FreeBSD high load loopback interface

Posted by user1740915 on Server Fault See other posts from Server Fault or by user1740915
Published on 2012-10-23T14:13:42Z Indexed on 2012/11/02 11:04 UTC
Read the original article Hit count: 295

Filed under:

upload

freebsd

squid

I have a problem with a FreeBSD server.

There is a FreeBSD 9.0 amd64, two network cards em1 (internet), em0 (local network) configured firewall ipfw, natd, squid (not transparent), the server acts as a gateway for access to the Internet.

Next problem: upload via squid is very low.

At this moment I see next: natd, dhcpd load the cpu at that time when uploading through squid and there are a lot of traffic through the loopback interface.

ipfw show output

0100  655389684   36707144666 allow ip from any to any via lo0
00200          0             0 deny ip from any to 127.0.0.0/8
00300          0             0 deny ip from 127.0.0.0/8 to any
00400          0             0 deny ip from any to ::1
00500          0             0 deny ip from ::1 to any
00600          4           292 allow ipv6-icmp from :: to ff02::/16
00700          0             0 allow ipv6-icmp from fe80::/10 to fe80::/10
00800          1            76 allow ipv6-icmp from fe80::/10 to ff02::/16
00900          0             0 allow ipv6-icmp from any to any ip6 icmp6types 1
01000          0             0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
01100       1615         76160 deny ip from 192.168.1.1 to any in via em1
01200          0             0 deny ip from 199.69.99.11 to any in via em0
01300      46652       3705426 deny ip from any to 172.16.0.0/12 via em1
01400    3936404     345618870 deny ip from any to 192.168.0.0/16 via em1
01500          4           336 deny ip from any to 0.0.0.0/8 via em1
01600       4129        387621 deny ip from any to 169.254.0.0/16 via em1
01700          0             0 deny ip from any to 192.0.2.0/24 via em1
01800     917566      33777571 deny ip from any to 224.0.0.0/4 via em1
01900     147872      22029252 deny ip from any to 240.0.0.0/4 via em1
02000 1132194739 1190981955947 divert 8668 ip4 from any to any via em1
02100          3           248 deny ip from 172.16.0.0/12 to any via em1
02200      35925       2281289 deny ip from 192.168.0.0/16 to any via em1
02300       1808        122494 deny ip from 0.0.0.0/8 to any via em1
02400          3           174 deny ip from 169.254.0.0/16 to any via em1
02500          0             0 deny ip from 192.0.2.0/24 to any via em1
02600          0             0 deny ip from 224.0.0.0/4 to any via em1
02700          0             0 deny ip from 240.0.0.0/4 to any via em1
02800  960156249 1095316736582 allow tcp from any to any established
02900   64236062    8243196577 allow ip from any to any frag
03000         34          1756 allow tcp from any to me dst-port 25 setup
03100        193         11580 allow tcp from any to me dst-port 53 setup
03200         63          4222 allow udp from any to me dst-port 53
03300         64          8350 allow udp from me 53 to any
03400        417         24140 allow tcp from any to me dst-port 80 setup
03500        211         10472 allow ip from any to me dst-port 3389 setup
05300         77          4488 allow ip from any to me dst-port 1723 setup
05400          3           156 allow ip from any to me dst-port 8443 setup
05500       9882        590596 allow tcp from any to me dst-port 22 setup
05600          1            60 allow ip from any to me dst-port 2000 setup
05700          0             0 allow ip from any to me dst-port 2201 setup
07400    4241779     216690096 deny log logamount 1000 ip4 from any to any in via em1 setup proto tcp
07500   21135656    1048824936 allow tcp from any to any setup
07600     474447      35298081 allow udp from me to any dst-port 53 keep-state
07700        532         40612 allow udp from me to any dst-port 123 keep-state
65535 1990638432 1122305322718 allow ip from any to any

systat -ifstat when uploading via squid

Load Average   ||| 

      Interface           Traffic               Peak                Total
           tun0  in     79.507 KB/s        232.479 KB/s           42.314 GB
                 out     2.022 MB/s          2.424 MB/s           59.662 GB

            lo0  in      4.450 MB/s          4.450 MB/s           43.723 GB
                 out     4.450 MB/s          4.450 MB/s           43.723 GB

            em1  in      2.629 MB/s          2.982 MB/s          464.533 GB
                 out     2.493 MB/s          2.875 MB/s          484.673 GB

            em0  in    240.458 KB/s        296.941 KB/s          442.368 GB
                 out   512.508 KB/s        850.857 KB/s          416.122 GB

top output

PID USERNAME       THR PRI NICE   SIZE    RES STATE   C   TIME   WCPU COMMAND
66885 root             1  92    0 26672K  2784K CPU3    3 528:43 65.48% natd
 9160 dhcpd            1  45    0 31032K  9280K CPU1    1   7:40 32.96% dhcpd
66455 root             1  20    0 18344K  2856K select  1 119:27  1.37% openvpn
16043 squid            1  20    0 44404K 17884K kqread  2   0:22  0.29% squid

squid.conf

cat /usr/local/etc/squid/squid.conf
#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 192.168.1.1:3128

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/squid/cache 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache

I understand that the traffic passes through the SQUID several times. But can not find why.

Developer IT