проблема с NAT'ом

Вся активность

проблема с NAT'ом

Ответить

_afad

Опубликовано 28 мая, 2014 (изменено) · Жалоба

Всем доброго времени суток. Прошу помощи.

Ситуация следующая:

Есть NAS: CPU: Intel® Core i3-2100 CPU @ 3.10GHz, ОЗУ 2ГБ

FreeBSD 8.2-RELEASE, MPD5.5

На NAS'е крутится MPD5.5 в качестве PPTP-сервера, pf - в качестве фаервола и нат

Вдруг чуть меньше недели назад начали рваться соединения абонентов(только тех кто сидит за натом, у реальников такой проблемы нет) с онлайн играми с периодичностью 3-4 минуты.

Пробовал настраивать IPNAT, со стандарнтыми параметрами ipf_nattable_sz и ipf_nattable_max, все более менее ровно, но обрывы присутствуют. При увеличении данных параметров связь через пару минут пропадает вообще.

После этого попробовал ipfw nat, такая же ерунда как и с pf.

Сломал уже всю голову. Буду очень признателен если поможете.

Нагрузка около 300-400 тунеллей, в пике около 500, Трафика порядка 150-180Mbit/s и 220-230Mbit/s в пике.

Ядро

cpu             I486_CPU
cpu             I586_CPU
cpu             I686_CPU
ident           GENERIC
# To statically compile in device wiring instead of /boot/device.hints
#hints          "GENERIC.hints"         # Default places to look for devices.

# Use the following to compile in values accessible to the kernel
# through getenv() (or kenv(1) in userland). The format of the file
# is 'variable=value', see kenv(1)
#
# env           "GENERIC.env"

makeoptions     DEBUG=-g                # Build kernel with gdb(1) debug symbols

options         SCHED_ULE               # ULE scheduler
options         PREEMPTION              # Enable kernel thread preemption
options         INET                    # InterNETworking
options         INET6                   # IPv6 communications protocols
options         SCTP                    # Stream Control Transmission Protocol
options         FFS                     # Berkeley Fast Filesystem
options         SOFTUPDATES             # Enable FFS soft updates support
options         UFS_ACL                 # Support for access control lists
options         UFS_DIRHASH             # Improve performance on big directories
options         UFS_GJOURNAL            # Enable gjournal-based UFS journaling
options         MD_ROOT                 # MD is a potential root device
options         NFSCLIENT               # Network Filesystem Client
options         NFSSERVER               # Network Filesystem Server
options         NFSLOCKD                # Network Lock Manager
options         NFS_ROOT                # NFS usable as /, requires NFSCLIENT
options         MSDOSFS                 # MSDOS Filesystem
options         CD9660                  # ISO 9660 Filesystem
options         PROCFS                  # Process filesystem (requires PSEUDOFS)
options         PSEUDOFS                # Pseudo-filesystem framework
options         GEOM_PART_GPT           # GUID Partition Tables.
options         GEOM_LABEL              # Provides labelization
options         COMPAT_43TTY            # BSD 4.3 TTY compat (sgtty)
options         COMPAT_FREEBSD4         # Compatible with FreeBSD4
options         COMPAT_FREEBSD5         # Compatible with FreeBSD5
options         COMPAT_FREEBSD6         # Compatible with FreeBSD6
options         COMPAT_FREEBSD7         # Compatible with FreeBSD7
options         SCSI_DELAY=5000         # Delay (in ms) before probing SCSI
options         KTRACE                  # ktrace(1) support
options         STACK                   # stack(9) support
options         SYSVSHM                 # SYSV-style shared memory
options         SYSVMSG                 # SYSV-style message queues
options         SYSVSEM                 # SYSV-style semaphores
options         P1003_1B_SEMAPHORES     # POSIX-style semaphores
options         _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options         PRINTF_BUFR_SIZE=128    # Prevent printf output being interspersed.
options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev
options         HWPMC_HOOKS             # Necessary kernel hooks for hwpmc(4)
options         AUDIT                   # Security event auditing
options         MAC                     # TrustedBSD MAC Framework
#options        FLOWTABLE               # per-cpu routing cache
#options        KDTRACE_HOOKS           # Kernel DTrace hooks
options         INCLUDE_CONFIG_FILE     # Include this file in kernel

options         KDB                     # Kernel debugger related code
options         KDB_TRACE               # Print a stack trace for a panic

# To make an SMP kernel, the next two lines are needed
options         SMP                     # Symmetric MultiProcessor Kernel

options         DEVICE_POLLING
options         HZ=2000

options         NETGRAPH
options         NETGRAPH_ETHER
options         NETGRAPH_SOCKET
options         NETGRAPH_TEE
options         NETGRAPH_BPF
options         NETGRAPH_IFACE
options         NETGRAPH_KSOCKET
options         NETGRAPH_PPP
options         NETGRAPH_PPTPGRE
options         NETGRAPH_TCPMSS
options         NETGRAPH_VJC
options         NETGRAPH_ONE2MANY
options         NETGRAPH_RFC1490
options         NETGRAPH_TTY
options         NETGRAPH_UI

options         ALTQ
options         ALTQ_CBQ
options         ALTQ_RED
options         ALTQ_RIO
options         ALTQ_HFSC
options         ALTQ_PRIQ
options         ALTQ_NOPCC

options         IPFIREWALL
options         IPFIREWALL_DEFAULT_TO_ACCEPT
options         IPFIREWALL_FORWARD
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=50
options         IPFIREWALL_NAT
options         LIBALIAS
device          pf
device          pflog
device          pfsync
...

