Все працює нормально, якщо в таблиці (ipfw tables 10, 11) 2-3 правила! Якщо я закидаю 180, починає матюкатись:
PING 192.168.51.4 (192.168.51.4): 56 data bytes
ping: sendto: No buffer space available
ping: sendto: No buffer space available
ping: sendto: No buffer space available
###
У лог-файлі dmesg.today:
Bump sched buckets to 2048 (was 0)
Bump sched buckets to 2048 (was 0)
Bump sched buckets to 2048 (was 0)
Bump sched buckets to 2048 (was 0)
Bump sched buckets to 2048 (was 0)
Bump sched buckets to 2048 (was 0)
Bump sched buckets to 2048 (was 0)
Bump sched buckets to 2048 (was 0)
Bump sched buckets to 2048 (was 0)
файл rc.conf
# rc.conf of a FreeBSD router: uplink on em0, customer VLANs 40/50/60/70 on em1,
# ABillS shaper/NAT hooks, DHCP, flow capture and a local web/database stack.

# Uplink interface and default route. The re0/vlan100 variant is disabled.
ifconfig_em0="inet 192.168.101.2/30"
#vlans_re0="vlan100"
#create_args_vlan100="vlan 100"
#ifconfig_vlan100="192.168.101.2/30"
defaultrouter="192.168.101.1"
fsck_enable="YES"
sshd_enable="YES"
#ntpd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
sendmail_enable="NO" # Run the sendmail inbound daemon (YES/NO).
sendmail_submit_enable="NO" # Start a localhost-only MTA for mail submission
sendmail_outbound_enable="NO" # Dequeue stuck mail (YES/NO).
sendmail_msp_queue_enable="NO" # Dequeue stuck clientmqueue mail (YES/NO).
# em1 carries no address of its own; it is only the parent of the four VLANs.
ifconfig_em1="up"
vlans_em1="vlan40 vlan50 vlan60 vlan70"
create_args_vlan40="vlan 40"
create_args_vlan50="vlan 50"
create_args_vlan60="vlan 60"
create_args_vlan70="vlan 70"
ifconfig_vlan40="inet 192.168.50.1/24"
ifconfig_vlan40_alias0="inet 192.168.0.10/28"
ifconfig_vlan50="inet 192.168.51.1/24"
ifconfig_vlan60="inet 192.168.52.1/24"
ifconfig_vlan70="inet 192.168.53.1/24"
# NOTE(review): "OPEN" is the rc.firewall profile that allows all traffic, and the
# kernel config on this page is built with IPFIREWALL_DEFAULT_TO_ACCEPT. Nothing
# shown in this file filters access to sshd, mysql or apache22 on the uplink (em0)
# or on the customer VLANs; any restriction would have to come from rules added
# elsewhere (e.g. by the abills shaper script) or from each daemon's bind address.
# Confirm with `ipfw list`.
firewall_enable="YES"
firewall_type="OPEN"
#natd_enable="YES"
#natd_interface="re0"
#natd_flags=""
mysql_enable="YES"
apache22_enable="YES"
# ABillS shaper / IPN integration, applied to every vlan* interface.
abills_shaper_enable="YES"
abills_ipn_nas_id="14"
abills_ipn_if="vlan*"
abills_shaper_if="vlan*"
#abills_portal_ip="192.168.101.2"
#abills_neg_deposit="192.168.101.2"
# presumably <NAT address>:<source network>:<outbound interface>; verify against the abills rc script
abills_nat="192.168.101.2:192.168.0.0/16:em0"
#abills_ipn_allow_ip=«allowed IP addresses»
# DHCP server on the four customer VLANs.
dhcpd_enable="YES"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
dhcpd_ifaces="vlan40 vlan50 vlan60 vlan70"
