Название: Очень странное поведение шейпера для серых адресов
Отправлено: zavhoz от 15 Июля 2011, 13:46:12
Доброго всем дня. Столкнулся с очень странной проблемой. Имеется сеть, внутри которой используются серые и белые IP адреса. Выход в инет через NoDeny 49.32 freebsd 7.3. Не используются никакие mpd pptp и прочее. Все настройки нодени стандартные, из мануала. Так вот проблема в том, что если у клиента используется серый ip, то скорость у него почти всегда ниже заявленной. Т.е. если, например, ему прописано 10 мбит/с, скорость прыгает от 4 мбит/с до 7 мбит/с, редко поднимается до заявленных 10 мбит. Если ему прописать реальный ип, то скорость стабильно держится 9-10 мбит/с. Ширина внешнего канала влиять не может, она достаточная. Конфигурация такая:
uname -a
FreeBSD gw.lan 7.3-RELEASE-p4 FreeBSD 7.3-RELEASE-p4
rc.conf
ifconfig_em0_name="ethin1"
ifconfig_ethin1="inet 111.111.111.1/24"
ifconfig_ethin1_alias1="inet 10.10.0.1 netmask 255.255.0.0"
ifconfig_re0_name="ethout1"
ifconfig_ethout1="inet 222.222.222.166 netmask 255.255.255.252"
defaultrouter="222.222.222.165"
hostname="gw.lan"
sshd_enable="YES"
firewall_enable="YES"
fsck_y_enable="YES"
background_fsck="NO"
gateway_enable="YES"
mysql_enable="YES"
apache22_enable="YES"
ntpd_enable="YES"
pf_enable="YES"
ipcad_enable="YES"
dnsmasq_enable="YES"
monit_enable="YES"
mysql_dbdir="/usr/db/mysql"
bandwidthd_enable="YES"
fail2ban_enable="YES"
arpwatch_enable="YES"
arpwatch_interfaces="ethin1"
arpwatch_ethin1_options="-m root"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
pf.conf
set limit states 128000
set optimization aggressive
scrub in all
nat pass on ethout1 from 10.10.0.0/16 to any -> ethout1
ядро
cpu I686_CPU
ident GW
# To statically compile in device wiring instead of /boot/device.hints
#hints "GENERIC.hints" # Default places to look for devices.
makeoptions DEBUG=-g # Build kernel with gdb(1) debug symbols
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_FORWARD
options DUMMYNET
options IPDIVERT
options NETGRAPH
options NETGRAPH_ETHER
options NETGRAPH_SOCKET
options NETGRAPH_TEE
options SCHED_ULE # ULE scheduler
options PREEMPTION # Enable kernel thread preemption
options INET # InterNETworking
options INET6 # IPv6 communications protocols
options SCTP # Stream Control Transmission Protocol
options FFS # Berkeley Fast Filesystem
options SOFTUPDATES # Enable FFS soft updates support
options UFS_ACL # Support for access control lists
options UFS_DIRHASH # Improve performance on big directories
options UFS_GJOURNAL # Enable gjournal-based UFS journaling
options MD_ROOT # MD is a potential root device
options NFSCLIENT # Network Filesystem Client
options NFSSERVER # Network Filesystem Server
options NFSLOCKD # Network Lock Manager
options NFS_ROOT # NFS usable as /, requires NFSCLIENT
options MSDOSFS # MSDOS Filesystem
options CD9660 # ISO 9660 Filesystem
options PROCFS # Process filesystem (requires PSEUDOFS)
options PSEUDOFS # Pseudo-filesystem framework
options GEOM_PART_GPT # GUID Partition Tables.
options GEOM_LABEL # Provides labelization
options COMPAT_43TTY # BSD 4.3 TTY compat [KEEP THIS!]
options COMPAT_FREEBSD4 # Compatible with FreeBSD4
options COMPAT_FREEBSD5 # Compatible with FreeBSD5
options COMPAT_FREEBSD6 # Compatible with FreeBSD6
options SCSI_DELAY=5000 # Delay (in ms) before probing SCSI
options KTRACE # ktrace(1) support
options STACK # stack(9) support
options SYSVSHM # SYSV-style shared memory
options SYSVMSG # SYSV-style message queues
options SYSVSEM # SYSV-style semaphores
options P1003_1B_SEMAPHORES # POSIX-style semaphores
options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options ADAPTIVE_GIANT # Giant mutex is adaptive.