MPD.conf:

startup:
       # configure mpd users
       set user <admin> <adminpass> admin
       set user <mpduser> <mpdpass>
       # configure the console
       set console self 127.0.0.1 5005
       set console open
       # configure the web server
       set web self 172.16.0.253 5006
       set web open
       set netflow peer 172.16.0.1 9996
       set radsrv peer 127.0.0.1 <radpass>
       set radsrv open
#
# Default configuration is "dialup"

default:
       load pptp_server


pptp_server:
       create bundle template B
       set ipcp ranges 172.16.0.253/32 10.14.0.0/16
#       set iface up-script "/usr/local/etc/mpd5/mpd_up.pl"
       set iface enable proxy-arp
       set iface disable on-demand
       set iface idle 1800
       set iface enable tcpmssfix
       set iface enable netflow-in
       set iface enable netflow-out
       set ipcp yes vjcomp
#       set ipcp dns <dns_ip>
#       set bundle disable compression
       set bundle enable compression
       set ccp yes mppc
       set mppc no e40
       set mppc no e128
       set mppc no stateless
       create link template L pptp
       set link action bundle B
       set link enable multilink
       set link yes acfcomp protocomp
       set link no pap chap
       set link enable chap
       set link enable chap-msv1
       set link enable chap-msv2
       set link enable chap-md5
       set auth max-logins 1
       set link enable peer-as-calling
       set link keep-alive 10 60
       set link mtu 1460
set pptp self 172.16.0.253
       set link enable incoming
       set radius config /etc/radius.conf
       set radius server 172.16.0.1 <radpass> 1812 1813
       set auth acct-update 60
       set auth enable radius-auth
       set auth enable radius-acct
#       set radius update-limit-in 2048
#       set radius update-limit-out 2048

sysctl.conf

security.bsd.see_other_uids=0
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.tcp.log_in_vain=0
net.inet.udp.log_in_vain=0
net.link.ether.inet.max_age=600
net.inet.ip.random_id=1
kern.ipc.maxsockbuf=2621440
net.graph.recvspace=1024000
net.graph.maxdgram=1024000
net.inet.flowtable.enable=0
net.inet.tcp.tso=0
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=100
net.inet.ip.fw.one_pass=0

loader.conf

geom_mirror_load="YES"

kern.ipc.nmbclusters=0
net.inet.tcp.reass.maxsegments=2048
vm.pmap.shpgperproc=400

hw.ex.rxd=4096
hw.em.txd=4096
hw.em.rx_int_delay=100
hw.em.tx_int_delay=100
hw.em.rx_abs_int_delay=1000
hw.em.tx_abs_int_delay=1000
dev.em_rx_processing_limit=-1

net.isr.defaultqlimit=4096
net.isr.bindthreads=1
net.isr.maxthreads=8
net.link.ifqmaxlen=1024
aio_load="YES"

net.graph.recvspace=128000
net.graph.maxdgram=128000

pf.conf

ext_if="em0"
int_if="em1"

#set limit states 16000000
set optimization aggressive
#set limit src-nodes 160000
#set limit table-entries 160000

set skip on lo0

scrub all
##TABLES##
table <block-sites> {}
table <active_internet_users> {}
table <inactive_internet_users> {}
table <block-sites2> persist file "/etc/pf.blocksites.txt"

##NAT##

nat on $ext_if from {10.14.1.0/24} to any -> {<ext_ip1>} 
nat on $ext_if from {10.14.2.0/24} to any -> {<ext_ip2>}
nat on $ext_if from {10.14.3.0/24} to any -> {<ext_ip3>}
nat on $ext_if from {10.14.4.0/24} to any -> {<ext_ip4>}
nat on $ext_if from {10.14.5.0/24} to any -> {<ext_ip5>}
nat on $ext_if from {10.14.6.0/24} to any -> {<ext_ip6>}
nat on $ext_if from {10.14.7.0/24} to any -> {<ext_ip7>}
nat on $ext_if from {10.14.8.0/24} to any -> {<ext_ip8>}
nat on $ext_if from {10.14.20.0/24} to any -> {<ext_ip9>}
nat on $ext_if from {10.14.254.0/24} to any -> <ext_ip10>
nat on $ext_if from {10.14.255.0/24} to any -> <ext_ip11>
nat on $ext_if from {10.14.9.10/32} to any -> <ext_ip12>


##FORWARDS##
rdr proto {tcp udp} from any to {<block-sites> <block-sites2>} -> 172.16.0.253 port 8082
##RULES##
block out quick on $ext_if from !<ext_ip_range> to any
block out quick on $ext_if from 172.16.0.0/16 to any
block in quick  on $ext_if proto {tcp udp} from any to em0 port ssh

Изменено 28 мая, 2014 пользователем _afad