaping on P2P with that ISP…

            /Perry
            doc.pfsense.org

            sullrich

              We cannot tell you how to fix your XP problem. We can only tell you how to lift the upper state limit to ensure pfSense continues to work.

              AhnHEL

                Would using the Aggressive Setting in System/Advanced/Firewall Optimization Options help him any with his problem?

                AhnHEL (Angel)

                sullrich

                  @onhel:

                  Would using the Aggressive Setting in System/Advanced/Firewall Optimization Options help him any with his problem?

                  It's worth a shot.

                  delicatepc

                    Hmm…

                    PeerGuardian replicates/causes the issue. It seems as if it accepts the connection at the firewall level, and when PeerGuardian drops/blocks an IP the firewall keeps the state open until a timeout or similar occurs.

                    Now multiply this over several hundred peers, each actively seeking to connect...

                    What I think is happening here is a flood of requests coming in and the states being kept open too long. Over time they gather and cause the system to slow down. Then a P2P app requests more connections and the other peer attempts to respond again, and it's a cycle until the requests are stopped.

                    Interesting....

                    Will attempt the aggressive.

                    DPC

                    mojo-chan

                      I have exactly the same problem too, and am looking for a solution. In the short term I increased the maximum number of states to 20000.

                      Unfortunately there is no documentation for the "Firewall Optimization Options". As delicatepc pointed out, the problem seems to be that connections live too long and are not closed, resulting in them building up until the firewall runs out of states. Will setting "Firewall Optimization Options" to aggressive reduce the amount of time the connection is open to something more sensible?

                      My system has 512MB RAM and having tens of thousands of connections does not seem to create a significant CPU load. With over 10000 states I get 17% memory usage and around 4% CPU (Pentium III 650MHz). However, it's not an ideal solution.

                      mojo-chan

                        I experimented with the aggressive setting, but it doesn't help. Connections are still mounting up faster than they are disappearing.

                        mojo-chan

                          I have found a solution to this.

                          First, you need to set the Firewall Optimization Rules to "Aggressive". This seems to give connections a lifetime of a few hours max after the last packet is received. That seems like a sensible default, since the only type of connection that might be affected is telnet/ssh left idle for hours (not a good idea, and keep-alive packets can be used anyway).

                          Next, increase the maximum number of states. I use 30,000 with no problems.

                          That should do it.

                          Rich
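The two knobs the thread settles on (a shorter idle timeout via the aggressive preset, and a higher state limit) interact in a way a short model makes visible. The following is an added example, not code from this thread or from pfSense: a toy Python model of a capped pf-style state table fed by a constant stream of peers. The timeout values are my assumption of pf's "normal" and "aggressive" presets (verify on a real box with `pfctl -s timeouts`), the arrival rates and the split between half-open and idle-established connections are constructed, and the "1K per state" memory figure comes from the thread.

```python
"""Why a pf state table fills up, and what "aggressive" and a higher limit buy you.

Toy model: every second a fixed number of peers open connections through the
firewall.  Some never complete the handshake (for instance the host blocks
them after pf has already created a state); those sit in the table until the
tcp.first idle timeout.  The rest reach ESTABLISHED and then go quiet without
a FIN (ordinary peer churn), so they occupy a state until tcp.established.
"""
from collections import deque

# ASSUMED idle timeouts (seconds) for pf's "normal" and "aggressive" optimization
# presets; check them with `pfctl -s timeouts` on the box you care about.
NORMAL = {"tcp.first": 120, "tcp.established": 86400}      # 24 h established
AGGRESSIVE = {"tcp.first": 30, "tcp.established": 18000}   # 5 h established


def simulate(timeouts, max_states, seconds, half_open_per_sec=1, established_per_sec=1):
    """Step a capped state table one second at a time.

    Returns the peak table size, the size at the end of the run, and how many
    new connections were refused because the table was full.
    """
    half_open = deque()     # expiry times of states whose handshake never completed
    established = deque()   # expiry times of established-but-idle states
    peak = dropped = 0
    for now in range(seconds):
        # Each queue shares one timeout, so its entries expire in FIFO order.
        while half_open and half_open[0] <= now:
            half_open.popleft()
        while established and established[0] <= now:
            established.popleft()
        # Constructed arrival pattern: a fixed mix of new connections per second.
        arrivals = ([(half_open, timeouts["tcp.first"])] * half_open_per_sec
                    + [(established, timeouts["tcp.established"])] * established_per_sec)
        for queue, ttl in arrivals:
            if len(half_open) + len(established) >= max_states:
                dropped += 1        # pf cannot create a state: the "everything is slow" symptom
                continue
            queue.append(now + ttl)
        peak = max(peak, len(half_open) + len(established))
    return {"peak": peak, "final": len(half_open) + len(established), "dropped": dropped}


def steady_state(timeouts, half_open_per_sec=1, established_per_sec=1):
    """Little's law: long-run occupancy = arrival rate x time each state lives."""
    return (half_open_per_sec * timeouts["tcp.first"]
            + established_per_sec * timeouts["tcp.established"])


def ram_for_states(max_states, bytes_per_state=1024):
    """MiB the table needs at the thread's rough "1K per state" figure."""
    return max_states * bytes_per_state / 2 ** 20


if __name__ == "__main__":
    for label, timeouts in (("normal", NORMAL), ("aggressive", AGGRESSIVE)):
        print(f"{label}: steady-state estimate {steady_state(timeouts)} states")
        for limit in (10000, 30000):
            r = simulate(timeouts, limit, seconds=40000)
            print(f"  limit {limit:>6}: peak {r['peak']:>6}  final {r['final']:>6}  "
                  f"refused {r['dropped']:>6}  (~{ram_for_states(limit):.0f} MiB)")
```

With two new peers per second, the aggressive preset alone settles at 18,030 states, which still overflows a 10,000 limit but fits comfortably in 30,000; the normal preset heads for roughly 86,500 and overflows either limit within the run. That is the same shape mojo-chan reports: aggressive on its own did not help, aggressive plus a higher limit did. The dropped count is the number to watch on a real box (it is what shows up as "slow" once the table is full), and the steady-state estimate is the planning figure to compare against RAM before raising the limit.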

                            If you're talking about the Clearwire that provides wireless internet, that is your problem. You have high latency and high packet loss. You also have a fair usage system built into it that slows your connection down when you download too much. Bi-directional traffic will slow you way down also with an asynchronous link. Add to that a poorly behaved P2P application and you have a standstill traffic jam. You can increase the session states and set the rules to aggressive, but I doubt it will completely fix it. You'll need to do some reading in the traffic shaping section.