# Flow collection into the ABillS IPN log directory.
# NOTE(review): the collector listens on port 9996; confirm which address it binds
# to and that only the intended exporter can reach it.
flow_capture_enable="YES"
flow_capture_datadir="/usr/abills/var/log/ipn/"
flow_capture_port="9996"
flow_capture_flags="-S 5 -n 287 -N 0 -d 5"
ipcad_enable="YES"
#
# GENERIC -- Generic kernel configuration file for FreeBSD/amd64
#
# For more information on this file, please read the config(5) manual page,
# and/or the handbook section on Kernel Configuration Files:
#
# http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html
#
# The handbook is also available locally in /usr/share/doc/handbook
# if you've installed the doc distribution, otherwise always see the
# FreeBSD World Wide Web server (http://www.FreeBSD.org/) for the
# latest information.
#
# An exhaustive list of options and more detailed explanations of the
# device lines is also present in the ../../conf/NOTES and NOTES files.
# If you are in doubt as to the purpose or necessity of a line, check first
# in NOTES.
#
# $FreeBSD: release/9.0.0/sys/amd64/conf/GENERIC 227305 2011-11-07 13:40:54Z marius $
# Kernel identity and core options. The layout follows GENERIC; IPv6, NFS and
# DTrace support are commented out.
cpu HAMMER
ident HAM
# NOTE(review): the loader tunables listed later on this page set kern.maxusers=1024,
# which would presumably take precedence over this compiled-in value; confirm.
maxusers 512
makeoptions DEBUG=-g # Build kernel with gdb(1) debug symbols
options SCHED_ULE # ULE scheduler
options PREEMPTION # Enable kernel thread preemption
options INET # InterNETworking
#options INET6 # IPv6 communications protocols
options SCTP # Stream Control Transmission Protocol
options FFS # Berkeley Fast Filesystem
options SOFTUPDATES # Enable FFS soft updates support
options UFS_ACL # Support for access control lists
options UFS_DIRHASH # Improve performance on big directories
options UFS_GJOURNAL # Enable gjournal-based UFS journaling
options MD_ROOT # MD is a potential root device
#options NFSCL # New Network Filesystem Client
#options NFSD # New Network Filesystem Server
#options NFSLOCKD # Network Lock Manager
#options NFS_ROOT # NFS usable as /, requires NFSCL
options MSDOSFS # MSDOS Filesystem
options CD9660 # ISO 9660 Filesystem
options PROCFS # Process filesystem (requires PSEUDOFS)
options PSEUDOFS # Pseudo-filesystem framework
options GEOM_PART_GPT # GUID Partition Tables.
options GEOM_LABEL # Provides labelization
options COMPAT_FREEBSD32 # Compatible with i386 binaries
options COMPAT_FREEBSD4 # Compatible with FreeBSD4
options COMPAT_FREEBSD5 # Compatible with FreeBSD5
options COMPAT_FREEBSD6 # Compatible with FreeBSD6
options COMPAT_FREEBSD7 # Compatible with FreeBSD7
options SCSI_DELAY=5000 # Delay (in ms) before probing SCSI
options KTRACE # ktrace(1) support
options STACK # stack(9) support
options SYSVSHM # SYSV-style shared memory
options SYSVMSG # SYSV-style message queues
options SYSVSEM # SYSV-style semaphores
options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options PRINTF_BUFR_SIZE=128 # Prevent printf output being interspersed.
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options HWPMC_HOOKS # Necessary kernel hooks for hwpmc(4)