options STOP_NMI # Stop CPUS using NMI instead of IPI
options AUDIT # Security event auditing
#options KDTRACE_HOOKS # Kernel DTrace hooks
options INCLUDE_CONFIG_FILE # Include this file in kernel
# To make an SMP kernel, the next two lines are needed
options SMP # Symmetric MultiProcessor Kernel
device apic # I/O APIC
# CPU frequency control
device cpufreq
# Bus support.
device eisa
device pci
# Floppy drives
#device fdc
# ATA and ATAPI devices
device ata
device atadisk # ATA disk drives
device ataraid # ATA RAID drives
device atapicd # ATAPI CDROM drives
device atapifd # ATAPI floppy drives
device atapist # ATAPI tape drives
options ATA_STATIC_ID # Static device numbering
# SCSI Controllers
# atkbdc0 controls both the keyboard and the PS/2 mouse
device atkbdc # AT keyboard controller
device atkbd # AT keyboard
device psm # PS/2 mouse
device kbdmux # keyboard multiplexer
device vga # VGA video card driver
device splash # Splash screen and screen saver support
# syscons is the default console driver, resembling an SCO console
device sc
device agp # support several AGP chipsets
# Power management support (see NOTES for more options)
#device apm
# Add suspend/resume support for the i8254.
device pmtimer
# PCCARD (PCMCIA) support
# PCMCIA and cardbus bridge support
# If you've got a "dumb" serial or parallel PCI card that is
# supported by the puc(4) glue driver, uncomment the following
# line to enable it (connects to sio, uart and/or ppc drivers):
#device puc
# PCI Ethernet NICs.
device de # DEC/Intel DC21x4x (``Tulip'')
device em # Intel PRO/1000 Gigabit Ethernet Family
device igb # Intel PRO/1000 PCIE Server Gigabit Family
device ixgb # Intel PRO/10GbE Ethernet Card
device le # AMD Am7900 LANCE and Am79C9xx PCnet
device txp # 3Com 3cR990 (``Typhoon'')
device vx # 3Com 3c590, 3c595 (``Vortex'')
# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device miibus # MII bus support
device age # Attansic/Atheros L1 Gigabit Ethernet
device alc # Atheros AR8131/AR8132 Ethernet
device ale # Atheros AR8121/AR8113/AR8114 Ethernet
device bce # Broadcom BCM5706/BCM5708 Gigabit Ethernet
device bfe # Broadcom BCM440x 10/100 Ethernet
device bge # Broadcom BCM570xx Gigabit Ethernet
device dc # DEC/Intel 21143 and various workalikes
device et # Agere ET1310 10/100/Gigabit Ethernet
device fxp # Intel EtherExpress PRO/100B (82557, 82558)
device jme # JMicron JMC250 Gigabit/JMC260 Fast Ethernet
device lge # Level 1 LXT1001 gigabit Ethernet
device msk # Marvell/SysKonnect Yukon II Gigabit Ethernet
device nfe # nVidia nForce MCP on-board Ethernet
device nge # NatSemi DP83820 gigabit Ethernet
#device nve # nVidia nForce MCP on-board Ethernet Networking
device pcn # AMD Am79C97x PCI 10/100 (precedence over 'le')
device re # RealTek 8139C+/8169/8169S/8110S
device rl # RealTek 8129/8139
device sf # Adaptec AIC-6915 (``Starfire'')
device sis # Silicon Integrated Systems SiS 900/SiS 7016
device sk # SysKonnect SK-984x & SK-982x gigabit Ethernet
device ste # Sundance ST201 (D-Link DFE-550TX)
device stge # Sundance/Tamarack TC9021 gigabit Ethernet
device ti # Alteon Networks Tigon I/II gigabit Ethernet
device tl # Texas Instruments ThunderLAN
device tx # SMC EtherPower II (83c170 ``EPIC'')
device vge # VIA VT612x gigabit Ethernet
device vr # VIA Rhine, Rhine II
device wb # Winbond W89C840F
device xl # 3Com 3c90x (``Boomerang'', ``Cyclone'')
# ISA Ethernet NICs. pccard NICs included.
# Pseudo devices.
device loop # Network loopback
device random # Entropy device
device ether # Ethernet support
device vlan # 802.1Q VLAN support
device sl # Kernel SLIP
device ppp # Kernel PPP
device tun # Packet tunnel.
device pty # Pseudo-ttys (telnet etc)
device md # Memory "disks"
device gif # IPv6 and IPv4 tunneling
device faith # IPv6-to-IPv4 relaying (translation)
device firmware # firmware assist module
# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
device bpf # Berkeley packet filter
device carp
device pf
device pflog
device pfsync
options ALTQ
options ALTQ_CBQ # Class Bases Queuing (CBQ)
options ALTQ_RED # Random Early Detection (RED)
options ALTQ_RIO # RED In/Out
options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC)
options ALTQ_PRIQ # Priority Queuing (PRIQ)
options ALTQ_NOPCC # Required for SMP build
ipfw стандартный, из документации по биллингу. Может, кто-нибудь сталкивался с похожим? И еще такой момент: если скорость у клиента поставить 5 мбит, то реальная скорость будет 2-3 мбита, если поставить 7 мбит - то реальная 3-5 мбит, если 10 - то 4-7 мбит.
