IPFW/NAT and Jails having many out-of-order and reassembled TCP packets

Hi,

Traffic coming out of my jails seems to be very slow, so I ran a tcpdump on my external interface to see what is going on, and I get a whole slew of TCP Out-of-Order and TCP Duplicate ACK entries in Wireshark. I am talking pages full whenever any traffic is going out of the jails. Traffic going into the jails seems fine.

Can someone shed some light on what I missed?

Also, if the answer is 'use pf', I am fine doing that as well, but I was interested in why this config (which is handbook-ish) is causing these issues.

I currently have the following ipfw setup (some details in all pastes are censored):
Code:
00010 allow ip from any to any via lo0
00011 allow ip6 from any to any via lo0
00012 allow ip from any to any via lo1
00013 allow ip6 from any to any via lo1
00020 divert 8668 ip from 10.0.10.0/24 to not me out via ix0
00030 skipto 1000 ip from any to any diverted
00100 allow ip from any to any out
00100 allow icmp from any to me in
00100 allow ipv6-icmp from any to me in
00101 allow ip6 from any to any out
00110 allow tcp from any to me dst-port 22 in
00110 allow tcp from any to me dst-port 1194 in
00200 divert 8668 ip from not me to any in via ix0
00210 skipto 1000 ip from any to any diverted
00900 deny log logamount 10000 ip from any to any
01000 allow ip from any to any
65535 deny ip from any to any

With the following natd.conf:
Code:
redirect_port tcp 10.0.10.50:80 80

Here are the relevant parts of rc.conf (let me know if I missed anything):
Code:
cloned_interfaces="lo1"
ifconfig_lo1="inet 10.0.0.254 netmask 255.255.255.0"

And the following settings for iocage:
Code:
interfaces:vnet0:bridge0,vnet1:bridge1
vnet:off
host_hostname:26ef974e-4d7b-11e6-8084-0cc47ac3416c
hostname:balancer01
ip4_addr:lo1|10.0.10.50
ip4_autostart:none
ip4_autoend:none
ip4_autosubnet:none
ip4_saddrsel:1
ip4:new
ip6_addr:none
ip6_saddrsel:1
ip6:new
defaultrouter:none
defaultrouter6:none
resolver:none
exec_fib:0
vnet0_mac:none
vnet1_mac:none
vnet2_mac:none
vnet3_mac:none
devfs_ruleset:4
mount_devfs:1
exec_start:/bin/sh /etc/rc
exec_stop:/bin/sh /etc/rc.shutdown
exec_prestart:/usr/bin/true
exec_prestop:/usr/bin/true
exec_poststop:/usr/bin/true
exec_poststart:/usr/bin/true
exec_clean:1
exec_timeout:60
stop_timeout:30
exec_jail_user:root
exec_system_jail_user:0
exec_system_user:root
mount_fdescfs:1
mount_procfs:0
enforce_statfs:2
children_max:0
login_flags:-f root
securelevel:2
allow_set_hostname:0
allow_sysvipc:0
allow_raw_sockets:0
allow_chflags:0
allow_mount:0
allow_mount_devfs:0
allow_mount_nullfs:0
allow_mount_procfs:0
allow_mount_tmpfs:0
allow_mount_zfs:0
allow_quotas:0
allow_socket_af:0
host_hostuuid:26ef974e-4d7b-11e6-8084-0cc47ac3416c
memoryuse:8G:log
memorylocked:off
vmemoryuse:off
maxproc:off
cputime:off
pcpu:off
datasize:off
stacksize:off
coredumpsize:off
openfiles:off
pseudoterminals:off
swapuse:off
nthr:off
msgqqueued:off
msgqsize:off
nmsgq:off
nsemop:off
nshm:off
shmsize:off
wallclock:off
tag:balancer01
template:no
rlimits:off
boot:off
notes:none
owner:root
priority:99
last_started:2016-07-20_00:13:14
type:jail
hostid:fb6e2d9a-dbaf-11e5-ac7b-0cc47ac3416c
cpuset:off
jail_zfs:off
jail_zfs_dataset:iocage/jails/26ef974e-4d7b-11e6-8084-0cc47ac3416c/root/data
release:10.2-RELEASE
hack88:0
sync_stat:-
sync_target:none
sync_tgt_zpool:none
ftphost:-
ftpdir:-
gitlocation:https://github.com
branch:-
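
The script below is an added check, not code from the post above or from iocage/ipfw: it cross-references the three pasted fragments (the ipfw listing, the ifconfig_lo1 value from rc.conf and the iocage ip4_addr) and reports how they relate. It tells you whether the jail address falls inside the source network of the outbound divert rule and inside the subnet configured on lo1, which "allow ... in" rules sit ahead of the inbound divert (inbound packets matched by those are accepted before natd ever sees them), and which rule numbers are shared. The inputs are copied from the post; the script does not diagnose the reordering itself.

```python
"""Cross-check of the three config fragments from the post (added example)."""
import ipaddress
import re
from collections import Counter

# Constructed input: the `ipfw list` output pasted in the post.
IPFW_LIST = """\
00010 allow ip from any to any via lo0
00011 allow ip6 from any to any via lo0
00012 allow ip from any to any via lo1
00013 allow ip6 from any to any via lo1
00020 divert 8668 ip from 10.0.10.0/24 to not me out via ix0
00030 skipto 1000 ip from any to any diverted
00100 allow ip from any to any out
00100 allow icmp from any to me in
00100 allow ipv6-icmp from any to me in
00101 allow ip6 from any to any out
00110 allow tcp from any to me dst-port 22 in
00110 allow tcp from any to me dst-port 1194 in
00200 divert 8668 ip from not me to any in via ix0
00210 skipto 1000 ip from any to any diverted
00900 deny log logamount 10000 ip from any to any
01000 allow ip from any to any
65535 deny ip from any to any
"""
# Constructed input: the ifconfig_lo1 value from rc.conf and the iocage ip4_addr.
IFCONFIG_LO1 = "inet 10.0.0.254 netmask 255.255.255.0"
IOCAGE_IP4_ADDR = "lo1|10.0.10.50"

RULE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(.*)$")

def parse_rules(text):
    """Return [(number, action, body)] in listing order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((int(m.group(1)), m.group(2), m.group(3)))
    return rules

def direction(body):
    """'in', 'out' or None, taken from the rule body's direction keyword."""
    m = re.search(r"\b(in|out)\b", body)
    return m.group(1) if m else None

def outbound_divert_networks(rules):
    """(rule number, source network) for every outbound divert rule."""
    nets = []
    for num, action, body in rules:
        if action == "divert" and direction(body) == "out":
            m = re.search(r"from (\S+) to", body)
            if m and m.group(1) != "any":
                nets.append((num, str(ipaddress.ip_network(m.group(1), strict=False))))
    return nets

def allows_before_inbound_divert(rules):
    """Numbers of 'allow ... in' rules listed ahead of the first inbound divert.
    Inbound packets matched by these never reach natd."""
    found = []
    for num, action, body in rules:
        if action == "divert" and direction(body) == "in":
            break
        if action == "allow" and direction(body) == "in":
            found.append(num)
    return found

def lo1_network(ifconfig_line):
    """Subnet configured on lo1 from an 'inet A netmask M' rc.conf value."""
    m = re.search(r"inet (\S+) netmask (\S+)", ifconfig_line)
    return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network

def jail_address(ip4_addr):
    """(interface, address) from an iocage 'iface|addr[/prefix]' value."""
    iface, addr = ip4_addr.split("|", 1)
    return iface, ipaddress.ip_interface(addr).ip

def check(ipfw_list=IPFW_LIST, ifconfig_lo1=IFCONFIG_LO1, ip4_addr=IOCAGE_IP4_ADDR):
    """Collect the findings as a dict so they can be asserted on or printed."""
    rules = parse_rules(ipfw_list)
    divert_nets = outbound_divert_networks(rules)
    lo1_net = lo1_network(ifconfig_lo1)
    iface, jail_ip = jail_address(ip4_addr)
    return {
        "jail_interface": iface,
        "divert_networks": divert_nets,
        "jail_in_divert_subnet": any(jail_ip in ipaddress.ip_network(n) for _, n in divert_nets),
        "jail_in_lo1_subnet": jail_ip in lo1_net,
        "allows_before_inbound_divert": allows_before_inbound_divert(rules),
        "duplicate_numbers": {n: c for n, c in Counter(r[0] for r in rules).items() if c > 1},
    }

if __name__ == "__main__":
    for key, value in check().items():
        print(f"{key}: {value}")
```

On this post's data the jail address 10.0.10.50 is inside the 10.0.10.0/24 source network of rule 00020 but not inside the 10.0.0.0/24 configured on lo1; since iocage adds the jail address as an alias on lo1, that is something to compare against what `ifconfig lo1` actually shows rather than an error by itself. Shared rule numbers are legal in ipfw and are listed only as a caveat: `ipfw delete 100` removes every rule numbered 100, not just one of them.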
 