# NOTE(review): AUDIT and MAC are only compiled in here. The rc.conf shown on this
# page has no auditd_enable line, so auditing does not appear to be switched on; confirm.
options AUDIT # Security event auditing
options MAC # TrustedBSD MAC Framework
#options KDTRACE_FRAME # Ensure frames are compiled in
#options KDTRACE_HOOKS # Kernel DTrace hooks
options INCLUDE_CONFIG_FILE # Include this file in kernel
# The rc.conf on this page sets dumpdev="NO", so the stack trace printed by
# KDB_TRACE is the only record a panic leaves behind.
options KDB # Kernel debugger related code
options KDB_TRACE # Print a stack trace for a panic
# Make an SMP-capable kernel by default
options SMP # Symmetric MultiProcessor Kernel
# Device drivers compiled into the kernel. The list follows GENERIC with AHCI,
# the SCSI and RAID controllers, parallel port, PC Card, wireless, USB, FireWire
# and sound drivers commented out; the wired Ethernet drivers are all kept.
# CPU frequency control
device cpufreq
# Bus support.
device acpi
device pci
# Floppy drives
device fdc
# ATA controllers
#device ahci # AHCI-compatible SATA controllers
device ata # Legacy ATA/SATA controllers
options ATA_CAM # Handle legacy controllers with CAM
options ATA_STATIC_ID # Static device numbering
device mvs # Marvell 88SX50XX/88SX60XX/88SX70XX/SoC SATA
device siis # SiliconImage SiI3124/SiI3132/SiI3531 SATA
# SCSI Controllers
#device ahc # AHA2940 and onboard AIC7xxx devices
#options AHC_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~128k to driver.
#device ahd # AHA39320/29320 and onboard AIC79xx devices
#options AHD_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~215k to driver.
#device esp # AMD Am53C974 (Tekram DC-390(T))
#device hptiop # Highpoint RocketRaid 3xxx series
#device isp # Qlogic family
#device ispfw # Firmware for QLogic HBAs- normally a module
#device mpt # LSI-Logic MPT-Fusion
#device mps # LSI-Logic MPT-Fusion 2
#device ncr # NCR/Symbios Logic
#device sym # NCR/Symbios Logic (newer chipsets + those of `ncr')
#device trm # Tekram DC395U/UW/F DC315U adapters
#device adv # Advansys SCSI adapters
#device adw # Advansys wide SCSI adapters
#device aic # Adaptec 15[012]x SCSI adapters, AIC-6[23]60.
#device bt # Buslogic/Mylex MultiMaster SCSI adapters
# ATA/SCSI peripherals
device scbus # SCSI bus (required for ATA/SCSI)
#device ch # SCSI media changers
device da # Direct Access (disks)
#device sa # Sequential Access (tape etc)
#device cd # CD
#device pass # Passthrough device (direct ATA/SCSI access)
#device ses # SCSI Environmental Services (and SAF-TE)
# RAID controllers interfaced to the SCSI subsystem
#device amr # AMI MegaRAID
#device arcmsr # Areca SATA II RAID
#XXX it is not 64-bit clean, -scottl
#device asr # DPT SmartRAID V, VI and Adaptec SCSI RAID
#device ciss # Compaq Smart RAID 5*
#device dpt # DPT Smartcache III, IV - See NOTES for options
#device hptmv # Highpoint RocketRAID 182x
#device hptrr # Highpoint RocketRAID 17xx, 22xx, 23xx, 25xx
#device iir # Intel Integrated RAID
#device ips # IBM (Adaptec) ServeRAID
#device mly # Mylex AcceleRAID/eXtremeRAID
#device twa # 3ware 9000 series PATA/SATA RAID
# RAID controllers
#device aac # Adaptec FSA RAID
#device aacp # SCSI passthrough for aac (requires CAM)
#device ida # Compaq Smart RAID
#device mfi # LSI MegaRAID SAS
#device mlx # Mylex DAC960 family
#XXX pointer/int warnings
#device pst # Promise Supertrak SX6000
#device twe # 3ware ATA RAID
#device tws # LSI 3ware 9750 SATA+SAS 6Gb/s RAID controller
# atkbdc0 controls both the keyboard and the PS/2 mouse
device atkbdc # AT keyboard controller
device atkbd # AT keyboard
device psm # PS/2 mouse
device kbdmux # keyboard multiplexer
device vga # VGA video card driver
device splash # Splash screen and screen saver support
# syscons is the default console driver, resembling an SCO console
device sc
options SC_PIXEL_MODE # add support for the raster text mode
device agp # support several AGP chipsets
# PCCARD (PCMCIA) support
# PCMCIA and cardbus bridge support
#device cbb # cardbus (yenta) bridge
#device pccard # PC Card (16-bit) bus
#device cardbus # CardBus (32-bit) bus
# Serial (COM) ports
device uart # Generic UART driver
# Parallel port
#device ppc
#device ppbus # Parallel port bus (required)