Название: Re: Очень странное поведение шейпера для серых адресов
Отправлено: VitalVas от 15 Июля 2011, 13:56:46
ipfw show
ifconfig
pfctl -si
???
Название: Re: Очень странное поведение шейпера для серых адресов
Отправлено: zavhoz от 15 Июля 2011, 14:23:17
gw# ipfw show
00054 189 218 allow tcp from any to me dst-port 22
00055 19 10 allow tcp from me 22 to any
00100 19521 980180 deny tcp from any to any dst-port 445,135
00110 0 0 allow ip from any to any via lo0
00120 88675 11179064 skipto 1000 ip from me to any
00130 13395 750188 deny icmp from any to any in icmptypes 5,9,13,14,15,16,17
00131 0 0 allow ip from me to table(122)
00132 795 64320 allow ip from table(122) to me
00140 122115 9784670 deny ip from any to table(120)
00150 16876 1331151 deny ip from table(120) to any
00160 123639 14585623 skipto 2000 ip from any to me
00200 531116422 409309576915 skipto 500 ip from any to any via ethout1
00300 247429083 127834443592 skipto 4500 ip from any to any in
00400 283451380 280710589461 skipto 450 ip from any to any recv ethout1
00420 6507 765563 divert 1 ip from any to any
00450 283465825 280713865141 divert 2 ip from any to any
00490 282988919 280149473605 allow ip from any to any
00500 284192790 281614216117 skipto 32500 ip from any to any in
00510 246979675 127726081982 divert 1 ip from any to any
00540 246925905 127689430093 allow ip from any to any
01000 36650 7458771 allow udp from any 53,7723 to any
01010 128 14433 allow tcp from any to any setup keep-state
01020 90780 11589925 allow udp from any to any keep-state
01100 5775 667654 allow ip from any to any
02000 0 0 check-state
02010 2441 488398 allow icmp from any to any
02020 0 0 allow tcp from any to any dst-port 80,443
02050 38083 3019448 deny ip from any to any via ethout1
02060 36763 2387749 allow udp from any to any dst-port 53,7723
02100 1694 138309 deny ip from any to any
05000 7110 1020579 deny ip from not table(0) to any
05001 0 0 skipto 5010 ip from table(127) to table(126)
05002 247338544 127820025839 skipto 5030 ip from any to not table(2)
05003 0 0 deny ip from any to not table(1)
05004 2070 390365 pipe tablearg ip from table(21) to any
05005 0 0 deny ip from any to any
05010 0 0 pipe tablearg ip from table(127) to any
05030 0 0 deny tcp from table(15) to any dst-port 25
05400 247338544 127820025839 pipe tablearg ip from table(11) to any
32000 0 0 deny ip from any to any
32490 3297 247675 deny ip from any to any
33000 0 0 pipe tablearg ip from table(126) to table(127)
33001 284096945 281547556102 skipto 33010 ip from not table(2) to any
33002 0 0 pipe tablearg ip from any to table(20)
33003 0 0 deny ip from any to any
33400 284086146 281546504510 pipe tablearg ip from any to table(10)
65535 19408 1791766 deny ip from any to any
gw#
gw# ifconfig
ethin1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=19b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4>
ether 00:1b:21:96:94:7e
inet 111.111.111.1 netmask 0xffffff00 broadcast 94.25.30.255
inet 10.10.0.1 netmask 0xffff0000 broadcast 10.10.255.255
media: Ethernet autoselect (1000baseTX <full-duplex>)
status: active
ethout1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
ether 1c:6f:65:20:5d:7f
inet 222.222.222.166 netmask 0xfffffffc broadcast 92.50.198.167
media: Ethernet autoselect (1000baseTX <full-duplex>)
status: active
sk0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=b<RXCSUM,TXCSUM,VLAN_MTU>
ether 1c:af:f7:0d:dd:23
media: Ethernet autoselect (none)
status: no carrier
pfsync0: flags=0<> metric 0 mtu 1460
syncpeer: 224.0.0.240 maxupd: 128
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
pflog0: flags=0<> metric 0 mtu 33204
gw#
gw# pfctl -si
Status: Enabled for 0 days 02:24:59 Debug: Urgent
State Table Total Rate
current entries 449
searches 1424069894 163705.0/s
inserts 98634 11.3/s
removals 98185 11.3/s
Counters
match 1420279449 163269.3/s
bad-offset 0 0.0/s
fragment 240 0.0/s
short 38 0.0/s
normalize 347 0.0/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 148 0.0/s
proto-cksum 14813 1.7/s
state-mismatch 50 0.0/s
state-insert 0 0.0/s
state-limit 0 0.0/s
src-limit 0 0.0/s
synproxy 0 0.0/s
gw#