States at 9986/10000 and connection is slow…



  • Hi,

    Running a pfSense box 1.2rc3 with a single WAN using Clearwire.

    Use various P2P.

    Whenever a long period of time passes (like 8 hours) of P2P activity the states table is loaded to the max and all connections drop to little or nothing. When I flush the state tables the speed goes back to normal.

    Is this a bug in the states or is it an unavoidable side effect of P2P?

    DPC



  • Increase your maximum states in System -> Advanced -> Firewall Maximum States.

    States take roughly 1K apiece, so plan according to the amount of RAM you have installed in the firewall.
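    An added example (not from the thread) of how to check state-table pressure on the pfSense box itself, using the ~1K-per-state figure above: it parses the output of `pfctl -s info` and `pfctl -s memory` (the two samples below are constructed to match the original poster's 9986/10000 situation; swap in the live commands on the firewall) and returns non-zero when utilisation crosses a threshold, so it can be wired into a cron or monitoring check.

    ```shell
    #!/bin/sh
    # Constructed sample of `pfctl -s info` (FreeBSD/pfSense); on a live box use:
    #   SAMPLE_INFO=$(pfctl -s info)
    SAMPLE_INFO='Status: Enabled for 0 days 08:12:03           Debug: Urgent

    State Table                          Total             Rate
      current entries                     9986
      searches                        18034112          610.2/s
      inserts                           403221           13.6/s
      removals                          393235           13.3/s'

    # Constructed sample of `pfctl -s memory`; on a live box use:
    #   SAMPLE_MEMORY=$(pfctl -s memory)
    SAMPLE_MEMORY='states        hard limit    10000
    src-nodes     hard limit    10000
    frags         hard limit     5000'

    # current_states INFO -> entries currently in the state table
    # (first "current entries" line belongs to the State Table section)
    current_states() {
        printf '%s\n' "$1" | awk '/current entries/ { print $3; exit }'
    }

    # state_limit MEMORY -> configured hard limit (Firewall Maximum States)
    state_limit() {
        printf '%s\n' "$1" | awk '$1 == "states" { print $4; exit }'
    }

    # state_pct CURRENT LIMIT -> integer percentage of the table in use
    state_pct() {
        echo $(( $1 * 100 / $2 ))
    }

    # check_states INFO MEMORY THRESHOLD -> prints a status line and returns
    # 0 while utilisation is below THRESHOLD percent, 1 once it reaches it.
    # Memory figure assumes ~1 KB per state, as quoted in the reply above.
    check_states() {
        cur=$(current_states "$1")
        lim=$(state_limit "$2")
        pct=$(state_pct "$cur" "$lim")
        printf 'states %s/%s (%s%%), full table needs ~%s KB of RAM\n' \
            "$cur" "$lim" "$pct" "$lim"
        [ "$pct" -lt "$3" ]
    }

    check_states "$SAMPLE_INFO" "$SAMPLE_MEMORY" 90 \
        || echo "WARNING: state table nearly full; raise Maximum States or shorten timeouts"
    ```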



  • Can I get more of a detailed back story on states?

    I do not understand why they clog up like this. I understand that P2P makes a lot of connections, but what seems to be happening is that all these connections remain open until nothing can be sent through. I have a hard time accessing the firewall to reset the states (it sometimes times out when states are full).

    Would PeerGuardian have something to do with this? I can imagine it blocking IPs but yet leaving the connections open.

    Also a long time ago there was a TCP/IP stack patch released. Using SP2 XP should I apply such a patch?

    I know I can raise the states to something higher; however, currently I am testing with only one client and 10K of states should be more than enough.

    What do you think?

    DPC



  • Clearwire, you say? Isn't there something with high latency on games and traffic shaping on P2P with that ISP…



  • We cannot tell you how to fix your XP problem. We can only tell you how to lift the upper state limit to ensure pfSense continues to work.



  • Would using the Aggressive Setting in System/Advanced/Firewall Optimization Options help him any with his problem?



  • @onhel:

    Would using the Aggressive Setting in System/Advanced/Firewall Optimization Options help him any with his problem?

    It's worth a shot.



  • Hmm…

    PeerGuardian replicates/causes the issue. It seems as if it accepts the connection at the firewall level, and when PeerGuardian drops/blocks an IP the firewall keeps the state open until a timeout or similar occurs.

    Now multiply this over several hundred peers, each actively seeking to connect...

    What I think is happening here is a flood of requests coming in and the states being kept open too long. Over time they gather and cause the system to slow down. Then a P2P app requests more connections and the other peer attempts to respond again, and it's a circle cycle until the requests are stopped.

    Interesting....

    Will attempt the aggressive.

    DPC



  • I have exactly the same problem too, and am looking for a solution. In the short term I increased the maximum number of states to 20000.

    Unfortunately there is no documentation for the "Firewall Optimization Options". As delicatepc pointed out, the problem seems to be that connections live too long and are not closed, resulting in them building up until the firewall runs out of states. Will setting "Firewall Optimization Options" to aggressive reduce the amount of time the connection is open to something more sensible?

    My system has 512MB RAM and having tens of thousands of connections does not seem to create a significant CPU load. With over 10000 states I get 17% memory usage and around 4% CPU (Pentium III 650MHz). However, it's not an ideal solution.



  • I experimented with the aggressive setting, but it doesn't help. Connections are still mounting up faster than they are disappearing.



  • I have found a solution to this.

    First, you need to set the Firewall Optimization Rules to "Aggressive". This seems to give connections a lifetime of a few hours max after the last packet is received. That seems like a sensible default, since the only type of connection that might be affected is telnet/ssh left idle for hours (not a good idea, and keep-alive packets can be used anyway).

    Next, increase the maximum number of states. I use 30,000 with no problems.

    That should do it.



  • If you're talking about the Clearwire that provides wireless internet, that is your problem. You have high latency and high packet loss. You also have a fair-usage system built into it that slows your connection down when you download too much. Bi-directional traffic will slow you way down also with an asynchronous link. Add to that a poorly behaved P2P application and you have a standstill traffic jam. You can increase the session states and set the rules to aggressive, but I doubt it will completely fix it. You'll need to do some reading in the traffic shaping section.