#device lpt # Printer
#device plip # TCP/IP over parallel
#device ppi # Parallel port interface device
##device vpo # Requires scbus and da
#device puc # Multi I/O cards and multi-channel UARTs
# PCI Ethernet NICs.
device bxe # Broadcom BCM57710/BCM57711/BCM57711E 10Gb Ethernet
device de # DEC/Intel DC21x4x (``Tulip'')
# em(4) drives the em0/em1 interfaces configured in the rc.conf on this page.
device em # Intel PRO/1000 Gigabit Ethernet Family
device igb # Intel PRO/1000 PCIE Server Gigabit Family
device ixgbe # Intel PRO/10GbE PCIE Ethernet Family
device le # AMD Am7900 LANCE and Am79C9xx PCnet
device ti # Alteon Networks Tigon I/II gigabit Ethernet
device txp # 3Com 3cR990 (``Typhoon'')
device vx # 3Com 3c590, 3c595 (``Vortex'')
# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device miibus # MII bus support
device ae # Attansic/Atheros L2 FastEthernet
device age # Attansic/Atheros L1 Gigabit Ethernet
device alc # Atheros AR8131/AR8132 Ethernet
device ale # Atheros AR8121/AR8113/AR8114 Ethernet
device bce # Broadcom BCM5706/BCM5708 Gigabit Ethernet
device bfe # Broadcom BCM440x 10/100 Ethernet
device bge # Broadcom BCM570xx Gigabit Ethernet
device dc # DEC/Intel 21143 and various workalikes
device et # Agere ET1310 10/100/Gigabit Ethernet
device fxp # Intel EtherExpress PRO/100B (82557, 82558)
device jme # JMicron JMC250 Gigabit/JMC260 Fast Ethernet
device lge # Level 1 LXT1001 gigabit Ethernet
device msk # Marvell/SysKonnect Yukon II Gigabit Ethernet
device nfe # nVidia nForce MCP on-board Ethernet
device nge # NatSemi DP83820 gigabit Ethernet
#device nve # nVidia nForce MCP on-board Ethernet Networking
device pcn # AMD Am79C97x PCI 10/100 (precedence over 'le')
device re # RealTek 8139C+/8169/8169S/8110S
device rl # RealTek 8129/8139
device sf # Adaptec AIC-6915 (``Starfire'')
device sge # Silicon Integrated Systems SiS190/191
device sis # Silicon Integrated Systems SiS 900/SiS 7016
device sk # SysKonnect SK-984x & SK-982x gigabit Ethernet
device ste # Sundance ST201 (D-Link DFE-550TX)
device stge # Sundance/Tamarack TC9021 gigabit Ethernet
device tl # Texas Instruments ThunderLAN
device tx # SMC EtherPower II (83c170 ``EPIC'')
device vge # VIA VT612x gigabit Ethernet
device vr # VIA Rhine, Rhine II
device wb # Winbond W89C840F
device xl # 3Com 3c90x (``Boomerang'', ``Cyclone'')
# ISA Ethernet NICs. pccard NICs included.
device cs # Crystal Semiconductor CS89x0 NIC
# 'device ed' requires 'device miibus'
device ed # NE[12]000, SMC Ultra, 3c503, DS8390 cards
device ex # Intel EtherExpress Pro/10 and Pro/10+
device ep # Etherlink III based cards
device fe # Fujitsu MB8696x based cards
device sn # SMC's 9000 series of Ethernet chips
device xe # Xircom pccard Ethernet
# Wireless NIC cards
#device wlan # 802.11 support
#options IEEE80211_DEBUG # enable debug msgs
#options IEEE80211_AMPDU_AGE # age frames in AMPDU reorder q's
#options IEEE80211_SUPPORT_MESH # enable 802.11s draft support
#device wlan_wep # 802.11 WEP support
#device wlan_ccmp # 802.11 CCMP support
#device wlan_tkip # 802.11 TKIP support
#device wlan_amrr # AMRR transmit rate control algorithm
#device an # Aironet 4500/4800 802.11 wireless NICs.
