[nycbug-talk] Exploring pfSense (and an issue with States)
techneck at goldenpath.org
Tue Aug 15 11:14:41 EDT 2006
After reading the topic for next month's meeting, I looked into monowall
We had a little Linksys router facilitating our DSL connection and I've
been thinking of switching that out since I came to this company.
So, after rolling out a batch of computers I took one of the old ones
and, last Friday, installed pfSense on it and switched out the Linksys.
(PIII 550 MHz, 384 MB)
I'm very impressed.
I re-set up the VPNs we are using.
Switched it over to the "Advanced Outgoing NAT" to get NAT working for
our Jersey network as well.
(Not cool, I know, but they get their internet over our T1. Hey, that's
the way I found it =)
So.... last night, from home, I figured I'd just take a peek at what's
all up and open on the office network in the middle of the night.
I have a VPN connection to my house, so I just nmap the 10/24 network.
And, I'm watching the pfSense interface the whole time.
# of States starts going up.
Around 8000ish states I'm thinking, "hmm, I wonder what happens when we
exceed the maximum."
(Oh yea, baby. Load test time!)
And I figure, "hey, worst case scenario, I reboot and restore the backup,
no problem."
After 10005 states, it went to "Undefined"; my shell froze (not
disconnected), but froze up as if the machine had hung.
The http server stopped responding.
All new connection attempts failed. No ping, nothing.
I figured something like that'd happen. But, I wanted to see for myself
at an off time.
I figured that either the states would expire and everything would be OK
again, or I'd just go in a little early and reboot the box.
Everything was fine and back to normal in the morning after the states
So, my experience leaves me with some questions:
1. Max number of states:
I can change the max number of states. But why is 10000 the default? And
what impact will raising it have?
I figure this states table is stored in memory. What's a reasonable
maximum for 384 megs? These states have to be processed, though, so it's
a processing power limitation too, no?
If I raise it very high, and then under heavy load it runs out of
memory, what happens?
Will pfSense do the smart thing and start dropping the oldest inactive
states? ~Is~ that the smart thing? And, I guess either it isn't or it
won't; otherwise it probably would have done it in this case.
2. Time to expire / Peremptory cleanup of states:
Can I change the amount of time states remain in the table, maybe based
on state type, protocol type or other factors? and what impact would
Is there a way to selectively drop states based on priority as the state
table approaches capacity?
I like that I can do more with less. But, I'm looking at my options
here. If I have a choice, and it's reasonable, I'd rather have more than
Soekris is cool. But their top-of-the-line boxes are only half of what
this super craptacular box is that I'm working with here.
What about other barebones embedded architectures? I'm thinking, like,
Soekris only with PowerPC procs and memory sockets (as opposed to
And, why for god's sake do these things never come with gigabit or FE
ports? Yes, I realize that for WAN routing 100 Mbps is 10x more than
But, I'd like to break the LAN down into subnets and I'd need to route
them, at 1 gig+ speeds to the application servers if I can.
When we say "FreeBSD runs on ppc architecture," what boxes are we
talking about? Who sells it? Are we talking about embedded boxes?
What other architectures (that fbsd runs on) are popular for embedded
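The state-limit and expiry questions in this post map onto two pf.conf(5) knobs: `set limit states N` (pf's default is 10000, the number seen above) and the adaptive timeouts `adaptive.start` / `adaptive.end`, which in pf releases that support them default to 60% and 120% of the state limit and scale every state timeout linearly from full value at `adaptive.start` down to zero at `adaptive.end`, so idle states age out faster as the table fills. The POSIX shell script below is an added example written for this page, not code from the original post, from pfSense, or from pf: it parses constructed samples of `pfctl -si` and `pfctl -sm` output (the counter values are made up; the line formats are the real ones), reports fill level against the hard limit, computes the adaptive scale factor pf would apply at that level, and emits a pf.conf fragment for a chosen limit. The 80%/95% warning thresholds are this example's own choice.

```shell
#!/bin/sh
# Added example (not from the original post, pfSense or pf): check how full
# pf's state table is and show what pf's adaptive timeouts would do at that
# fill level.  Inputs are the text of `pfctl -si` and `pfctl -sm`; the
# samples below are constructed, and the warning thresholds are assumptions.

# Constructed sample of `pfctl -si` output at a busy moment.
SAMPLE_INFO='Status: Enabled for 0 days 04:12:07           Debug: Urgent

State Table                          Total             Rate
  current entries                     8123
  searches                         9876543            12.3/s
  inserts                            45678             0.4/s
  removals                           37555             0.3/s'

# Constructed sample of `pfctl -sm` output showing pf's default limits.
SAMPLE_LIMITS='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000'

# "current entries" from pfctl -si text on stdin.
current_states() {
    awk '/current entries/ { print $3; exit }'
}

# "states hard limit" from pfctl -sm text on stdin.
state_limit() {
    awk '$1 == "states" { print $4; exit }'
}

# Integer percentage of the limit in use: usage_percent CURRENT LIMIT
usage_percent() {
    echo $(( $1 * 100 / $2 ))
}

# pf's adaptive timeout scale factor as a percentage, per pf.conf(5):
# 100% up to adaptive.start, then (end - states) / (end - start),
# reaching 0% at adaptive.end.  adaptive_factor_percent CURRENT START END
adaptive_factor_percent() {
    if [ "$1" -le "$2" ]; then
        echo 100
    elif [ "$1" -ge "$3" ]; then
        echo 0
    else
        echo $(( ($3 - $1) * 100 / ($3 - $2) ))
    fi
}

# Classify fill level: state_status CURRENT LIMIT -> ok | warning | critical
# (80% and 95% are this example's thresholds, not anything pf defines).
state_status() {
    pct=$(usage_percent "$1" "$2")
    if [ "$pct" -ge 95 ]; then
        echo critical
    elif [ "$pct" -ge 80 ]; then
        echo warning
    else
        echo ok
    fi
}

# Emit a pf.conf fragment for a given state limit, placing adaptive.start
# and adaptive.end at pf's default proportions (60% and 120% of the limit).
# pf_conf_fragment LIMIT
pf_conf_fragment() {
    echo "set limit states $1"
    echo "set timeout { adaptive.start $(( $1 * 60 / 100 )), adaptive.end $(( $1 * 120 / 100 )) }"
}

# Run the check over the constructed samples.
report() {
    cur=$(printf '%s\n' "$SAMPLE_INFO" | current_states)
    lim=$(printf '%s\n' "$SAMPLE_LIMITS" | state_limit)
    pct=$(usage_percent "$cur" "$lim")
    status=$(state_status "$cur" "$lim")
    start=$(( lim * 60 / 100 ))
    end=$(( lim * 120 / 100 ))
    factor=$(adaptive_factor_percent "$cur" "$start" "$end")
    echo "states: $cur / $lim (${pct}% used) -> $status"
    echo "adaptive timeout scale at this level: ${factor}% (start=$start end=$end)"
    echo "pf.conf fragment for a limit of 20000 states:"
    pf_conf_fragment 20000
}

report
```

On a live box the two `printf` pipelines in `report` would be replaced by `pfctl -si` and `pfctl -sm`; everything else stays the same. Note that raising `set limit states` without also watching memory is exactly the trade-off the post asks about: each state is a kernel allocation, so the fragment above only moves the ceiling, while the adaptive timeouts are what make the table shed idle entries before that ceiling is hit.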