#device ath # Atheros NIC's
#device ath_pci # Atheros pci/cardbus glue
#device ath_hal # pci/cardbus chip support
#options AH_SUPPORT_AR5416 # enable AR5416 tx/rx descriptors
#device ath_rate_sample # SampleRate tx rate control for ath
#device bwi # Broadcom BCM430x/BCM431x wireless NICs.
#device bwn # Broadcom BCM43xx wireless NICs.
#device ipw # Intel 2100 wireless NICs.
#device iwi # Intel 2200BG/2225BG/2915ABG wireless NICs.
#device iwn # Intel 4965/1000/5000/6000 wireless NICs.
#device malo # Marvell Libertas wireless NICs.
#device mwl # Marvell 88W8363 802.11n wireless NICs.
#device ral # Ralink Technology RT2500 wireless NICs.
#device wi # WaveLAN/Intersil/Symbol 802.11 wireless NICs.
#device wpi # Intel 3945ABG wireless NICs.
# Pseudo devices.
device loop # Network loopback
device random # Entropy device
device ether # Ethernet support
# Needed for the vlan40/50/60/70 interfaces created in the rc.conf on this page.
device vlan # 802.1Q VLAN support
device tun # Packet tunnel.
device pty # BSD-style compatibility pseudo ttys
device md # Memory "disks"
device gif # IPv6 and IPv4 tunneling
#device faith # IPv6-to-IPv4 relaying (translation)
device firmware # firmware assist module
# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
# (The rc.conf on this page enables dhcpd, so bpf has to stay.)
device bpf # Berkeley packet filter
# USB support
#options USB_DEBUG # enable debug msgs
#device uhci # UHCI PCI->USB interface
#device ohci # OHCI PCI->USB interface
#device ehci # EHCI PCI->USB interface (USB 2.0)
#device xhci # XHCI PCI->USB interface (USB 3.0)
#device usb # USB Bus (required)
#device udbp # USB Double Bulk Pipe devices (needs netgraph)
#device uhid # "Human Interface Devices"
#device ukbd # Keyboard
#device ulpt # Printer
#device umass # Disks/Mass storage - Requires scbus and da
#device ums # Mouse
#device urio # Diamond Rio 500 MP3 player
# USB Serial devices
#device u3g # USB-based 3G modems (Option, Huawei, Sierra)
#device uark # Technologies ARK3116 based serial adapters
#device ubsa # Belkin F5U103 and compatible serial adapters
#device uftdi # For FTDI usb serial adapters
#device uipaq # Some WinCE based devices
#device uplcom # Prolific PL-2303 serial adapters
#device uslcom # SI Labs CP2101/CP2102 serial adapters
#device uvisor # Visor and Palm devices
#device uvscom # USB serial support for DDI pocket's PHS
# USB Ethernet, requires miibus
#device aue # ADMtek USB Ethernet
#device axe # ASIX Electronics USB Ethernet
#device cdce # Generic USB over Ethernet
#device cue # CATC USB Ethernet
#device kue # Kawasaki LSI USB Ethernet
#device rue # RealTek RTL8150 USB Ethernet
#device udav # Davicom DM9601E USB
# USB Wireless
#device rum # Ralink Technology RT2501USB wireless NICs
#device run # Ralink Technology RT2700/RT2800/RT3000 NICs.
#device uath # Atheros AR5523 wireless NICs
#device upgt # Conexant/Intersil PrismGT wireless NICs.
#device ural # Ralink Technology RT2500USB wireless NICs
#device urtw # Realtek RTL8187B/L wireless NICs
#device zyd # ZyDAS zd1211/zd1211b wireless NICs
# FireWire support
#device firewire # FireWire bus code
# sbp(4) works for some systems but causes boot failure on others
#device sbp # SCSI over FireWire (Requires scbus and da)
#device fwe # Ethernet over FireWire (non-standard!)
#device fwip # IP over FireWire (RFC 2734,3146)
#device dcons # Dumb console driver
#device dcons_crom # Configuration ROM for dcons
# Sound support
#device sound # Generic sound driver (required)
#device snd_es137x # Ensoniq AudioPCI ES137x
#device snd_hda # Intel High Definition Audio
#device snd_ich # Intel, NVidia and other ICH AC'97 Audio
#device snd_uaudio # USB Audio
#device snd_via8233 # VIA VT8233x Audio
# Local additions to GENERIC: ipfw with in-kernel NAT, divert and dummynet,
# netgraph PPPoE/PPTP nodes, pf with ALTQ, and raised SysV IPC limits.
options IPFIREWALL
# NOTE(review): no IPFIREWALL_VERBOSE_LIMIT is set alongside this, so rules using
# `log` are not rate-limited by the kernel; check net.inet.ip.fw.verbose_limit.
options IPFIREWALL_VERBOSE
# NOTE(review): with this option the built-in last rule (65535) is "allow". If the
# ruleset is flushed or fails to load, the router passes and forwards everything,
# and the rc.conf on this page also uses firewall_type="OPEN". Confirm this is an
# accepted trade-off for a box that also runs sshd, mysql and apache.
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_FORWARD
options IPFIREWALL_NAT
options IPDIVERT
options IPSTEALTH
# NOTE(review): TCPDEBUG and ALTQ_DEBUG (below) are debugging aids; presumably
# not needed on a production router. Confirm before keeping them.
options TCPDEBUG
options LIBALIAS
options DUMMYNET
# presumably raised for finer dummynet timing; verify the interrupt load is acceptable
options HZ=2000
options NETGRAPH
options NETGRAPH_PPPOE
options NETGRAPH_PPP
options NETGRAPH_PPTPGRE
# pf is compiled in next to ipfw, but the rc.conf on this page enables only ipfw
# (firewall_enable) and has no pf_enable line.
device pf
device pflog
device pfsync
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_CDNR
options ALTQ_PRIQ
options ALTQ_NOPCC
options ALTQ_DEBUG
# SysV shared-memory and semaphore limits.
options SHMMAXPGS=65536
options SEMMNI=40
options SEMMNS=240
options SEMUME=40
options SEMMNU=120
# $FreeBSD: release/9.0.0/etc/sysctl.conf 112200 2003-03-13 18:43:50Z mux $
#
# This file is read when going to multi-user and its contents piped thru
# ``sysctl'' to adjust kernel values. ``man 5 sysctl.conf'' for details.
#
# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
#security.bsd.see_other_uids=0
# Settings are applied top to bottom, so when a name is assigned twice the
# later assignment is the one left in effect.

# for nodenny (entire group disabled)
#net.graph.recvspace=1000000
#net.graph.maxdgram=1000000
#kern.ipc.maxsockbuf=10000000
#kern.maxfiles=200000
#kern.maxfilesperproc=200000
#kern.threads.max_threads_per_proc=200000
#kern.ipc.somaxconn=16384
#kern.ipc.nmbclusters=400000
#net.inet.ip.fastforwarding=0
#net.isr.dispatch=direct
#net.inet.tcp.sendspace=131072
#net.inet.tcp.recvspace=131072
#net.inet.ip.dummynet.max_chain_len=1024
# for abills
net.inet.ip.fastforwarding=1
# NOTE(review): this turns off randomisation of ephemeral source ports for
# connections this host originates, which makes them predictable. Confirm that
# abills really requires it before keeping it.
net.inet.ip.portrange.randomized=0
net.inet.tcp.nolocaltimewait=1
# NOTE(review): the "No buffer space available" ping error quoted at the top of
# the page (ENOBUFS) can come from mbuf-cluster exhaustion or from a full
# dummynet or interface queue. `netstat -m` shows whether cluster requests were denied.
kern.ipc.nmbclusters=65536
kern.ipc.maxsockets=204800
net.inet.ip.dummynet.expire=0
# NOTE(review): overridden by hash_size=65535 near the end of this file. The
# dmesg lines on this page report sched buckets bumped to 2048, so check the
# live value with `sysctl net.inet.ip.dummynet.hash_size`.
net.inet.ip.dummynet.hash_size=2048
# NOTE(review): overridden by dyn_buckets=65536 at the end of this file.
net.inet.ip.fw.dyn_buckets=2048
net.inet.tcp.maxtcptw=40960
# NOTE(review): kern.ipc.maxsockbuf is assigned again, with the same value, two lines below.
kern.ipc.maxsockbuf=8388608
net.graph.recvspace=256000
## TCP buffer size
kern.ipc.maxsockbuf=8388608
net.inet.tcp.recvspace=65535
# incoming TCP queue size
kern.ipc.somaxconn=4096
# incoming packets queue size
net.inet.ip.intr_queue_maxlen=2000
# NOTE(review): the kernel config on this page has no `options FLOWTABLE`; if the
# OID does not exist, this line only produces a warning at boot. Confirm.
net.inet.flowtable.enable=0
# local additions
net.inet.ip.dummynet.pipe_slot_limit=10000
net.graph.maxdgram=1000000
net.inet.ip.dummynet.hash_size=65535
# Upper bound and hash size for ipfw dynamic (stateful) rules.
net.inet.ip.fw.dyn_max=524288
net.inet.ip.fw.dyn_buckets=65536
# Boot-time tunables and module loads (this looks like /boot/loader.conf; confirm).
# The kernel config on this page compiles in maxusers 512; this value is presumably
# the one that applies at boot.
kern.maxusers=1024
net.graph.maxdata=65536
net.graph.maxalloc=65536
# Netgraph modules loaded at boot; ng_ipfw ties netgraph into ipfw rules.
ng_netflow_load="YES"
ng_socket_load="YES"
ng_ksocket_load="YES"
ng_ipfw_load="YES"
# RX/TX descriptor ring sizes for em(4).
# NOTE(review): em(4) documents a chip-dependent upper bound for these; confirm in
# the boot messages that 4096 was accepted rather than replaced by the driver default.
hw.em.rxd=4096
hw.em.txd=4096
#hw.igb.rxd=4096
#hw.igb.txd=4096
#hw.igb.max_interrupt_rate=32000
# NOTE(review): the commented lines above are the igb(4) counterparts; verify with
# `sysctl hw.em` that the em(4) driver in this release recognises this tunable.
hw.em.max_interrupt_rate=32000
#!/bin/sh
# Post-boot tuning of the two em(4) interfaces (em0 and em1) through sysctl.
# The sysctls are applied in a fixed order: rx_processing_limit on both NICs
# first, then the four interrupt-delay knobs for em0, then the same for em1.

# Wait 30 seconds before touching the dev.em.* nodes.
sleep 30

# Raise rx_processing_limit to 4096 on both NICs.
for unit in 0 1; do
    sysctl "dev.em.${unit}.rx_processing_limit=4096"
done

# Interrupt delay settings. An earlier, lower set of values was tried and
# disabled: 300 for rx/tx_int_delay and 500 for rx/tx_abs_int_delay.
for unit in 0 1; do
    for knob in \
        rx_int_delay=600 \
        tx_int_delay=600 \
        rx_abs_int_delay=1000 \
        tx_abs_int_delay=1000
    do
        sysctl "dev.em.${unit}.${knob}"
    done
done